diff --git a/.github/workflows/sigma-gen.yml b/.github/workflows/sigma-gen.yml new file mode 100644 index 00000000..0c2884c8 --- /dev/null +++ b/.github/workflows/sigma-gen.yml @@ -0,0 +1,35 @@ +name: Generate Sigma Rules + +on: + push: + branches: + - main + paths: + - 'yaml/**' + workflow_dispatch: + +permissions: + contents: write + +jobs: + generate-sigma: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4.2.0 + + - name: Set up Python + uses: actions/setup-python@v4.7.1 + with: + python-version: '3.10' + + - name: Install PyYAML + run: pip install pyyaml + + - name: Generate Sigma rules + run: python bin/sigma-gen.py + + - name: Git Auto Commit + uses: stefanzweifel/git-auto-commit-action@v4.15.4 + with: + commit_message: Update Sigma rules [skip ci] + file_pattern: detections/sigma/*.yml diff --git a/bin/sigma-gen.py b/bin/sigma-gen.py index 260bd702..cd8dc30e 100644 --- a/bin/sigma-gen.py +++ b/bin/sigma-gen.py @@ -4,6 +4,9 @@ import uuid from typing import Dict, List, Any +# Namespace UUID for generating deterministic rule IDs +LOLRMM_NAMESPACE = uuid.UUID("a1b2c3d4-e5f6-7890-abcd-ef1234567890") + def extract_artifacts(yaml_data: Dict[str, Any]) -> Dict[str, List[str]]: artifacts = {"files": [], "registry": [], "network": [], "processes": []} @@ -88,13 +91,16 @@ def write_sigma_rule(rule: Dict[str, Any], filepath: str) -> None: if isinstance(subvalue, list): # Single element: write inline, multiple elements: write as list if len(subvalue) == 1: - f.write(f" {subkey}: {subvalue[0]}\n") + val = subvalue[0].replace("'", "''") + f.write(f" {subkey}: '{val}'\n") else: f.write(f" {subkey}:\n") for item in subvalue: - f.write(f" - {item}\n") + val = item.replace("'", "''") + f.write(f" - '{val}'\n") else: - f.write(f" {subkey}: {subvalue}\n") + val = subvalue.replace("'", "''") + f.write(f" {subkey}: '{val}'\n") f.write(f" condition: {detection['condition']}\n") # Falsepositives 
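Review bot: All three actions are pinned to mutable tags (`actions/checkout@v4.2.0`, `actions/setup-python@v4.7.1`, `stefanzweifel/git-auto-commit-action@v4.15.4`) and `pip install pyyaml` is unpinned, while the job holds `contents: write` on `main`; a moved tag or a bad package release would run with commit rights to the detection corpus. Pin each action to a full commit SHA with the version kept as a trailing comment, and pin the package, e.g. `run: pip install 'pyyaml==<pinned version>'`. The `[skip ci]` suffix only stops the bot's own push from re-triggering workflows; if `main` has branch protection, the default `GITHUB_TOKEN` push will still be rejected, so that path is worth confirming before relying on the auto-commit.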
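Review bot: `LOLRMM_NAMESPACE` is the root of every generated rule `id`, but the comment does not say it must never change; since `uuid5(LOLRMM_NAMESPACE, title)` is what makes the ids deterministic, altering this constant silently re-keys every published rule, which is exactly what downstream suppressions and tuning are keyed on. Suggest extending the comment to `# Namespace for deterministic rule ids via uuid5(LOLRMM_NAMESPACE, title). Never change this value: doing so re-keys every published rule.` The value also reads like a typed-out sequence (`a1b2c3d4-...`), which is harmless for uuid5 but worth stating so nobody "fixes" it later.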
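Review bot: The new quoting calls `.replace` directly on `subvalue[0]`, `item` and `subvalue`, which assumes every detection value is a `str`; a scalar that the YAML loader returns as an int or bool (a bare port number, `true`) went through the old f-string fine and now raises `AttributeError` inside `write_sigma_rule`. Coerce first in the three changed lines, e.g. `val = str(subvalue[0]).replace("'", "''")`. Single-quoted scalars are the right choice here since backslashes in the Windows paths stay literal, but hand-emitting YAML stays fragile; the workflow installs PyYAML for this script, so `yaml.safe_dump(rule, f, sort_keys=False)` would handle quoting and escaping while keeping the field order. `write_sigma_rule` starts before this hunk.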
@@ -161,7 +167,7 @@ def generate_sigma_rules(yaml_file: str, output_dir: str) -> List[Dict[str, Any] # Create rule with proper field order rule = { "title": rule_template["title"], - "id": str(uuid.uuid4()), + "id": str(uuid.uuid5(LOLRMM_NAMESPACE, rule_template["title"])), "status": "experimental", "description": f"Detects potential {artifact_type} activity of {name} RMM tool", "references": ["https://github.com/magicsword-io/LOLRMM"], diff --git a/detections/sigma/247ithelp.com__connectwise__network_sigma.yml b/detections/sigma/247ithelp.com__connectwise__network_sigma.yml index 58117cdf..cab21fac 100644 --- a/detections/sigma/247ithelp.com__connectwise__network_sigma.yml +++ b/detections/sigma/247ithelp.com__connectwise__network_sigma.yml @@ -1,12 +1,12 @@ title: Potential 247ithelp.com (ConnectWise) RMM Tool Network Activity -id: 43e31a0e-0682-4a5b-9031-2c36d6cf829b +id: 46a93cbf-d8b6-5ad5-ac4d-cbddd7fc5733 status: experimental description: | Detects potential network activity of 247ithelp.com (ConnectWise) RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: *.247ithelp.com + DestinationHostname|endswith: '*.247ithelp.com' condition: selection falsepositives: - Legitimate use of 247ithelp.com (ConnectWise) diff --git a/detections/sigma/247ithelp.com__connectwise__processes_sigma.yml b/detections/sigma/247ithelp.com__connectwise__processes_sigma.yml index 4faa313c..bca4a857 100644 --- a/detections/sigma/247ithelp.com__connectwise__processes_sigma.yml +++ b/detections/sigma/247ithelp.com__connectwise__processes_sigma.yml 
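Review bot: Deriving the id from `rule_template["title"]` makes it stable across runs but not across edits: any title rewording, or a tool rename since `name` is embedded in the title, yields a fresh id, which Sigma treats as a new rule and which breaks downstream suppressions keyed on the old one. A key that never appears in user-facing text would be more durable, for example the source yaml's basename combined with `artifact_type`, both of which are available in `generate_sigma_rules`; two templates with identical titles would also collide on one id, so a post-generation uniqueness check on `id` is worth adding. Separately, every regenerated rule in this diff moves `date` from 2025-12-01 to 2026-02-03, which suggests the generator stamps the run date; Sigma expects `date` to stay the creation date and `modified` to carry updates, otherwise each push touching `yaml/**` rewrites every file. `generate_sigma_rules` starts before this hunk.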
@@ -1,12 +1,12 @@ title: Potential 247ithelp.com (ConnectWise) RMM Tool Process Activity -id: ddbae18a-5f5b-4245-a754-33fc427a4162 +id: bb00e1fb-6ca9-59d2-b441-fcfc87ed759e status: experimental description: | Detects potential processes activity of 247ithelp.com (ConnectWise) RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: Remote Workforce Client.exe + ParentImage|endswith: 'Remote Workforce Client.exe' selection_image: - Image|endswith: Remote Workforce Client.exe + Image|endswith: 'Remote Workforce Client.exe' condition: 1 of selection_* falsepositives: - Legitimate use of 247ithelp.com (ConnectWise) diff --git a/detections/sigma/absolute__computrace__network_sigma.yml b/detections/sigma/absolute__computrace__network_sigma.yml index c667ca82..6d7ce8b9 100644 --- a/detections/sigma/absolute__computrace__network_sigma.yml +++ b/detections/sigma/absolute__computrace__network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Absolute (Computrace) RMM Tool Network Activity -id: 1121ec6d-2ddb-4423-8722-397074293568 +id: 7a0e6218-bc60-5010-8890-6efa9223f650 status: experimental description: | Detects potential network activity of Absolute (Computrace) RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - *search.namequery.com - - *server.absolute.com + - '*search.namequery.com' + - '*server.absolute.com' condition: selection falsepositives: - Legitimate use of Absolute (Computrace) diff --git a/detections/sigma/absolute__computrace__processes_sigma.yml b/detections/sigma/absolute__computrace__processes_sigma.yml index 2dcc7322..02f2bec4 100644 
--- a/detections/sigma/absolute__computrace__processes_sigma.yml +++ b/detections/sigma/absolute__computrace__processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Absolute (Computrace) RMM Tool Process Activity -id: 6633e0fe-00b0-4441-a635-35318721392f +id: 4dc903cb-205b-516a-88cb-e4dc5181561f status: experimental description: | Detects potential processes activity of Absolute (Computrace) RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,18 +16,18 @@ logsource: detection: selection_parent: ParentImage|endswith: - - rpcnet.exe - - ctes.exe - - ctespersitence.exe - - cteshostsvc.exe - - rpcld.exe + - 'rpcnet.exe' + - 'ctes.exe' + - 'ctespersitence.exe' + - 'cteshostsvc.exe' + - 'rpcld.exe' selection_image: Image|endswith: - - rpcnet.exe - - ctes.exe - - ctespersitence.exe - - cteshostsvc.exe - - rpcld.exe + - 'rpcnet.exe' + - 'ctes.exe' + - 'ctespersitence.exe' + - 'cteshostsvc.exe' + - 'rpcld.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Absolute (Computrace) diff --git a/detections/sigma/access_remote_pc_files_sigma.yml b/detections/sigma/access_remote_pc_files_sigma.yml index d893440d..3dbc9f9e 100644 --- a/detections/sigma/access_remote_pc_files_sigma.yml +++ b/detections/sigma/access_remote_pc_files_sigma.yml @@ -1,12 +1,12 @@ title: Potential Access Remote PC RMM Tool File Activity -id: 1a263981-f6d4-4ba8-8ae3-16525d97c9b9 +id: 6ede7801-b64d-5315-8168-da1264d8bd71 status: experimental description: | Detects potential files activity of Access Remote PC RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,8 +16,8 @@ logsource: detection: selection: TargetFilename|endswith: - - C:\Program Files (x86)\RemotePC\RemotePCUIU.exe - - C:\Program Files (x86)\RemotePC\* + - 'C:\Program Files (x86)\RemotePC\RemotePCUIU.exe' + - 'C:\Program Files (x86)\RemotePC\*' condition: selection falsepositives: - Legitimate use of Access Remote PC diff --git a/detections/sigma/acronis_cyber_protect__remotix__network_sigma.yml b/detections/sigma/acronis_cyber_protect__remotix__network_sigma.yml index 5f81e164..b89dbf90 100644 --- a/detections/sigma/acronis_cyber_protect__remotix__network_sigma.yml +++ b/detections/sigma/acronis_cyber_protect__remotix__network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Acronis Cyber Protect (Remotix) RMM Tool Network Activity -id: 9e6372f6-47e7-4a2b-9306-2d7f2347cb62 +id: 09b5684f-5571-5607-9051-07f2b11e4fbe status: experimental description: | Detects potential network activity of Acronis Cyber Protect (Remotix) RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,10 +16,10 @@ logsource: detection: selection: DestinationHostname|endswith: - - cloud.acronis.com - - agents*-cloud.acronis.com - - gw.remotix.com - - connect.acronis.com + - 'cloud.acronis.com' + - 'agents*-cloud.acronis.com' + - 'gw.remotix.com' + - 'connect.acronis.com' condition: selection falsepositives: - Legitimate use of Acronis Cyber Protect (Remotix) diff --git a/detections/sigma/acronis_cyber_protect__remotix__processes_sigma.yml b/detections/sigma/acronis_cyber_protect__remotix__processes_sigma.yml index 3ae85aef..09b8c43d 100644 --- a/detections/sigma/acronis_cyber_protect__remotix__processes_sigma.yml +++ b/detections/sigma/acronis_cyber_protect__remotix__processes_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential Acronis Cyber Protect (Remotix) RMM Tool Process Activity -id: 1c52dfd5-39b5-4891-86be-b20a5dd5443d +id: 567d575d-1c03-5ce9-8dc8-dad4b7c5372d status: experimental description: | Detects potential processes activity of Acronis Cyber Protect (Remotix) RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - AcronisCyberProtectConnectQuickAssist*.exe - - AcronisCyberProtectConnectAgent.exe + - 'AcronisCyberProtectConnectQuickAssist*.exe' + - 'AcronisCyberProtectConnectAgent.exe' selection_image: Image|endswith: - - AcronisCyberProtectConnectQuickAssist*.exe - - AcronisCyberProtectConnectAgent.exe + - 'AcronisCyberProtectConnectQuickAssist*.exe' + - 'AcronisCyberProtectConnectAgent.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Acronis Cyber Protect (Remotix) diff --git a/detections/sigma/action1_files_sigma.yml b/detections/sigma/action1_files_sigma.yml index 64c292e4..383bf68c 100644 --- a/detections/sigma/action1_files_sigma.yml +++ b/detections/sigma/action1_files_sigma.yml @@ -1,12 +1,12 @@ title: Potential Action1 RMM Tool File Activity -id: 0e4ac9ba-0f84-4437-b952-3a5ff816eef3 +id: ecb5ed8f-5729-51f5-9a54-3a6557cd7d9e status: experimental description: | Detects potential files activity of Action1 RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,11 +16,11 @@ logsource: detection: selection: TargetFilename|endswith: - - C:\Windows\Action1\action1_agent.exe - - C:\Windows\Action1\* - - C:\Windows\Action1\scripts\* - - C:\Windows\Action1\rule_data\* - - C:\Windows\Action1\action1_log_*.log + - 'C:\Windows\Action1\action1_agent.exe' + - 'C:\Windows\Action1\*' + - 'C:\Windows\Action1\scripts\*' + - 'C:\Windows\Action1\rule_data\*' + - 'C:\Windows\Action1\action1_log_*.log' condition: selection falsepositives: - Legitimate use of Action1 diff --git a/detections/sigma/action1_network_sigma.yml b/detections/sigma/action1_network_sigma.yml index 0809c471..9a1cf546 100644 --- a/detections/sigma/action1_network_sigma.yml +++ b/detections/sigma/action1_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Action1 RMM Tool Network Activity -id: 22015403-2881-4c36-ba1b-aff8da000ae6 +id: 4f70ef33-917d-5993-bd3c-e8511ac16c9d status: experimental description: | Detects potential network activity of Action1 RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.action1.com - - a1-backend-packages.s3.amazonaws.com + - '*.action1.com' + - 'a1-backend-packages.s3.amazonaws.com' condition: selection falsepositives: - Legitimate use of Action1 diff --git a/detections/sigma/action1_registry_sigma.yml b/detections/sigma/action1_registry_sigma.yml index faf1664e..74e2820a 100644 --- a/detections/sigma/action1_registry_sigma.yml +++ b/detections/sigma/action1_registry_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential Action1 RMM Tool Registry Activity -id: 641f0d60-932c-45c2-8feb-03143209c7ee +id: 2841f3b2-7212-5b7c-83a8-f301ccb46d6f status: experimental description: | Detects potential registry activity of Action1 RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,9 +16,9 @@ logsource: detection: selection: TargetObject|contains: - - HKLM\System\CurrentControlSet\Services\A1Agent - - HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\LocalDumps\action1_agent.exe - - HKLM\SOFTWARE\WOW6432Node\Action1 + - 'HKLM\System\CurrentControlSet\Services\A1Agent' + - 'HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\LocalDumps\action1_agent.exe' + - 'HKLM\SOFTWARE\WOW6432Node\Action1' condition: selection falsepositives: - Legitimate use of Action1 diff --git a/detections/sigma/addigy_network_sigma.yml b/detections/sigma/addigy_network_sigma.yml index 0ec0297e..d4dd30d5 100644 --- a/detections/sigma/addigy_network_sigma.yml +++ b/detections/sigma/addigy_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Addigy RMM Tool Network Activity -id: 43757bb8-b54f-41be-9e96-8099c0dc9a16 +id: 19353241-8add-5556-8a66-870cdecfa84d status: experimental description: | Detects potential network activity of Addigy RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,9 +16,9 @@ logsource: detection: selection: DestinationHostname|endswith: - - prod.addigy.com - - grtmprod.addigy.com - - agents.addigy.com + - 'prod.addigy.com' + - 'grtmprod.addigy.com' + - 'agents.addigy.com' condition: selection falsepositives: - Legitimate use of Addigy diff --git a/detections/sigma/adobe_connect_network_sigma.yml b/detections/sigma/adobe_connect_network_sigma.yml index 58b37120..128b8b84 100644 
--- a/detections/sigma/adobe_connect_network_sigma.yml +++ b/detections/sigma/adobe_connect_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Adobe Connect RMM Tool Network Activity -id: c32a974a-ab36-4e6d-862f-e36c129dd140 +id: 43bfb949-54e0-5a67-bbb6-d208dd02c8c4 status: experimental description: | Detects potential network activity of Adobe Connect RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: *.adobeconnect.com + DestinationHostname|endswith: '*.adobeconnect.com' condition: selection falsepositives: - Legitimate use of Adobe Connect diff --git a/detections/sigma/adobe_connect_processes_sigma.yml b/detections/sigma/adobe_connect_processes_sigma.yml index 4916fe6d..ae58d40e 100644 --- a/detections/sigma/adobe_connect_processes_sigma.yml +++ b/detections/sigma/adobe_connect_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Adobe Connect RMM Tool Process Activity -id: e8f2d33b-025e-47aa-be08-fe034fb8373f +id: 88477682-dd8c-5d99-be68-7e890fbbe847 status: experimental description: | Detects potential processes activity of Adobe Connect RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,16 +16,16 @@ logsource: detection: selection_parent: ParentImage|endswith: - - ConnectAppSetup*.exe - - ConnectShellSetup*.exe - - Connect.exe - - ConnectDetector.exe + - 'ConnectAppSetup*.exe' + - 'ConnectShellSetup*.exe' + - 'Connect.exe' + - 'ConnectDetector.exe' selection_image: Image|endswith: - - ConnectAppSetup*.exe - - ConnectShellSetup*.exe - - Connect.exe - - ConnectDetector.exe + - 'ConnectAppSetup*.exe' + - 'ConnectShellSetup*.exe' + - 'Connect.exe' + - 'ConnectDetector.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Adobe Connect diff --git a/detections/sigma/aeroadmin_network_sigma.yml b/detections/sigma/aeroadmin_network_sigma.yml index 1af6d386..996d85ac 100644 --- a/detections/sigma/aeroadmin_network_sigma.yml +++ b/detections/sigma/aeroadmin_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential AeroAdmin RMM Tool Network Activity -id: 0b37a0c4-a652-4902-b649-735b7a6139bb +id: 8725a7f1-8d97-5436-9004-bea5a9f63767 status: experimental description: | Detects potential network activity of AeroAdmin RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - auth*.aeroadmin.com - - aeroadmin.com + - 'auth*.aeroadmin.com' + - 'aeroadmin.com' condition: selection falsepositives: - Legitimate use of AeroAdmin diff --git a/detections/sigma/aeroadmin_processes_sigma.yml b/detections/sigma/aeroadmin_processes_sigma.yml index 5fb59fb0..a0502e1d 100644 --- a/detections/sigma/aeroadmin_processes_sigma.yml +++ b/detections/sigma/aeroadmin_processes_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential AeroAdmin RMM Tool Process Activity -id: 42b71d87-e5da-4468-94d3-a086e8648f41 +id: 95672471-6203-5935-814e-ea51994e5212 status: experimental description: | Detects potential processes activity of AeroAdmin RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - aeroadmin.exe - - AeroAdmin.exe + - 'aeroadmin.exe' + - 'AeroAdmin.exe' selection_image: Image|endswith: - - aeroadmin.exe - - AeroAdmin.exe + - 'aeroadmin.exe' + - 'AeroAdmin.exe' condition: 1 of selection_* falsepositives: - Legitimate use of AeroAdmin diff --git a/detections/sigma/aliwangwang-remote-control_network_sigma.yml b/detections/sigma/aliwangwang-remote-control_network_sigma.yml index aa7e7cf4..0e1b50f6 100644 --- a/detections/sigma/aliwangwang-remote-control_network_sigma.yml +++ b/detections/sigma/aliwangwang-remote-control_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential AliWangWang-remote-control RMM Tool Network Activity -id: 20416554-81e2-4d2b-a643-5838ceaed775 +id: f8d54406-6279-589a-91dc-c557acd33cb6 status: experimental description: | Detects potential network activity of AliWangWang-remote-control RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: wangwang.taobao.com + DestinationHostname|endswith: 'wangwang.taobao.com' condition: selection falsepositives: - Legitimate use of AliWangWang-remote-control diff --git a/detections/sigma/aliwangwang-remote-control_processes_sigma.yml b/detections/sigma/aliwangwang-remote-control_processes_sigma.yml index 855edc4a..5fa2549f 100644 
--- a/detections/sigma/aliwangwang-remote-control_processes_sigma.yml +++ b/detections/sigma/aliwangwang-remote-control_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential AliWangWang-remote-control RMM Tool Process Activity -id: ba1c6242-0f04-4913-bc23-5ad3cd2964da +id: 73ace0a7-c394-5070-adbc-20505b81e441 status: experimental description: | Detects potential processes activity of AliWangWang-remote-control RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: alitask.exe + ParentImage|endswith: 'alitask.exe' selection_image: - Image|endswith: alitask.exe + Image|endswith: 'alitask.exe' condition: 1 of selection_* falsepositives: - Legitimate use of AliWangWang-remote-control diff --git a/detections/sigma/alpemix_files_sigma.yml b/detections/sigma/alpemix_files_sigma.yml index c783f6bc..6f951f41 100644 --- a/detections/sigma/alpemix_files_sigma.yml +++ b/detections/sigma/alpemix_files_sigma.yml @@ -1,12 +1,12 @@ title: Potential Alpemix RMM Tool File Activity -id: 48635891-4740-4323-9654-0c950f7129a0 +id: 59f6d5ac-c4f1-5e23-bdca-0637a851df51 status: experimental description: | Detects potential files activity of Alpemix RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: file_event detection: selection: - TargetFilename|endswith: %localappdata%\Alpemix\Alpemix.ini + TargetFilename|endswith: '%localappdata%\Alpemix\Alpemix.ini' condition: selection falsepositives: - Legitimate use of Alpemix diff --git a/detections/sigma/alpemix_network_sigma.yml b/detections/sigma/alpemix_network_sigma.yml index 2c766ec3..d0b9331b 100644 --- a/detections/sigma/alpemix_network_sigma.yml 
+++ b/detections/sigma/alpemix_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Alpemix RMM Tool Network Activity -id: 0dac95e2-50a7-42dd-96da-322399ebabac +id: b8658364-6780-5a56-bfc3-521fb3b85d89 status: experimental description: | Detects potential network activity of Alpemix RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.alpemix.com - - *.teknopars.com + - '*.alpemix.com' + - '*.teknopars.com' condition: selection falsepositives: - Legitimate use of Alpemix diff --git a/detections/sigma/alpemix_processes_sigma.yml b/detections/sigma/alpemix_processes_sigma.yml index e2192b2a..9f90c19b 100644 --- a/detections/sigma/alpemix_processes_sigma.yml +++ b/detections/sigma/alpemix_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Alpemix RMM Tool Process Activity -id: e48f7b65-5748-4e0e-a12d-7dcbc08a5065 +id: 8f623bd9-633c-5f56-af26-7c4148a35e9f status: experimental description: | Detects potential processes activity of Alpemix RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: AlpemixService.exe + ParentImage|endswith: 'C:\AlpemixService.exe' selection_image: - Image|endswith: AlpemixService.exe + Image|endswith: 'C:\AlpemixService.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Alpemix diff --git a/detections/sigma/alpemix_registry_sigma.yml b/detections/sigma/alpemix_registry_sigma.yml index 7e203d7d..723dbb4a 100644 --- a/detections/sigma/alpemix_registry_sigma.yml +++ b/detections/sigma/alpemix_registry_sigma.yml 
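Review bot: In `alpemix_processes_sigma.yml` the regenerated value `'C:\AlpemixService.exe'` under `ParentImage|endswith` and `Image|endswith` only matches a binary sitting at the root of `C:`, so the rule no longer fires for the install paths the previous bare `AlpemixService.exe` value covered; this is a detection regression rather than a quoting change. The other process rules in this diff use either the bare image name or a `'*\name.exe'` pattern, and this one should do the same. The source entry lives in the `yaml/` tree that feeds this generated file, so the fix belongs there, e.g. `'AlpemixService.exe'` or `'*\AlpemixService.exe'`, followed by a regeneration.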
@@ -1,12 +1,12 @@ title: Potential Alpemix RMM Tool Registry Activity -id: bc21f832-b65a-428e-9692-764f20b24731 +id: 7ea38b5e-00fd-5919-b1a6-7ac3b8b361a4 status: experimental description: | Detects potential registry activity of Alpemix RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: registry_event detection: selection: - TargetObject|contains: HKLM\SYSTEM\CurrentControlSet\Services\AlpemixSrvcx + TargetObject|contains: 'HKLM\SYSTEM\CurrentControlSet\Services\AlpemixSrvcx' condition: selection falsepositives: - Legitimate use of Alpemix diff --git a/detections/sigma/ammyy_admin_files_sigma.yml b/detections/sigma/ammyy_admin_files_sigma.yml index dc514414..92ee52eb 100644 --- a/detections/sigma/ammyy_admin_files_sigma.yml +++ b/detections/sigma/ammyy_admin_files_sigma.yml @@ -1,12 +1,12 @@ title: Potential Ammyy Admin RMM Tool File Activity -id: f888a292-f924-4ec6-89f0-e1d645380537 +id: 95a064f3-4195-53e7-976e-b771f48f05de status: experimental description: | Detects potential files activity of Ammyy Admin RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: TargetFilename|endswith: - - %programdata%\\AMMYY\\access.log - - %Binary_path%\\AA_v3.log + - '%programdata%\\AMMYY\\access.log' + - '%Binary_path%\\AA_v3.log' condition: selection falsepositives: - Legitimate use of Ammyy Admin diff --git a/detections/sigma/ammyy_admin_network_sigma.yml b/detections/sigma/ammyy_admin_network_sigma.yml index 2f075196..7a6f8f70 100644 --- a/detections/sigma/ammyy_admin_network_sigma.yml +++ b/detections/sigma/ammyy_admin_network_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential Ammyy Admin RMM Tool Network Activity -id: 68d4c11a-9996-4883-aeda-c081efffa7c7 +id: b039d751-e0ca-5a6d-a45d-6d832f7d4cc4 status: experimental description: | Detects potential network activity of Ammyy Admin RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,11 +16,11 @@ logsource: detection: selection: DestinationHostname|endswith: - - ammyy.com - - *ammyy.com - - 136.243.104.235 - - 136.243.104.242 - - 136.243.18.122 + - 'ammyy.com' + - '*ammyy.com' + - '136.243.104.235' + - '136.243.104.242' + - '136.243.18.122' condition: selection falsepositives: - Legitimate use of Ammyy Admin diff --git a/detections/sigma/ammyy_admin_processes_sigma.yml b/detections/sigma/ammyy_admin_processes_sigma.yml index 3744de2a..09e1a987 100644 --- a/detections/sigma/ammyy_admin_processes_sigma.yml +++ b/detections/sigma/ammyy_admin_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Ammyy Admin RMM Tool Process Activity -id: 295131f7-4740-4607-9ce2-551e8c96096d +id: 39aec77e-6757-56c8-8f78-794838727fdb status: experimental description: | Detects potential processes activity of Ammyy Admin RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,16 +16,16 @@ logsource: detection: selection_parent: ParentImage|endswith: - - AMMYY_Admin.exe - - aa_v*.exe - - AMMYY_Admin.exe - - AMMYY_Admin.exe + - 'AMMYY_Admin.exe' + - 'aa_v*.exe' + - 'C:\Users\*\Downloads\AMMYY_Admin.exe' + - '*\AMMYY_Admin.exe' selection_image: Image|endswith: - - AMMYY_Admin.exe - - aa_v*.exe - - AMMYY_Admin.exe - - AMMYY_Admin.exe + - 'AMMYY_Admin.exe' + - 'aa_v*.exe' + - 'C:\Users\*\Downloads\AMMYY_Admin.exe' + - '*\AMMYY_Admin.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Ammyy Admin 
diff --git a/detections/sigma/ammyy_admin_registry_sigma.yml b/detections/sigma/ammyy_admin_registry_sigma.yml index 0b44b829..5321b0f2 100644 --- a/detections/sigma/ammyy_admin_registry_sigma.yml +++ b/detections/sigma/ammyy_admin_registry_sigma.yml @@ -1,12 +1,12 @@ title: Potential Ammyy Admin RMM Tool Registry Activity -id: b467222e-2511-4dc8-b7f2-6512e51f010f +id: cea54c85-6d56-51b6-8dd2-ba04f37a71b2 status: experimental description: | Detects potential registry activity of Ammyy Admin RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: TargetObject|contains: - - HKU\.DEFAULT\Software\Ammyy\Admin - - HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\AmmyyAdmin + - 'HKU\.DEFAULT\Software\Ammyy\Admin' + - 'HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\AmmyyAdmin' condition: selection falsepositives: - Legitimate use of Ammyy Admin diff --git a/detections/sigma/any_support_network_sigma.yml b/detections/sigma/any_support_network_sigma.yml index 9d4ce9d1..6776f213 100644 --- a/detections/sigma/any_support_network_sigma.yml +++ b/detections/sigma/any_support_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Any Support RMM Tool Network Activity -id: 2266db74-38c4-40ab-b8b2-c3bf041ae11f +id: af4bf192-fda9-5e3a-b41f-c4228a2abced status: experimental description: | Detects potential network activity of Any Support RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: *.anysupport.net + DestinationHostname|endswith: '*.anysupport.net' condition: selection falsepositives: - Legitimate use of Any Support 
diff --git a/detections/sigma/any_support_processes_sigma.yml b/detections/sigma/any_support_processes_sigma.yml index 2a47abd6..07b124be 100644 --- a/detections/sigma/any_support_processes_sigma.yml +++ b/detections/sigma/any_support_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Any Support RMM Tool Process Activity -id: 7799e615-745e-4cd7-948c-b21d032345d2 +id: d31dfc2d-dcac-5d04-96e7-276e60de36a0 status: experimental description: | Detects potential processes activity of Any Support RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: ManualLauncher.exe + ParentImage|endswith: 'ManualLauncher.exe' selection_image: - Image|endswith: ManualLauncher.exe + Image|endswith: 'ManualLauncher.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Any Support diff --git a/detections/sigma/anydesk_files_sigma.yml b/detections/sigma/anydesk_files_sigma.yml index 305ecac3..862a3073 100644 --- a/detections/sigma/anydesk_files_sigma.yml +++ b/detections/sigma/anydesk_files_sigma.yml @@ -1,12 +1,12 @@ title: Potential AnyDesk RMM Tool File Activity -id: 57cb129e-6cd6-42e9-8b5d-04542121fd79 +id: 44367621-23b7-59dc-ab1a-c20ffafff741 status: experimental description: | Detects potential files activity of AnyDesk RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,22 +16,22 @@ logsource: detection: selection: TargetFilename|endswith: - - %programdata%\AnyDesk\ad_svc.trace - - %programdata%\AnyDesk\connection_trace.txt - - %APPDATA%\AnyDesk\connection_trace.txt - - %APPDATA%\AnyDesk\ad.trace - - %APPDATA%\AnyDesk\chat\*.txt - - %APPDATA%\AnyDesk\user.conf - - %PROGRAMDATA%\AnyDesk\service.conf - - %APPDATA%\AnyDesk\service.conf - - %APPDATA%\AnyDesk\system.conf - - %PROGRAMDATA%\AnyDesk\system.conf - - %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\AnyDesk.lnk - - %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\AnyDesk\Uninstall AnyDesk.lnk - - C:\Users\*\Videos\AnyDesk\*.anydesk - - C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AnyDesk\* - - ~/Library/Application Support/AnyDesk/Logs/ - - ~/.config/AnyDesk/Logs/ + - '%programdata%\AnyDesk\ad_svc.trace' + - '%programdata%\AnyDesk\connection_trace.txt' + - '%APPDATA%\AnyDesk\connection_trace.txt' + - '%APPDATA%\AnyDesk\ad.trace' + - '%APPDATA%\AnyDesk\chat\*.txt' + - '%APPDATA%\AnyDesk\user.conf' + - '%PROGRAMDATA%\AnyDesk\service.conf' + - '%APPDATA%\AnyDesk\service.conf' + - '%APPDATA%\AnyDesk\system.conf' + - '%PROGRAMDATA%\AnyDesk\system.conf' + - '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\AnyDesk.lnk' + - '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\AnyDesk\Uninstall AnyDesk.lnk' + - 'C:\Users\*\Videos\AnyDesk\*.anydesk' + - 'C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AnyDesk\*' + - '~/Library/Application Support/AnyDesk/Logs/' + - '~/.config/AnyDesk/Logs/' condition: selection falsepositives: - Legitimate use of AnyDesk diff --git a/detections/sigma/anydesk_network_sigma.yml b/detections/sigma/anydesk_network_sigma.yml index 670ae45e..a512af73 100644 --- a/detections/sigma/anydesk_network_sigma.yml +++ b/detections/sigma/anydesk_network_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential AnyDesk RMM Tool Network Activity -id: 191aeb11-f0cc-4876-841c-009bf39bdf19 +id: 404b77e6-19cc-599d-b1a5-a99812279600 status: experimental description: | Detects potential network activity of AnyDesk RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,9 +16,9 @@ logsource: detection: selection: DestinationHostname|endswith: - - boot.net.anydesk.com - - relay-[a-f0-9]{8}.net.anydesk.com:443 - - *.anydesk.com + - 'boot.net.anydesk.com' + - 'relay-[a-f0-9]{8}.net.anydesk.com:443' + - '*.anydesk.com' condition: selection falsepositives: - Legitimate use of AnyDesk diff --git a/detections/sigma/anydesk_registry_sigma.yml b/detections/sigma/anydesk_registry_sigma.yml index 7278073a..feea8ff2 100644 --- a/detections/sigma/anydesk_registry_sigma.yml +++ b/detections/sigma/anydesk_registry_sigma.yml @@ -1,12 +1,12 @@ title: Potential AnyDesk RMM Tool Registry Activity -id: 3313d179-78b1-41d3-afe0-40dfc5dc794f +id: 8ec90487-32c3-5776-91ae-4b2effe2ad25 status: experimental description: | Detects potential registry activity of AnyDesk RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
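Review bot: `'relay-[a-f0-9]{8}.net.anydesk.com:443'` is a regular expression with a port appended, but it is emitted under the `endswith` modifier, where `[`, `{` and `:443` are compared literally, so this entry can never match a DestinationHostname value. The quoting added by this commit makes the file parse, but the value needs fixing at the source yaml: a Sigma wildcard such as `'relay-*.net.anydesk.com'` (the port is not part of the hostname field), or a separate `DestinationHostname|re:` selection if the character class matters. The same class of non-hostname value appears in the Apple Remote Desktop hunk (`'user_managed'`, a placeholder), the Aspia network hunk (`'https://github.com/dchapyshev/aspia'`, a URL) and the BeAnyWhere network hunk (`'beanywhere.en.uptodown.com/windows'`, a URL with a path); sigma-gen.py should skip or reject values that are not bare hostnames rather than emit them as selectors.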
@@ -16,14 +16,14 @@ logsource: detection: selection: TargetObject|contains: - - HKLM\SOFTWARE\Clients\Media\AnyDesk - - HKLM\SYSTEM\CurrentControlSet\Services\AnyDesk - - HKLM\SOFTWARE\Classes\.anydesk\shell\open\command - - HKLM\SOFTWARE\Classes\AnyDesk\shell\open\command - - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\AnyDesk Printer\* - - HKLM\DRIVERS\DriverDatabase\DeviceIds\USBPRINT\AnyDesk - - HKLM\DRIVERS\DriverDatabase\DeviceIds\WSDPRINT\AnyDesk - - HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk + - 'HKLM\SOFTWARE\Clients\Media\AnyDesk' + - 'HKLM\SYSTEM\CurrentControlSet\Services\AnyDesk' + - 'HKLM\SOFTWARE\Classes\.anydesk\shell\open\command' + - 'HKLM\SOFTWARE\Classes\AnyDesk\shell\open\command' + - 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\AnyDesk Printer\*' + - 'HKLM\DRIVERS\DriverDatabase\DeviceIds\USBPRINT\AnyDesk' + - 'HKLM\DRIVERS\DriverDatabase\DeviceIds\WSDPRINT\AnyDesk' + - 'HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk' condition: selection falsepositives: - Legitimate use of AnyDesk diff --git a/detections/sigma/anyplace_control_network_sigma.yml b/detections/sigma/anyplace_control_network_sigma.yml index 6a2775d1..0e2752e9 100644 --- a/detections/sigma/anyplace_control_network_sigma.yml +++ b/detections/sigma/anyplace_control_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Anyplace Control RMM Tool Network Activity -id: 6db5caaa-93ad-406b-a8b0-e652033f91a9 +id: fd43f5b7-5a26-5176-8cd6-4c24f3a33c32 status: experimental description: | Detects potential network activity of Anyplace Control RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: anyplace-control.com + DestinationHostname|endswith: 'anyplace-control.com' condition: selection falsepositives: - Legitimate use of Anyplace Control diff --git a/detections/sigma/anyplace_control_processes_sigma.yml b/detections/sigma/anyplace_control_processes_sigma.yml index 52d54c27..59a2cafd 100644 --- a/detections/sigma/anyplace_control_processes_sigma.yml +++ b/detections/sigma/anyplace_control_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Anyplace Control RMM Tool Process Activity -id: 4a442359-e6f0-49fc-a0f2-ec14addb0994 +id: a6737cd0-9c35-56ca-903f-6be7ea0756cd status: experimental description: | Detects potential processes activity of Anyplace Control RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: apc_host.exe + ParentImage|endswith: 'apc_host.exe' selection_image: - Image|endswith: apc_host.exe + Image|endswith: 'apc_host.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Anyplace Control diff --git a/detections/sigma/anyviewer_network_sigma.yml b/detections/sigma/anyviewer_network_sigma.yml index b9d7d673..d8ddf9ac 100644 --- a/detections/sigma/anyviewer_network_sigma.yml +++ b/detections/sigma/anyviewer_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential AnyViewer RMM Tool Network Activity -id: f79262ed-7f6b-40f8-ac51-245aecab6b97 +id: 983b7380-5252-5f5b-b3a5-2b260507e03c status: experimental description: | Detects potential network activity of AnyViewer RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.anyviewer.com - - *.aomeisoftware.com + - '*.anyviewer.com' + - '*.aomeisoftware.com' condition: selection falsepositives: - Legitimate use of AnyViewer diff --git a/detections/sigma/apple_remote_desktop_network_sigma.yml b/detections/sigma/apple_remote_desktop_network_sigma.yml index 10f19ef0..1cd599a5 100644 --- a/detections/sigma/apple_remote_desktop_network_sigma.yml +++ b/detections/sigma/apple_remote_desktop_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Apple Remote Desktop RMM Tool Network Activity -id: b6f5a66a-ed37-429a-8488-c196186726ca +id: 2a881cc7-b51f-59b9-be7a-dc197dece509 status: experimental description: | Detects potential network activity of Apple Remote Desktop RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: user_managed + DestinationHostname|endswith: 'user_managed' condition: selection falsepositives: - Legitimate use of Apple Remote Desktop diff --git a/detections/sigma/aspia_files_sigma.yml b/detections/sigma/aspia_files_sigma.yml index 148a5c14..08d62b90 100644 --- a/detections/sigma/aspia_files_sigma.yml +++ b/detections/sigma/aspia_files_sigma.yml @@ -1,12 +1,12 @@ title: Potential Aspia RMM Tool File Activity -id: 043a2b6b-dc86-43ae-91f1-157c2b6efddb +id: 7d008bdc-f620-5661-b386-06d2f655c12a status: experimental description: | Detects potential files activity of Aspia RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,9 +16,9 @@ logsource: detection: selection: TargetFilename|endswith: - - C:\Users\*\AppData\Roaming\aspia\client.ini - - C:\Users\*\AppData\Local\Temp\aspia\aspia_client-*.log - - C:\Program Files\Aspia\Client\qt.conf + - 'C:\Users\*\AppData\Roaming\aspia\client.ini' + - 'C:\Users\*\AppData\Local\Temp\aspia\aspia_client-*.log' + - 'C:\Program Files\Aspia\Client\qt.conf' condition: selection falsepositives: - Legitimate use of Aspia diff --git a/detections/sigma/aspia_network_sigma.yml b/detections/sigma/aspia_network_sigma.yml index 38ea848c..139b1a4f 100644 --- a/detections/sigma/aspia_network_sigma.yml +++ b/detections/sigma/aspia_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Aspia RMM Tool Network Activity -id: 413afa8d-3ea2-4561-814a-b77f4d9d652c +id: e03486e4-0c5d-5337-8ff5-3ffe8cf32f66 status: experimental description: | Detects potential network activity of Aspia RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: https://github.com/dchapyshev/aspia + DestinationHostname|endswith: 'https://github.com/dchapyshev/aspia' condition: selection falsepositives: - Legitimate use of Aspia diff --git a/detections/sigma/aspia_processes_sigma.yml b/detections/sigma/aspia_processes_sigma.yml index ab450e50..30a21c50 100644 --- a/detections/sigma/aspia_processes_sigma.yml +++ b/detections/sigma/aspia_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Aspia RMM Tool Process Activity -id: e99e5977-1f68-48e8-9fd5-5e67840021d1 +id: 8aea3415-5723-5f0d-8afa-9c722f137e31 status: experimental description: | Detects potential processes activity of Aspia RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: aspia_client.exe + ParentImage|endswith: '*\aspia_client.exe' selection_image: - Image|endswith: aspia_client.exe + Image|endswith: '*\aspia_client.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Aspia diff --git a/detections/sigma/atera_files_sigma.yml b/detections/sigma/atera_files_sigma.yml index 77ce2b46..3e240fdb 100644 --- a/detections/sigma/atera_files_sigma.yml +++ b/detections/sigma/atera_files_sigma.yml @@ -1,12 +1,12 @@ title: Potential Atera RMM Tool File Activity -id: b7910581-e65f-4a2c-ae44-0edb2479154d +id: 16b7fb6f-538e-5caf-b575-ef1a0b693f7c status: experimental description: | Detects potential files activity of Atera RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
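Review bot: The process selectors in this hunk gain a `*\` prefix (`'*\aspia_client.exe'`) while other process rules in the same commit keep bare names (`'ManualLauncher.exe'`, `'apc_host.exe'`), the Atera processes hunk mixes both forms in a single list, and the Bitvise hunks use the prefix again. Under `endswith` the leading `*` is redundant, but the `\` matters: it anchors the match to a path separator so that `notaspia_client.exe` is not matched, which is the form the bare-name rules should adopt too. Presumably the prefix reflects how each entry is written in the source yaml; normalising in the generator (strip a leading `*`, emit `\` followed by the image name for Windows process rules) would make the rule set consistent instead of depending on each yaml author.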
@@ -16,15 +16,15 @@ logsource: detection: selection: TargetFilename|endswith: - - C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRunCommandInteractive\log.txt - - C:\Program Files\ATERA Networks\AteraAgent\Packages\* - - C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe - - C:\Program Files\Atera Networks\AlphaAgent.exe - - C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe - - C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe - - C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe - - C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageFileExplorer\AgentPackageFileExplorer.exe - - C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRunCommandInteractive\AgentPackageRunCommandInteractive.exe + - 'C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRunCommandInteractive\log.txt' + - 'C:\Program Files\ATERA Networks\AteraAgent\Packages\*' + - 'C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe' + - 'C:\Program Files\Atera Networks\AlphaAgent.exe' + - 'C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe' + - 'C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe' + - 'C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe' + - 'C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageFileExplorer\AgentPackageFileExplorer.exe' + - 'C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRunCommandInteractive\AgentPackageRunCommandInteractive.exe' condition: selection falsepositives: - Legitimate use of Atera diff --git a/detections/sigma/atera_network_sigma.yml b/detections/sigma/atera_network_sigma.yml index fde98c72..9e7a423a 100644 --- a/detections/sigma/atera_network_sigma.yml 
+++ b/detections/sigma/atera_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Atera RMM Tool Network Activity -id: 674787f1-97f4-4b3f-ae3a-361e909e800d +id: d59b2d4e-0991-559c-9c9c-27b4038191be status: experimental description: | Detects potential network activity of Atera RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,21 +16,20 @@ logsource: detection: selection: DestinationHostname|endswith: - - pubsub.atera.com - - pubsub.pubnub.com - - agentreporting.atera.com - - getalphacontrol.com - - app.atera.com - - agenthb.atera.com - - packagesstore.blob.core.windows.net - - ps.pndsn.com - - agent-api.atera.com - - cacerts.thawte.com - - agentreportingstore.blob.core.windows.net - - atera-agent-heartbeat.servicebus.windows.net - - ps.atera.com - - atera.pubnubapi.com - - appcdn.atera.com + - 'pubsub.atera.com' + - 'pubsub.pubnub.com' + - 'agentreporting.atera.com' + - 'getalphacontrol.com' + - 'app.atera.com' + - 'agenthb.atera.com' + - 'packagesstore.blob.core.windows.net' + - 'ps.pndsn.com' + - 'agent-api.atera.com' + - 'agentreportingstore.blob.core.windows.net' + - 'atera-agent-heartbeat.servicebus.windows.net' + - 'ps.atera.com' + - 'atera.pubnubapi.com' + - 'appcdn.atera.com' condition: selection falsepositives: - Legitimate use of Atera diff --git a/detections/sigma/atera_processes_sigma.yml b/detections/sigma/atera_processes_sigma.yml index 107d1527..2cd8a751 100644 --- a/detections/sigma/atera_processes_sigma.yml +++ b/detections/sigma/atera_processes_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential Atera RMM Tool Process Activity -id: e151128f-c963-49f4-8899-5d9280d85880 +id: 418237cd-7d23-5667-914b-4651419344b9 status: experimental description: | Detects potential processes activity of Atera RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,22 +16,22 @@ logsource: detection: selection_parent: ParentImage|endswith: - - AgentPackageNetworkDiscovery.exe - - AgentPackageTaskScheduler.exe - - AteraAgent.exe - - atera_agent.exe - - atera_agent.exe - - ateraagent.exe - - syncrosetup.exe + - '*\AgentPackageNetworkDiscovery.exe' + - '*\AgentPackageTaskScheduler.exe' + - '*\AteraAgent.exe' + - 'atera_agent.exe' + - 'atera_agent.exe' + - 'ateraagent.exe' + - 'syncrosetup.exe' selection_image: Image|endswith: - - AgentPackageNetworkDiscovery.exe - - AgentPackageTaskScheduler.exe - - AteraAgent.exe - - atera_agent.exe - - atera_agent.exe - - ateraagent.exe - - syncrosetup.exe + - '*\AgentPackageNetworkDiscovery.exe' + - '*\AgentPackageTaskScheduler.exe' + - '*\AteraAgent.exe' + - 'atera_agent.exe' + - 'atera_agent.exe' + - 'ateraagent.exe' + - 'syncrosetup.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Atera diff --git a/detections/sigma/atera_registry_sigma.yml b/detections/sigma/atera_registry_sigma.yml index 7741ddbc..5ff54738 100644 --- a/detections/sigma/atera_registry_sigma.yml +++ b/detections/sigma/atera_registry_sigma.yml @@ -1,12 +1,12 @@ title: Potential Atera RMM Tool Registry Activity -id: b69b6b57-5522-4407-8ea1-a74632142f81 +id: 3ab147be-c8db-5c67-a3fc-836c5772273e status: experimental description: | Detects potential registry activity of Atera RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
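Review bot: The new ParentImage and Image lists in the Atera processes hunk carry `'atera_agent.exe'` twice, and since Sigma string matching is case-insensitive, `'*\AteraAgent.exe'` and `'ateraagent.exe'` overlap as well; the baramundi network file added later in this commit likewise lists `'*.baramundi.com'` twice, with `'www.baramundi.com'`, `'docs.baramundi.com'` and `'isodownload.baramundi.com'` already covered by it. The duplicates are harmless for matching but show that sigma-gen.py writes the artifact lists as collected; de-duplicating each list order-preservingly before writing, e.g. `list(dict.fromkeys(values))`, would keep the generated rules tidy and stop regeneration from churning on source duplicates.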
@@ -16,15 +16,15 @@ logsource: detection: selection: TargetObject|contains: - - HKLM\SOFTWARE\ATERA Networks\AlphaAgent - - HKLM\SYSTEM\CurrentControlSet\Services\AteraAgent - - KLM\SOFTWARE\WOW6432Node\Splashtop Inc. - - HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Splashtop Software Updater - - HKLM\SYSTEM\ControlSet\Services\EventLog\Application\AlphaAgent - - HKLM\SYSTEM\ControlSet\Services\EventLog\Application\AteraAgent - - HKLM\SOFTWARE\Microsoft\Tracing\AteraAgent_RASAPI32 - - HKLM\SOFTWARE\Microsoft\Tracing\AteraAgent_RASMANCS - - HKLM\SOFTWARE\ATERA Networks\* + - 'HKLM\SOFTWARE\ATERA Networks\AlphaAgent' + - 'HKLM\SYSTEM\CurrentControlSet\Services\AteraAgent' + - 'KLM\SOFTWARE\WOW6432Node\Splashtop Inc.' + - 'HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Splashtop Software Updater' + - 'HKLM\SYSTEM\ControlSet\Services\EventLog\Application\AlphaAgent' + - 'HKLM\SYSTEM\ControlSet\Services\EventLog\Application\AteraAgent' + - 'HKLM\SOFTWARE\Microsoft\Tracing\AteraAgent_RASAPI32' + - 'HKLM\SOFTWARE\Microsoft\Tracing\AteraAgent_RASMANCS' + - 'HKLM\SOFTWARE\ATERA Networks\*' condition: selection falsepositives: - Legitimate use of Atera diff --git a/detections/sigma/auvik_network_sigma.yml b/detections/sigma/auvik_network_sigma.yml index ac92b8eb..f140cf00 100644 --- a/detections/sigma/auvik_network_sigma.yml +++ b/detections/sigma/auvik_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Auvik RMM Tool Network Activity -id: 6184c193-a07b-43e8-b72e-6e62b4ec73c9 +id: 5ebf1127-b3c1-53e9-9760-e542a5e326d9 status: experimental description: | Detects potential network activity of Auvik RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
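Review bot: `'KLM\SOFTWARE\WOW6432Node\Splashtop Inc.'` is missing its leading `H`; it still matches today only because the modifier is `contains`, and a later move to `startswith` or to a normalised key prefix would silently break it, so the source yaml entry should read `'HKLM\SOFTWARE\WOW6432Node\Splashtop Inc.'`. The trailing wildcard in `'HKLM\SOFTWARE\ATERA Networks\*'` adds nothing under `contains`, and that entry already subsumes `'HKLM\SOFTWARE\ATERA Networks\AlphaAgent'`. The two Splashtop keys are presumably there because the Atera agent ships a Splashtop component; a note in the source yaml saying so would help analysts avoid attributing a standalone Splashtop install to Atera.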
@@ -16,9 +16,9 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.my.auvik.com - - *.auvik.com - - auvik.com + - '*.my.auvik.com' + - '*.auvik.com' + - 'auvik.com' condition: selection falsepositives: - Legitimate use of Auvik diff --git a/detections/sigma/auvik_processes_sigma.yml b/detections/sigma/auvik_processes_sigma.yml index 24f0b1af..605b0c85 100644 --- a/detections/sigma/auvik_processes_sigma.yml +++ b/detections/sigma/auvik_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Auvik RMM Tool Process Activity -id: 5e122c70-c7cd-4f0d-ab0b-c5d0ba91ffab +id: 41f0444d-6d10-536a-95f3-09a0c8bdec06 status: experimental description: | Detects potential processes activity of Auvik RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - auvik.engine.exe - - auvik.agent.exe + - 'auvik.engine.exe' + - 'auvik.agent.exe' selection_image: Image|endswith: - - auvik.engine.exe - - auvik.agent.exe + - 'auvik.engine.exe' + - 'auvik.agent.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Auvik diff --git a/detections/sigma/aweray_network_sigma.yml b/detections/sigma/aweray_network_sigma.yml index c3fd3931..b0cad03f 100644 --- a/detections/sigma/aweray_network_sigma.yml +++ b/detections/sigma/aweray_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential AweRay RMM Tool Network Activity -id: 4bcb82fa-7d77-4720-948a-c445b9fb7976 +id: 59c68e6a-acfa-54df-9ad5-7371e311ad96 status: experimental description: | Detects potential network activity of AweRay RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - asapi*.aweray.net - - client-api.aweray.com + - 'asapi*.aweray.net' + - 'client-api.aweray.com' condition: selection falsepositives: - Legitimate use of AweRay diff --git a/detections/sigma/aweray_processes_sigma.yml b/detections/sigma/aweray_processes_sigma.yml index 07e17452..429eee6c 100644 --- a/detections/sigma/aweray_processes_sigma.yml +++ b/detections/sigma/aweray_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential AweRay RMM Tool Process Activity -id: b57062f2-1916-44dd-9ea0-4e96e06f7721 +id: 711b30b0-2032-5dd4-9e8a-c41b82b8b56a status: experimental description: | Detects potential processes activity of AweRay RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - aweray_remote*.exe - - AweSun.exe + - 'aweray_remote*.exe' + - 'AweSun.exe' selection_image: Image|endswith: - - aweray_remote*.exe - - AweSun.exe + - 'aweray_remote*.exe' + - 'AweSun.exe' condition: 1 of selection_* falsepositives: - Legitimate use of AweRay diff --git a/detections/sigma/baramundi_management_suite_files_sigma.yml b/detections/sigma/baramundi_management_suite_files_sigma.yml new file mode 100644 index 00000000..bad81ac9 --- /dev/null +++ b/detections/sigma/baramundi_management_suite_files_sigma.yml 
@@ -0,0 +1,22 @@ +title: Potential baramundi Management Suite RMM Tool File Activity +id: 999f157a-b11a-5b19-bde9-4dd581031cb2 +status: experimental +description: | + Detects potential files activity of baramundi Management Suite RMM tool +references: + - https://github.com/magicsword-io/LOLRMM +author: LOLRMM Project +date: 2026-02-03 +tags: + - attack.execution + - attack.t1219 +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename|endswith: 'C:\Program Files\bsag\bma\bma.exe' + condition: selection +falsepositives: + - Legitimate use of baramundi Management Suite +level: medium diff --git a/detections/sigma/baramundi_management_suite_network_sigma.yml b/detections/sigma/baramundi_management_suite_network_sigma.yml new file mode 100644 index 00000000..4c1f7b78 --- /dev/null +++ b/detections/sigma/baramundi_management_suite_network_sigma.yml @@ -0,0 +1,27 @@ +title: Potential baramundi Management Suite RMM Tool Network Activity +id: 6a3f6976-7dc0-5aaa-a981-b4f18b374b6d +status: experimental +description: | + Detects potential network activity of baramundi Management Suite RMM tool +references: + - https://github.com/magicsword-io/LOLRMM +author: LOLRMM Project +date: 2026-02-03 +tags: + - attack.execution + - attack.t1219 +logsource: + product: windows + category: network_connection +detection: + selection: + DestinationHostname|endswith: + - '*.baramundi.com' + - 'www.baramundi.com' + - 'docs.baramundi.com' + - 'isodownload.baramundi.com' + - '*.baramundi.com' + condition: selection +falsepositives: + - Legitimate use of baramundi Management Suite +level: medium diff --git a/detections/sigma/barracuda_network_sigma.yml b/detections/sigma/barracuda_network_sigma.yml index 8b463f05..1d3fd11f 100644 --- a/detections/sigma/barracuda_network_sigma.yml +++ b/detections/sigma/barracuda_network_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential Barracuda RMM Tool Network Activity -id: f15d23a0-b1aa-4e74-afe5-4c500848a66d +id: 3d84d486-cefd-5a6a-89e3-cbf41838f8e2 status: experimental description: | Detects potential network activity of Barracuda RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,9 +16,9 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.islonline.net - - rmm.barracudamsp.com - - barracudamsp.com + - '*.islonline.net' + - 'rmm.barracudamsp.com' + - 'barracudamsp.com' condition: selection falsepositives: - Legitimate use of Barracuda diff --git a/detections/sigma/basecamp_network_sigma.yml b/detections/sigma/basecamp_network_sigma.yml index a590f11c..4881a1a2 100644 --- a/detections/sigma/basecamp_network_sigma.yml +++ b/detections/sigma/basecamp_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Basecamp RMM Tool Network Activity -id: 890f9d7c-6d30-468e-aee2-2b10c767fff6 +id: 7b84e0c7-ca69-51df-ab26-b1a83afae31c status: experimental description: | Detects potential network activity of Basecamp RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: basecamp.com + DestinationHostname|endswith: 'basecamp.com' condition: selection falsepositives: - Legitimate use of Basecamp diff --git a/detections/sigma/beamyourscreen_network_sigma.yml b/detections/sigma/beamyourscreen_network_sigma.yml index 0bce4a0e..c54f5ffb 100644 --- a/detections/sigma/beamyourscreen_network_sigma.yml +++ b/detections/sigma/beamyourscreen_network_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential BeamYourScreen RMM Tool Network Activity -id: 5c6428ad-4e34-4c26-9459-ecd2ac372496 +id: 95c5c4fa-841d-5c6d-8c6d-41c8d3a36de1 status: experimental description: | Detects potential network activity of BeamYourScreen RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - beamyourscreen.com - - *.beamyourscreen.com + - 'beamyourscreen.com' + - '*.beamyourscreen.com' condition: selection falsepositives: - Legitimate use of BeamYourScreen diff --git a/detections/sigma/beamyourscreen_processes_sigma.yml b/detections/sigma/beamyourscreen_processes_sigma.yml index fc667d07..08ba77ce 100644 --- a/detections/sigma/beamyourscreen_processes_sigma.yml +++ b/detections/sigma/beamyourscreen_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential BeamYourScreen RMM Tool Process Activity -id: c288ef87-eaa9-4de0-9ad5-39167ee79527 +id: 515bb822-a67e-57af-9d88-af17147d2916 status: experimental description: | Detects potential processes activity of BeamYourScreen RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - beamyourscreen.exe - - beamyourscreen-host.exe + - 'beamyourscreen.exe' + - 'beamyourscreen-host.exe' selection_image: Image|endswith: - - beamyourscreen.exe - - beamyourscreen-host.exe + - 'beamyourscreen.exe' + - 'beamyourscreen-host.exe' condition: 1 of selection_* falsepositives: - Legitimate use of BeamYourScreen diff --git a/detections/sigma/beanywhere_network_sigma.yml b/detections/sigma/beanywhere_network_sigma.yml index 8580f19b..9c56a97b 100644 --- a/detections/sigma/beanywhere_network_sigma.yml +++ b/detections/sigma/beanywhere_network_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential BeAnyWhere RMM Tool Network Activity -id: e68427eb-6abc-4dbe-85b9-0ca93e3742ed +id: d4357bf4-139a-51ea-97b5-5700251446f6 status: experimental description: | Detects potential network activity of BeAnyWhere RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - beanywhere.en.uptodown.com/windows - - beanywhere.com + - 'beanywhere.en.uptodown.com/windows' + - 'beanywhere.com' condition: selection falsepositives: - Legitimate use of BeAnyWhere diff --git a/detections/sigma/beanywhere_processes_sigma.yml b/detections/sigma/beanywhere_processes_sigma.yml index cb94a237..cfdd7a1a 100644 --- a/detections/sigma/beanywhere_processes_sigma.yml +++ b/detections/sigma/beanywhere_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential BeAnyWhere RMM Tool Process Activity -id: 4838d652-76f6-4171-b998-1943633ffbc3 +id: 0ca8ec9d-d4e6-56fe-afa4-9ec032c65a97 status: experimental description: | Detects potential processes activity of BeAnyWhere RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,24 +16,24 @@ logsource: detection: selection_parent: ParentImage|endswith: - - basuptshelper.exe - - basupsrvcupdate.exe - - BASupApp.exe - - BASupSysInf.exe - - BASupAppSrvc.exe - - TakeControl.exe - - BASupAppElev.exe - - basupsrvc.exe + - 'basuptshelper.exe' + - 'basupsrvcupdate.exe' + - 'BASupApp.exe' + - 'BASupSysInf.exe' + - 'BASupAppSrvc.exe' + - 'TakeControl.exe' + - 'BASupAppElev.exe' + - 'basupsrvc.exe' selection_image: Image|endswith: - - basuptshelper.exe - - basupsrvcupdate.exe - - BASupApp.exe - - BASupSysInf.exe - - BASupAppSrvc.exe - - TakeControl.exe - - BASupAppElev.exe - - basupsrvc.exe + - 'basuptshelper.exe' + - 'basupsrvcupdate.exe' + - 'BASupApp.exe' + - 'BASupSysInf.exe' + - 'BASupAppSrvc.exe' + - 'TakeControl.exe' + - 'BASupAppElev.exe' + - 'basupsrvc.exe' condition: 1 of selection_* falsepositives: - Legitimate use of BeAnyWhere diff --git a/detections/sigma/beinsync_network_sigma.yml b/detections/sigma/beinsync_network_sigma.yml index 53271d8d..48a02493 100644 --- a/detections/sigma/beinsync_network_sigma.yml +++ b/detections/sigma/beinsync_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential BeInSync RMM Tool Network Activity -id: 815a3008-1333-4d9d-a475-99dab884d493 +id: 38d0538c-31b6-5b86-8499-d2c790eb868b status: experimental description: | Detects potential network activity of BeInSync RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.beinsync.net - - *.beinsync.com + - '*.beinsync.net' + - '*.beinsync.com' condition: selection falsepositives: - Legitimate use of BeInSync diff --git a/detections/sigma/beinsync_processes_sigma.yml b/detections/sigma/beinsync_processes_sigma.yml index 112d7d71..3a5e3e51 100644 --- a/detections/sigma/beinsync_processes_sigma.yml +++ b/detections/sigma/beinsync_processes_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential BeInSync RMM Tool Process Activity -id: 608f00ea-10b2-49c6-8b5f-7a0ca2c31d4f +id: 52b76eb2-977f-5b1c-9414-0bde6a679e4e status: experimental description: | Detects potential processes activity of BeInSync RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: Beinsync*.exe + ParentImage|endswith: 'Beinsync*.exe' selection_image: - Image|endswith: Beinsync*.exe + Image|endswith: 'Beinsync*.exe' condition: 1 of selection_* falsepositives: - Legitimate use of BeInSync diff --git a/detections/sigma/beyondtrust__bomgar__network_sigma.yml b/detections/sigma/beyondtrust__bomgar__network_sigma.yml index e07fd5f5..8d837893 100644 --- a/detections/sigma/beyondtrust__bomgar__network_sigma.yml +++ b/detections/sigma/beyondtrust__bomgar__network_sigma.yml @@ -1,12 +1,12 @@ title: Potential BeyondTrust (Bomgar) RMM Tool Network Activity -id: 694d14f2-df79-4aaa-b59f-ee94278977fc +id: 31a6cb1f-8fc3-5d01-ae00-8814d0900248 status: experimental description: | Detects potential network activity of BeyondTrust (Bomgar) RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,9 +16,9 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.beyondtrustcloud.com - - *.bomgarcloud.com - - bomgarcloud.com + - '*.beyondtrustcloud.com' + - '*.bomgarcloud.com' + - 'bomgarcloud.com' condition: selection falsepositives: - Legitimate use of BeyondTrust (Bomgar) diff --git a/detections/sigma/beyondtrust__bomgar__processes_sigma.yml b/detections/sigma/beyondtrust__bomgar__processes_sigma.yml index 35d617c5..3ee64f49 100644 --- a/detections/sigma/beyondtrust__bomgar__processes_sigma.yml 
+++ b/detections/sigma/beyondtrust__bomgar__processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential BeyondTrust (Bomgar) RMM Tool Process Activity -id: 208d9aea-6137-4310-bd7c-2db02f30eb8a +id: 9125d93a-b5a7-5991-aa96-48ccfe3b08ff status: experimental description: | Detects potential processes activity of BeyondTrust (Bomgar) RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,18 +16,18 @@ logsource: detection: selection_parent: ParentImage|endswith: - - bomgar-scc-*.exe - - bomgar-scc.exe - - bomgar-pac-*.exe - - bomgar-pac.exe - - bomgar-rdp.exe + - 'bomgar-scc-*.exe' + - 'bomgar-scc.exe' + - 'bomgar-pac-*.exe' + - 'bomgar-pac.exe' + - 'bomgar-rdp.exe' selection_image: Image|endswith: - - bomgar-scc-*.exe - - bomgar-scc.exe - - bomgar-pac-*.exe - - bomgar-pac.exe - - bomgar-rdp.exe + - 'bomgar-scc-*.exe' + - 'bomgar-scc.exe' + - 'bomgar-pac-*.exe' + - 'bomgar-pac.exe' + - 'bomgar-rdp.exe' condition: 1 of selection_* falsepositives: - Legitimate use of BeyondTrust (Bomgar) diff --git a/detections/sigma/bitvise_ssh_client_processes_sigma.yml b/detections/sigma/bitvise_ssh_client_processes_sigma.yml index 2eb6930c..6aa41ebc 100644 --- a/detections/sigma/bitvise_ssh_client_processes_sigma.yml +++ b/detections/sigma/bitvise_ssh_client_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Bitvise SSH Client RMM Tool Process Activity -id: 7f1fada1-517d-48d8-8a82-69fed9148224 +id: c28e3f32-2644-56cf-b101-93151f52b360 status: experimental description: | Detects potential processes activity of Bitvise SSH Client RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: BvSshClient-Inst.exe + ParentImage|endswith: '*\BvSshClient-Inst.exe' selection_image: - Image|endswith: BvSshClient-Inst.exe + Image|endswith: '*\BvSshClient-Inst.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Bitvise SSH Client diff --git a/detections/sigma/bitvise_ssh_server_processes_sigma.yml b/detections/sigma/bitvise_ssh_server_processes_sigma.yml index cd0d6871..84bac28b 100644 --- a/detections/sigma/bitvise_ssh_server_processes_sigma.yml +++ b/detections/sigma/bitvise_ssh_server_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Bitvise SSH Server RMM Tool Process Activity -id: 037e22d4-9e7b-44ce-ab0f-30841dfc2b9b +id: ac726cbf-0c75-5177-be9d-94cfc0dcd736 status: experimental description: | Detects potential processes activity of Bitvise SSH Server RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: BvSshServer-Inst.exe + ParentImage|endswith: '*\BvSshServer-Inst.exe' selection_image: - Image|endswith: BvSshServer-Inst.exe + Image|endswith: '*\BvSshServer-Inst.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Bitvise SSH Server diff --git a/detections/sigma/bluetrait_files_sigma.yml b/detections/sigma/bluetrait_files_sigma.yml index 7e45fff9..3f9600fb 100644 --- a/detections/sigma/bluetrait_files_sigma.yml +++ b/detections/sigma/bluetrait_files_sigma.yml 
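Review bot: `'*\BvSshClient-Inst.exe'` is the only form in this batch that anchors on a path separator; under `endswith` the leading `*` is already implied, so `'\BvSshClient-Inst.exe'` is the conventional Sigma spelling. The backslash is the part worth keeping and propagating — other process rules in this commit use bare names such as `'dwrcs.exe'`, which a suffix match will also accept at the end of an unrelated file name. Consider having the generator emit the `\` prefix for every Image/ParentImage indicator, presumably driven from the source definitions it reads.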
@@ -1,12 +1,12 @@ title: Potential Bluetrait RMM Tool File Activity -id: 28f4af4e-d03d-4148-98fe-8ccea55e4572 +id: 3c9415f1-7451-5cd7-b664-5f74241ab4a5 status: experimental description: | Detects potential files activity of Bluetrait RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,11 +16,11 @@ logsource: detection: selection: TargetFilename|endswith: - - C:\Program Files (x86)\Bluetrait Agent\Bluetrait MSP Agent.exe - - C:\Program Files (x86)\Bluetrait Agent\BluetraitUserAgent.exe - - C:\Program Files (x86)\Bluetrait Agent\config.db - - C:\Program Files (x86)\Bluetrait Agent\config.json - - C:\Program Files (x86)\Bluetrait Agent\libraries\paexec.exe + - 'C:\Program Files (x86)\Bluetrait Agent\Bluetrait MSP Agent.exe' + - 'C:\Program Files (x86)\Bluetrait Agent\BluetraitUserAgent.exe' + - 'C:\Program Files (x86)\Bluetrait Agent\config.db' + - 'C:\Program Files (x86)\Bluetrait Agent\config.json' + - 'C:\Program Files (x86)\Bluetrait Agent\libraries\paexec.exe' condition: selection falsepositives: - Legitimate use of Bluetrait diff --git a/detections/sigma/bluetrait_network_sigma.yml b/detections/sigma/bluetrait_network_sigma.yml index 77e89892..12018e98 100644 --- a/detections/sigma/bluetrait_network_sigma.yml +++ b/detections/sigma/bluetrait_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Bluetrait RMM Tool Network Activity -id: 93108072-c01a-49c7-ae19-bf3730ac5f86 +id: 7b82b4eb-1d6e-5858-8a4e-138a57840c66 status: experimental description: | Detects potential network activity of Bluetrait RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - bluetrait.io - - *.bluetrait.io + - 'bluetrait.io' + - '*.bluetrait.io' condition: selection falsepositives: - Legitimate use of Bluetrait diff --git a/detections/sigma/centrastage__now_datto__network_sigma.yml b/detections/sigma/centrastage__now_datto__network_sigma.yml index e5b78d1f..c9d1b551 100644 --- a/detections/sigma/centrastage__now_datto__network_sigma.yml +++ b/detections/sigma/centrastage__now_datto__network_sigma.yml @@ -1,12 +1,12 @@ title: Potential CentraStage (Now Datto) RMM Tool Network Activity -id: dc92ed7e-9e42-4533-b244-f6d424efab0f +id: 2881c97b-4674-5ba0-809c-f4aeea00f981 status: experimental description: | Detects potential network activity of CentraStage (Now Datto) RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,9 +16,9 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.rmm.datto.com - - *cc.centrastage.net - - datto.com/au/products/rmm/ + - '*.rmm.datto.com' + - '*cc.centrastage.net' + - 'datto.com/au/products/rmm/' condition: selection falsepositives: - Legitimate use of CentraStage (Now Datto) diff --git a/detections/sigma/centrastage__now_datto__processes_sigma.yml b/detections/sigma/centrastage__now_datto__processes_sigma.yml index c088caa5..ffb15e65 100644 --- a/detections/sigma/centrastage__now_datto__processes_sigma.yml +++ b/detections/sigma/centrastage__now_datto__processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential CentraStage (Now Datto) RMM Tool Process Activity -id: e0867d17-bfc8-43e2-8607-939676a6b412 +id: 8986ff10-b5a7-5960-8e31-70841d340ae8 status: experimental description: | Detects potential processes activity of CentraStage (Now Datto) RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
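Review bot: `'datto.com/au/products/rmm/'` is a URL path, not a hostname, so that `DestinationHostname|endswith` entry can never match a network_connection event and only adds noise to the CentraStage rule. Drop it (or move it to `references:`) and keep the two host patterns, `- '*.rmm.datto.com'` and `- '*cc.centrastage.net'`. As the file is generated, the stray value presumably comes from the source definition and should be cleaned there.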
@@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - CagService.exe - - AEMAgent.exe + - 'CagService.exe' + - 'AEMAgent.exe' selection_image: Image|endswith: - - CagService.exe - - AEMAgent.exe + - 'CagService.exe' + - 'AEMAgent.exe' condition: 1 of selection_* falsepositives: - Legitimate use of CentraStage (Now Datto) diff --git a/detections/sigma/centurion_network_sigma.yml b/detections/sigma/centurion_network_sigma.yml index 2571e53c..0b221d9e 100644 --- a/detections/sigma/centurion_network_sigma.yml +++ b/detections/sigma/centurion_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Centurion RMM Tool Network Activity -id: 4edb8177-08d8-4d5f-8cf6-cb488b87f729 +id: 0ad4624d-7f8c-57e3-9983-5c8afd6300ed status: experimental description: | Detects potential network activity of Centurion RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: centuriontech.com + DestinationHostname|endswith: 'centuriontech.com' condition: selection falsepositives: - Legitimate use of Centurion diff --git a/detections/sigma/centurion_processes_sigma.yml b/detections/sigma/centurion_processes_sigma.yml index 83364983..b6b68849 100644 --- a/detections/sigma/centurion_processes_sigma.yml +++ b/detections/sigma/centurion_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Centurion RMM Tool Process Activity -id: 497ba66f-fb7d-4cc7-97aa-97fc6e4ea9ca +id: 6505221f-cf22-520c-8c3b-3be78b43b05c status: experimental description: | Detects potential processes activity of Centurion RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: ctiserv.exe + ParentImage|endswith: 'ctiserv.exe' selection_image: - Image|endswith: ctiserv.exe + Image|endswith: 'ctiserv.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Centurion diff --git a/detections/sigma/chrome_remote_desktop_network_sigma.yml b/detections/sigma/chrome_remote_desktop_network_sigma.yml index 13d02548..2cd6acb7 100644 --- a/detections/sigma/chrome_remote_desktop_network_sigma.yml +++ b/detections/sigma/chrome_remote_desktop_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Chrome Remote Desktop RMM Tool Network Activity -id: fb58cca5-8a73-401f-92ad-abf0e5c09e89 +id: 72dccdee-9224-5b8c-b6f3-139c5f6ad971 status: experimental description: | Detects potential network activity of Chrome Remote Desktop RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection: DestinationHostname|endswith: - - *remotedesktop.google.com - - *remotedesktop-pa.googleapis.com - - remotedesktop.google.com - - chromoting-client.talkgadget.google.com - - chromoting-host.talkgadget.google.com - - chromoting-oauth.talkgadget.google.com + - '*remotedesktop.google.com' + - '*remotedesktop-pa.googleapis.com' + - 'remotedesktop.google.com' + - 'chromoting-client.talkgadget.google.com' + - 'chromoting-host.talkgadget.google.com' + - 'chromoting-oauth.talkgadget.google.com' condition: selection falsepositives: - Legitimate use of Chrome Remote Desktop diff --git a/detections/sigma/chrome_remote_desktop_processes_sigma.yml b/detections/sigma/chrome_remote_desktop_processes_sigma.yml index c12ee303..ffb11b79 100644 --- a/detections/sigma/chrome_remote_desktop_processes_sigma.yml +++ b/detections/sigma/chrome_remote_desktop_processes_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential Chrome Remote Desktop RMM Tool Process Activity -id: bc915205-3ead-4c5b-9cfc-5858b9370aeb +id: ea591f30-b9c4-510f-a485-719096f06a0f status: experimental description: | Detects potential processes activity of Chrome Remote Desktop RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,14 +16,14 @@ logsource: detection: selection_parent: ParentImage|endswith: - - remote_host.exe - - remoting_host.exe - - remoting_host.exe + - 'remote_host.exe' + - 'remoting_host.exe' + - '*\remoting_host.exe' selection_image: Image|endswith: - - remote_host.exe - - remoting_host.exe - - remoting_host.exe + - 'remote_host.exe' + - 'remoting_host.exe' + - '*\remoting_host.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Chrome Remote Desktop diff --git a/detections/sigma/cloudflare_tunnel_network_sigma.yml b/detections/sigma/cloudflare_tunnel_network_sigma.yml index 61acd513..b8598b82 100644 --- a/detections/sigma/cloudflare_tunnel_network_sigma.yml +++ b/detections/sigma/cloudflare_tunnel_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential CloudFlare Tunnel RMM Tool Network Activity -id: e04b9b34-e501-49d9-89f4-f9ae4534131f +id: 75494e1e-0ddc-5086-966d-475c6ef35243 status: experimental description: | Detects potential network activity of CloudFlare Tunnel RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: cloudflare.com/products/tunnel/ + DestinationHostname|endswith: 'cloudflare.com/products/tunnel/' condition: selection falsepositives: - Legitimate use of CloudFlare Tunnel 
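Review bot: The Chrome Remote Desktop selections now list both `'remoting_host.exe'` and `'*\remoting_host.exe'`; with `endswith` the first already covers the second, so the pair is a duplicate carried over from the old file, which had `remoting_host.exe` twice. Keep one entry, ideally the separator-anchored `'\remoting_host.exe'`, and give `'remote_host.exe'` the same `\` prefix so a suffix match cannot fire on an unrelated name that happens to end in those characters.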
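Review bot: The CloudFlare Tunnel network rule's only indicator, `'cloudflare.com/products/tunnel/'`, is a product page URL in a hostname field, so the rule cannot match any real connection and is effectively dead. Either populate the selection with the tunnel service's actual hostnames in the source definition or have the generator skip network rules whose indicators contain `/`. A rule that never fires is worse than none, because it reports as coverage.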
diff --git a/detections/sigma/cloudflare_tunnel_processes_sigma.yml b/detections/sigma/cloudflare_tunnel_processes_sigma.yml index 68151d5a..b9d70e1f 100644 --- a/detections/sigma/cloudflare_tunnel_processes_sigma.yml +++ b/detections/sigma/cloudflare_tunnel_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential CloudFlare Tunnel RMM Tool Process Activity -id: 74702f51-ec4a-4823-af3e-f883ce33e8f8 +id: 9f95ff4f-7088-5e70-88b0-95f6c1818720 status: experimental description: | Detects potential processes activity of CloudFlare Tunnel RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: cloudflared.exe + ParentImage|endswith: 'cloudflared.exe' selection_image: - Image|endswith: cloudflared.exe + Image|endswith: 'cloudflared.exe' condition: 1 of selection_* falsepositives: - Legitimate use of CloudFlare Tunnel diff --git a/detections/sigma/comodo_rmm_network_sigma.yml b/detections/sigma/comodo_rmm_network_sigma.yml index 1e33add5..bf1ddd5e 100644 --- a/detections/sigma/comodo_rmm_network_sigma.yml +++ b/detections/sigma/comodo_rmm_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Comodo RMM RMM Tool Network Activity -id: cd536a9b-4222-4866-9df4-a5d43aaf88bf +id: d083615c-4f20-53a6-b19f-342e62825f96 status: experimental description: | Detects potential network activity of Comodo RMM RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,9 +16,9 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.itsm-us1.comodo.com - - *mdmsupport.comodo.com - - one.comodo.com + - '*.itsm-us1.comodo.com' + - '*mdmsupport.comodo.com' + - 'one.comodo.com' condition: selection falsepositives: - Legitimate use of Comodo RMM 
diff --git a/detections/sigma/comodo_rmm_processes_sigma.yml b/detections/sigma/comodo_rmm_processes_sigma.yml index 16dce52a..8046255e 100644 --- a/detections/sigma/comodo_rmm_processes_sigma.yml +++ b/detections/sigma/comodo_rmm_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Comodo RMM RMM Tool Process Activity -id: 92cb2669-b3c5-4664-a253-ca98a906a085 +id: d581f469-36fa-5793-a259-3cd16dddc6fd status: experimental description: | Detects potential processes activity of Comodo RMM RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - itsmagent.exe - - rviewer.exe + - 'itsmagent.exe' + - 'rviewer.exe' selection_image: Image|endswith: - - itsmagent.exe - - rviewer.exe + - 'itsmagent.exe' + - 'rviewer.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Comodo RMM diff --git a/detections/sigma/connectwise_automate__labtech__network_sigma.yml b/detections/sigma/connectwise_automate__labtech__network_sigma.yml index 48711e34..67e4231f 100644 --- a/detections/sigma/connectwise_automate__labtech__network_sigma.yml +++ b/detections/sigma/connectwise_automate__labtech__network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Connectwise Automate (LabTech) RMM Tool Network Activity -id: a964c1ea-0038-41c0-ba27-346c80e7e31c +id: 293db247-2294-592f-b891-d9684d5e0282 status: experimental description: | Detects potential network activity of Connectwise Automate (LabTech) RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: *.hostedrmm.com + DestinationHostname|endswith: '*.hostedrmm.com' condition: selection falsepositives: - Legitimate use of Connectwise Automate (LabTech) diff --git a/detections/sigma/connectwise_automate__labtech__processes_sigma.yml b/detections/sigma/connectwise_automate__labtech__processes_sigma.yml index 9a4b851e..f008fbb6 100644 --- a/detections/sigma/connectwise_automate__labtech__processes_sigma.yml +++ b/detections/sigma/connectwise_automate__labtech__processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Connectwise Automate (LabTech) RMM Tool Process Activity -id: f8fdfe0f-1508-46b5-91a7-e0a9c3e4407b +id: 7975ad91-a7b5-5703-a395-968a8229d4a9 status: experimental description: | Detects potential processes activity of Connectwise Automate (LabTech) RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,14 +16,14 @@ logsource: detection: selection_parent: ParentImage|endswith: - - ltsvc.exe - - ltsvcmon.exe - - lttray.exe + - 'ltsvc.exe' + - 'ltsvcmon.exe' + - 'lttray.exe' selection_image: Image|endswith: - - ltsvc.exe - - ltsvcmon.exe - - lttray.exe + - 'ltsvc.exe' + - 'ltsvcmon.exe' + - 'lttray.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Connectwise Automate (LabTech) diff --git a/detections/sigma/connectwise_control_network_sigma.yml b/detections/sigma/connectwise_control_network_sigma.yml index 1bf68635..17217e56 100644 --- a/detections/sigma/connectwise_control_network_sigma.yml +++ b/detections/sigma/connectwise_control_network_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential ConnectWise Control RMM Tool Network Activity -id: 8598b2b0-3a5e-4c6a-b2dc-863d2f130903 +id: 0bd0958e-24ab-564e-956f-7468cf3d3356 status: experimental description: | Detects potential network activity of ConnectWise Control RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - live.screenconnect.com - - control.connectwise.com + - 'live.screenconnect.com' + - 'control.connectwise.com' condition: selection falsepositives: - Legitimate use of ConnectWise Control diff --git a/detections/sigma/connectwise_control_processes_sigma.yml b/detections/sigma/connectwise_control_processes_sigma.yml index 8f2cc07e..e20818e3 100644 --- a/detections/sigma/connectwise_control_processes_sigma.yml +++ b/detections/sigma/connectwise_control_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential ConnectWise Control RMM Tool Process Activity -id: 2208c309-8a9b-49d0-b96f-cff473d97748 +id: a3a68601-a633-5e2b-90b8-8aeac4c8c4e4 status: experimental description: | Detects potential processes activity of ConnectWise Control RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,14 +16,14 @@ logsource: detection: selection_parent: ParentImage|endswith: - - connectwisechat-customer.exe - - connectwisecontrol.client.exe - - screenconnect.windowsclient.exe + - 'connectwisechat-customer.exe' + - 'connectwisecontrol.client.exe' + - 'screenconnect.windowsclient.exe' selection_image: Image|endswith: - - connectwisechat-customer.exe - - connectwisecontrol.client.exe - - screenconnect.windowsclient.exe + - 'connectwisechat-customer.exe' + - 'connectwisecontrol.client.exe' + - 'screenconnect.windowsclient.exe' condition: 1 of selection_* falsepositives: - Legitimate use of ConnectWise Control diff --git a/detections/sigma/crossloop_network_sigma.yml b/detections/sigma/crossloop_network_sigma.yml index c6a95ba1..a17edc32 100644 --- a/detections/sigma/crossloop_network_sigma.yml +++ b/detections/sigma/crossloop_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential CrossLoop RMM Tool Network Activity -id: 40f7000c-d0eb-45a0-9203-f6db301528de +id: 99770785-9c41-5435-8839-372a9c8e2b07 status: experimental description: | Detects potential network activity of CrossLoop RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.crossloop.com - - crossloop.en.softonic.com + - '*.crossloop.com' + - 'crossloop.en.softonic.com' condition: selection falsepositives: - Legitimate use of CrossLoop diff --git a/detections/sigma/crossloop_processes_sigma.yml b/detections/sigma/crossloop_processes_sigma.yml index 25b0a05f..4e998c11 100644 --- a/detections/sigma/crossloop_processes_sigma.yml +++ b/detections/sigma/crossloop_processes_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential CrossLoop RMM Tool Process Activity -id: b59a1213-6778-4ba7-b466-15a04a64d532 +id: 67431f75-7e18-5e2b-af78-b6415e48bf2f status: experimental description: | Detects potential processes activity of CrossLoop RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,14 +16,14 @@ logsource: detection: selection_parent: ParentImage|endswith: - - crossloopservice.exe - - CrossLoopConnect.exe - - WinVNCStub.exe + - 'crossloopservice.exe' + - 'CrossLoopConnect.exe' + - 'WinVNCStub.exe' selection_image: Image|endswith: - - crossloopservice.exe - - CrossLoopConnect.exe - - WinVNCStub.exe + - 'crossloopservice.exe' + - 'CrossLoopConnect.exe' + - 'WinVNCStub.exe' condition: 1 of selection_* falsepositives: - Legitimate use of CrossLoop diff --git a/detections/sigma/crosstec_remote_control_network_sigma.yml b/detections/sigma/crosstec_remote_control_network_sigma.yml index 1a8acb33..df25a29e 100644 --- a/detections/sigma/crosstec_remote_control_network_sigma.yml +++ b/detections/sigma/crosstec_remote_control_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential CrossTec Remote Control RMM Tool Network Activity -id: 91c888e7-1d6d-4cdc-beef-b0c049a647fd +id: 6c3d64ea-c89c-53ed-90b9-fe1b45f201d0 status: experimental description: | Detects potential network activity of CrossTec Remote Control RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - user_managed - - crosstecsoftware.com/remotecontrol + - 'user_managed' + - 'crosstecsoftware.com/remotecontrol' condition: selection falsepositives: - Legitimate use of CrossTec Remote Control 
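Review bot: `'user_managed'` is a placeholder, not a hostname, and `'crosstecsoftware.com/remotecontrol'` is a URL path; neither value in the CrossTec DestinationHostname selection can match a network_connection event. The generator should filter these out (e.g. skip values containing `/` or equal to `user_managed`) and omit the network rule when nothing usable remains, rather than emitting a rule that can only produce false confidence or, for a suffix match on `user_managed`, odd hits on hosts ending in that string.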
diff --git a/detections/sigma/crosstec_remote_control_processes_sigma.yml b/detections/sigma/crosstec_remote_control_processes_sigma.yml index e88da10a..ae6c91d9 100644 --- a/detections/sigma/crosstec_remote_control_processes_sigma.yml +++ b/detections/sigma/crosstec_remote_control_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential CrossTec Remote Control RMM Tool Process Activity -id: 453cefc5-e656-4b6f-a421-03969acdeddd +id: 3658e4fb-2277-5c96-af7d-66c4519250b7 status: experimental description: | Detects potential processes activity of CrossTec Remote Control RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - PCIVIDEO.EXE - - supporttool.exe + - 'PCIVIDEO.EXE' + - 'supporttool.exe' selection_image: Image|endswith: - - PCIVIDEO.EXE - - supporttool.exe + - 'PCIVIDEO.EXE' + - 'supporttool.exe' condition: 1 of selection_* falsepositives: - Legitimate use of CrossTec Remote Control diff --git a/detections/sigma/dameware_network_sigma.yml b/detections/sigma/dameware_network_sigma.yml index 43e9feea..08ba211b 100644 --- a/detections/sigma/dameware_network_sigma.yml +++ b/detections/sigma/dameware_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential DameWare RMM Tool Network Activity -id: 58145224-11b2-4a3e-8d37-1f7769459ece +id: 3c6b800b-0504-5583-9396-02b4defb8181 status: experimental description: | Detects potential network activity of DameWare RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: dameware.com + DestinationHostname|endswith: 'dameware.com' condition: selection falsepositives: - Legitimate use of DameWare 
diff --git a/detections/sigma/dameware_processes_sigma.yml b/detections/sigma/dameware_processes_sigma.yml index 4dabd158..89d0a04f 100644 --- a/detections/sigma/dameware_processes_sigma.yml +++ b/detections/sigma/dameware_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential DameWare RMM Tool Process Activity -id: 9c274b89-fa4c-4030-903b-129f013ecee6 +id: b79fd824-6056-5227-b17f-3cbf8c729d67 status: experimental description: | Detects potential processes activity of DameWare RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,22 +16,22 @@ logsource: detection: selection_parent: ParentImage|endswith: - - SolarWinds-Dameware-DRS*.exe - - DameWare Mini Remote Control*.exe - - dntus*.exe - - dwrcs.exe - - dwrcst.exe - - DameWare Remote Support.exe - - SolarWinds-Dameware-MRC*.exe + - 'SolarWinds-Dameware-DRS*.exe' + - 'DameWare Mini Remote Control*.exe' + - 'dntus*.exe' + - 'dwrcs.exe' + - '*\dwrcst.exe' + - 'DameWare Remote Support.exe' + - 'SolarWinds-Dameware-MRC*.exe' selection_image: Image|endswith: - - SolarWinds-Dameware-DRS*.exe - - DameWare Mini Remote Control*.exe - - dntus*.exe - - dwrcs.exe - - dwrcst.exe - - DameWare Remote Support.exe - - SolarWinds-Dameware-MRC*.exe + - 'SolarWinds-Dameware-DRS*.exe' + - 'DameWare Mini Remote Control*.exe' + - 'dntus*.exe' + - 'dwrcs.exe' + - '*\dwrcst.exe' + - 'DameWare Remote Support.exe' + - 'SolarWinds-Dameware-MRC*.exe' condition: 1 of selection_* falsepositives: - Legitimate use of DameWare diff --git a/detections/sigma/deskday_network_sigma.yml b/detections/sigma/deskday_network_sigma.yml index 86d1e816..e1fe3a8e 100644 --- a/detections/sigma/deskday_network_sigma.yml +++ b/detections/sigma/deskday_network_sigma.yml 
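Review bot: Only `'*\dwrcst.exe'` in the DameWare lists is anchored on a path separator while the siblings (`'dwrcs.exe'`, `'dntus*.exe'`, …) are bare suffixes, which is inconsistent and leaves the bare ones matching any file name that merely ends in those characters. Normalise all entries to the `\name` form, e.g. `- '\dwrcs.exe'` and `- '\dwrcst.exe'`, presumably in the source definition the generator reads. Note that `endswith` already implies the leading `*`, so `'*\'` and `'\'` behave the same.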
@@ -1,12 +1,12 @@ title: Potential DeskDay RMM Tool Network Activity -id: d4cfe618-7477-44c2-a9b1-34e0add888fe +id: ec7f887d-a13e-5e5b-8491-ab6bed87a1e7 status: experimental description: | Detects potential network activity of DeskDay RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - deskday.ai - - app.deskday.ai + - 'deskday.ai' + - 'app.deskday.ai' condition: selection falsepositives: - Legitimate use of DeskDay diff --git a/detections/sigma/deskday_processes_sigma.yml b/detections/sigma/deskday_processes_sigma.yml index 27c9ac7b..7c0388dd 100644 --- a/detections/sigma/deskday_processes_sigma.yml +++ b/detections/sigma/deskday_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential DeskDay RMM Tool Process Activity -id: 0ab77c50-f1f2-4427-8e18-5c30e7b97351 +id: 731b379c-a7fe-5630-9149-561e6955a908 status: experimental description: | Detects potential processes activity of DeskDay RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: ultimate_*.exe + ParentImage|endswith: 'ultimate_*.exe' selection_image: - Image|endswith: ultimate_*.exe + Image|endswith: 'ultimate_*.exe' condition: 1 of selection_* falsepositives: - Legitimate use of DeskDay diff --git a/detections/sigma/deskshare_network_sigma.yml b/detections/sigma/deskshare_network_sigma.yml index 8abca15b..1bf0af6e 100644 --- a/detections/sigma/deskshare_network_sigma.yml +++ b/detections/sigma/deskshare_network_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential DeskShare RMM Tool Network Activity -id: 5c3bdd06-0757-4713-8682-a098e436113f +id: deef7543-ba1c-5a9e-a284-bdbeeb4a9f6f status: experimental description: | Detects potential network activity of DeskShare RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: user_managed + DestinationHostname|endswith: 'user_managed' condition: selection falsepositives: - Legitimate use of DeskShare diff --git a/detections/sigma/deskshare_processes_sigma.yml b/detections/sigma/deskshare_processes_sigma.yml index f52687f3..9bbc064b 100644 --- a/detections/sigma/deskshare_processes_sigma.yml +++ b/detections/sigma/deskshare_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential DeskShare RMM Tool Process Activity -id: 3e853e40-0c3e-4e9e-94ed-5786aa7268ee +id: 372fdee7-19bb-501d-ad80-cf6244c40bfe status: experimental description: | Detects potential processes activity of DeskShare RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - TeamTaskManager.exe - - DSGuest.exe + - 'TeamTaskManager.exe' + - 'DSGuest.exe' selection_image: Image|endswith: - - TeamTaskManager.exe - - DSGuest.exe + - 'TeamTaskManager.exe' + - 'DSGuest.exe' condition: 1 of selection_* falsepositives: - Legitimate use of DeskShare diff --git a/detections/sigma/desktopnow_network_sigma.yml b/detections/sigma/desktopnow_network_sigma.yml index 52e79bfb..746c04e6 100644 --- a/detections/sigma/desktopnow_network_sigma.yml +++ b/detections/sigma/desktopnow_network_sigma.yml 
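Review bot: The DeskShare network rule consists solely of `DestinationHostname|endswith: 'user_managed'`, a placeholder rather than a domain, so it can never match legitimate telemetry and should not have been generated. Have the generator treat `user_managed` as "no network indicator" and skip writing the file, leaving only the process rule for this tool.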
@@ -1,12 +1,12 @@ title: Potential DesktopNow RMM Tool Network Activity -id: 8e485557-189d-4e48-835c-f55b3e114c4e +id: 23562e9b-0deb-5d34-a12f-9ffebfcc110e status: experimental description: | Detects potential network activity of DesktopNow RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: *.nchuser.com + DestinationHostname|endswith: '*.nchuser.com' condition: selection falsepositives: - Legitimate use of DesktopNow diff --git a/detections/sigma/desktopnow_processes_sigma.yml b/detections/sigma/desktopnow_processes_sigma.yml index c89596df..f1fc6441 100644 --- a/detections/sigma/desktopnow_processes_sigma.yml +++ b/detections/sigma/desktopnow_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential DesktopNow RMM Tool Process Activity -id: 89659168-cbba-4db8-8e19-bf82dca35a04 +id: 0a645493-88e9-534d-9c54-3e5698ae8301 status: experimental description: | Detects potential processes activity of DesktopNow RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: desktopnow.exe + ParentImage|endswith: 'desktopnow.exe' selection_image: - Image|endswith: desktopnow.exe + Image|endswith: 'desktopnow.exe' condition: 1 of selection_* falsepositives: - Legitimate use of DesktopNow diff --git a/detections/sigma/dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml b/detections/sigma/dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml index 5f5e6cb0..d55ef6fb 100644 --- a/detections/sigma/dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml +++ b/detections/sigma/dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential Dev Tunnels (aka Visual Studio Dev Tunnel) RMM Tool Network Activity -id: 0d2e5351-66d9-4054-98f3-15492cdb8d64 +id: 583a972f-64dc-5410-91b8-bf8eb8f64122 status: experimental description: | Detects potential network activity of Dev Tunnels (aka Visual Studio Dev Tunnel) RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview + DestinationHostname|endswith: 'learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview' condition: selection falsepositives: - Legitimate use of Dev Tunnels (aka Visual Studio Dev Tunnel) diff --git a/detections/sigma/devolutions_remote_desktop_manager_files_sigma.yml b/detections/sigma/devolutions_remote_desktop_manager_files_sigma.yml index b5d80b03..5368ce11 100644 --- a/detections/sigma/devolutions_remote_desktop_manager_files_sigma.yml +++ b/detections/sigma/devolutions_remote_desktop_manager_files_sigma.yml @@ -1,12 +1,12 @@ title: Potential Devolutions Remote Desktop Manager RMM Tool File Activity -id: 19ed3ecc-024f-4afe-bc9c-5c61e581846f +id: 21280f5a-30e9-5f10-9312-d6492722012d status: experimental description: | Detects potential files activity of Devolutions Remote Desktop Manager RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
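Review bot: The only network indicator, `'learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview'`, is a documentation URL, not a hostname, so this DestinationHostname rule cannot match any connection made by a dev tunnel. Replace it with the service's actual hostnames in the source definition (and keep the docs link under `references:`), or have the generator drop network indicators that contain `/`.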
@@ -16,9 +16,9 @@ logsource: detection: selection: TargetFilename|endswith: - - %localappdata%\Devolutions\RemoteDesktopManager\Connections.log - - %localappdata%\Devolutions\RemoteDesktopManager[GUID]\Mru.xml - - %localappdata%\Devolutions\RemoteDesktopManager\Connections.db + - '%localappdata%\Devolutions\RemoteDesktopManager\Connections.log' + - '%localappdata%\Devolutions\RemoteDesktopManager[GUID]\Mru.xml' + - '%localappdata%\Devolutions\RemoteDesktopManager\Connections.db' condition: selection falsepositives: - Legitimate use of Devolutions Remote Desktop Manager diff --git a/detections/sigma/devolutions_remote_desktop_manager_processes_sigma.yml b/detections/sigma/devolutions_remote_desktop_manager_processes_sigma.yml index e0f09ffb..355b89cc 100644 --- a/detections/sigma/devolutions_remote_desktop_manager_processes_sigma.yml +++ b/detections/sigma/devolutions_remote_desktop_manager_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Devolutions Remote Desktop Manager RMM Tool Process Activity -id: e8b6dc64-4719-4dc0-bd10-c3a01531247d +id: c9a9c17f-0fb9-5266-96d1-4d33908c9c5f status: experimental description: | Detects potential processes activity of Devolutions Remote Desktop Manager RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: RemoteDesktopManager.exe + ParentImage|endswith: '*\RemoteDesktopManager.exe' selection_image: - Image|endswith: RemoteDesktopManager.exe + Image|endswith: '*\RemoteDesktopManager.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Devolutions Remote Desktop Manager diff --git a/detections/sigma/distant_desktop_network_sigma.yml b/detections/sigma/distant_desktop_network_sigma.yml index 30f28eee..6cb28c4c 100644 --- a/detections/sigma/distant_desktop_network_sigma.yml 
+++ b/detections/sigma/distant_desktop_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Distant Desktop RMM Tool Network Activity -id: 2f291701-fbc4-40b9-8c4b-447e1d64ab37 +id: 16b90e49-779d-53de-9296-18ccee322203 status: experimental description: | Detects potential network activity of Distant Desktop RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.distantdesktop.com - - *signalserver.xyz + - '*.distantdesktop.com' + - '*signalserver.xyz' condition: selection falsepositives: - Legitimate use of Distant Desktop diff --git a/detections/sigma/distant_desktop_processes_sigma.yml b/detections/sigma/distant_desktop_processes_sigma.yml index 1ce464f9..775cb420 100644 --- a/detections/sigma/distant_desktop_processes_sigma.yml +++ b/detections/sigma/distant_desktop_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Distant Desktop RMM Tool Process Activity -id: 9184b9f8-a983-4e99-a729-8a3b0c4d8b17 +id: b567fd28-af59-5ca8-9dd3-1de918bd52d4 status: experimental description: | Detects potential processes activity of Distant Desktop RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,14 +16,14 @@ logsource: detection: selection_parent: ParentImage|endswith: - - ddsystem.exe - - dd.exe - - distant-desktop.exe + - 'ddsystem.exe' + - 'dd.exe' + - 'distant-desktop.exe' selection_image: Image|endswith: - - ddsystem.exe - - dd.exe - - distant-desktop.exe + - 'ddsystem.exe' + - 'dd.exe' + - 'distant-desktop.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Distant Desktop diff --git a/detections/sigma/domotz_network_sigma.yml b/detections/sigma/domotz_network_sigma.yml index 9d96b381..cc90b709 100644 
--- a/detections/sigma/domotz_network_sigma.yml +++ b/detections/sigma/domotz_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Domotz RMM Tool Network Activity -id: 441ff6b0-0c7d-4378-9b90-11bcb0959a73 +id: 7a70e801-7efa-5341-8fa0-9c2a50863134 status: experimental description: | Detects potential network activity of Domotz RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,9 +16,9 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.domotz.co - - domotz.com - - *cell-1.domotz.com + - '*.domotz.co' + - 'domotz.com' + - '*cell-1.domotz.com' condition: selection falsepositives: - Legitimate use of Domotz diff --git a/detections/sigma/domotz_processes_sigma.yml b/detections/sigma/domotz_processes_sigma.yml index 88e7edec..fd2d1af9 100644 --- a/detections/sigma/domotz_processes_sigma.yml +++ b/detections/sigma/domotz_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Domotz RMM Tool Process Activity -id: cdebd910-7dad-4923-a4db-c40e4ae85d80 +id: d8380a02-7d07-5be1-8d33-be5762487a84 status: experimental description: | Detects potential processes activity of Domotz RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,20 +16,20 @@ logsource: detection: selection_parent: ParentImage|endswith: - - domotz.exe - - Domotz Pro Desktop App.exe - - domotz_bash.exe - - domotz*.exe - - Domotz Pro Desktop App Setup*.exe - - domotz-windows*.exe + - 'domotz.exe' + - 'Domotz Pro Desktop App.exe' + - 'domotz_bash.exe' + - 'domotz*.exe' + - 'Domotz Pro Desktop App Setup*.exe' + - 'domotz-windows*.exe' selection_image: Image|endswith: - - domotz.exe - - Domotz Pro Desktop App.exe - - domotz_bash.exe - - domotz*.exe - - Domotz Pro Desktop App Setup*.exe - - domotz-windows*.exe + - 'domotz.exe' + - 'Domotz Pro Desktop App.exe' + - 'domotz_bash.exe' + - 'domotz*.exe' + - 'Domotz Pro Desktop App Setup*.exe' + - 'domotz-windows*.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Domotz diff --git a/detections/sigma/dragondisk_processes_sigma.yml b/detections/sigma/dragondisk_processes_sigma.yml index 17d0386b..5300df0f 100644 --- a/detections/sigma/dragondisk_processes_sigma.yml +++ b/detections/sigma/dragondisk_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential DragonDisk RMM Tool Process Activity -id: 00fa5c3d-6dc6-447a-88dd-e3a222f365e6 +id: 0b572432-c86e-54d8-bfde-71a5d77f6ef6 status: experimental description: | Detects potential processes activity of DragonDisk RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: DragonDisk.exe + ParentImage|endswith: '*\DragonDisk.exe' selection_image: - Image|endswith: DragonDisk.exe + Image|endswith: '*\DragonDisk.exe' condition: 1 of selection_* falsepositives: - Legitimate use of DragonDisk diff --git a/detections/sigma/duet_display_network_sigma.yml b/detections/sigma/duet_display_network_sigma.yml new file mode 100644 index 00000000..fb1cf189 --- /dev/null +++ b/detections/sigma/duet_display_network_sigma.yml 
@@ -0,0 +1,27 @@ +title: Potential Duet Display RMM Tool Network Activity +id: f35b39c2-45b7-5beb-87f4-9586f5ec4374 +status: experimental +description: | + Detects potential network activity of Duet Display RMM tool +references: + - https://github.com/magicsword-io/LOLRMM +author: LOLRMM Project +date: 2026-02-03 +tags: + - attack.execution + - attack.t1219 +logsource: + product: windows + category: network_connection +detection: + selection: + DestinationHostname|endswith: + - '*.duetdisplay.com' + - 'rdp.duetdisplay.com' + - 'duetdisplay.com' + - '*.itagent.com' + - 'itagent.com' + condition: selection +falsepositives: + - Legitimate use of Duet Display +level: medium diff --git a/detections/sigma/duet_display_processes_sigma.yml b/detections/sigma/duet_display_processes_sigma.yml new file mode 100644 index 00000000..0c88576e --- /dev/null +++ b/detections/sigma/duet_display_processes_sigma.yml @@ -0,0 +1,30 @@ +title: Potential Duet Display RMM Tool Process Activity +id: e9133ac9-398c-5a2a-9a97-1b0006fcfe10 +status: experimental +description: | + Detects potential processes activity of Duet Display RMM tool +references: + - https://github.com/magicsword-io/LOLRMM +author: LOLRMM Project +date: 2026-02-03 +tags: + - attack.execution + - attack.t1219 +logsource: + product: windows + category: process_creation +detection: + selection_parent: + ParentImage|endswith: + - 'duet.exe' + - 'DuetSetup.exe' + - 'DuetDisp.exe' + selection_image: + Image|endswith: + - 'duet.exe' + - 'DuetSetup.exe' + - 'DuetDisp.exe' + condition: 1 of selection_* +falsepositives: + - Legitimate use of Duet Display +level: medium diff --git a/detections/sigma/duplicati_processes_sigma.yml b/detections/sigma/duplicati_processes_sigma.yml index d1502d5a..a0e704b7 100644 --- a/detections/sigma/duplicati_processes_sigma.yml +++ b/detections/sigma/duplicati_processes_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential Duplicati RMM Tool Process Activity -id: 9246a25b-e2de-4756-ad67-a9d3f2f798e6 +id: 8cc7086b-ff45-5b34-978c-32a7b65e5da3 status: experimental description: | Detects potential processes activity of Duplicati RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - Duplicati.Server.exe - - Duplicati.Server.exe + - 'c:\Program Files\*\Duplicati.Server.exe' + - '*\*\Duplicati.Server.exe' selection_image: Image|endswith: - - Duplicati.Server.exe - - Duplicati.Server.exe + - 'c:\Program Files\*\Duplicati.Server.exe' + - '*\*\Duplicati.Server.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Duplicati diff --git a/detections/sigma/dw_service_network_sigma.yml b/detections/sigma/dw_service_network_sigma.yml index c1b6d39d..be1593e8 100644 --- a/detections/sigma/dw_service_network_sigma.yml +++ b/detections/sigma/dw_service_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential DW Service RMM Tool Network Activity -id: ac97424e-1da4-4940-9535-19a8d20c992a +id: fa86ead5-e0f6-5dfa-8889-c598457cd8fd status: experimental description: | Detects potential network activity of DW Service RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: *.dwservice.net + DestinationHostname|endswith: '*.dwservice.net' condition: selection falsepositives: - Legitimate use of DW Service diff --git a/detections/sigma/dw_service_processes_sigma.yml b/detections/sigma/dw_service_processes_sigma.yml index 9392cbe2..694b0b33 100644 --- a/detections/sigma/dw_service_processes_sigma.yml +++ b/detections/sigma/dw_service_processes_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential DW Service RMM Tool Process Activity -id: 41c78cb0-6366-4b2d-9e34-1caf2811f857 +id: e7d85314-f06d-55d5-95d2-4f26c0e5c6df status: experimental description: | Detects potential processes activity of DW Service RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,14 +16,14 @@ logsource: detection: selection_parent: ParentImage|endswith: - - dwagsvc.exe - - dwagent.exe - - dwagsvc.exe + - 'dwagsvc.exe' + - 'dwagent.exe' + - 'dwagsvc.exe' selection_image: Image|endswith: - - dwagsvc.exe - - dwagent.exe - - dwagsvc.exe + - 'dwagsvc.exe' + - 'dwagent.exe' + - 'dwagsvc.exe' condition: 1 of selection_* falsepositives: - Legitimate use of DW Service diff --git a/detections/sigma/echoware_processes_sigma.yml b/detections/sigma/echoware_processes_sigma.yml index 90273312..3fe00183 100644 --- a/detections/sigma/echoware_processes_sigma.yml +++ b/detections/sigma/echoware_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Echoware RMM Tool Process Activity -id: e03233d4-4bb0-41ed-a5e6-925ef0241a82 +id: 39fb08c9-1c02-5c5d-ba7f-4cafde574bca status: experimental description: | Detects potential processes activity of Echoware RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: echoserver*.exe + ParentImage|endswith: 'echoserver*.exe' selection_image: - Image|endswith: echoserver*.exe + Image|endswith: 'echoserver*.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Echoware diff --git a/detections/sigma/ehorus_network_sigma.yml b/detections/sigma/ehorus_network_sigma.yml index 7efd1d1c..ce328597 100644 --- a/detections/sigma/ehorus_network_sigma.yml +++ b/detections/sigma/ehorus_network_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential eHorus RMM Tool Network Activity -id: d077b7a1-3771-4db3-a281-b172ceb16a11 +id: a2bd3fa6-dd53-57eb-890d-8f260cc431c1 status: experimental description: | Detects potential network activity of eHorus RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: ehorus.com + DestinationHostname|endswith: 'ehorus.com' condition: selection falsepositives: - Legitimate use of eHorus diff --git a/detections/sigma/ehorus_processes_sigma.yml b/detections/sigma/ehorus_processes_sigma.yml index b96fdaed..216117bf 100644 --- a/detections/sigma/ehorus_processes_sigma.yml +++ b/detections/sigma/ehorus_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential eHorus RMM Tool Process Activity -id: 740d017e-89db-4f2e-9cbe-74e08503bb76 +id: 8a763258-c629-561e-89ff-7459ec0349c7 status: experimental description: | Detects potential processes activity of eHorus RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,9 +15,19 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: ehorus standalone.exe + ParentImage|endswith: + - 'ehorus standalone.exe' + - 'ehorus_agent.exe' + - 'ehorus_cmd.exe' + - 'ehorus_launcher.exe' + - 'ehorus_uit.exe' selection_image: - Image|endswith: ehorus standalone.exe + Image|endswith: + - 'ehorus standalone.exe' + - 'ehorus_agent.exe' + - 'ehorus_cmd.exe' + - 'ehorus_launcher.exe' + - 'ehorus_uit.exe' condition: 1 of selection_* falsepositives: - Legitimate use of eHorus diff --git a/detections/sigma/electric_ai__kaseya__network_sigma.yml b/detections/sigma/electric_ai__kaseya__network_sigma.yml index ded70831..90396a5b 100644 
--- a/detections/sigma/electric_ai__kaseya__network_sigma.yml +++ b/detections/sigma/electric_ai__kaseya__network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Electric AI (Kaseya) RMM Tool Network Activity -id: bef256ea-20de-413d-86c4-c6b6c825b233 +id: 117eec80-86b3-5705-b69e-742638940486 status: experimental description: | Detects potential network activity of Electric AI (Kaseya) RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: electric.ai + DestinationHostname|endswith: 'electric.ai' condition: selection falsepositives: - Legitimate use of Electric AI (Kaseya) diff --git a/detections/sigma/emco_remote_console_network_sigma.yml b/detections/sigma/emco_remote_console_network_sigma.yml index f1672d5c..36b2a112 100644 --- a/detections/sigma/emco_remote_console_network_sigma.yml +++ b/detections/sigma/emco_remote_console_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential EMCO Remote Console RMM Tool Network Activity -id: 44e12795-672a-4e2d-9507-820c799bbb4e +id: 0a625550-f7bb-501f-a966-c0ba16d3f217 status: experimental description: | Detects potential network activity of EMCO Remote Console RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - user_managed - - emcosoftware.com + - 'user_managed' + - 'emcosoftware.com' condition: selection falsepositives: - Legitimate use of EMCO Remote Console diff --git a/detections/sigma/emco_remote_console_processes_sigma.yml b/detections/sigma/emco_remote_console_processes_sigma.yml index 69e76189..784eaf67 100644 --- a/detections/sigma/emco_remote_console_processes_sigma.yml 
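Review bot: The EMCO Remote Console network hunk emits `- 'user_managed'` as a `DestinationHostname|endswith` value, which looks like a source-data placeholder for "customer-hosted server" rather than a hostname; it cannot match legitimate traffic and makes the rule's coverage misleading. The same placeholder reaches the Ericom AccessNow, Ericom Connect and ESET Remote Administrator network rules further down. Since these files are regenerated by `bin/sigma-gen.py`, the generator (or the `yaml/` entries) should skip non-hostname sentinel values rather than quoting them into the rule, e.g. by filtering `user_managed` out of the network artifact list before writing the selection.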
+++ b/detections/sigma/emco_remote_console_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential EMCO Remote Console RMM Tool Process Activity -id: e9d24069-d14f-4172-9d84-211e9ed6ae00 +id: 9aff3c62-1367-5320-bb29-8cc3de64491e status: experimental description: | Detects potential processes activity of EMCO Remote Console RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: remoteconsole.exe + ParentImage|endswith: 'remoteconsole.exe' selection_image: - Image|endswith: remoteconsole.exe + Image|endswith: 'remoteconsole.exe' condition: 1 of selection_* falsepositives: - Legitimate use of EMCO Remote Console diff --git a/detections/sigma/encapto_network_sigma.yml b/detections/sigma/encapto_network_sigma.yml index 6782d6e4..419c948e 100644 --- a/detections/sigma/encapto_network_sigma.yml +++ b/detections/sigma/encapto_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Encapto RMM Tool Network Activity -id: e4ebc834-c565-481c-9738-403e98cf56ff +id: cd3a032c-19f6-5ccd-bb5b-a250d977c0ff status: experimental description: | Detects potential network activity of Encapto RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: encapto.com + DestinationHostname|endswith: 'encapto.com' condition: selection falsepositives: - Legitimate use of Encapto diff --git a/detections/sigma/ericom_accessnow_network_sigma.yml b/detections/sigma/ericom_accessnow_network_sigma.yml index 7ef39c89..bae7c175 100644 --- a/detections/sigma/ericom_accessnow_network_sigma.yml +++ b/detections/sigma/ericom_accessnow_network_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential Ericom AccessNow RMM Tool Network Activity -id: 703a98a7-a3c1-4904-b15a-5036ecd321df +id: 3cc9326c-2884-521d-b06a-0ade9d255014 status: experimental description: | Detects potential network activity of Ericom AccessNow RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - user_managed - - ericom.com + - 'user_managed' + - 'ericom.com' condition: selection falsepositives: - Legitimate use of Ericom AccessNow diff --git a/detections/sigma/ericom_accessnow_processes_sigma.yml b/detections/sigma/ericom_accessnow_processes_sigma.yml index 770bf3d5..d6839b5f 100644 --- a/detections/sigma/ericom_accessnow_processes_sigma.yml +++ b/detections/sigma/ericom_accessnow_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Ericom AccessNow RMM Tool Process Activity -id: d690f9fc-4a5d-44e6-8a1a-b9ffe1704d80 +id: f77f551f-7c4f-58c4-85cb-af7d8cf941ed status: experimental description: | Detects potential processes activity of Ericom AccessNow RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - accessserver*.exe - - accessserver.exe + - 'accessserver*.exe' + - 'accessserver.exe' selection_image: Image|endswith: - - accessserver*.exe - - accessserver.exe + - 'accessserver*.exe' + - 'accessserver.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Ericom AccessNow diff --git a/detections/sigma/ericom_connect_network_sigma.yml b/detections/sigma/ericom_connect_network_sigma.yml index fa8c8122..b368fac4 100644 --- a/detections/sigma/ericom_connect_network_sigma.yml +++ b/detections/sigma/ericom_connect_network_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential Ericom Connect RMM Tool Network Activity -id: 61428f56-15e4-4f39-8aed-8d2b027024e0 +id: 0e1ba511-f87f-59af-a058-01efb0b57e5c status: experimental description: | Detects potential network activity of Ericom Connect RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - user_managed - - ericom.com + - 'user_managed' + - 'ericom.com' condition: selection falsepositives: - Legitimate use of Ericom Connect diff --git a/detections/sigma/ericom_connect_processes_sigma.yml b/detections/sigma/ericom_connect_processes_sigma.yml index c9dd724d..65e8dc37 100644 --- a/detections/sigma/ericom_connect_processes_sigma.yml +++ b/detections/sigma/ericom_connect_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Ericom Connect RMM Tool Process Activity -id: cf91f3b2-c602-46db-a818-561fb133d981 +id: be98e39d-09bf-5678-aa72-78672b5c2ddd status: experimental description: | Detects potential processes activity of Ericom Connect RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - EricomConnectRemoteHost*.exe - - ericomconnnectconfigurationtool.exe + - 'EricomConnectRemoteHost*.exe' + - 'ericomconnnectconfigurationtool.exe' selection_image: Image|endswith: - - EricomConnectRemoteHost*.exe - - ericomconnnectconfigurationtool.exe + - 'EricomConnectRemoteHost*.exe' + - 'ericomconnnectconfigurationtool.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Ericom Connect diff --git a/detections/sigma/eset_remote_administrator_network_sigma.yml b/detections/sigma/eset_remote_administrator_network_sigma.yml index db14fe7a..8063971e 100644 
--- a/detections/sigma/eset_remote_administrator_network_sigma.yml +++ b/detections/sigma/eset_remote_administrator_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential ESET Remote Administrator RMM Tool Network Activity -id: 1f07c61b-b329-4814-af2a-de7c4bf3e993 +id: d7182391-7192-5549-8695-9693099b144f status: experimental description: | Detects potential network activity of ESET Remote Administrator RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - user_managed - - eset.com/me/business/remote-management/remote-administrator/ + - 'user_managed' + - 'eset.com/me/business/remote-management/remote-administrator/' condition: selection falsepositives: - Legitimate use of ESET Remote Administrator diff --git a/detections/sigma/eset_remote_administrator_processes_sigma.yml b/detections/sigma/eset_remote_administrator_processes_sigma.yml index fdd50552..57d52f28 100644 --- a/detections/sigma/eset_remote_administrator_processes_sigma.yml +++ b/detections/sigma/eset_remote_administrator_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential ESET Remote Administrator RMM Tool Process Activity -id: 0d8dffd2-87ec-4672-8092-e31f3319c573 +id: 67a186c4-18bb-5757-aaa6-7da54a748b81 status: experimental description: | Detects potential processes activity of ESET Remote Administrator RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,18 +16,18 @@ logsource: detection: selection_parent: ParentImage|endswith: - - era.exe - - einstaller.exe - - ezhelp*.exe - - eratool.exe - - ERAAgent.exe + - 'era.exe' + - 'einstaller.exe' + - 'ezhelp*.exe' + - 'eratool.exe' + - 'ERAAgent.exe' selection_image: Image|endswith: - - era.exe - - einstaller.exe - - ezhelp*.exe - - eratool.exe - - ERAAgent.exe + - 'era.exe' + - 'einstaller.exe' + - 'ezhelp*.exe' + - 'eratool.exe' + - 'ERAAgent.exe' condition: 1 of selection_* falsepositives: - Legitimate use of ESET Remote Administrator diff --git a/detections/sigma/extraputty_processes_sigma.yml b/detections/sigma/extraputty_processes_sigma.yml index ce9b7a97..79a9980f 100644 --- a/detections/sigma/extraputty_processes_sigma.yml +++ b/detections/sigma/extraputty_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential ExtraPuTTY RMM Tool Process Activity -id: 8b630c38-e054-4ece-b4f9-fd5c36e31300 +id: c192fe2b-80af-529f-8073-59107307b310 status: experimental description: | Detects potential processes activity of ExtraPuTTY RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,14 +16,14 @@ logsource: detection: selection_parent: ParentImage|endswith: - - ExtraPuTTY-0.30-2016-01-28-installer.exe - - ExtraPuTTY-0.30-2016-01-28-installer.exe - - ExtraPuTTY-0.30-2016-01-28-installer.exe + - 'C:\Users\*\ExtraPuTTY-0.30-2016-01-28-installer.exe' + - '*Users\*\ExtraPuTTY-0.30-2016-01-28-installer.exe' + - '*\ExtraPuTTY-0.30-2016-01-28-installer.exe' selection_image: Image|endswith: - - ExtraPuTTY-0.30-2016-01-28-installer.exe - - ExtraPuTTY-0.30-2016-01-28-installer.exe - - ExtraPuTTY-0.30-2016-01-28-installer.exe + - 'C:\Users\*\ExtraPuTTY-0.30-2016-01-28-installer.exe' + - '*Users\*\ExtraPuTTY-0.30-2016-01-28-installer.exe' + - '*\ExtraPuTTY-0.30-2016-01-28-installer.exe' condition: 1 of selection_* falsepositives: - Legitimate use of ExtraPuTTY 
diff --git a/detections/sigma/ezhelp_network_sigma.yml b/detections/sigma/ezhelp_network_sigma.yml index a879cd4d..ae597bbf 100644 --- a/detections/sigma/ezhelp_network_sigma.yml +++ b/detections/sigma/ezhelp_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential ezHelp RMM Tool Network Activity -id: c2b0145b-04ca-4d20-9601-782f90628b95 +id: 1db1db8e-1c97-5ce9-9fcc-d7fdc6b7a9f6 status: experimental description: | Detects potential network activity of ezHelp RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.ezhelp.co.kr - - ezhelp.co.kr + - '*.ezhelp.co.kr' + - 'ezhelp.co.kr' condition: selection falsepositives: - Legitimate use of ezHelp diff --git a/detections/sigma/ezhelp_processes_sigma.yml b/detections/sigma/ezhelp_processes_sigma.yml index df7b649e..95e999bb 100644 --- a/detections/sigma/ezhelp_processes_sigma.yml +++ b/detections/sigma/ezhelp_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential ezHelp RMM Tool Process Activity -id: 2c222c93-0da9-42b1-9e95-66f095c16abd +id: c732e963-0046-590e-8794-0da34f0c7745 status: experimental description: | Detects potential processes activity of ezHelp RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,14 +16,14 @@ logsource: detection: selection_parent: ParentImage|endswith: - - ezhelpclientmanager.exe - - ezHelpManager.exe - - ezhelpclient.exe + - 'ezhelpclientmanager.exe' + - 'ezHelpManager.exe' + - 'ezhelpclient.exe' selection_image: Image|endswith: - - ezhelpclientmanager.exe - - ezHelpManager.exe - - ezhelpclient.exe + - 'ezhelpclientmanager.exe' + - 'ezHelpManager.exe' + - 'ezhelpclient.exe' condition: 1 of selection_* falsepositives: - Legitimate use of ezHelp 
diff --git a/detections/sigma/fastviewer_network_sigma.yml b/detections/sigma/fastviewer_network_sigma.yml index 636d5824..37966162 100644 --- a/detections/sigma/fastviewer_network_sigma.yml +++ b/detections/sigma/fastviewer_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential FastViewer RMM Tool Network Activity -id: ef6971eb-c3e3-4b4c-9187-aff39b218339 +id: b5fc2355-8eed-5627-9e29-50c8fa8b670f status: experimental description: | Detects potential network activity of FastViewer RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.fastviewer.com - - fastviewer.com + - '*.fastviewer.com' + - 'fastviewer.com' condition: selection falsepositives: - Legitimate use of FastViewer diff --git a/detections/sigma/fastviewer_processes_sigma.yml b/detections/sigma/fastviewer_processes_sigma.yml index 34c8078c..1dc1da26 100644 --- a/detections/sigma/fastviewer_processes_sigma.yml +++ b/detections/sigma/fastviewer_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential FastViewer RMM Tool Process Activity -id: 1832aa5d-1fb7-44c3-93df-af4e7e9c62b8 +id: 27b99c31-cc0f-5e88-85a0-3569eece8e34 status: experimental description: | Detects potential processes activity of FastViewer RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,14 +16,14 @@ logsource: detection: selection_parent: ParentImage|endswith: - - fastclient.exe - - fastmaster.exe - - FastViewer.exe + - 'fastclient.exe' + - 'fastmaster.exe' + - 'FastViewer.exe' selection_image: Image|endswith: - - fastclient.exe - - fastmaster.exe - - FastViewer.exe + - 'fastclient.exe' + - 'fastmaster.exe' + - 'FastViewer.exe' condition: 1 of selection_* falsepositives: - Legitimate use of FastViewer 
diff --git a/detections/sigma/fixme.it_network_sigma.yml b/detections/sigma/fixme.it_network_sigma.yml index 456e008b..73afc933 100644 --- a/detections/sigma/fixme.it_network_sigma.yml +++ b/detections/sigma/fixme.it_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential FixMe.it RMM Tool Network Activity -id: 5546797c-7d0f-4799-8252-b3c155a6d042 +id: 6fc3a419-b6a8-5700-b2c0-eac02aa73954 status: experimental description: | Detects potential network activity of FixMe.it RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,11 +16,11 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.fixme.it - - *.techinline.net - - fixme.it - - *set.me - - *setme.net + - '*.fixme.it' + - '*.techinline.net' + - 'fixme.it' + - '*set.me' + - '*setme.net' condition: selection falsepositives: - Legitimate use of FixMe.it diff --git a/detections/sigma/fixme.it_processes_sigma.yml b/detections/sigma/fixme.it_processes_sigma.yml index f9851570..af56bf4f 100644 --- a/detections/sigma/fixme.it_processes_sigma.yml +++ b/detections/sigma/fixme.it_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential FixMe.it RMM Tool Process Activity -id: cbaa410d-82f2-4039-86cf-2fb13ab6bb75 +id: 8828950b-0e73-5dbd-867b-cd50fd421e36 status: experimental description: | Detects potential processes activity of FixMe.it RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,28 +16,28 @@ logsource: detection: selection_parent: ParentImage|endswith: - - FixMeit Client.exe - - TiExpertStandalone.exe - - FixMeitClient*.exe - - TiExpertCore.exe - - FixMeit Unattended Access Setup.exe - - FixMeit Expert Setup.exe - - TiExpertCore.exe - - fixmeitclient.exe - - TiClientCore.exe - - TiClientHelper*.exe + - 'FixMeit Client.exe' + - 'TiExpertStandalone.exe' + - 'FixMeitClient*.exe' + - 'TiExpertCore.exe' + - 'FixMeit Unattended Access Setup.exe' + - 'FixMeit Expert Setup.exe' + - 'TiExpertCore.exe' + - 'fixmeitclient.exe' + - 'TiClientCore.exe' + - 'TiClientHelper*.exe' selection_image: Image|endswith: - - FixMeit Client.exe - - TiExpertStandalone.exe - - FixMeitClient*.exe - - TiExpertCore.exe - - FixMeit Unattended Access Setup.exe - - FixMeit Expert Setup.exe - - TiExpertCore.exe - - fixmeitclient.exe - - TiClientCore.exe - - TiClientHelper*.exe + - 'FixMeit Client.exe' + - 'TiExpertStandalone.exe' + - 'FixMeitClient*.exe' + - 'TiExpertCore.exe' + - 'FixMeit Unattended Access Setup.exe' + - 'FixMeit Expert Setup.exe' + - 'TiExpertCore.exe' + - 'fixmeitclient.exe' + - 'TiClientCore.exe' + - 'TiClientHelper*.exe' condition: 1 of selection_* falsepositives: - Legitimate use of FixMe.it diff --git a/detections/sigma/fleetdeck.io_files_sigma.yml b/detections/sigma/fleetdeck.io_files_sigma.yml new file mode 100644 index 00000000..56f96eac --- /dev/null +++ b/detections/sigma/fleetdeck.io_files_sigma.yml 
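Review bot: `'TiExpertCore.exe'` appears twice in both `ParentImage|endswith` and `Image|endswith` (fourth and seventh entries), which suggests the generator does not de-duplicate artifact lists before writing them. The duplicate is harmless to matching but pads the rule and will be flagged by rule linters; a `list(dict.fromkeys(values))` pass in the generator removes it while preserving order.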
@@ -0,0 +1,26 @@ +title: Potential FleetDeck.io RMM Tool File Activity +id: 21255c6b-9cfa-5dee-9e24-e56723fdb5b5 +status: experimental +description: | + Detects potential files activity of FleetDeck.io RMM tool +references: + - https://github.com/magicsword-io/LOLRMM +author: LOLRMM Project +date: 2026-02-03 +tags: + - attack.execution + - attack.t1219 +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename|endswith: + - 'C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe' + - 'C:\Program Files (x86)\FleetDeck Agent\*\fleetdeck_agent.exe' + - 'C:\Program Files (x86)\FleetDeck Agent\*\fd_agent.dll' + - 'C:\Windows\Temp\FleetDeck\*' + condition: selection +falsepositives: + - Legitimate use of FleetDeck.io +level: medium diff --git a/detections/sigma/fleetdeck.io_network_sigma.yml b/detections/sigma/fleetdeck.io_network_sigma.yml index ad11c944..77523676 100644 --- a/detections/sigma/fleetdeck.io_network_sigma.yml +++ b/detections/sigma/fleetdeck.io_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential FleetDeck.io RMM Tool Network Activity -id: 3a490684-6f45-489b-9941-0848466c09d6 +id: e001f555-c144-52c6-8e35-16d0d74d9556 status: experimental description: | Detects potential network activity of FleetDeck.io RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,9 +16,10 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.fleetdeck.io - - cognito-idp.us-west-2.amazonaws.com - - fleetdeck.io + - '*.fleetdeck.io' + - 'fleetdeck.io' + - 'agentmqtt.fleetdeck.io' + - 'checkip.zmazonaws.com' condition: selection falsepositives: - Legitimate use of FleetDeck.io diff --git a/detections/sigma/fleetdeck.io_processes_sigma.yml b/detections/sigma/fleetdeck.io_processes_sigma.yml index a3b73100..b71a7236 100644 --- a/detections/sigma/fleetdeck.io_processes_sigma.yml 
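Review bot: The `\*` sequences in `'C:\Program Files (x86)\FleetDeck Agent\*\fleetdeck_agent.exe'`, `'...\FleetDeck Agent\*\fd_agent.dll'` and `'C:\Windows\Temp\FleetDeck\*'` are not wildcards under Sigma's value escaping rules, where `\*` denotes a literal asterisk and a wildcard following a backslash must be written `\\*`. As emitted, three of the four entries can only match a path that contains a real `*` character, so they are silently dead. Either escape them (`- 'C:\Program Files (x86)\FleetDeck Agent\\*\fleetdeck_agent.exe'`, `- 'C:\Windows\Temp\FleetDeck\\*'`) or move directory-level entries to a `TargetFilename|contains` selection such as `'\FleetDeck Agent\'`. The same `\*` pattern appears in the fleetdeck.io processes hunk, the FreeNX processes hunk (`'C:\*\nxplayer.exe'`) and the HeartbeatRM files hunk below; since these files are generated, the escaping belongs in the generator.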
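Review bot: `'checkip.zmazonaws.com'` in the added `DestinationHostname` list looks like a typo for `checkip.amazonaws.com` and as written will never match. If the intended host is that public IP-echo service, it is contacted by many unrelated programs and would make this RMM rule noisy, so the entry is probably better dropped than corrected. `'agentmqtt.fleetdeck.io'` is also subsumed by the `'fleetdeck.io'` entry under `endswith`.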
+++ b/detections/sigma/fleetdeck.io_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential FleetDeck.io RMM Tool Process Activity -id: a0ba751b-8a05-491c-8063-c296a877a803 +id: d9764e9b-4c04-5024-af8d-83a5a869cf23 status: experimental description: | Detects potential processes activity of FleetDeck.io RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,18 +16,24 @@ logsource: detection: selection_parent: ParentImage|endswith: - - fleetdeck_agent_svc.exe - - fleetdeck_commander_svc.exe - - fleetdeck_installer.exe - - fleetdeck_commander_launcher.exe - - fleetdeck_agent.exe + - 'C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe' + - 'C:\Program Files (x86)\FleetDeck Agent\*\fleetdeck_agent.exe' + - 'fleetdeck-agent.exe' + - 'fleetdeck_agent_svc.exe' + - 'fleetdeck_commander_svc.exe' + - 'fleetdeck_installer.exe' + - 'fleetdeck_commander_launcher.exe' + - 'fleetdeck_agent.exe' selection_image: Image|endswith: - - fleetdeck_agent_svc.exe - - fleetdeck_commander_svc.exe - - fleetdeck_installer.exe - - fleetdeck_commander_launcher.exe - - fleetdeck_agent.exe + - 'C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent_svc.exe' + - 'C:\Program Files (x86)\FleetDeck Agent\*\fleetdeck_agent.exe' + - 'fleetdeck-agent.exe' + - 'fleetdeck_agent_svc.exe' + - 'fleetdeck_commander_svc.exe' + - 'fleetdeck_installer.exe' + - 'fleetdeck_commander_launcher.exe' + - 'fleetdeck_agent.exe' condition: 1 of selection_* falsepositives: - Legitimate use of FleetDeck.io diff --git a/detections/sigma/fleetdeck.io_registry_sigma.yml b/detections/sigma/fleetdeck.io_registry_sigma.yml new file mode 100644 index 00000000..3c9f6d2d --- /dev/null +++ b/detections/sigma/fleetdeck.io_registry_sigma.yml 
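Review bot: In the second hunk, the two absolute-path entries under `ParentImage|endswith` and `Image|endswith` are redundant with the bare `'fleetdeck_agent_svc.exe'` and `'fleetdeck_agent.exe'` entries, which already match any image path ending in those names. Keeping only the bare filenames (plus the new `'fleetdeck-agent.exe'`) shortens the list and sidesteps the escaped-wildcard pitfall in the second path. If the install directory is meant to be a stronger signal, it belongs in a separate `|contains` selection combined with the image name via `and`, not in an `endswith` list.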
@@ -0,0 +1,22 @@ +title: Potential FleetDeck.io RMM Tool Registry Activity +id: 8dc300f4-b2b7-5e29-81e9-01791b62187b +status: experimental +description: | + Detects potential registry activity of FleetDeck.io RMM tool +references: + - https://github.com/magicsword-io/LOLRMM +author: LOLRMM Project +date: 2026-02-03 +tags: + - attack.execution + - attack.t1219 +logsource: + product: windows + category: registry_event +detection: + selection: + TargetObject|contains: 'HKLM\SYSTEM\CurrentControlSet\Services\FleetDeck Agent Service' + condition: selection +falsepositives: + - Legitimate use of FleetDeck.io +level: medium diff --git a/detections/sigma/fortra_network_sigma.yml b/detections/sigma/fortra_network_sigma.yml index c62a65e0..3509f18a 100644 --- a/detections/sigma/fortra_network_sigma.yml +++ b/detections/sigma/fortra_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Fortra RMM Tool Network Activity -id: b3f40b79-9a7a-4d17-9f43-cd0bb0de7e55 +id: 5b1f81b3-2746-5c4a-883c-8127fae1a2ee status: experimental description: | Detects potential network activity of Fortra RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: fortra.com + DestinationHostname|endswith: 'fortra.com' condition: selection falsepositives: - Legitimate use of Fortra diff --git a/detections/sigma/freenx_processes_sigma.yml b/detections/sigma/freenx_processes_sigma.yml index 23932524..bf84d88c 100644 --- a/detections/sigma/freenx_processes_sigma.yml +++ b/detections/sigma/freenx_processes_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential FreeNX RMM Tool Process Activity -id: 4c8f7191-0e4f-4083-9de9-b710c879543a +id: b0257923-185c-59b4-a566-1cf08a000d2c status: experimental description: | Detects potential processes activity of FreeNX RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - nxplayer.exe - - nxplayer.exe + - 'C:\*\nxplayer.exe' + - '*\nxplayer.exe' selection_image: Image|endswith: - - nxplayer.exe - - nxplayer.exe + - 'C:\*\nxplayer.exe' + - '*\nxplayer.exe' condition: 1 of selection_* falsepositives: - Legitimate use of FreeNX diff --git a/detections/sigma/gatherplace-desktop_sharing_network_sigma.yml b/detections/sigma/gatherplace-desktop_sharing_network_sigma.yml index 9e763757..c9af3f6a 100644 --- a/detections/sigma/gatherplace-desktop_sharing_network_sigma.yml +++ b/detections/sigma/gatherplace-desktop_sharing_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential GatherPlace-desktop sharing RMM Tool Network Activity -id: bd0dc445-6398-43ee-9543-552b68f0ec72 +id: 2fc85694-447d-5dc8-b46e-162600f0e83a status: experimental description: | Detects potential network activity of GatherPlace-desktop sharing RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,9 +16,9 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.gatherplace.com - - *.gatherplace.net - - gatherplace.com + - '*.gatherplace.com' + - '*.gatherplace.net' + - 'gatherplace.com' condition: selection falsepositives: - Legitimate use of GatherPlace-desktop sharing diff --git a/detections/sigma/gatherplace-desktop_sharing_processes_sigma.yml b/detections/sigma/gatherplace-desktop_sharing_processes_sigma.yml index 67f08530..021e3f7d 100644 
--- a/detections/sigma/gatherplace-desktop_sharing_processes_sigma.yml +++ b/detections/sigma/gatherplace-desktop_sharing_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential GatherPlace-desktop sharing RMM Tool Process Activity -id: 2cf60806-d1b5-4899-b992-55bd26a5562d +id: 8b1cc2f8-ef9e-5821-91c8-eea73c9a6f78 status: experimental description: | Detects potential processes activity of GatherPlace-desktop sharing RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,14 +16,14 @@ logsource: detection: selection_parent: ParentImage|endswith: - - gp3.exe - - gp4.exe - - gp5.exe + - 'gp3.exe' + - 'gp4.exe' + - 'gp5.exe' selection_image: Image|endswith: - - gp3.exe - - gp4.exe - - gp5.exe + - 'gp3.exe' + - 'gp4.exe' + - 'gp5.exe' condition: 1 of selection_* falsepositives: - Legitimate use of GatherPlace-desktop sharing diff --git a/detections/sigma/getscreen_network_sigma.yml b/detections/sigma/getscreen_network_sigma.yml index bedaa1c3..a5c8f499 100644 --- a/detections/sigma/getscreen_network_sigma.yml +++ b/detections/sigma/getscreen_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential GetScreen RMM Tool Network Activity -id: c428ba60-3aba-4069-b9df-793995564173 +id: edcf66bd-9925-5361-a76d-9942e093e228 status: experimental description: | Detects potential network activity of GetScreen RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,9 +16,9 @@ logsource: detection: selection: DestinationHostname|endswith: - - getscreen.me - - GetScreen.me - - *.getscreen.me + - 'getscreen.me' + - 'GetScreen.me' + - '*.getscreen.me' condition: selection falsepositives: - Legitimate use of GetScreen diff --git a/detections/sigma/getscreen_processes_sigma.yml b/detections/sigma/getscreen_processes_sigma.yml index b67ff907..fdd9a022 100644 
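Review bot: In the GetScreen network hunk, `'getscreen.me'` and `'GetScreen.me'` under `DestinationHostname|endswith` are the same value, since Sigma string matching is case-insensitive by default, and `'*.getscreen.me'` is subsumed by the apex entry as well. The generator should `casefold()` values before de-duplicating so only one entry is emitted. The same case-variant duplication appears in the GetScreen processes hunk below (`'GetScreen.exe'` / `'getscreen.exe'`).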
--- a/detections/sigma/getscreen_processes_sigma.yml +++ b/detections/sigma/getscreen_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential GetScreen RMM Tool Process Activity -id: 5fa801a1-fb76-4bf1-a42a-b017406c11c4 +id: a62e3743-71ff-53be-a998-4d75a742a582 status: experimental description: | Detects potential processes activity of GetScreen RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - GetScreen.exe - - getscreen.exe + - 'GetScreen.exe' + - 'getscreen.exe' selection_image: Image|endswith: - - GetScreen.exe - - getscreen.exe + - 'GetScreen.exe' + - 'getscreen.exe' condition: 1 of selection_* falsepositives: - Legitimate use of GetScreen diff --git a/detections/sigma/gorelo_rmm_files_sigma.yml b/detections/sigma/gorelo_rmm_files_sigma.yml index 0e02ccfe..7707bac0 100644 --- a/detections/sigma/gorelo_rmm_files_sigma.yml +++ b/detections/sigma/gorelo_rmm_files_sigma.yml @@ -1,12 +1,12 @@ title: Potential Gorelo RMM RMM Tool File Activity -id: 301a3f86-aa1d-40d7-8f92-be35c7871b73 +id: 01db6cc2-ebee-5907-9507-54bb4b7d6aed status: experimental description: | Detects potential files activity of Gorelo RMM RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,29 +16,29 @@ logsource: detection: selection: TargetFilename|endswith: - - C:\Program Files\Gorelo\Agent\Plugins\Downloads\Gorelo.RemoteManagement.AppManagement.zip - - C:\Program Files\Gorelo\Agent\Plugins\Downloads\Gorelo.RemoteManagement.DeviceChat.zip - - C:\Program Files\Gorelo\Agent\Plugins\Downloads\Gorelo.RemoteManagement.IpAddressDetector.zip - - C:\Program Files\Gorelo\Agent\Plugins\Downloads\Gorelo.RemoteManagement.ScreenCapture.zip - - C:\Program Files\Gorelo\Agent\Plugins\Downloads\Gorelo.RemoteManagement.ScriptRunner.zip - - C:\Program Files\Gorelo\Agent\Plugins\Downloads\Gorelo.RemoteManagement.ServerMonitor.zip - - C:\Program Files\Gorelo\Agent\Plugins\Downloads\Gorelo.RemoteManagement.ShellCommand.zip - - C:\Program Files\Gorelo\Agent\Plugins\Downloads\Gorelo.RemoteManagement.SystemProfiler.zip - - C:\Program Files\Gorelo\Agent\Plugins\Downloads\Gorelo.RemoteManagement.SystemSecurityManagement.zip - - C:\Program Files\Gorelo\Agent\Plugins\Downloads\Gorelo.RemoteManagement.WindowsChecker.zip - - C:\Program Files\Gorelo\Agent\Plugins\Downloads\Gorelo.RemoteManagement.WindowsPatchManagement.zip - - C:\Program Files\Gorelo\Agent\RMMAgent\Gorelo.RemoteManagement.Agent\Gorelo.RemoteManagement.Agent.exe - - C:\Program Files\Gorelo\Agent\Shell\Gorelo.RemoteManagement.Shell\Gorelo.RemoteManagement.Shell.exe - - C:\Program Files\Gorelo\Installer\Downloads\Gorelo.RemoteManagement.Agent.zip - - C:\Program Files\Gorelo\Installer\Downloads\Gorelo.RemoteManagement.Shell.zip - - C:\Program Files\Gorelo\Installer\Downloads\Gorelo.Rmm.Installer.Handler.zip - - C:\Program Files\Gorelo\Installer\Downloads\Gorelo.Rmm.Installer.zip - - C:\Program Files\Gorelo\Installer\Gorelo.Rmm.Installer.Handler\Gorelo.Rmm.Installer.Handler.exe - - C:\Program Files\Gorelo\Installer\Gorelo.Rmm.Installer\Gorelo.Rmm.Installer.exe - - C:\Program Files\Gorelo\LogFiles\Agent\diagnostics-*.txt - - C:\Program Files\Gorelo\LogFiles\Installer\diagnostics-*.txt - - C:\Program 
Files\Gorelo\LogFiles\InstallerHandler\diagnostics-*.txt - - C:\Program Files\Gorelo\LogFiles\Shell\diagnostics-*.txt + - 'C:\Program Files\Gorelo\Agent\Plugins\Downloads\Gorelo.RemoteManagement.AppManagement.zip' + - 'C:\Program Files\Gorelo\Agent\Plugins\Downloads\Gorelo.RemoteManagement.DeviceChat.zip' + - 'C:\Program Files\Gorelo\Agent\Plugins\Downloads\Gorelo.RemoteManagement.IpAddressDetector.zip' + - 'C:\Program Files\Gorelo\Agent\Plugins\Downloads\Gorelo.RemoteManagement.ScreenCapture.zip' + - 'C:\Program Files\Gorelo\Agent\Plugins\Downloads\Gorelo.RemoteManagement.ScriptRunner.zip' + - 'C:\Program Files\Gorelo\Agent\Plugins\Downloads\Gorelo.RemoteManagement.ServerMonitor.zip' + - 'C:\Program Files\Gorelo\Agent\Plugins\Downloads\Gorelo.RemoteManagement.ShellCommand.zip' + - 'C:\Program Files\Gorelo\Agent\Plugins\Downloads\Gorelo.RemoteManagement.SystemProfiler.zip' + - 'C:\Program Files\Gorelo\Agent\Plugins\Downloads\Gorelo.RemoteManagement.SystemSecurityManagement.zip' + - 'C:\Program Files\Gorelo\Agent\Plugins\Downloads\Gorelo.RemoteManagement.WindowsChecker.zip' + - 'C:\Program Files\Gorelo\Agent\Plugins\Downloads\Gorelo.RemoteManagement.WindowsPatchManagement.zip' + - 'C:\Program Files\Gorelo\Agent\RMMAgent\Gorelo.RemoteManagement.Agent\Gorelo.RemoteManagement.Agent.exe' + - 'C:\Program Files\Gorelo\Agent\Shell\Gorelo.RemoteManagement.Shell\Gorelo.RemoteManagement.Shell.exe' + - 'C:\Program Files\Gorelo\Installer\Downloads\Gorelo.RemoteManagement.Agent.zip' + - 'C:\Program Files\Gorelo\Installer\Downloads\Gorelo.RemoteManagement.Shell.zip' + - 'C:\Program Files\Gorelo\Installer\Downloads\Gorelo.Rmm.Installer.Handler.zip' + - 'C:\Program Files\Gorelo\Installer\Downloads\Gorelo.Rmm.Installer.zip' + - 'C:\Program Files\Gorelo\Installer\Gorelo.Rmm.Installer.Handler\Gorelo.Rmm.Installer.Handler.exe' + - 'C:\Program Files\Gorelo\Installer\Gorelo.Rmm.Installer\Gorelo.Rmm.Installer.exe' + - 'C:\Program Files\Gorelo\LogFiles\Agent\diagnostics-*.txt' + - 
'C:\Program Files\Gorelo\LogFiles\Installer\diagnostics-*.txt' + - 'C:\Program Files\Gorelo\LogFiles\InstallerHandler\diagnostics-*.txt' + - 'C:\Program Files\Gorelo\LogFiles\Shell\diagnostics-*.txt' condition: selection falsepositives: - Legitimate use of Gorelo RMM diff --git a/detections/sigma/gorelo_rmm_network_sigma.yml b/detections/sigma/gorelo_rmm_network_sigma.yml index 4ca972f8..961cfd0b 100644 --- a/detections/sigma/gorelo_rmm_network_sigma.yml +++ b/detections/sigma/gorelo_rmm_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Gorelo RMM RMM Tool Network Activity -id: aa9c32ed-6c98-4c9f-9512-7f55c993872e +id: f81ba29a-1bd3-5edb-9a5c-6e90e2fc90d5 status: experimental description: | Detects potential network activity of Gorelo RMM RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,13 +16,13 @@ logsource: detection: selection: DestinationHostname|endswith: - - app.gorelo.io - - gorelo-rmm.azurewebsites.net - - gw.usw.gorelo.tech - - lr.rmm.pod1.usw.gorelo.tech - - public.rmm.pod1.usw.gorelo.tech - - r1.rmm.uw.gorelo.tech - - sr.rmm.pod1.usw.gorelo.tech + - 'app.gorelo.io' + - 'gorelo-rmm.azurewebsites.net' + - 'gw.usw.gorelo.tech' + - 'lr.rmm.pod1.usw.gorelo.tech' + - 'public.rmm.pod1.usw.gorelo.tech' + - 'r1.rmm.uw.gorelo.tech' + - 'sr.rmm.pod1.usw.gorelo.tech' condition: selection falsepositives: - Legitimate use of Gorelo RMM diff --git a/detections/sigma/gotoassist__goto_resolve__processes_sigma.yml b/detections/sigma/gotoassist__goto_resolve__processes_sigma.yml new file mode 100644 index 00000000..4250a876 --- /dev/null +++ b/detections/sigma/gotoassist__goto_resolve__processes_sigma.yml 
@@ -0,0 +1,58 @@ +title: Potential GoToAssist (GoTo Resolve) RMM Tool Process Activity +id: 4e0ef8de-247d-5a7c-ac54-5d48051ad3fc +status: experimental +description: | + Detects potential processes activity of GoToAssist (GoTo Resolve) RMM tool +references: + - https://github.com/magicsword-io/LOLRMM +author: LOLRMM Project +date: 2026-02-03 +tags: + - attack.execution + - attack.t1219 +logsource: + product: windows + category: process_creation +detection: + selection_parent: + ParentImage|endswith: + - 'GoToResolveExternalModuleHandler.exe' + - 'GoToResolveFileManager.exe' + - 'GoToResolveLoggerProcess.exe' + - 'GoToResolveNetworkChecker.exe' + - 'GoToResolveProcessChecker.exe' + - 'GoToResolveQuickView.exe' + - 'GoToResolveRegistryEditor.exe' + - 'GoToResolveRemoteControl.exe' + - 'GoToResolveService.exe' + - 'GoToResolveServiceManager.exe' + - 'GoToResolveTerminal.exe' + - 'GoToResolveTools32.exe' + - 'GoToResolveTools64.exe' + - 'GoToResolveUi.exe' + - 'GoToResolveUnattended.exe' + - 'GoToResolveUnattendedRemover.exe' + - 'GoToResolveUnattendedUi.exe' + selection_image: + Image|endswith: + - 'GoToResolveExternalModuleHandler.exe' + - 'GoToResolveFileManager.exe' + - 'GoToResolveLoggerProcess.exe' + - 'GoToResolveNetworkChecker.exe' + - 'GoToResolveProcessChecker.exe' + - 'GoToResolveQuickView.exe' + - 'GoToResolveRegistryEditor.exe' + - 'GoToResolveRemoteControl.exe' + - 'GoToResolveService.exe' + - 'GoToResolveServiceManager.exe' + - 'GoToResolveTerminal.exe' + - 'GoToResolveTools32.exe' + - 'GoToResolveTools64.exe' + - 'GoToResolveUi.exe' + - 'GoToResolveUnattended.exe' + - 'GoToResolveUnattendedRemover.exe' + - 'GoToResolveUnattendedUi.exe' + condition: 1 of selection_* +falsepositives: + - Legitimate use of GoToAssist (GoTo Resolve) +level: medium diff --git a/detections/sigma/gotoassist__goto_resolve__registry_sigma.yml b/detections/sigma/gotoassist__goto_resolve__registry_sigma.yml new file mode 100644 index 00000000..d9689784 --- /dev/null 
+++ b/detections/sigma/gotoassist__goto_resolve__registry_sigma.yml @@ -0,0 +1,22 @@ +title: Potential GoToAssist (GoTo Resolve) RMM Tool Registry Activity +id: 10da59f2-c2e7-5d83-9a0e-82fbe57008b3 +status: experimental +description: | + Detects potential registry activity of GoToAssist (GoTo Resolve) RMM tool +references: + - https://github.com/magicsword-io/LOLRMM +author: LOLRMM Project +date: 2026-02-03 +tags: + - attack.execution + - attack.t1219 +logsource: + product: windows + category: registry_event +detection: + selection: + TargetObject|contains: 'HKLM\SOFTWARE\GoTo Resolve Unattended\' + condition: selection +falsepositives: + - Legitimate use of GoToAssist (GoTo Resolve) +level: medium diff --git a/detections/sigma/gotoassist_network_sigma.yml b/detections/sigma/gotoassist_network_sigma.yml index 922b38a6..3c494d5c 100644 --- a/detections/sigma/gotoassist_network_sigma.yml +++ b/detections/sigma/gotoassist_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential GoToAssist RMM Tool Network Activity -id: db374856-a793-461e-a33a-648ee4468d7e +id: cf90a14a-22da-5f1a-8249-c57fb435c831 status: experimental description: | Detects potential network activity of GoToAssist RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,15 +16,15 @@ logsource: detection: selection: DestinationHostname|endswith: - - goto.com - - *.getgo.com - - *.fastsupport.com - - *.gotoassist.com - - helpme.net - - *.gotoassist.me - - *.gotoassist.at - - *.desktopstreaming.com - - *.cdn.getgo.com + - 'goto.com' + - '*.getgo.com' + - '*.fastsupport.com' + - '*.gotoassist.com' + - 'helpme.net' + - '*.gotoassist.me' + - '*.gotoassist.at' + - '*.desktopstreaming.com' + - '*.cdn.getgo.com' condition: selection falsepositives: - Legitimate use of GoToAssist 
diff --git a/detections/sigma/gotoassist_processes_sigma.yml b/detections/sigma/gotoassist_processes_sigma.yml index c48747e8..ba1f742f 100644 --- a/detections/sigma/gotoassist_processes_sigma.yml +++ b/detections/sigma/gotoassist_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential GoToAssist RMM Tool Process Activity -id: 7e3932cf-416c-4e30-a60d-c4582183b355 +id: 09d394f5-8581-5511-94b8-a235f5868323 status: experimental description: | Detects potential processes activity of GoToAssist RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,20 +16,20 @@ logsource: detection: selection_parent: ParentImage|endswith: - - gotoassist.exe - - g2a*.exe - - GoTo Assist Opener.exe - - g2mcomm.exe - - goto opener.exe - - g2ax_comm_customer.exe + - 'gotoassist.exe' + - 'g2a*.exe' + - 'GoTo Assist Opener.exe' + - 'g2mcomm.exe' + - 'goto opener.exe' + - 'g2ax_comm_customer.exe' selection_image: Image|endswith: - - gotoassist.exe - - g2a*.exe - - GoTo Assist Opener.exe - - g2mcomm.exe - - goto opener.exe - - g2ax_comm_customer.exe + - 'gotoassist.exe' + - 'g2a*.exe' + - 'GoTo Assist Opener.exe' + - 'g2mcomm.exe' + - 'goto opener.exe' + - 'g2ax_comm_customer.exe' condition: 1 of selection_* falsepositives: - Legitimate use of GoToAssist diff --git a/detections/sigma/gotohttp_network_sigma.yml b/detections/sigma/gotohttp_network_sigma.yml index ef384ca5..e829ef83 100644 --- a/detections/sigma/gotohttp_network_sigma.yml +++ b/detections/sigma/gotohttp_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential GotoHTTP RMM Tool Network Activity -id: 1b6aea94-3773-4566-9ad5-073e438c94a8 +id: dd61a817-e828-53c3-92f0-5b661a6000e2 status: experimental description: | Detects potential network activity of GotoHTTP RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.gotohttp.com - - gotohttp.com + - '*.gotohttp.com' + - 'gotohttp.com' condition: selection falsepositives: - Legitimate use of GotoHTTP diff --git a/detections/sigma/gotohttp_processes_sigma.yml b/detections/sigma/gotohttp_processes_sigma.yml index 28eebed9..1731d849 100644 --- a/detections/sigma/gotohttp_processes_sigma.yml +++ b/detections/sigma/gotohttp_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential GotoHTTP RMM Tool Process Activity -id: 1cf1f017-5afb-4383-b9ba-dbd94949a8ac +id: 9c31656f-616b-5d2e-867d-4abf14f2d12c status: experimental description: | Detects potential processes activity of GotoHTTP RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,14 +16,14 @@ logsource: detection: selection_parent: ParentImage|endswith: - - GotoHTTP_x64.exe - - gotohttp.exe - - GotoHTTP*.exe + - 'GotoHTTP_x64.exe' + - 'gotohttp.exe' + - 'GotoHTTP*.exe' selection_image: Image|endswith: - - GotoHTTP_x64.exe - - gotohttp.exe - - GotoHTTP*.exe + - 'GotoHTTP_x64.exe' + - 'gotohttp.exe' + - 'GotoHTTP*.exe' condition: 1 of selection_* falsepositives: - Legitimate use of GotoHTTP diff --git a/detections/sigma/gotomypc_files_sigma.yml b/detections/sigma/gotomypc_files_sigma.yml index adc72ef4..d9504549 100644 --- a/detections/sigma/gotomypc_files_sigma.yml +++ b/detections/sigma/gotomypc_files_sigma.yml @@ -1,12 +1,12 @@ title: Potential GoToMyPC RMM Tool File Activity -id: 8feba83b-d300-484f-8341-8dd7d798f754 +id: 458ec4d0-048c-5e1f-92c7-0c55656be532 status: experimental description: | Detects potential files activity of GoToMyPC RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -15,7 +15,7 @@ logsource: category: file_event detection: selection: - TargetFilename|endswith: %AppData%\GoTo\Logs\goto.log + TargetFilename|endswith: '%AppData%\GoTo\Logs\goto.log' condition: selection falsepositives: - Legitimate use of GoToMyPC diff --git a/detections/sigma/gotomypc_network_sigma.yml b/detections/sigma/gotomypc_network_sigma.yml index c9c0d5bc..d19d57fd 100644 --- a/detections/sigma/gotomypc_network_sigma.yml +++ b/detections/sigma/gotomypc_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential GoToMyPC RMM Tool Network Activity -id: 54facc7d-0726-4e7e-ab2b-b2aa5936b281 +id: 54d94d2d-ad88-5120-820f-5bf0f9c32a4f status: experimental description: | Detects potential network activity of GoToMyPC RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: *.GoToMyPC.com + DestinationHostname|endswith: '*.GoToMyPC.com' condition: selection falsepositives: - Legitimate use of GoToMyPC diff --git a/detections/sigma/gotomypc_registry_sigma.yml b/detections/sigma/gotomypc_registry_sigma.yml index 59eec4d3..d389900c 100644 --- a/detections/sigma/gotomypc_registry_sigma.yml +++ b/detections/sigma/gotomypc_registry_sigma.yml @@ -1,12 +1,12 @@ title: Potential GoToMyPC RMM Tool Registry Activity -id: beb98caf-9df0-4cc4-a8b8-80bc6a7e7e31 +id: bf5607f8-3121-5127-baef-5ea54ebfb2ca status: experimental description: | Detects potential registry activity of GoToMyPC RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
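Review bot: `TargetFilename|endswith: '%AppData%\GoTo\Logs\goto.log'` in the first hunk cannot match: file-event telemetry (Sysmon Event ID 11 and equivalents) records the expanded path, and the literal `%AppData%` token never appears in it, so the rule is dead as emitted. `TargetFilename|endswith: '\GoTo\Logs\goto.log'` matches the expanded location regardless of the profile directory. Since the value is copied from the source YAML, the generator could strip or reject unexpanded `%...%` tokens rather than quoting them through.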
@@ -16,10 +16,10 @@ logsource: detection: selection: TargetObject|contains: - - HKEY_LOCAL_MACHINE\WOW6432Node\Citrix\GoToMyPc - - HKEY_LOCAL_MACHINE\WOW6432Node\Citrix\GoToMyPc\GuestInvite - - HKEY_CURRENT_USER\SOFTWARE\Citrix\GoToMyPc\FileTransfer\history - - HKEY_USERS\\SOFTWARE\Citrix\GoToMyPc\FileTransfer\history + - 'HKEY_LOCAL_MACHINE\WOW6432Node\Citrix\GoToMyPc' + - 'HKEY_LOCAL_MACHINE\WOW6432Node\Citrix\GoToMyPc\GuestInvite' + - 'HKEY_CURRENT_USER\SOFTWARE\Citrix\GoToMyPc\FileTransfer\history' + - 'HKEY_USERS\\SOFTWARE\Citrix\GoToMyPc\FileTransfer\history' condition: selection falsepositives: - Legitimate use of GoToMyPC diff --git a/detections/sigma/goverlan_network_sigma.yml b/detections/sigma/goverlan_network_sigma.yml index 41092169..9bcba751 100644 --- a/detections/sigma/goverlan_network_sigma.yml +++ b/detections/sigma/goverlan_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Goverlan RMM Tool Network Activity -id: a74bcadf-a635-4c4b-a522-f685abb84b3d +id: c0b88393-a1e8-5b95-8f5d-f9e583f22585 status: experimental description: | Detects potential network activity of Goverlan RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - user_managed - - goverlan.com + - 'user_managed' + - 'goverlan.com' condition: selection falsepositives: - Legitimate use of Goverlan diff --git a/detections/sigma/goverlan_processes_sigma.yml b/detections/sigma/goverlan_processes_sigma.yml index 2e037ee6..fd711ff3 100644 --- a/detections/sigma/goverlan_processes_sigma.yml +++ b/detections/sigma/goverlan_processes_sigma.yml 
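Review bot: The `TargetObject|contains` values use the long hive names `HKEY_LOCAL_MACHINE`, `HKEY_CURRENT_USER` and `HKEY_USERS`, but Sysmon registry events (and the Sigma registry taxonomy) record the short forms `HKLM\` and `HKU\<SID>\`, so none of the four entries match as written; the first two also omit `SOFTWARE\` before `WOW6432Node`, and `'HKEY_USERS\\SOFTWARE\Citrix\GoToMyPc\FileTransfer\history'` reduces to a single backslash under Sigma escaping while leaving out the per-user SID component. Because the modifier is `contains`, the hive prefix adds nothing and dropping it fixes all four at once, e.g. `- '\Citrix\GoToMyPc'` and `- '\Citrix\GoToMyPc\FileTransfer\history'`. The FleetDeck and GoTo Resolve registry rules in this diff already use `HKLM\...`, so this file is the outlier.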
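Review bot: `'user_managed'` under `DestinationHostname|endswith` in the Goverlan network hunk is a placeholder from the source YAML, not a hostname, and should not be emitted into a rule; it is harmless for matching but misrepresents the rule's coverage and will be flagged by rule linters. The generator should skip sentinel values such as `user_managed` when building the network selection. The Guacamole network hunk below carries the same entry.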
@@ -1,12 +1,12 @@ title: Potential Goverlan RMM Tool Process Activity -id: 615e510c-87dd-4294-92e0-7776b858589e +id: 2736e7de-784b-5e02-b860-422b94ad5a25 status: experimental description: | Detects potential processes activity of Goverlan RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,20 +16,20 @@ logsource: detection: selection_parent: ParentImage|endswith: - - goverrmc.exe - - govsrv*.exe - - GovAgentInstallHelper.exe - - GovAgentx64.exe - - GovReachClient.exe - - GovSrv.exe + - 'goverrmc.exe' + - 'govsrv*.exe' + - 'GovAgentInstallHelper.exe' + - 'GovAgentx64.exe' + - 'GovReachClient.exe' + - '*\GovSrv.exe' selection_image: Image|endswith: - - goverrmc.exe - - govsrv*.exe - - GovAgentInstallHelper.exe - - GovAgentx64.exe - - GovReachClient.exe - - GovSrv.exe + - 'goverrmc.exe' + - 'govsrv*.exe' + - 'GovAgentInstallHelper.exe' + - 'GovAgentx64.exe' + - 'GovReachClient.exe' + - '*\GovSrv.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Goverlan diff --git a/detections/sigma/guacamole_network_sigma.yml b/detections/sigma/guacamole_network_sigma.yml index 7b93eee7..d7d9cf63 100644 --- a/detections/sigma/guacamole_network_sigma.yml +++ b/detections/sigma/guacamole_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Guacamole RMM Tool Network Activity -id: 78a9a1c5-618c-4909-ad62-1ee4b902cc8d +id: a20f0ee0-7479-5306-9bf0-5974ac1c3b53 status: experimental description: | Detects potential network activity of Guacamole RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - user_managed - - guacamole.apache.org + - 'user_managed' + - 'guacamole.apache.org' condition: selection falsepositives: - Legitimate use of Guacamole 
diff --git a/detections/sigma/guacamole_processes_sigma.yml b/detections/sigma/guacamole_processes_sigma.yml index 093cc7f3..e9534b1e 100644 --- a/detections/sigma/guacamole_processes_sigma.yml +++ b/detections/sigma/guacamole_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Guacamole RMM Tool Process Activity -id: 3b8ab621-493a-4aaf-bdd0-d6080dcde19f +id: 8095d495-5970-5b25-8d8b-3767d37eee2b status: experimental description: | Detects potential processes activity of Guacamole RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: guacd.exe + ParentImage|endswith: 'guacd.exe' selection_image: - Image|endswith: guacd.exe + Image|endswith: 'guacd.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Guacamole diff --git a/detections/sigma/heartbeatrm_files_sigma.yml b/detections/sigma/heartbeatrm_files_sigma.yml new file mode 100644 index 00000000..3867ed91 --- /dev/null +++ b/detections/sigma/heartbeatrm_files_sigma.yml @@ -0,0 +1,25 @@ +title: Potential HeartbeatRM RMM Tool File Activity +id: 6068f888-107c-5be5-a931-c7fef5f8f22b +status: experimental +description: | + Detects potential files activity of HeartbeatRM RMM tool +references: + - https://github.com/magicsword-io/LOLRMM +author: LOLRMM Project +date: 2026-02-03 +tags: + - attack.execution + - attack.t1219 +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename|endswith: + - 'C:\Program Files (x86)\HeartbeatRM\*' + - 'C:\Program Files\HeartbeatRM\*' + - '*\agent-installer-any.exe' + condition: selection +falsepositives: + - Legitimate use of HeartbeatRM +level: medium diff --git a/detections/sigma/heartbeatrm_network_sigma.yml b/detections/sigma/heartbeatrm_network_sigma.yml new file mode 100644 index 00000000..e2e47033 --- /dev/null 
+++ b/detections/sigma/heartbeatrm_network_sigma.yml @@ -0,0 +1,24 @@ +title: Potential HeartbeatRM RMM Tool Network Activity +id: 6bf78314-f722-50d4-9a80-b0537b72dd9d +status: experimental +description: | + Detects potential network activity of HeartbeatRM RMM tool +references: + - https://github.com/magicsword-io/LOLRMM +author: LOLRMM Project +date: 2026-02-03 +tags: + - attack.execution + - attack.t1219 +logsource: + product: windows + category: network_connection +detection: + selection: + DestinationHostname|endswith: + - '*.heartbeatrm.com' + - 'heartbeatrm.com' + condition: selection +falsepositives: + - Legitimate use of HeartbeatRM +level: medium diff --git a/detections/sigma/heartbeatrm_processes_sigma.yml b/detections/sigma/heartbeatrm_processes_sigma.yml new file mode 100644 index 00000000..e16b4ba3 --- /dev/null +++ b/detections/sigma/heartbeatrm_processes_sigma.yml @@ -0,0 +1,30 @@ +title: Potential HeartbeatRM RMM Tool Process Activity +id: ca4f3aa9-5178-578f-9c94-12231e521d9f +status: experimental +description: | + Detects potential processes activity of HeartbeatRM RMM tool +references: + - https://github.com/magicsword-io/LOLRMM +author: LOLRMM Project +date: 2026-02-03 +tags: + - attack.execution + - attack.t1219 +logsource: + product: windows + category: process_creation +detection: + selection_parent: + ParentImage|endswith: + - 'agent-installer-any.exe' + - 'hbrm-x64.exe' + - 'hbrm-updater-x64.exe' + selection_image: + Image|endswith: + - 'agent-installer-any.exe' + - 'hbrm-x64.exe' + - 'hbrm-updater-x64.exe' + condition: 1 of selection_* +falsepositives: + - Legitimate use of HeartbeatRM +level: medium diff --git a/detections/sigma/helpbeam_network_sigma.yml b/detections/sigma/helpbeam_network_sigma.yml index 19cb0113..03987979 100644 --- a/detections/sigma/helpbeam_network_sigma.yml +++ b/detections/sigma/helpbeam_network_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential HelpBeam RMM Tool Network Activity -id: 858bb23e-4c2b-45b7-9fa5-aae194a58eb1 +id: 25b396bb-34a6-543b-809c-b6693514a244 status: experimental description: | Detects potential network activity of HelpBeam RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: helpbeam.software.informer.com + DestinationHostname|endswith: 'helpbeam.software.informer.com' condition: selection falsepositives: - Legitimate use of HelpBeam diff --git a/detections/sigma/helpbeam_processes_sigma.yml b/detections/sigma/helpbeam_processes_sigma.yml index 14e06862..c76f4ebf 100644 --- a/detections/sigma/helpbeam_processes_sigma.yml +++ b/detections/sigma/helpbeam_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential HelpBeam RMM Tool Process Activity -id: a1f0aa0b-82ac-483f-8cad-c725eb5d1840 +id: a5fba669-ea3a-58d1-9515-a9ae53f14291 status: experimental description: | Detects potential processes activity of HelpBeam RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: helpbeam*.exe + ParentImage|endswith: 'helpbeam*.exe' selection_image: - Image|endswith: helpbeam*.exe + Image|endswith: 'helpbeam*.exe' condition: 1 of selection_* falsepositives: - Legitimate use of HelpBeam diff --git a/detections/sigma/helpu_network_sigma.yml b/detections/sigma/helpu_network_sigma.yml index c4a5c306..89b2ac5b 100644 --- a/detections/sigma/helpu_network_sigma.yml +++ b/detections/sigma/helpu_network_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential HelpU RMM Tool Network Activity -id: 85125665-6aba-478b-8d22-614dbfd48625 +id: bc2449da-6eba-5500-8b78-6a4a57ccf6f1 status: experimental description: | Detects potential network activity of HelpU RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - helpu.co.kr - - *.helpu.co.kr + - 'helpu.co.kr' + - '*.helpu.co.kr' condition: selection falsepositives: - Legitimate use of HelpU diff --git a/detections/sigma/helpu_processes_sigma.yml b/detections/sigma/helpu_processes_sigma.yml index 86edfe79..91e9ecfa 100644 --- a/detections/sigma/helpu_processes_sigma.yml +++ b/detections/sigma/helpu_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential HelpU RMM Tool Process Activity -id: b9d644d3-dc40-49ce-a18f-c54025834c5d +id: ab8363c3-a027-59f6-9e5a-49021fad7794 status: experimental description: | Detects potential processes activity of HelpU RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,14 +16,14 @@ logsource: detection: selection_parent: ParentImage|endswith: - - helpu_install.exe - - HelpuUpdater.exe - - HelpuManager.exe + - 'helpu_install.exe' + - 'HelpuUpdater.exe' + - 'HelpuManager.exe' selection_image: Image|endswith: - - helpu_install.exe - - HelpuUpdater.exe - - HelpuManager.exe + - 'helpu_install.exe' + - 'HelpuUpdater.exe' + - 'HelpuManager.exe' condition: 1 of selection_* falsepositives: - Legitimate use of HelpU diff --git a/detections/sigma/hoptodesk_files_sigma.yml b/detections/sigma/hoptodesk_files_sigma.yml index df79a67e..a968732d 100644 --- a/detections/sigma/hoptodesk_files_sigma.yml +++ b/detections/sigma/hoptodesk_files_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential HopToDesk RMM Tool File Activity -id: f396f6d4-3cd9-4419-bc8f-01bfe3784c12 +id: 59d4a339-5201-5468-b224-3621cbd7cc4b status: experimental description: | Detects potential files activity of HopToDesk RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,13 +16,17 @@ logsource: detection: selection: TargetFilename|endswith: - - C:\Program Files (x86)\HopToDesk\HopToDesk.exe - - C:\Program Files (x86)\HopToDesk\privacyhelper.exe - - C:\Program Files (x86)\HopToDesk\PrivacyMode.dll - - C:\Program Files (x86)\HopToDesk\sciter.dll - - C:\Users\*\AppData\Roaming\HopToDesk\config\HopToDesk.toml - - C:\Users\*\AppData\Local\Temp\privacyhelper.exe - - /System/Volumes/Data/Users/*/Library/Logs/HopToDesk/hoptodesk_rCURRENT.log + - 'C:\Program Files (x86)\HopToDesk\HopToDesk.exe' + - 'C:\Program Files (x86)\HopToDesk\privacyhelper.exe' + - 'C:\Program Files (x86)\HopToDesk\PrivacyMode.dll' + - 'C:\Program Files (x86)\HopToDesk\sciter.dll' + - 'C:\Users\*\AppData\Local\Temp\sciter.dll' + - 'C:\Users\*\AppData\Local\Temp\privacyhelper.exe' + - 'C:\Users\*\AppData\Roaming\HopToDesk\config\*' + - 'C:\Users\*\AppData\Roaming\HopToDesk\config\hoptodesk.toml' + - 'C:\Users\*\AppData\Roaming\HopToDesk\config\HopToDesk.toml' + - 'C:\Users\*\AppData\Roaming\HopToDesk\config\HopToDesk_rCURRENT.log' + - '/System/Volumes/Data/Users/*/Library/Logs/HopToDesk/hoptodesk_rCURRENT.log' condition: selection falsepositives: - Legitimate use of HopToDesk diff --git a/detections/sigma/hoptodesk_network_sigma.yml b/detections/sigma/hoptodesk_network_sigma.yml index da52943f..093981f3 100644 --- a/detections/sigma/hoptodesk_network_sigma.yml +++ b/detections/sigma/hoptodesk_network_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential HopToDesk RMM Tool Network Activity -id: 68fd1e88-4536-42ee-8517-cd8fbc3df925 +id: 2c282894-f61a-5f05-ac32-2dc6b1f20859 status: experimental description: | Detects potential network activity of HopToDesk RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,9 +16,12 @@ logsource: detection: selection: DestinationHostname|endswith: - - signal.hoptodesk.com - - api.hoptodesk.com - - turn.hoptodesk.com + - 'hoptodesk.com' + - 'api.hoptodesk.com' + - 'signal.hoptodesk.com' + - 'turn.hoptodesk.com' + - 'download.hoptodesk.com' + - 'www.hoptodesk.com' condition: selection falsepositives: - Legitimate use of HopToDesk diff --git a/detections/sigma/hoptodesk_processes_sigma.yml b/detections/sigma/hoptodesk_processes_sigma.yml index 3986ed5d..23429429 100644 --- a/detections/sigma/hoptodesk_processes_sigma.yml +++ b/detections/sigma/hoptodesk_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential HopToDesk RMM Tool Process Activity -id: 74d7f991-3e52-4c08-bb51-85cc7be4b484 +id: 04a1bb01-5718-589a-ae21-08409f606b79 status: experimental description: | Detects potential processes activity of HopToDesk RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,9 +15,15 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: hoptodesk.exe + ParentImage|endswith: + - 'C:\Program Files (x86)\HopToDesk\HopToDesk.exe' + - 'HopToDesk.exe' + - 'HopToDesk-Standalone.exe' selection_image: - Image|endswith: hoptodesk.exe + Image|endswith: + - 'C:\Program Files (x86)\HopToDesk\HopToDesk.exe' + - 'HopToDesk.exe' + - 'HopToDesk-Standalone.exe' condition: 1 of selection_* falsepositives: - Legitimate use of HopToDesk 
diff --git a/detections/sigma/hoptodesk_registry_sigma.yml b/detections/sigma/hoptodesk_registry_sigma.yml index bd20e1c6..b83bcf95 100644 --- a/detections/sigma/hoptodesk_registry_sigma.yml +++ b/detections/sigma/hoptodesk_registry_sigma.yml @@ -1,12 +1,12 @@ title: Potential HopToDesk RMM Tool Registry Activity -id: 5a643580-395d-4456-87d1-9a6055651987 +id: 4c0dbbe6-33c5-5268-aed0-aaf0c3344071 status: experimental description: | Detects potential registry activity of HopToDesk RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,9 @@ logsource: category: registry_event detection: selection: - TargetObject|contains: HKEY_USERS\*_Classes\HopToDesk\* + TargetObject|contains: + - 'HKEY_CURRENT_USER\Software\Classes\HopToDesk\shell\open\command' + - 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\HopToDesk' condition: selection falsepositives: - Legitimate use of HopToDesk diff --git a/detections/sigma/i'm_intouch_network_sigma.yml b/detections/sigma/i'm_intouch_network_sigma.yml index 241e305b..96941b83 100644 --- a/detections/sigma/i'm_intouch_network_sigma.yml +++ b/detections/sigma/i'm_intouch_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential I'm InTouch RMM Tool Network Activity -id: 62eafab4-705e-4fe8-af20-975cf9ef229b +id: e8cfa90a-be6a-5f6e-a719-38d7ff697f36 status: experimental description: | Detects potential network activity of I'm InTouch RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.01com.com - - 01com.com/imintouch-remote-pc-desktop + - '*.01com.com' + - '01com.com/imintouch-remote-pc-desktop' condition: selection falsepositives: - Legitimate use of I'm InTouch 
diff --git a/detections/sigma/i'm_intouch_processes_sigma.yml b/detections/sigma/i'm_intouch_processes_sigma.yml index 06da1436..cc83dcf0 100644 --- a/detections/sigma/i'm_intouch_processes_sigma.yml +++ b/detections/sigma/i'm_intouch_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential I'm InTouch RMM Tool Process Activity -id: 1282f94c-8c40-40b4-9ee9-cdf370d58188 +id: d9ffc6cc-1bfd-578f-828a-31aeb6fe4fdb status: experimental description: | Detects potential processes activity of I'm InTouch RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,14 +16,14 @@ logsource: detection: selection_parent: ParentImage|endswith: - - iit.exe - - intouch.exe - - I'm InTouch Go Installer.exe + - 'iit.exe' + - 'intouch.exe' + - 'I''m InTouch Go Installer.exe' selection_image: Image|endswith: - - iit.exe - - intouch.exe - - I'm InTouch Go Installer.exe + - 'iit.exe' + - 'intouch.exe' + - 'I''m InTouch Go Installer.exe' condition: 1 of selection_* falsepositives: - Legitimate use of I'm InTouch diff --git a/detections/sigma/idrive_files_sigma.yml b/detections/sigma/idrive_files_sigma.yml new file mode 100644 index 00000000..c4c19cfb --- /dev/null +++ b/detections/sigma/idrive_files_sigma.yml @@ -0,0 +1,26 @@ +title: Potential iDrive RMM Tool File Activity +id: 6b92f296-e412-5864-806f-02120af6615f +status: experimental +description: | + Detects potential files activity of iDrive RMM tool +references: + - https://github.com/magicsword-io/LOLRMM +author: LOLRMM Project +date: 2026-02-03 +tags: + - attack.execution + - attack.t1219 +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename|endswith: + - 'C:\ProgramData\IDrive\*' + - 'C:\Program Files\IDrive\*' + - 'C:\Program Files (x86)\IDrive\*' + - 'C:\Users\*\AppData\Local\IDrive\*' + condition: selection +falsepositives: + - Legitimate use of iDrive +level: medium 
diff --git a/detections/sigma/idrive_network_sigma.yml b/detections/sigma/idrive_network_sigma.yml new file mode 100644 index 00000000..b52a041b --- /dev/null +++ b/detections/sigma/idrive_network_sigma.yml @@ -0,0 +1,25 @@ +title: Potential iDrive RMM Tool Network Activity +id: 0a2dacc5-f6e5-57ee-bd53-cbd15c182bf8 +status: experimental +description: | + Detects potential network activity of iDrive RMM tool +references: + - https://github.com/magicsword-io/LOLRMM +author: LOLRMM Project +date: 2026-02-03 +tags: + - attack.execution + - attack.t1219 +logsource: + product: windows + category: network_connection +detection: + selection: + DestinationHostname|endswith: + - 'idrive.com' + - '*.idrive.com' + - 'api.idrive.com' + condition: selection +falsepositives: + - Legitimate use of iDrive +level: medium diff --git a/detections/sigma/idrive_processes_sigma.yml b/detections/sigma/idrive_processes_sigma.yml new file mode 100644 index 00000000..1bd3f5ed --- /dev/null +++ b/detections/sigma/idrive_processes_sigma.yml @@ -0,0 +1,32 @@ +title: Potential iDrive RMM Tool Process Activity +id: 6bab72dd-8b13-56c0-9c96-5fcbaaed10fb +status: experimental +description: | + Detects potential processes activity of iDrive RMM tool +references: + - https://github.com/magicsword-io/LOLRMM +author: LOLRMM Project +date: 2026-02-03 +tags: + - attack.execution + - attack.t1219 +logsource: + product: windows + category: process_creation +detection: + selection_parent: + ParentImage|endswith: + - 'C:\Users\*\Downloads\IDriveWinSetup.exe' + - 'IDriveWinSetup.exe' + - 'IDriveEClassic.exe' + - 'id_tray.exe' + selection_image: + Image|endswith: + - 'C:\Users\*\Downloads\IDriveWinSetup.exe' + - 'IDriveWinSetup.exe' + - 'IDriveEClassic.exe' + - 'id_tray.exe' + condition: 1 of selection_* +falsepositives: + - Legitimate use of iDrive +level: medium diff --git a/detections/sigma/idrive_registry_sigma.yml b/detections/sigma/idrive_registry_sigma.yml new file mode 100644 index 00000000..149d44bd 
--- /dev/null +++ b/detections/sigma/idrive_registry_sigma.yml @@ -0,0 +1,24 @@ +title: Potential iDrive RMM Tool Registry Activity +id: 1192dc81-6a33-50b7-bb18-18b8f1034001 +status: experimental +description: | + Detects potential registry activity of iDrive RMM tool +references: + - https://github.com/magicsword-io/LOLRMM +author: LOLRMM Project +date: 2026-02-03 +tags: + - attack.execution + - attack.t1219 +logsource: + product: windows + category: registry_event +detection: + selection: + TargetObject|contains: + - 'HKEY_LOCAL_MACHINE\SOFTWARE\IDrive\*' + - 'HKEY_CURRENT_USER\SOFTWARE\IDrive\*' + condition: selection +falsepositives: + - Legitimate use of iDrive +level: medium diff --git a/detections/sigma/immybot_files_sigma.yml b/detections/sigma/immybot_files_sigma.yml new file mode 100644 index 00000000..21fc38c3 --- /dev/null +++ b/detections/sigma/immybot_files_sigma.yml @@ -0,0 +1,28 @@ +title: Potential ImmyBot RMM Tool File Activity +id: 86e417fd-8e4d-51a5-b6f4-68e57e4f8da5 +status: experimental +description: | + Detects potential files activity of ImmyBot RMM tool +references: + - https://github.com/magicsword-io/LOLRMM +author: LOLRMM Project +date: 2026-02-03 +tags: + - attack.execution + - attack.t1219 +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename|endswith: + - 'C:\Program Files\ImmyBot\*' + - 'C:\Program Files (x86)\ImmyBot\*' + - 'C:\ProgramData\ImmyBot\Logs\*' + - 'C:\ProgramData\ImmyBot\Scripts\*' + - 'C:\ProgramData\ImmyBotAgentService\config.json' + - 'C:\Windows\Temp\ImmyBot\*' + condition: selection +falsepositives: + - Legitimate use of ImmyBot +level: medium diff --git a/detections/sigma/immybot_network_sigma.yml b/detections/sigma/immybot_network_sigma.yml new file mode 100644 index 00000000..6437af91 --- /dev/null +++ b/detections/sigma/immybot_network_sigma.yml 
@@ -0,0 +1,24 @@ +title: Potential ImmyBot RMM Tool Network Activity +id: 8e1e10d1-5868-562d-93f2-d2a28c29068c +status: experimental +description: | + Detects potential network activity of ImmyBot RMM tool +references: + - https://github.com/magicsword-io/LOLRMM +author: LOLRMM Project +date: 2026-02-03 +tags: + - attack.execution + - attack.t1219 +logsource: + product: windows + category: network_connection +detection: + selection: + DestinationHostname|endswith: + - '*.immy.bot' + - 'immy.bot' + condition: selection +falsepositives: + - Legitimate use of ImmyBot +level: medium diff --git a/detections/sigma/immybot_processes_sigma.yml b/detections/sigma/immybot_processes_sigma.yml new file mode 100644 index 00000000..d39f7225 --- /dev/null +++ b/detections/sigma/immybot_processes_sigma.yml @@ -0,0 +1,38 @@ +title: Potential ImmyBot RMM Tool Process Activity +id: cb300985-1903-52c0-8d14-f514636826a5 +status: experimental +description: | + Detects potential processes activity of ImmyBot RMM tool +references: + - https://github.com/magicsword-io/LOLRMM +author: LOLRMM Project +date: 2026-02-03 +tags: + - attack.execution + - attack.t1219 +logsource: + product: windows + category: process_creation +detection: + selection_parent: + ParentImage|endswith: + - 'C:\Program Files\ImmyBot\ImmyAgent.exe' + - 'C:\Program Files\ImmyBot\ImmyUpdater.exe' + - 'C:\Program Files (x86)\ImmyBot\ImmyAgent.exe' + - 'C:\Program Files (x86)\ImmyBot\ImmyUpdater.exe' + - 'ImmyAgent.exe' + - 'ImmyUpdater.exe' + - 'ImmyBot.Agent.Ephemeral.exe' + selection_image: + Image|endswith: + - 'C:\Program Files\ImmyBot\ImmyAgent.exe' + - 'C:\Program Files\ImmyBot\ImmyUpdater.exe' + - 'C:\Program Files (x86)\ImmyBot\ImmyAgent.exe' + - 'C:\Program Files (x86)\ImmyBot\ImmyUpdater.exe' + - 'ImmyAgent.exe' + - 'ImmyUpdater.exe' + - 'ImmyBot.Agent.Ephemeral.exe' + condition: 1 of selection_* +falsepositives: + - Legitimate use of ImmyBot +level: medium 
diff --git a/detections/sigma/impero_connect_network_sigma.yml b/detections/sigma/impero_connect_network_sigma.yml index 36c920c9..0245be66 100644 --- a/detections/sigma/impero_connect_network_sigma.yml +++ b/detections/sigma/impero_connect_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Impero Connect RMM Tool Network Activity -id: 5842e2f4-7e26-4f0e-a65d-3f3abffe279a +id: 3477a96e-8bba-5e90-ad9a-0112aaeac735 status: experimental description: | Detects potential network activity of Impero Connect RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: imperosoftware.com + DestinationHostname|endswith: 'imperosoftware.com' condition: selection falsepositives: - Legitimate use of Impero Connect diff --git a/detections/sigma/impero_connect_processes_sigma.yml b/detections/sigma/impero_connect_processes_sigma.yml index 801d0724..fa935fac 100644 --- a/detections/sigma/impero_connect_processes_sigma.yml +++ b/detections/sigma/impero_connect_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Impero Connect RMM Tool Process Activity -id: a4ad0fca-164c-4c1c-9562-056ddd888a75 +id: 88c1e21b-d987-5dcf-91c8-b11974b2bf40 status: experimental description: | Detects potential processes activity of Impero Connect RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: ImperoClientSVC.exe + ParentImage|endswith: 'ImperoClientSVC.exe' selection_image: - Image|endswith: ImperoClientSVC.exe + Image|endswith: 'ImperoClientSVC.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Impero Connect 
diff --git a/detections/sigma/instant_housecall_network_sigma.yml b/detections/sigma/instant_housecall_network_sigma.yml index f7a68d91..e02e9667 100644 --- a/detections/sigma/instant_housecall_network_sigma.yml +++ b/detections/sigma/instant_housecall_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Instant Housecall RMM Tool Network Activity -id: e65c0189-e2f8-4d59-ac5d-95550fd5a2ab +id: ce1de8ca-f922-527b-8f24-53e053a59af7 status: experimental description: | Detects potential network activity of Instant Housecall RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,10 +16,10 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.instanthousecall.com - - *.instanthousecall.net - - instanthousecall.com - - secure.instanthousecall.com + - '*.instanthousecall.com' + - 'secure.instanthousecall.com' + - '*.instanthousecall.net' + - 'instanthousecall.com' condition: selection falsepositives: - Legitimate use of Instant Housecall diff --git a/detections/sigma/instant_housecall_processes_sigma.yml b/detections/sigma/instant_housecall_processes_sigma.yml index 515523dc..c595d9d0 100644 --- a/detections/sigma/instant_housecall_processes_sigma.yml +++ b/detections/sigma/instant_housecall_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Instant Housecall RMM Tool Process Activity -id: d1610f9a-a13c-4033-80f5-695b87d8506c +id: 858675f2-f128-59b5-806a-dad5ea80166e status: experimental description: | Detects potential processes activity of Instant Housecall RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,16 +16,16 @@ logsource: detection: selection_parent: ParentImage|endswith: - - hsloader.exe - - ihcserver.exe - - instanthousecall.exe - - instanthousecall.exe + - 'hsloader.exe' + - 'InstantHousecall.exe' + - 'ihcserver.exe' + - 'instanthousecall.exe' selection_image: Image|endswith: - - hsloader.exe - - ihcserver.exe - - instanthousecall.exe - - instanthousecall.exe + - 'hsloader.exe' + - 'InstantHousecall.exe' + - 'ihcserver.exe' + - 'instanthousecall.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Instant Housecall diff --git a/detections/sigma/insync_processes_sigma.yml b/detections/sigma/insync_processes_sigma.yml index e61ca802..9641b370 100644 --- a/detections/sigma/insync_processes_sigma.yml +++ b/detections/sigma/insync_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Insync RMM Tool Process Activity -id: bf409b31-7807-4329-b3f9-2e94d3447a68 +id: cbcf273c-7cf3-5374-bd3b-92f6970c1c81 status: experimental description: | Detects potential processes activity of Insync RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,14 +16,14 @@ logsource: detection: selection_parent: ParentImage|endswith: - - Insync.exe - - Insync.exe - - Insync.exe + - 'C:\Users\USERNAME\AppData\Roaming\Insync\App\Insync.exe' + - '*Users\*\AppData\Roaming\Insync\App\Insync.exe' + - '*\Insync.exe' selection_image: Image|endswith: - - Insync.exe - - Insync.exe - - Insync.exe + - 'C:\Users\USERNAME\AppData\Roaming\Insync\App\Insync.exe' + - '*Users\*\AppData\Roaming\Insync\App\Insync.exe' + - '*\Insync.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Insync diff --git a/detections/sigma/intelliadmin_remote_control_network_sigma.yml b/detections/sigma/intelliadmin_remote_control_network_sigma.yml index f4d23cff..87305e19 100644 --- a/detections/sigma/intelliadmin_remote_control_network_sigma.yml 
+++ b/detections/sigma/intelliadmin_remote_control_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential IntelliAdmin Remote Control RMM Tool Network Activity -id: 9fcf8472-8fab-4b74-8074-aae4143ddfa3 +id: eca70842-1e98-5233-83d3-3e272938d7e4 status: experimental description: | Detects potential network activity of IntelliAdmin Remote Control RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,9 +16,9 @@ logsource: detection: selection: DestinationHostname|endswith: - - user_managed - - *.intelliadmin.com - - intelliadmin.com/remote-control + - 'user_managed' + - '*.intelliadmin.com' + - 'intelliadmin.com/remote-control' condition: selection falsepositives: - Legitimate use of IntelliAdmin Remote Control diff --git a/detections/sigma/intelliadmin_remote_control_processes_sigma.yml b/detections/sigma/intelliadmin_remote_control_processes_sigma.yml index 0ce5273f..0af926b5 100644 --- a/detections/sigma/intelliadmin_remote_control_processes_sigma.yml +++ b/detections/sigma/intelliadmin_remote_control_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential IntelliAdmin Remote Control RMM Tool Process Activity -id: 75a46f4a-38f7-4d29-bcb4-56311293bbbc +id: dd332b60-bd1f-5155-9dbb-c6f9219e71ff status: experimental description: | Detects potential processes activity of IntelliAdmin Remote Control RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,18 +16,18 @@ logsource: detection: selection_parent: ParentImage|endswith: - - iadmin.exe - - intelliadmin.exe - - agent32.exe - - agent64.exe - - agent_setup_5.exe + - 'iadmin.exe' + - 'intelliadmin.exe' + - 'agent32.exe' + - 'agent64.exe' + - 'agent_setup_5.exe' selection_image: Image|endswith: - - iadmin.exe - - intelliadmin.exe - - agent32.exe - - agent64.exe - - agent_setup_5.exe + - 'iadmin.exe' + - 'intelliadmin.exe' + - 'agent32.exe' + - 'agent64.exe' + - 'agent_setup_5.exe' condition: 1 of selection_* falsepositives: - Legitimate use of IntelliAdmin Remote Control diff --git a/detections/sigma/iperius_remote_network_sigma.yml b/detections/sigma/iperius_remote_network_sigma.yml index fc159f80..85a45af6 100644 --- a/detections/sigma/iperius_remote_network_sigma.yml +++ b/detections/sigma/iperius_remote_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Iperius Remote RMM Tool Network Activity -id: ae72a6f3-4916-4519-89e7-f372c5626a87 +id: 32437e12-e41b-5dfb-8774-fd9e6d32ef19 status: experimental description: | Detects potential network activity of Iperius Remote RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,10 +16,10 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.iperiusremote.com - - *.iperius.com - - *.iperius-rs.com - - iperiusremote.com + - '*.iperiusremote.com' + - '*.iperius.com' + - '*.iperius-rs.com' + - 'iperiusremote.com' condition: selection falsepositives: - Legitimate use of Iperius Remote diff --git a/detections/sigma/iperius_remote_processes_sigma.yml b/detections/sigma/iperius_remote_processes_sigma.yml index 74a7962c..6d216b1c 100644 --- a/detections/sigma/iperius_remote_processes_sigma.yml +++ b/detections/sigma/iperius_remote_processes_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential Iperius Remote RMM Tool Process Activity -id: 96613482-d916-418a-a12e-bf8511d25706 +id: 1d49e8d5-39d0-5eb9-94a3-35041cf802ef status: experimental description: | Detects potential processes activity of Iperius Remote RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - iperius.exe - - iperiusremote.exe + - 'iperius.exe' + - 'iperiusremote.exe' selection_image: Image|endswith: - - iperius.exe - - iperiusremote.exe + - 'iperius.exe' + - 'iperiusremote.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Iperius Remote diff --git a/detections/sigma/isl_light_network_sigma.yml b/detections/sigma/isl_light_network_sigma.yml index 8b3d5a2b..42050ad0 100644 --- a/detections/sigma/isl_light_network_sigma.yml +++ b/detections/sigma/isl_light_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential ISL Light RMM Tool Network Activity -id: 8dbc103e-7cab-4d22-bc9c-c23aa637d88f +id: f3b285f1-e50e-5df3-abf9-014c6693bd7c status: experimental description: | Detects potential network activity of ISL Light RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: islonline.com + DestinationHostname|endswith: 'islonline.com' condition: selection falsepositives: - Legitimate use of ISL Light diff --git a/detections/sigma/isl_light_processes_sigma.yml b/detections/sigma/isl_light_processes_sigma.yml index 75db88d3..43b8ac14 100644 --- a/detections/sigma/isl_light_processes_sigma.yml +++ b/detections/sigma/isl_light_processes_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential ISL Light RMM Tool Process Activity -id: e825422e-f5da-4849-b0d1-47698c45ee7a +id: 63705d15-2d16-56da-bd7c-754600e7b401 status: experimental description: | Detects potential processes activity of ISL Light RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,14 +16,14 @@ logsource: detection: selection_parent: ParentImage|endswith: - - islalwaysonmonitor.exe - - isllight.exe - - isllightservice.exe + - 'islalwaysonmonitor.exe' + - 'isllight.exe' + - 'isllightservice.exe' selection_image: Image|endswith: - - islalwaysonmonitor.exe - - isllight.exe - - isllightservice.exe + - 'islalwaysonmonitor.exe' + - 'isllight.exe' + - 'isllightservice.exe' condition: 1 of selection_* falsepositives: - Legitimate use of ISL Light diff --git a/detections/sigma/isl_online_network_sigma.yml b/detections/sigma/isl_online_network_sigma.yml index 974a6e81..c836da22 100644 --- a/detections/sigma/isl_online_network_sigma.yml +++ b/detections/sigma/isl_online_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential ISL Online RMM Tool Network Activity -id: 8c13bf9e-e7c7-4b8d-a52d-959b916f58f0 +id: 462deddf-73d4-5b5e-8935-77612a0a93e1 status: experimental description: | Detects potential network activity of ISL Online RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.islonline.com - - *.islonline.net + - '*.islonline.com' + - '*.islonline.net' condition: selection falsepositives: - Legitimate use of ISL Online diff --git a/detections/sigma/isl_online_processes_sigma.yml b/detections/sigma/isl_online_processes_sigma.yml index 1ef4d249..6e80a3b6 100644 --- a/detections/sigma/isl_online_processes_sigma.yml 
+++ b/detections/sigma/isl_online_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential ISL Online RMM Tool Process Activity -id: eb9d5ff4-9478-4edd-b83f-daa9eb04d756 +id: bad7c55b-aef0-5d0a-89f2-248859d75ee4 status: experimental description: | Detects potential processes activity of ISL Online RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,18 +16,18 @@ logsource: detection: selection_parent: ParentImage|endswith: - - islalwaysonmonitor.exe - - isllight.exe - - isllightservice.exe - - ISLLightClient.exe - - ISLLight.exe + - 'islalwaysonmonitor.exe' + - 'isllight.exe' + - 'isllightservice.exe' + - 'ISLLightClient.exe' + - '*\ISLLight.exe' selection_image: Image|endswith: - - islalwaysonmonitor.exe - - isllight.exe - - isllightservice.exe - - ISLLightClient.exe - - ISLLight.exe + - 'islalwaysonmonitor.exe' + - 'isllight.exe' + - 'isllightservice.exe' + - 'ISLLightClient.exe' + - '*\ISLLight.exe' condition: 1 of selection_* falsepositives: - Legitimate use of ISL Online diff --git a/detections/sigma/itarian_network_sigma.yml b/detections/sigma/itarian_network_sigma.yml index 94611d68..a2e337c2 100644 --- a/detections/sigma/itarian_network_sigma.yml +++ b/detections/sigma/itarian_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Itarian RMM Tool Network Activity -id: 88046776-bd77-44e9-bd62-96501867b81c +id: e483963d-3f2c-52fb-9d17-789db8e9c4dc status: experimental description: | Detects potential network activity of Itarian RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,11 +16,11 @@ logsource:
detection:
selection:
DestinationHostname|endswith:
- - mdmsupport.comodo.com
- - *.itsm-us1.comodo.com
- - *.cmdm.comodo.com
- - remoteaccess.itarian.com
- - servicedesk.itarian.com
+ - 'mdmsupport.comodo.com'
+ - '*.itsm-us1.comodo.com'
+ - '*.cmdm.comodo.com'
+ - 'remoteaccess.itarian.com'
+ - 'servicedesk.itarian.com'
condition: selection
falsepositives:
- Legitimate use of Itarian
diff --git a/detections/sigma/itarian_processes_sigma.yml b/detections/sigma/itarian_processes_sigma.yml
index 7e2629a3..69891864 100644
--- a/detections/sigma/itarian_processes_sigma.yml
+++ b/detections/sigma/itarian_processes_sigma.yml
@@ -1,12 +1,12 @@
title: Potential Itarian RMM Tool Process Activity
-id: c3e4f4a8-5086-404b-a03c-4e679e12125d
+id: b9a56429-bc01-5884-8531-ec5aa1bb89a9
status: experimental
description: |
Detects potential processes activity of Itarian RMM tool
references:
- https://github.com/magicsword-io/LOLRMM
author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
tags:
- attack.execution
- attack.t1219
@@ -16,28 +16,28 @@ logsource:
detection:
selection_parent:
ParentImage|endswith:
- - ITSMAgent.exe
- - RViewer.exe
- - ItsmRsp.exe
- - RAccess.exe
- - RmmService.exe
- - ITarianRemoteAccessSetup.exe
- - RDesktop.exe
- - ComodoRemoteControl.exe
- - ITSMService.exe
- - RHost.exe
+ - 'ITSMAgent.exe'
+ - 'RViewer.exe'
+ - 'ItsmRsp.exe'
+ - 'RAccess.exe'
+ - 'RmmService.exe'
+ - 'ITarianRemoteAccessSetup.exe'
+ - 'RDesktop.exe'
+ - 'ComodoRemoteControl.exe'
+ - 'ITSMService.exe'
+ - 'RHost.exe'
selection_image:
Image|endswith:
- - ITSMAgent.exe
- - RViewer.exe
- - ItsmRsp.exe
- - RAccess.exe
- - RmmService.exe
- - ITarianRemoteAccessSetup.exe
- - RDesktop.exe
- - ComodoRemoteControl.exe
- - ITSMService.exe
- - RHost.exe
+ - 'ITSMAgent.exe'
+ - 'RViewer.exe'
+ - 'ItsmRsp.exe'
+ - 'RAccess.exe'
+ - 'RmmService.exe'
+ - 'ITarianRemoteAccessSetup.exe'
+ - 'RDesktop.exe'
+ - 'ComodoRemoteControl.exe'
+ - 'ITSMService.exe'
+ - 'RHost.exe'
condition: 1 of selection_*
falsepositives:
- Legitimate use of Itarian
diff --git a/detections/sigma/itsupport247__connectwise__network_sigma.yml b/detections/sigma/itsupport247__connectwise__network_sigma.yml
index b6a85a00..7f79f449 100644
--- a/detections/sigma/itsupport247__connectwise__network_sigma.yml
+++ b/detections/sigma/itsupport247__connectwise__network_sigma.yml
@@ -1,12 +1,12 @@
title: Potential ITSupport247 (ConnectWise) RMM Tool Network Activity
-id: 2966b368-1e5b-4abb-9cde-30a84e747b6f
+id: 149e5ada-ee4b-5243-949f-4d202109e786
status: experimental
description: |
Detects potential network activity of ITSupport247 (ConnectWise) RMM tool
references:
- https://github.com/magicsword-io/LOLRMM
author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
tags:
- attack.execution
- attack.t1219
@@ -15,7 +15,9 @@ logsource:
category: network_connection
detection:
selection:
- DestinationHostname|endswith: *.itsupport247.net
+ DestinationHostname|endswith:
+ - '*.itsupport247.net'
+ - 'itsupport247.net'
condition: selection
falsepositives:
- Legitimate use of ITSupport247 (ConnectWise)
diff --git a/detections/sigma/itsupport247__connectwise__processes_sigma.yml b/detections/sigma/itsupport247__connectwise__processes_sigma.yml
index 32ffb171..a46006c2 100644
--- a/detections/sigma/itsupport247__connectwise__processes_sigma.yml
+++ b/detections/sigma/itsupport247__connectwise__processes_sigma.yml
@@ -1,12 +1,12 @@
title: Potential ITSupport247 (ConnectWise) RMM Tool Process Activity
-id: 64c6625f-8cd0-4207-b7c0-2825a7d7b094
+id: a8f5117c-25ad-5f32-a6cf-aa4cec73dbab
status: experimental
description: |
Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool
references:
- https://github.com/magicsword-io/LOLRMM
author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
tags:
- attack.execution
- attack.t1219
@@ -15,9 +15,9 @@ logsource:
category: process_creation
detection:
selection_parent:
- ParentImage|endswith: saazapsc.exe
+ ParentImage|endswith: 'saazapsc.exe'
selection_image:
- Image|endswith: saazapsc.exe
+ Image|endswith: 'saazapsc.exe'
condition: 1 of selection_*
falsepositives:
- Legitimate use of ITSupport247 (ConnectWise)
diff --git a/detections/sigma/ivanti_remote_control_network_sigma.yml b/detections/sigma/ivanti_remote_control_network_sigma.yml
index aef955a8..6701fc9a 100644
--- a/detections/sigma/ivanti_remote_control_network_sigma.yml
+++ b/detections/sigma/ivanti_remote_control_network_sigma.yml
@@ -1,12 +1,12 @@
title: Potential Ivanti Remote Control RMM Tool Network Activity
-id: af972e9e-571f-4f54-9e71-83b3f14b3521
+id: c7de30b2-80bf-5405-961d-ff8c89437abe
status: experimental
description: |
Detects potential network activity of Ivanti Remote Control RMM tool
references:
- https://github.com/magicsword-io/LOLRMM
author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
tags:
- attack.execution
- attack.t1219
@@ -15,7 +15,7 @@ logsource:
category: network_connection
detection:
selection:
- DestinationHostname|endswith: *.ivanticloud.com
+ DestinationHostname|endswith: '*.ivanticloud.com'
condition: selection
falsepositives:
- Legitimate use of Ivanti Remote Control
diff --git a/detections/sigma/ivanti_remote_control_processes_sigma.yml b/detections/sigma/ivanti_remote_control_processes_sigma.yml
index 11a67c3b..43cf5eca 100644
--- a/detections/sigma/ivanti_remote_control_processes_sigma.yml
+++ b/detections/sigma/ivanti_remote_control_processes_sigma.yml
@@ -1,12 +1,12 @@
title: Potential Ivanti Remote Control RMM Tool Process Activity
-id: ee98c832-56bc-4162-97fd-4963cd37f428
+id: fa596aaf-dbf7-52be-90f0-10a4db037e02
status: experimental
description: |
Detects potential processes activity of Ivanti Remote Control RMM tool
references:
- https://github.com/magicsword-io/LOLRMM
author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
tags:
- attack.execution
- attack.t1219
@@ -16,14 +16,14 @@ logsource:
detection:
selection_parent:
ParentImage|endswith:
- - IvantiRemoteControl.exe
- - ArcUI.exe
- - AgentlessRC.exe
+ - 'IvantiRemoteControl.exe'
+ - 'ArcUI.exe'
+ - 'AgentlessRC.exe'
selection_image:
Image|endswith:
- - IvantiRemoteControl.exe
- - ArcUI.exe
- - AgentlessRC.exe
+ - 'IvantiRemoteControl.exe'
+ - 'ArcUI.exe'
+ - 'AgentlessRC.exe'
condition: 1 of selection_*
falsepositives:
- Legitimate use of Ivanti Remote Control
diff --git a/detections/sigma/jump_cloud_network_sigma.yml b/detections/sigma/jump_cloud_network_sigma.yml
index f0cebd05..c48a6613 100644
--- a/detections/sigma/jump_cloud_network_sigma.yml
+++ b/detections/sigma/jump_cloud_network_sigma.yml
@@ -1,12 +1,12 @@
title: Potential Jump Cloud RMM Tool Network Activity
-id: 16b4a42b-f942-4593-bb05-442d1cce60ef
+id: c98b5b05-3393-5678-9240-43f2866de11b
status: experimental
description: |
Detects potential network activity of Jump Cloud RMM tool
references:
- https://github.com/magicsword-io/LOLRMM
author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
tags:
- attack.execution
- attack.t1219
@@ -16,8 +16,8 @@ logsource:
detection:
selection:
DestinationHostname|endswith:
- - *.api.jumpcloud.com
- - *.assist.jumpcloud.com
+ - '*.api.jumpcloud.com'
+ - '*.assist.jumpcloud.com'
condition: selection
falsepositives:
- Legitimate use of Jump Cloud
diff --git a/detections/sigma/jump_desktop_network_sigma.yml b/detections/sigma/jump_desktop_network_sigma.yml
index 5a8d97b5..0a8fe7af 100644
--- a/detections/sigma/jump_desktop_network_sigma.yml
+++ b/detections/sigma/jump_desktop_network_sigma.yml
@@ -1,12 +1,12 @@
title: Potential Jump Desktop RMM Tool Network Activity
-id: dece7c90-f789-4724-a787-e65445e232b2
+id: 8e92ecf4-39f1-5247-ba79-209fca410e73
status: experimental
description: |
Detects potential network activity of Jump Desktop RMM tool
references:
- https://github.com/magicsword-io/LOLRMM
author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
tags:
- attack.execution
- attack.t1219
@@ -16,10 +16,10 @@ logsource:
detection:
selection:
DestinationHostname|endswith:
- - *.jumpdesktop.com
- - jumpdesktop.com
- - jumpto.me
- - *.jumpto.me
+ - '*.jumpdesktop.com'
+ - 'jumpdesktop.com'
+ - 'jumpto.me'
+ - '*.jumpto.me'
condition: selection
falsepositives:
- Legitimate use of Jump Desktop
diff --git a/detections/sigma/jump_desktop_processes_sigma.yml b/detections/sigma/jump_desktop_processes_sigma.yml
index e38048e4..228770ba 100644
--- a/detections/sigma/jump_desktop_processes_sigma.yml
+++ b/detections/sigma/jump_desktop_processes_sigma.yml
@@ -1,12 +1,12 @@
title: Potential Jump Desktop RMM Tool Process Activity
-id: 9acbccef-f6f9-4a81-83ef-38f04540ee4a
+id: 652866d5-c987-5cc8-ac5a-2084a89665c7
status: experimental
description: |
Detects potential processes activity of Jump Desktop RMM tool
references:
- https://github.com/magicsword-io/LOLRMM
author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
tags:
- attack.execution
- attack.t1219
@@ -16,18 +16,18 @@ logsource:
detection:
selection_parent:
ParentImage|endswith:
- - jumpclient.exe
- - jumpdesktop.exe
- - jumpservice.exe
- - jumpconnect.exe
- - jumpupdater.exe
+ - 'jumpclient.exe'
+ - 'jumpdesktop.exe'
+ - 'jumpservice.exe'
+ - 'jumpconnect.exe'
+ - 'jumpupdater.exe'
selection_image:
Image|endswith:
- - jumpclient.exe
- - jumpdesktop.exe
- - jumpservice.exe
- - jumpconnect.exe
- - jumpupdater.exe
+ - 'jumpclient.exe'
+ - 'jumpdesktop.exe'
+ - 'jumpservice.exe'
+ - 'jumpconnect.exe'
+ - 'jumpupdater.exe'
condition: 1 of selection_*
falsepositives:
- Legitimate use of Jump Desktop
diff --git a/detections/sigma/kabuto_network_sigma.yml b/detections/sigma/kabuto_network_sigma.yml
index f847dbbe..a93872c3 100644
--- a/detections/sigma/kabuto_network_sigma.yml
+++ b/detections/sigma/kabuto_network_sigma.yml
@@ -1,12 +1,12 @@
title: Potential Kabuto RMM Tool Network Activity
-id: 2e94d749-2e6d-4044-9982-58edf224ecdf
+id: b6a4a650-8624-59f2-9dae-8885418002ca
status: experimental
description: |
Detects potential network activity of Kabuto RMM tool
references:
- https://github.com/magicsword-io/LOLRMM
author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
tags:
- attack.execution
- attack.t1219
@@ -16,8 +16,8 @@ logsource:
detection:
selection:
DestinationHostname|endswith:
- - *.kabuto.io
- - repairtechsolutions.com/kabuto/
+ - '*.kabuto.io'
+ - 'repairtechsolutions.com/kabuto/'
condition: selection
falsepositives:
- Legitimate use of Kabuto
diff --git a/detections/sigma/kabuto_processes_sigma.yml b/detections/sigma/kabuto_processes_sigma.yml
index f6731e0b..453293d4 100644
--- a/detections/sigma/kabuto_processes_sigma.yml
+++ b/detections/sigma/kabuto_processes_sigma.yml
@@ -1,12 +1,12 @@
title: Potential Kabuto RMM Tool Process Activity
-id: eb031d9a-c5d6-431a-bf90-912eb8e614c4
+id: 62b8343d-71b4-570a-b2b4-f40f857392cf
status: experimental
description: |
Detects potential processes activity of Kabuto RMM tool
references:
- https://github.com/magicsword-io/LOLRMM
author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
tags:
- attack.execution
- attack.t1219
@@ -15,9 +15,9 @@ logsource:
category: process_creation
detection:
selection_parent:
- ParentImage|endswith: Kabuto.App.Runner.exe
+ ParentImage|endswith: 'Kabuto.App.Runner.exe'
selection_image:
- Image|endswith: Kabuto.App.Runner.exe
+ Image|endswith: 'Kabuto.App.Runner.exe'
condition: 1 of selection_*
falsepositives:
- Legitimate use of Kabuto
diff --git a/detections/sigma/kaseya__vsa__files_sigma.yml b/detections/sigma/kaseya__vsa__files_sigma.yml
index d757f01b..ae5681c1 100644
--- a/detections/sigma/kaseya__vsa__files_sigma.yml
+++ b/detections/sigma/kaseya__vsa__files_sigma.yml
@@ -1,12 +1,12 @@
title: Potential Kaseya (VSA) RMM Tool File Activity
-id: 946d8fc9-9de3-40d6-b9dd-ffbfcf803f06
+id: 559d9ade-0adc-5304-9907-146feb748945
status: experimental
description: |
Detects potential files activity of Kaseya (VSA) RMM tool
references:
- https://github.com/magicsword-io/LOLRMM
author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
tags:
- attack.execution
- attack.t1219
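Review bot: `'repairtechsolutions.com/kabuto/'` is a URL path, not a hostname, so a `DestinationHostname|endswith` selection can never match it; the Laplink Gold network rule later in this diff has the same problem with `'wen.laplink.com/product/laplink-gold'`. Either reduce the value to its host part, `'repairtechsolutions.com'`, or put it in a URL-typed field in a separate selection. Because these files are generated, the fix presumably belongs in the source entry the generator reads rather than in this output.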
@@ -16,22 +16,22 @@ logsource:
detection:
selection:
TargetFilename|endswith:
- - %localappdata%\Kaseya\Log\KaseyaLiveConnect\*
- - ~/Library/Logs/com.kaseya/KaseyaLiveConnect/*
- - C:\ProgramData\Kaseya\Log\Endpoint\*
- - C:\Program Files*\Kaseya\*\agentmon.log
- - /var/log/system.log
- - ~/opt/kaseya/*/logs*
- - C:\Users\*\AppData\Local\Temp\KASetup.log
- - C:\Windows\Temp\KASetup.log
- - C:\ProgramData\Kaseya\Log\KaseyaEdgeServices\*
- - C:\Kaseya\api\v1.0\logs\
- - C:\Kaseya\api\v1.5\endpoint\logs
- - C:\Kaseya\api\v1.5\endpoints\logs
- - C:\Windows\System32\config\systemprofile\AppData\Local\Kaseya\Log\MakeSelfSignedCert.exe\
- - C:\Kaseya\WebPages\install\makecert.txt
- - C:\ProgramData\Kaseya\Log\Endpoint\Instance_*\KaseyaEndpoint*
- - C:\ProgramData\Kaseya\Log\Endpoint\Instance_*\Session_*
+ - '%localappdata%\Kaseya\Log\KaseyaLiveConnect\*'
+ - '~/Library/Logs/com.kaseya/KaseyaLiveConnect/*'
+ - 'C:\ProgramData\Kaseya\Log\Endpoint\*'
+ - 'C:\Program Files*\Kaseya\*\agentmon.log'
+ - '/var/log/system.log'
+ - ' ~/opt/kaseya/*/logs*'
+ - 'C:\Users\*\AppData\Local\Temp\KASetup.log'
+ - 'C:\Windows\Temp\KASetup.log'
+ - 'C:\ProgramData\Kaseya\Log\KaseyaEdgeServices\*'
+ - 'C:\Kaseya\api\v1.0\logs\'
+ - 'C:\Kaseya\api\v1.5\endpoint\logs'
+ - 'C:\Kaseya\api\v1.5\endpoints\logs'
+ - 'C:\Windows\System32\config\systemprofile\AppData\Local\Kaseya\Log\MakeSelfSignedCert.exe\'
+ - 'C:\Kaseya\WebPages\install\makecert.txt'
+ - 'C:\ProgramData\Kaseya\Log\Endpoint\Instance_*\KaseyaEndpoint*'
+ - 'C:\ProgramData\Kaseya\Log\Endpoint\Instance_*\Session_*'
condition: selection
falsepositives:
- Legitimate use of Kaseya (VSA)
diff --git a/detections/sigma/kaseya__vsa__network_sigma.yml b/detections/sigma/kaseya__vsa__network_sigma.yml
index 819a6c8c..378efde5 100644
--- a/detections/sigma/kaseya__vsa__network_sigma.yml
+++ b/detections/sigma/kaseya__vsa__network_sigma.yml
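Review bot: The new quoting preserves a leading space in `' ~/opt/kaseya/*/logs*'` that the unquoted form previously dropped, so that entry can now only match a path that begins with a space; the source value needs trimming, and the generator could strip values before writing them. Several Windows entries also contain `\*` (`KaseyaLiveConnect\*`, `Endpoint\*`, `Kaseya\*\agentmon.log`), which the Sigma value syntax treats as an escaped literal asterisk rather than a backslash followed by a wildcard — if that reading is correct those entries need `\\*` to match real paths, and the same applies to `'C:\*\kitty.exe'` in the KiTTY rule. `'/var/log/system.log'` is the generic macOS system log and will fire on every write to it, so it is worth dropping or moving to a lower-severity rule.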
@@ -1,12 +1,12 @@
title: Potential Kaseya (VSA) RMM Tool Network Activity
-id: b50291cd-fc39-4416-af8e-e53be7c6eb51
+id: 17e5ca30-80b3-5197-bb20-e7ae2ac4ada8
status: experimental
description: |
Detects potential network activity of Kaseya (VSA) RMM tool
references:
- https://github.com/magicsword-io/LOLRMM
author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
tags:
- attack.execution
- attack.t1219
@@ -16,10 +16,10 @@ logsource:
detection:
selection:
DestinationHostname|endswith:
- - deploy01.kaseya.com
- - *managedsupport.kaseya.net
- - *.kaseya.net
- - kaseya.com
+ - 'deploy01.kaseya.com'
+ - '*managedsupport.kaseya.net'
+ - '*.kaseya.net'
+ - 'kaseya.com'
condition: selection
falsepositives:
- Legitimate use of Kaseya (VSA)
diff --git a/detections/sigma/khelpdesk_network_sigma.yml b/detections/sigma/khelpdesk_network_sigma.yml
index b50522df..114e65a3 100644
--- a/detections/sigma/khelpdesk_network_sigma.yml
+++ b/detections/sigma/khelpdesk_network_sigma.yml
@@ -1,12 +1,12 @@
title: Potential KHelpDesk RMM Tool Network Activity
-id: 90775381-4d54-44e5-a6b5-d10cbef7b9c6
+id: 7fcb8e36-d01f-57b2-9d4a-6589f6b4a6ae
status: experimental
description: |
Detects potential network activity of KHelpDesk RMM tool
references:
- https://github.com/magicsword-io/LOLRMM
author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
tags:
- attack.execution
- attack.t1219
@@ -15,7 +15,7 @@ logsource:
category: network_connection
detection:
selection:
- DestinationHostname|endswith: *.khelpdesk.com.br
+ DestinationHostname|endswith: '*.khelpdesk.com.br'
condition: selection
falsepositives:
- Legitimate use of KHelpDesk
diff --git a/detections/sigma/khelpdesk_processes_sigma.yml b/detections/sigma/khelpdesk_processes_sigma.yml
index 5bb22b59..2081ba3f 100644
--- a/detections/sigma/khelpdesk_processes_sigma.yml
+++ b/detections/sigma/khelpdesk_processes_sigma.yml
@@ -1,12 +1,12 @@
title: Potential KHelpDesk RMM Tool Process Activity
-id: 8b496055-2cb4-40b1-8a3e-f6a038216ed4
+id: e3bcd5dc-0705-5991-9d0b-ba167039fe0e
status: experimental
description: |
Detects potential processes activity of KHelpDesk RMM tool
references:
- https://github.com/magicsword-io/LOLRMM
author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
tags:
- attack.execution
- attack.t1219
@@ -15,9 +15,9 @@ logsource:
category: process_creation
detection:
selection_parent:
- ParentImage|endswith: KHelpDesk.exe
+ ParentImage|endswith: 'KHelpDesk.exe'
selection_image:
- Image|endswith: KHelpDesk.exe
+ Image|endswith: 'KHelpDesk.exe'
condition: 1 of selection_*
falsepositives:
- Legitimate use of KHelpDesk
diff --git a/detections/sigma/kickidler_network_sigma.yml b/detections/sigma/kickidler_network_sigma.yml
index 4899b780..a26e704e 100644
--- a/detections/sigma/kickidler_network_sigma.yml
+++ b/detections/sigma/kickidler_network_sigma.yml
@@ -1,12 +1,12 @@
title: Potential KickIdler RMM Tool Network Activity
-id: 7ebb5c84-5afb-4681-93eb-a021f4c2afd8
+id: a700629c-ef7e-5092-9dc0-dc4dd4fee2f6
status: experimental
description: |
Detects potential network activity of KickIdler RMM tool
references:
- https://github.com/magicsword-io/LOLRMM
author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
tags:
- attack.execution
- attack.t1219
@@ -16,8 +16,8 @@ logsource:
detection:
selection:
DestinationHostname|endswith:
- - kickidler.com
- - my.kickidler.com
+ - 'kickidler.com'
+ - 'my.kickidler.com'
condition: selection
falsepositives:
- Legitimate use of KickIdler
diff --git a/detections/sigma/kitty_processes_sigma.yml b/detections/sigma/kitty_processes_sigma.yml
index d6c92e23..99b56b5d 100644
--- a/detections/sigma/kitty_processes_sigma.yml
+++ b/detections/sigma/kitty_processes_sigma.yml
@@ -1,12 +1,12 @@
title: Potential KiTTY RMM Tool Process Activity
-id: 16f59187-85fc-4f5f-8701-0f7bec8dfcc7
+id: 832b997b-ade9-576d-b12a-1b8b0b703d49
status: experimental
description: |
Detects potential processes activity of KiTTY RMM tool
references:
- https://github.com/magicsword-io/LOLRMM
author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
tags:
- attack.execution
- attack.t1219
@@ -16,12 +16,12 @@ logsource:
detection:
selection_parent:
ParentImage|endswith:
- - kitty.exe
- - kitty.exe
+ - 'C:\*\kitty.exe'
+ - '*\kitty.exe'
selection_image:
Image|endswith:
- - kitty.exe
- - kitty.exe
+ - 'C:\*\kitty.exe'
+ - '*\kitty.exe'
condition: 1 of selection_*
falsepositives:
- Legitimate use of KiTTY
diff --git a/detections/sigma/labteach__connectwise_automate__processes_sigma.yml b/detections/sigma/labteach__connectwise_automate__processes_sigma.yml
index 73fdc0a8..b9a544e5 100644
--- a/detections/sigma/labteach__connectwise_automate__processes_sigma.yml
+++ b/detections/sigma/labteach__connectwise_automate__processes_sigma.yml
@@ -1,12 +1,12 @@
title: Potential LabTeach (Connectwise Automate) RMM Tool Process Activity
-id: de783c6d-027e-41eb-b53d-6875cd09a7f1
+id: 3f3a9015-d1de-54fb-bf63-1aabda232baf
status: experimental
description: |
Detects potential processes activity of LabTeach (Connectwise Automate) RMM tool
references:
- https://github.com/magicsword-io/LOLRMM
author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
tags:
- attack.execution
- attack.t1219
@@ -15,9 +15,9 @@ logsource:
category: process_creation
detection:
selection_parent:
- ParentImage|endswith: ltsvc.exe
+ ParentImage|endswith: 'ltsvc.exe'
selection_image:
- Image|endswith: ltsvc.exe
+ Image|endswith: 'ltsvc.exe'
condition: 1 of selection_*
falsepositives:
- Legitimate use of LabTeach (Connectwise Automate)
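Review bot: In the KiTTY process hunk, `'C:\*\kitty.exe'` contains `\*`, which the Sigma value syntax reads as an escaped literal asterisk, so that entry matches only a path with a literal `\*\` component; under `endswith` the second entry `'*\kitty.exe'` already covers every real path, so the first can simply be dropped rather than fixed. This hunk also tightens the match from bare `kitty.exe`, which `endswith` would match inside names such as `mykitty.exe`, to a path-separated `*\kitty.exe` — a behavioural change in an otherwise quoting-only commit, and the duplicate `kitty.exe` lines on the old side suggest the source list was not deduplicated before generation.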
diff --git a/detections/sigma/labtech_rmm__now_connectwise_automate__network_sigma.yml b/detections/sigma/labtech_rmm__now_connectwise_automate__network_sigma.yml
index e19e165a..f4bcffdb 100644
--- a/detections/sigma/labtech_rmm__now_connectwise_automate__network_sigma.yml
+++ b/detections/sigma/labtech_rmm__now_connectwise_automate__network_sigma.yml
@@ -1,12 +1,12 @@
title: Potential LabTech RMM (Now ConnectWise Automate) RMM Tool Network Activity
-id: 68683c0f-ea95-4c02-a77e-2bf328ce4678
+id: 0c3b86b8-b386-5b60-9d98-8de45fee5f99
status: experimental
description: |
Detects potential network activity of LabTech RMM (Now ConnectWise Automate) RMM tool
references:
- https://github.com/magicsword-io/LOLRMM
author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
tags:
- attack.execution
- attack.t1219
@@ -15,7 +15,7 @@ logsource:
category: network_connection
detection:
selection:
- DestinationHostname|endswith: connectwise.com
+ DestinationHostname|endswith: 'connectwise.com'
condition: selection
falsepositives:
- Legitimate use of LabTech RMM (Now ConnectWise Automate)
diff --git a/detections/sigma/labtech_rmm__now_connectwise_automate__processes_sigma.yml b/detections/sigma/labtech_rmm__now_connectwise_automate__processes_sigma.yml
index c6186d74..53aebac8 100644
--- a/detections/sigma/labtech_rmm__now_connectwise_automate__processes_sigma.yml
+++ b/detections/sigma/labtech_rmm__now_connectwise_automate__processes_sigma.yml
@@ -1,12 +1,12 @@
title: Potential LabTech RMM (Now ConnectWise Automate) RMM Tool Process Activity
-id: 734c8aa4-6b06-4d41-8127-00cc22d63e5e
+id: a257dce9-9077-55a2-82c9-6258eb991649
status: experimental
description: |
Detects potential processes activity of LabTech RMM (Now ConnectWise Automate) RMM tool
references:
- https://github.com/magicsword-io/LOLRMM
author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
tags:
- attack.execution
- attack.t1219
@@ -16,14 +16,14 @@ logsource:
detection:
selection_parent:
ParentImage|endswith:
- - ltsvc.exe
- - ltsvcmon.exe
- - lttray.exe
+ - 'ltsvc.exe'
+ - 'ltsvcmon.exe'
+ - 'lttray.exe'
selection_image:
Image|endswith:
- - ltsvc.exe
- - ltsvcmon.exe
- - lttray.exe
+ - 'ltsvc.exe'
+ - 'ltsvcmon.exe'
+ - 'lttray.exe'
condition: 1 of selection_*
falsepositives:
- Legitimate use of LabTech RMM (Now ConnectWise Automate)
diff --git a/detections/sigma/landesk_network_sigma.yml b/detections/sigma/landesk_network_sigma.yml
index 5a5bab02..177cf72e 100644
--- a/detections/sigma/landesk_network_sigma.yml
+++ b/detections/sigma/landesk_network_sigma.yml
@@ -1,12 +1,12 @@
title: Potential LANDesk RMM Tool Network Activity
-id: 6f8b6b90-e98a-4915-a977-f4e829e9bef6
+id: a6b3f45d-59b7-5c65-9a63-9ecda59571d7
status: experimental
description: |
Detects potential network activity of LANDesk RMM tool
references:
- https://github.com/magicsword-io/LOLRMM
author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
tags:
- attack.execution
- attack.t1219
@@ -16,9 +16,9 @@ logsource:
detection:
selection:
DestinationHostname|endswith:
- - *.ivanticloud.com
- - *.ivanti.com
- - ivanti.com
+ - '*.ivanticloud.com'
+ - '*.ivanti.com'
+ - 'ivanti.com'
condition: selection
falsepositives:
- Legitimate use of LANDesk
diff --git a/detections/sigma/landesk_processes_sigma.yml b/detections/sigma/landesk_processes_sigma.yml
index df850910..9c79c021 100644
--- a/detections/sigma/landesk_processes_sigma.yml
+++ b/detections/sigma/landesk_processes_sigma.yml
@@ -1,12 +1,12 @@
title: Potential LANDesk RMM Tool Process Activity
-id: ee604e54-ca2b-4b4c-a6c8-1136da7601ce
+id: 747e2541-2d4b-50f5-a101-7274dcfb6cbf
status: experimental
description: |
Detects potential processes activity of LANDesk RMM tool
references:
- https://github.com/magicsword-io/LOLRMM
author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
tags:
- attack.execution
- attack.t1219
@@ -16,24 +16,24 @@ logsource:
detection:
selection_parent:
ParentImage|endswith:
- - issuser.exe
- - landeskagentbootstrap.exe
- - LANDeskPortalManager.exe
- - ldinv32.exe
- - ldsensors.exe
- - issuser.exe
- - softmon.exe
- - tmcsvc.exe
+ - 'issuser.exe'
+ - 'landeskagentbootstrap.exe'
+ - 'LANDeskPortalManager.exe'
+ - 'ldinv32.exe'
+ - 'ldsensors.exe'
+ - '*\issuser.exe'
+ - '*\softmon.exe'
+ - '*\tmcsvc.exe'
selection_image:
Image|endswith:
- - issuser.exe
- - landeskagentbootstrap.exe
- - LANDeskPortalManager.exe
- - ldinv32.exe
- - ldsensors.exe
- - issuser.exe
- - softmon.exe
- - tmcsvc.exe
+ - 'issuser.exe'
+ - 'landeskagentbootstrap.exe'
+ - 'LANDeskPortalManager.exe'
+ - 'ldinv32.exe'
+ - 'ldsensors.exe'
+ - '*\issuser.exe'
+ - '*\softmon.exe'
+ - '*\tmcsvc.exe'
condition: 1 of selection_*
falsepositives:
- Legitimate use of LANDesk
diff --git a/detections/sigma/laplink_everywhere_network_sigma.yml b/detections/sigma/laplink_everywhere_network_sigma.yml
index 1c9b1be1..18abf7c9 100644
--- a/detections/sigma/laplink_everywhere_network_sigma.yml
+++ b/detections/sigma/laplink_everywhere_network_sigma.yml
@@ -1,12 +1,12 @@
title: Potential Laplink Everywhere RMM Tool Network Activity
-id: 4a81a286-94d4-442d-9f11-0977a0c1a80c
+id: bf3a6a41-397f-5601-96c3-81d1279eadf8
status: experimental
description: |
Detects potential network activity of Laplink Everywhere RMM tool
references:
- https://github.com/magicsword-io/LOLRMM
author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
tags:
- attack.execution
- attack.t1219
@@ -16,9 +16,9 @@ logsource:
detection:
selection:
DestinationHostname|endswith:
- - everywhere.laplink.com
- - le.laplink.com
- - atled.syspectr.com
+ - 'everywhere.laplink.com'
+ - 'le.laplink.com'
+ - 'atled.syspectr.com'
condition: selection
falsepositives:
- Legitimate use of Laplink Everywhere
diff --git a/detections/sigma/laplink_everywhere_processes_sigma.yml b/detections/sigma/laplink_everywhere_processes_sigma.yml
index 53746c94..378877ed 100644
--- a/detections/sigma/laplink_everywhere_processes_sigma.yml
+++ b/detections/sigma/laplink_everywhere_processes_sigma.yml
@@ -1,12 +1,12 @@
title: Potential Laplink Everywhere RMM Tool Process Activity
-id: 89579976-a789-4554-9ef3-926b38cbb1ed
+id: 81dadd37-276a-56a9-a922-a122e0ee5ae0
status: experimental
description: |
Detects potential processes activity of Laplink Everywhere RMM tool
references:
- https://github.com/magicsword-io/LOLRMM
author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
tags:
- attack.execution
- attack.t1219
@@ -16,20 +16,20 @@ logsource:
detection:
selection_parent:
ParentImage|endswith:
- - laplink.exe
- - laplink-everywhere-setup*.exe
- - laplinkeverywhere.exe
- - llrcservice.exe
- - serverproxyservice.exe
- - OOSysAgent.exe
+ - 'laplink.exe'
+ - 'laplink-everywhere-setup*.exe'
+ - 'laplinkeverywhere.exe'
+ - 'llrcservice.exe'
+ - 'serverproxyservice.exe'
+ - 'OOSysAgent.exe'
selection_image:
Image|endswith:
- - laplink.exe
- - laplink-everywhere-setup*.exe
- - laplinkeverywhere.exe
- - llrcservice.exe
- - serverproxyservice.exe
- - OOSysAgent.exe
+ - 'laplink.exe'
+ - 'laplink-everywhere-setup*.exe'
+ - 'laplinkeverywhere.exe'
+ - 'llrcservice.exe'
+ - 'serverproxyservice.exe'
+ - 'OOSysAgent.exe'
condition: 1 of selection_*
falsepositives:
- Legitimate use of Laplink Everywhere
diff --git a/detections/sigma/laplink_gold_network_sigma.yml b/detections/sigma/laplink_gold_network_sigma.yml
index 46fe9c54..65d025af 100644
--- a/detections/sigma/laplink_gold_network_sigma.yml
+++ b/detections/sigma/laplink_gold_network_sigma.yml
@@ -1,12 +1,12 @@
title: Potential Laplink Gold RMM Tool Network Activity
-id: bf3f2291-9d6d-43f2-bbd3-751b3a6b76b7
+id: 1eed379e-bdd8-5808-a400-4fcc82192b34
status: experimental
description: |
Detects potential network activity of Laplink Gold RMM tool
references:
- https://github.com/magicsword-io/LOLRMM
author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
tags:
- attack.execution
- attack.t1219
@@ -16,8 +16,8 @@ logsource:
detection:
selection:
DestinationHostname|endswith:
- - user_managed
- - wen.laplink.com/product/laplink-gold
+ - 'user_managed'
+ - 'wen.laplink.com/product/laplink-gold'
condition: selection
falsepositives:
- Legitimate use of Laplink Gold
diff --git a/detections/sigma/laplink_gold_processes_sigma.yml b/detections/sigma/laplink_gold_processes_sigma.yml
index 667dd101..d1ac3c33 100644
--- a/detections/sigma/laplink_gold_processes_sigma.yml
+++ b/detections/sigma/laplink_gold_processes_sigma.yml
@@ -1,12 +1,12 @@
title: Potential Laplink Gold RMM Tool Process Activity
-id: af4b14bc-2afc-49ea-8767-0f0b75c0d2e9
+id: 66d2649c-b7fd-5dd1-a182-9cbf1bc9bd37
status: experimental
description: |
Detects potential processes activity of Laplink Gold RMM tool
references:
- https://github.com/magicsword-io/LOLRMM
author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
tags:
- attack.execution
- attack.t1219
@@ -16,12 +16,12 @@ logsource:
detection:
selection_parent:
ParentImage|endswith:
- - tsircusr.exe
- - laplink.exe
+ - 'tsircusr.exe'
+ - 'laplink.exe'
selection_image:
Image|endswith:
- - tsircusr.exe
- - laplink.exe
+ - 'tsircusr.exe'
+ - 'laplink.exe'
condition: 1 of selection_*
falsepositives:
- Legitimate use of Laplink Gold
diff --git a/detections/sigma/level.io_files_sigma.yml b/detections/sigma/level.io_files_sigma.yml
index 57280a3f..9e533d72 100644
--- a/detections/sigma/level.io_files_sigma.yml
+++ b/detections/sigma/level.io_files_sigma.yml
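Review bot: In the Laplink Gold network hunk, `'user_managed'` is not a hostname; it reads like a placeholder from the source entry that was emitted verbatim into a `DestinationHostname|endswith` list, where it can never match and only adds a dead clause to every converted query. The generator should skip such values, or the source entry should be cleaned, and the same applies to the second entry, which is a URL path rather than a host. Note that the `'laplink.exe'` value in the Laplink Gold process rule is shared with the Laplink Everywhere process rule above, so both rules will fire on the same event.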
@@ -1,12 +1,12 @@
title: Potential Level.io RMM Tool File Activity
-id: 283bfff1-1163-4f7f-89bb-7858dcc4c5de
+id: cb4aef36-7b73-575d-9cf8-94a31f80a8b0
status: experimental
description: |
Detects potential files activity of Level.io RMM tool
references:
- https://github.com/magicsword-io/LOLRMM
author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
tags:
- attack.execution
- attack.t1219
@@ -16,9 +16,9 @@ logsource:
detection:
selection:
TargetFilename|endswith:
- - C:\Program Files\Level\level.exe
- - C:\Program Files\Level\osqueryi.exe
- - C:\Program Files\Level\level.log
+ - 'C:\Program Files\Level\level.exe'
+ - 'C:\Program Files\Level\osqueryi.exe'
+ - 'C:\Program Files\Level\level.log'
condition: selection
falsepositives:
- Legitimate use of Level.io
diff --git a/detections/sigma/level.io_network_sigma.yml b/detections/sigma/level.io_network_sigma.yml
index 08fb6935..1385d179 100644
--- a/detections/sigma/level.io_network_sigma.yml
+++ b/detections/sigma/level.io_network_sigma.yml
@@ -1,12 +1,12 @@
title: Potential Level.io RMM Tool Network Activity
-id: 2c9f1b5f-26a7-4493-8f7f-c6f31776c7fe
+id: 3741c941-c218-5b9f-9a42-ad021dff3b6b
status: experimental
description: |
Detects potential network activity of Level.io RMM tool
references:
- https://github.com/magicsword-io/LOLRMM
author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
tags:
- attack.execution
- attack.t1219
@@ -16,8 +16,8 @@ logsource:
detection:
selection:
DestinationHostname|endswith:
- - level.io
- - *.level.io
+ - 'level.io'
+ - '*.level.io'
condition: selection
falsepositives:
- Legitimate use of Level.io
diff --git a/detections/sigma/level.io_processes_sigma.yml b/detections/sigma/level.io_processes_sigma.yml
index e80e4250..fe505ce8 100644
--- a/detections/sigma/level.io_processes_sigma.yml
+++ b/detections/sigma/level.io_processes_sigma.yml
@@ -1,12 +1,12 @@ title: Potential Level.io RMM Tool Process Activity -id: 7b0dc14e-d5e7-4b30-91f0-92a1ce61619c +id: 3f9cc3e9-7b29-5838-9f09-2c5513a9b3b8 status: experimental description: | Detects potential processes activity of Level.io RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,14 +16,14 @@ logsource: detection: selection_parent: ParentImage|endswith: - - level-windows-amd64.exe - - level.exe - - level-remote-control-ffmpeg.exe + - 'level-windows-amd64.exe' + - 'level.exe' + - 'level-remote-control-ffmpeg.exe' selection_image: Image|endswith: - - level-windows-amd64.exe - - level.exe - - level-remote-control-ffmpeg.exe + - 'level-windows-amd64.exe' + - 'level.exe' + - 'level-remote-control-ffmpeg.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Level.io diff --git a/detections/sigma/level_files_sigma.yml b/detections/sigma/level_files_sigma.yml index 6ca5ddae..3ce74d5a 100644 --- a/detections/sigma/level_files_sigma.yml +++ b/detections/sigma/level_files_sigma.yml @@ -1,12 +1,12 @@ title: Potential Level RMM Tool File Activity -id: df5537e8-61cf-45b6-8b07-0add771dd9d9 +id: 67f248b0-f625-5ec9-98de-5c18f29e50e2 status: experimental description: | Detects potential files activity of Level RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,9 +16,9 @@ logsource: detection: selection: TargetFilename|endswith: - - C:\Program Files\Level\level.exe - - C:\Program Files\Level\osqueryi.exe - - C:\Program Files\Level\level.log + - 'C:\Program Files\Level\level.exe' + - 'C:\Program Files\Level\osqueryi.exe' + - 'C:\Program Files\Level\level.log' condition: selection falsepositives: - Legitimate use of Level 
diff --git a/detections/sigma/level_network_sigma.yml b/detections/sigma/level_network_sigma.yml index df179655..209b053d 100644 --- a/detections/sigma/level_network_sigma.yml +++ b/detections/sigma/level_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Level RMM Tool Network Activity -id: ed6be521-b6af-47df-b0c9-7474d10f328f +id: c60f5a02-2d63-5efc-aa55-1d74fae56f5e status: experimental description: | Detects potential network activity of Level RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,11 +16,11 @@ logsource: detection: selection: DestinationHostname|endswith: - - level.io - - builds.level.io - - agents.level.io - - online.level.io - - downloads.io + - 'level.io' + - 'builds.level.io' + - 'agents.level.io' + - 'online.level.io' + - 'downloads.io' condition: selection falsepositives: - Legitimate use of Level diff --git a/detections/sigma/lite_manager_processes_sigma.yml b/detections/sigma/lite_manager_processes_sigma.yml index cdea5f9d..77281044 100644 --- a/detections/sigma/lite_manager_processes_sigma.yml +++ b/detections/sigma/lite_manager_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Lite Manager RMM Tool Process Activity -id: 782c9f5d-d41d-4064-ab38-01dac19fedba +id: f80775a3-778a-52c5-8cb2-562feee8d62e status: experimental description: | Detects potential processes activity of Lite Manager RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: LMNoIpServer.exe + ParentImage|endswith: '*\LMNoIpServer.exe' selection_image: - Image|endswith: LMNoIpServer.exe + Image|endswith: '*\LMNoIpServer.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Lite Manager 
diff --git a/detections/sigma/litemanager_network_sigma.yml b/detections/sigma/litemanager_network_sigma.yml index ef7da281..61e58b14 100644 --- a/detections/sigma/litemanager_network_sigma.yml +++ b/detections/sigma/litemanager_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential LiteManager RMM Tool Network Activity -id: 6e3e81a5-8133-4a43-ba08-31d8279ba7f1 +id: ecd3a3e3-d649-537d-b024-3afd70f6f621 status: experimental description: | Detects potential network activity of LiteManager RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,9 +16,9 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.litemanager.ru - - *.litemanager.com - - litemanager.com + - '*.litemanager.ru' + - '*.litemanager.com' + - 'litemanager.com' condition: selection falsepositives: - Legitimate use of LiteManager diff --git a/detections/sigma/litemanager_processes_sigma.yml b/detections/sigma/litemanager_processes_sigma.yml index 054b5d94..813c7a2f 100644 --- a/detections/sigma/litemanager_processes_sigma.yml +++ b/detections/sigma/litemanager_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential LiteManager RMM Tool Process Activity -id: acfaf9ef-6248-4d0d-94f4-c5e78395fb9c +id: a49f184c-6d87-58d1-843f-030644ae8c8d status: experimental description: | Detects potential processes activity of LiteManager RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,20 +16,20 @@ logsource: detection: selection_parent: ParentImage|endswith: - - lmnoipserver.exe - - ROMFUSClient.exe - - romfusclient.exe - - romviewer.exe - - romserver.exe - - ROMServer.exe + - 'lmnoipserver.exe' + - 'ROMFUSClient.exe' + - 'romfusclient.exe' + - 'romviewer.exe' + - 'romserver.exe' + - 'ROMServer.exe' selection_image: Image|endswith: - - lmnoipserver.exe - - ROMFUSClient.exe - - romfusclient.exe - - romviewer.exe - - romserver.exe - - ROMServer.exe + - 'lmnoipserver.exe' + - 'ROMFUSClient.exe' + - 'romfusclient.exe' + - 'romviewer.exe' + - 'romserver.exe' + - 'ROMServer.exe' condition: 1 of selection_* falsepositives: - Legitimate use of LiteManager diff --git a/detections/sigma/logmein_network_sigma.yml b/detections/sigma/logmein_network_sigma.yml index 63479753..723ec364 100644 --- a/detections/sigma/logmein_network_sigma.yml +++ b/detections/sigma/logmein_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential LogMeIn RMM Tool Network Activity -id: 7aeba9ce-5883-4ea6-bc0c-394af2774b49 +id: 31dfeb50-5e94-56f9-ae23-91e4e5f7658c status: experimental description: | Detects potential network activity of LogMeIn RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,11 +16,11 @@ logsource: detection: selection: DestinationHostname|endswith: - - logmein-gateway.com - - *.logmein.com - - *.logmein.eu - - logmeinrescue.com - - *.logmeininc.com + - 'logmein-gateway.com' + - '*.logmein.com' + - '*.logmein.eu' + - 'logmeinrescue.com' + - '*.logmeininc.com' condition: selection falsepositives: - Legitimate use of LogMeIn diff --git a/detections/sigma/logmein_rescue_network_sigma.yml b/detections/sigma/logmein_rescue_network_sigma.yml index e1f7e1af..1ee85a38 100644 --- a/detections/sigma/logmein_rescue_network_sigma.yml +++ b/detections/sigma/logmein_rescue_network_sigma.yml 
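Review bot: The `ParentImage|endswith` and `Image|endswith` lists in this hunk carry `'ROMFUSClient.exe'`/`'romfusclient.exe'` and `'romserver.exe'`/`'ROMServer.exe'` as separate entries, but Sigma string matching is case-insensitive by default, so each pair is one redundant duplicate. The same redundancy is in the `logmein_rescue_processes_sigma.yml` hunk, where `'C:\Users\*\AppData\Local\LogMeIn Rescue Applet\LMIR*.tmp\lmi_rescue.exe'` is listed twice and the bare `'lmi_rescue.exe'` already subsumes both path entries, and in the `mremoteng_processes_sigma.yml` hunk, where `'*\mRemoteNG.exe'` appears twice beneath a bare `'mRemoteNG.exe'` that matches a superset. Duplicates do not change what matches, but they inflate the rules and obscure the real coverage; if these files are regenerated, a case-insensitive de-duplication pass in the generator (or in the source lists) would remove them.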
@@ -1,12 +1,12 @@ title: Potential LogMeIn rescue RMM Tool Network Activity -id: 4eaa85dd-e3db-4410-bd7f-89c855f69d39 +id: 61756274-30fa-514d-bb2f-81834a209c8b status: experimental description: | Detects potential network activity of LogMeIn rescue RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,11 +16,11 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.logmeinrescue.com - - *.logmeinrescue.eu - - logmeinrescue.com - - rescue-list.*.logmein-gateway.com - - rescue-data-cetner.logmein-gateway.com + - '*.logmeinrescue.com' + - '*.logmeinrescue.eu' + - 'logmeinrescue.com' + - 'rescue-list.*.logmein-gateway.com' + - 'rescue-data-cetner.logmein-gateway.com' condition: selection falsepositives: - Legitimate use of LogMeIn rescue diff --git a/detections/sigma/logmein_rescue_processes_sigma.yml b/detections/sigma/logmein_rescue_processes_sigma.yml index 3f2773cc..9776a8dd 100644 --- a/detections/sigma/logmein_rescue_processes_sigma.yml +++ b/detections/sigma/logmein_rescue_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential LogMeIn rescue RMM Tool Process Activity -id: 10e05dda-0352-4bd9-a415-00d7cb5791e7 +id: 30ad9cfb-af50-58ba-a878-b08e7b080a94 status: experimental description: | Detects potential processes activity of LogMeIn rescue RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,20 +16,20 @@ logsource: detection: selection_parent: ParentImage|endswith: - - support-logmeinrescue*.exe - - support-logmeinrescue.exe - - lmi_rescue.exe - - lmi_rescue.exe - - lmi_rescue_srv.exe - - lmi_rescue.exe + - 'support-logmeinrescue*.exe' + - 'support-logmeinrescue.exe' + - 'lmi_rescue.exe' + - 'C:\Users\*\AppData\Local\LogMeIn Rescue Applet\LMIR*.tmp\lmi_rescue.exe' + - 'C:\Users\*\AppData\Local\LogMeIn Rescue Applet\LMIR*.tmp\lmi_rescue_srv.exe' + - 'C:\Users\*\AppData\Local\LogMeIn Rescue Applet\LMIR*.tmp\lmi_rescue.exe' selection_image: Image|endswith: - - support-logmeinrescue*.exe - - support-logmeinrescue.exe - - lmi_rescue.exe - - lmi_rescue.exe - - lmi_rescue_srv.exe - - lmi_rescue.exe + - 'support-logmeinrescue*.exe' + - 'support-logmeinrescue.exe' + - 'lmi_rescue.exe' + - 'C:\Users\*\AppData\Local\LogMeIn Rescue Applet\LMIR*.tmp\lmi_rescue.exe' + - 'C:\Users\*\AppData\Local\LogMeIn Rescue Applet\LMIR*.tmp\lmi_rescue_srv.exe' + - 'C:\Users\*\AppData\Local\LogMeIn Rescue Applet\LMIR*.tmp\lmi_rescue.exe' condition: 1 of selection_* falsepositives: - Legitimate use of LogMeIn rescue diff --git a/detections/sigma/manage_engine__desktop_central__network_sigma.yml b/detections/sigma/manage_engine__desktop_central__network_sigma.yml index 2104d25a..c21669c5 100644 --- a/detections/sigma/manage_engine__desktop_central__network_sigma.yml +++ b/detections/sigma/manage_engine__desktop_central__network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Manage Engine (Desktop Central) RMM Tool Network Activity -id: b8539c63-a524-43f9-bc41-05c7723b36e2 +id: daefac3a-be06-54d2-9f1f-689fe7832b0b status: experimental description: | Detects potential network activity of Manage Engine (Desktop Central) RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,12 +16,12 @@ logsource: detection: selection: DestinationHostname|endswith: - - desktopcentral.manageengine.com - - desktopcentral.manageengine.com.eu - - desktopcentral.manageengine.cn - - *.dms.zoho.com - - *.dms.zoho.com.eu - - *.-dms.zoho.com.cn + - 'desktopcentral.manageengine.com' + - 'desktopcentral.manageengine.com.eu' + - 'desktopcentral.manageengine.cn' + - '*.dms.zoho.com' + - '*.dms.zoho.com.eu' + - '*.-dms.zoho.com.cn' condition: selection falsepositives: - Legitimate use of Manage Engine (Desktop Central) diff --git a/detections/sigma/manage_engine__desktop_central__processes_sigma.yml b/detections/sigma/manage_engine__desktop_central__processes_sigma.yml index 2ff6604d..97568875 100644 --- a/detections/sigma/manage_engine__desktop_central__processes_sigma.yml +++ b/detections/sigma/manage_engine__desktop_central__processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Manage Engine (Desktop Central) RMM Tool Process Activity -id: c02588b6-85d8-472c-b291-634f7c6a2f0d +id: 2259fdc2-d043-5d36-a6dd-35938422f7c5 status: experimental description: | Detects potential processes activity of Manage Engine (Desktop Central) RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - dcagentservice.exe - - dcagentregister.exe + - 'dcagentservice.exe' + - 'dcagentregister.exe' selection_image: Image|endswith: - - dcagentservice.exe - - dcagentregister.exe + - 'dcagentservice.exe' + - 'dcagentregister.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Manage Engine (Desktop Central) diff --git a/detections/sigma/manageengine_processes_sigma.yml b/detections/sigma/manageengine_processes_sigma.yml index 8cb1104c..cb8531c7 100644 --- a/detections/sigma/manageengine_processes_sigma.yml +++ b/detections/sigma/manageengine_processes_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential ManageEngine RMM Tool Process Activity -id: 0353ecc9-a0d8-4819-8df9-b35f9e766318 +id: 6ad49f70-e663-5ea4-b682-35593d0bc851 status: experimental description: | Detects potential processes activity of ManageEngine RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,14 +16,14 @@ logsource: detection: selection_parent: ParentImage|endswith: - - InstallShield Setup.exe - - ManageEngine_Remote_Access_Plus.exe - - dcagentservice.exe + - 'InstallShield Setup.exe' + - 'ManageEngine_Remote_Access_Plus.exe' + - '*\dcagentservice.exe' selection_image: Image|endswith: - - InstallShield Setup.exe - - ManageEngine_Remote_Access_Plus.exe - - dcagentservice.exe + - 'InstallShield Setup.exe' + - 'ManageEngine_Remote_Access_Plus.exe' + - '*\dcagentservice.exe' condition: 1 of selection_* falsepositives: - Legitimate use of ManageEngine diff --git a/detections/sigma/manageengine_rmm_central_network_sigma.yml b/detections/sigma/manageengine_rmm_central_network_sigma.yml index f14f5385..c091a470 100644 --- a/detections/sigma/manageengine_rmm_central_network_sigma.yml +++ b/detections/sigma/manageengine_rmm_central_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential ManageEngine RMM Central RMM Tool Network Activity -id: 82413f33-db83-4780-a098-b58c4f70bad8 +id: d2da55d9-f98a-5e9b-879c-bef426f1bdda status: experimental description: | Detects potential network activity of ManageEngine RMM Central RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: manageengine.com/remote-monitoring-management/ + DestinationHostname|endswith: 'manageengine.com/remote-monitoring-management/' condition: selection falsepositives: - Legitimate use of ManageEngine RMM Central diff --git a/detections/sigma/manageengine_servicedesk_plus_files_sigma.yml b/detections/sigma/manageengine_servicedesk_plus_files_sigma.yml new file mode 100644 index 00000000..a1fbffc1 --- /dev/null +++ b/detections/sigma/manageengine_servicedesk_plus_files_sigma.yml @@ -0,0 +1,25 @@ +title: Potential ManageEngine ServiceDesk Plus RMM Tool File Activity +id: 658deba9-eee6-57df-a85a-e1df304055e9 +status: experimental +description: | + Detects potential files activity of ManageEngine ServiceDesk Plus RMM tool +references: + - https://github.com/magicsword-io/LOLRMM +author: LOLRMM Project +date: 2026-02-03 +tags: + - attack.execution + - attack.t1219 +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename|endswith: + - 'C:\Program Files\ManageEngine\ServiceDesk\*' + - 'C:\Users\*\AppData\Local\Temp\{*}\ManageEngine_ServiceDesk_Plus.exe' + - 'C:\Users\*\AppData\Local\Temp\{*}\ISBEW64.exe' + condition: selection +falsepositives: + - Legitimate use of ManageEngine ServiceDesk Plus +level: medium diff --git a/detections/sigma/manageengine_servicedesk_plus_network_sigma.yml b/detections/sigma/manageengine_servicedesk_plus_network_sigma.yml new file mode 100644 index 00000000..f3830e44 --- /dev/null +++ b/detections/sigma/manageengine_servicedesk_plus_network_sigma.yml 
@@ -0,0 +1,24 @@ +title: Potential ManageEngine ServiceDesk Plus RMM Tool Network Activity +id: 491304ad-942a-5be3-8678-62efa8c09743 +status: experimental +description: | + Detects potential network activity of ManageEngine ServiceDesk Plus RMM tool +references: + - https://github.com/magicsword-io/LOLRMM +author: LOLRMM Project +date: 2026-02-03 +tags: + - attack.execution + - attack.t1219 +logsource: + product: windows + category: network_connection +detection: + selection: + DestinationHostname|endswith: + - '*.manageengine.com' + - 'manageengine.com' + condition: selection +falsepositives: + - Legitimate use of ManageEngine ServiceDesk Plus +level: medium diff --git a/detections/sigma/manageengine_servicedesk_plus_processes_sigma.yml b/detections/sigma/manageengine_servicedesk_plus_processes_sigma.yml new file mode 100644 index 00000000..ffdd06e5 --- /dev/null +++ b/detections/sigma/manageengine_servicedesk_plus_processes_sigma.yml @@ -0,0 +1,28 @@ +title: Potential ManageEngine ServiceDesk Plus RMM Tool Process Activity +id: ae1e12fd-17ee-567b-909e-08b137050836 +status: experimental +description: | + Detects potential processes activity of ManageEngine ServiceDesk Plus RMM tool +references: + - https://github.com/magicsword-io/LOLRMM +author: LOLRMM Project +date: 2026-02-03 +tags: + - attack.execution + - attack.t1219 +logsource: + product: windows + category: process_creation +detection: + selection_parent: + ParentImage|endswith: + - 'ManageEngine_ServiceDesk_Plus.exe' + - 'ISBEW64.exe' + selection_image: + Image|endswith: + - 'ManageEngine_ServiceDesk_Plus.exe' + - 'ISBEW64.exe' + condition: 1 of selection_* +falsepositives: + - Legitimate use of ManageEngine ServiceDesk Plus +level: medium diff --git a/detections/sigma/manageengine_servicedesk_plus_registry_sigma.yml b/detections/sigma/manageengine_servicedesk_plus_registry_sigma.yml new file mode 100644 index 00000000..878ee8e7 --- /dev/null 
+++ b/detections/sigma/manageengine_servicedesk_plus_registry_sigma.yml @@ -0,0 +1,22 @@ +title: Potential ManageEngine ServiceDesk Plus RMM Tool Registry Activity +id: bf3087c5-e5b8-550b-8820-d09b743cd72b +status: experimental +description: | + Detects potential registry activity of ManageEngine ServiceDesk Plus RMM tool +references: + - https://github.com/magicsword-io/LOLRMM +author: LOLRMM Project +date: 2026-02-03 +tags: + - attack.execution + - attack.t1219 +logsource: + product: windows + category: registry_event +detection: + selection: + TargetObject|contains: 'HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{*}' + condition: selection +falsepositives: + - Legitimate use of ManageEngine ServiceDesk Plus +level: medium diff --git a/detections/sigma/megasync_processes_sigma.yml b/detections/sigma/megasync_processes_sigma.yml index 49272818..bdadd51d 100644 --- a/detections/sigma/megasync_processes_sigma.yml +++ b/detections/sigma/megasync_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential MEGAsync RMM Tool Process Activity -id: cbf08552-4899-4a63-b019-d100a6f9036d +id: bbcee03f-c33d-5c95-a798-ea24c70f31e4 status: experimental description: | Detects potential processes activity of MEGAsync RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - MEGAsyncSetup64.exe - - MEGAupdater.exe + - '*\MEGAsyncSetup64.exe' + - '*\MEGAupdater.exe' selection_image: Image|endswith: - - MEGAsyncSetup64.exe - - MEGAupdater.exe + - '*\MEGAsyncSetup64.exe' + - '*\MEGAupdater.exe' condition: 1 of selection_* falsepositives: - Legitimate use of MEGAsync diff --git a/detections/sigma/meshcentral_files_sigma.yml b/detections/sigma/meshcentral_files_sigma.yml index 99372ac9..6d2cfd79 100644 --- a/detections/sigma/meshcentral_files_sigma.yml 
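Review bot: The new registry rule's only selector, `TargetObject|contains: 'HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{*}'`, contains nothing specific to ManageEngine ServiceDesk Plus: every 32-bit installer that registers a GUID-named uninstall key writes under that path, so the rule fires on any such install at `level: medium` and the single `Legitimate use of ManageEngine ServiceDesk Plus` false-positive entry understates the noise. A related over-broad shape is in the new `manageengine_servicedesk_plus_files_sigma.yml` and `miradore_files_sigma.yml` hunks, where `TargetFilename|endswith` values ending in `\*` (`'C:\Program Files\ManageEngine\ServiceDesk\*'`, `'C:\Program Files\Miradore\OnlineClient\bin\*'`) match any file under the directory and subsume the sibling entries. The registry selector should be narrowed to a product-identifying value — for example the product's actual key, `...\Uninstall\{<PRODUCT_GUID>}` (placeholder; take it from the real installer), or an additional `Details|contains` selection on the product name, confirmed against the registry events actually emitted — or the rule dropped until one is known; if this file is regenerated, the change belongs in the source definition.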
+++ b/detections/sigma/meshcentral_files_sigma.yml @@ -1,12 +1,12 @@ title: Potential MeshCentral RMM Tool File Activity -id: 1bb123a1-a6df-4f6f-88ac-35881e1ba861 +id: f5ca3e14-c521-568f-84d2-eb99fee701f7 status: experimental description: | Detects potential files activity of MeshCentral RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,14 +16,14 @@ logsource: detection: selection: TargetFilename|endswith: - - C:\Program Files\Mesh Agent\MeshAgent.exe - - C:\Program Files\Mesh Agent\MeshAgent.msh - - /usr/local/mesh_services/meshagent/meshagent/meshagent - - /usr/local/mesh_services/meshagent/meshagent/meshagent.db - - /usr/local/mesh_services/meshagent/meshagent/meshagent.msh - - /usr/local/mesh_services/meshagent/meshagent - - /usr/local/mesh_services/meshagent/meshagent.db - - /usr/local/mesh_services/meshagent/meshagent.msh + - 'C:\Program Files\Mesh Agent\MeshAgent.exe' + - 'C:\Program Files\Mesh Agent\MeshAgent.msh' + - '/usr/local/mesh_services/meshagent/meshagent/meshagent' + - '/usr/local/mesh_services/meshagent/meshagent/meshagent.db' + - '/usr/local/mesh_services/meshagent/meshagent/meshagent.msh' + - '/usr/local/mesh_services/meshagent/meshagent' + - '/usr/local/mesh_services/meshagent/meshagent.db' + - '/usr/local/mesh_services/meshagent/meshagent.msh' condition: selection falsepositives: - Legitimate use of MeshCentral diff --git a/detections/sigma/meshcentral_network_sigma.yml b/detections/sigma/meshcentral_network_sigma.yml index 2f264905..ee238879 100644 --- a/detections/sigma/meshcentral_network_sigma.yml +++ b/detections/sigma/meshcentral_network_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential MeshCentral RMM Tool Network Activity -id: 1ce87195-1117-42e9-b017-4bb59a1b5528 +id: 2989a1a0-ade8-5594-8ec5-50b685b21b3c status: experimental description: | Detects potential network activity of MeshCentral RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - user_managed - - meshcentral.com + - 'user_managed' + - 'meshcentral.com' condition: selection falsepositives: - Legitimate use of MeshCentral diff --git a/detections/sigma/meshcentral_processes_sigma.yml b/detections/sigma/meshcentral_processes_sigma.yml index 6ffd7604..74c66163 100644 --- a/detections/sigma/meshcentral_processes_sigma.yml +++ b/detections/sigma/meshcentral_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential MeshCentral RMM Tool Process Activity -id: 14c902eb-2fb2-4fa9-a2da-adbd83861c1c +id: f4407101-4808-5bc9-b153-b27a5f366c39 status: experimental description: | Detects potential processes activity of MeshCentral RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - meshcentral*.exe - - meshagent*.exe + - 'meshcentral*.exe' + - 'meshagent*.exe' selection_image: Image|endswith: - - meshcentral*.exe - - meshagent*.exe + - 'meshcentral*.exe' + - 'meshagent*.exe' condition: 1 of selection_* falsepositives: - Legitimate use of MeshCentral diff --git a/detections/sigma/microsoft_quick_assist_network_sigma.yml b/detections/sigma/microsoft_quick_assist_network_sigma.yml index c54d2725..cf4c2890 100644 --- a/detections/sigma/microsoft_quick_assist_network_sigma.yml +++ b/detections/sigma/microsoft_quick_assist_network_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential Microsoft Quick Assist RMM Tool Network Activity -id: c6c92332-f901-4f45-a739-abc59797025f +id: 72658ef6-e3a6-502d-9af6-de433767aacc status: experimental description: | Detects potential network activity of Microsoft Quick Assist RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - user_managed - - *.support.services.microsoft.com + - 'user_managed' + - '*.support.services.microsoft.com' condition: selection falsepositives: - Legitimate use of Microsoft Quick Assist diff --git a/detections/sigma/microsoft_quick_assist_processes_sigma.yml b/detections/sigma/microsoft_quick_assist_processes_sigma.yml index 7342f605..780542fe 100644 --- a/detections/sigma/microsoft_quick_assist_processes_sigma.yml +++ b/detections/sigma/microsoft_quick_assist_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Microsoft Quick Assist RMM Tool Process Activity -id: 51d6179e-e5f6-4553-b0ae-5df8566b758b +id: 1ac34313-5efa-5fad-b056-4c9b336e6e35 status: experimental description: | Detects potential processes activity of Microsoft Quick Assist RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: quickassist.exe + ParentImage|endswith: 'quickassist.exe' selection_image: - Image|endswith: quickassist.exe + Image|endswith: 'quickassist.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Microsoft Quick Assist diff --git a/detections/sigma/microsoft_rdp_processes_sigma.yml b/detections/sigma/microsoft_rdp_processes_sigma.yml index 64b8ab5a..84a63b0c 100644 --- a/detections/sigma/microsoft_rdp_processes_sigma.yml 
+++ b/detections/sigma/microsoft_rdp_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Microsoft RDP RMM Tool Process Activity -id: 4122da1c-0f56-4d24-bcb4-afc2dc3f82b3 +id: fe4f29e4-6ede-5f3e-afb8-180ce93df2aa status: experimental description: | Detects potential processes activity of Microsoft RDP RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - termsrv.exe - - mstsc.exe + - 'termsrv.exe' + - 'mstsc.exe' selection_image: Image|endswith: - - termsrv.exe - - mstsc.exe + - 'termsrv.exe' + - 'mstsc.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Microsoft RDP diff --git a/detections/sigma/microsoft_tsc_processes_sigma.yml b/detections/sigma/microsoft_tsc_processes_sigma.yml index 02144fa8..5e69d7d0 100644 --- a/detections/sigma/microsoft_tsc_processes_sigma.yml +++ b/detections/sigma/microsoft_tsc_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Microsoft TSC RMM Tool Process Activity -id: ea9f6f7d-1757-460a-906d-53d0ba6e422a +id: 6563a5e4-7b6e-5762-aff0-2dc4aa73db4f status: experimental description: | Detects potential processes activity of Microsoft TSC RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - termsrv.exe - - mstsc.exe + - 'termsrv.exe' + - 'mstsc.exe' selection_image: Image|endswith: - - termsrv.exe - - mstsc.exe + - 'termsrv.exe' + - 'mstsc.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Microsoft TSC diff --git a/detections/sigma/mikogo_network_sigma.yml b/detections/sigma/mikogo_network_sigma.yml index a65ae693..a8e0a504 100644 --- a/detections/sigma/mikogo_network_sigma.yml 
+++ b/detections/sigma/mikogo_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Mikogo RMM Tool Network Activity -id: 8a8e4fac-2c46-4833-b0ef-aa845317ffc6 +id: a370bb98-6f65-5491-bb2b-d8c98a99b9c5 status: experimental description: | Detects potential network activity of Mikogo RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,10 +16,10 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.real-time-collaboration.com - - *.mikogo4.com - - *.mikogo.com - - mikogo.com + - '*.real-time-collaboration.com' + - '*.mikogo4.com' + - '*.mikogo.com' + - 'mikogo.com' condition: selection falsepositives: - Legitimate use of Mikogo diff --git a/detections/sigma/mikogo_processes_sigma.yml b/detections/sigma/mikogo_processes_sigma.yml index cb62b826..4d063c61 100644 --- a/detections/sigma/mikogo_processes_sigma.yml +++ b/detections/sigma/mikogo_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Mikogo RMM Tool Process Activity -id: bf492f20-25e6-4891-867d-2da09dbe45ab +id: 15a0ff48-36e6-57db-b481-d8b9f9020670 status: experimental description: | Detects potential processes activity of Mikogo RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,20 +16,20 @@ logsource: detection: selection_parent: ParentImage|endswith: - - mikogo.exe - - mikogo-starter.exe - - mikogo-service.exe - - mikogolauncher.exe - - Mikogo-Service.exe - - Mikogo-Screen-Service.exe + - 'mikogo.exe' + - 'mikogo-starter.exe' + - 'mikogo-service.exe' + - 'mikogolauncher.exe' + - '*\Mikogo-Service.exe' + - '*\Mikogo-Screen-Service.exe' selection_image: Image|endswith: - - mikogo.exe - - mikogo-starter.exe - - mikogo-service.exe - - mikogolauncher.exe - - Mikogo-Service.exe - - Mikogo-Screen-Service.exe + - 'mikogo.exe' + - 'mikogo-starter.exe' + - 'mikogo-service.exe' + - 'mikogolauncher.exe' + - '*\Mikogo-Service.exe' + - '*\Mikogo-Screen-Service.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Mikogo diff --git a/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml b/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml index e2ef338d..4ff0f4a4 100644 --- a/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml +++ b/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential MioNet (Also known as WD Anywhere Access) RMM Tool Process Activity -id: d4760b62-9bb1-4481-b6df-39942575baf3 +id: 90de4c83-d340-5fca-83cf-6d90d934f940 status: experimental description: | Detects potential processes activity of MioNet (Also known as WD Anywhere Access) RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - mionet.exe - - mionetmanager.exe + - 'mionet.exe' + - 'mionetmanager.exe' selection_image: Image|endswith: - - mionet.exe - - mionetmanager.exe + - 'mionet.exe' + - 'mionetmanager.exe' condition: 1 of selection_* falsepositives: - Legitimate use of MioNet (Also known as WD Anywhere Access) 
diff --git a/detections/sigma/mionet__wd_anywhere_access__processes_sigma.yml b/detections/sigma/mionet__wd_anywhere_access__processes_sigma.yml index eb48a58e..b9d2b3c1 100644 --- a/detections/sigma/mionet__wd_anywhere_access__processes_sigma.yml +++ b/detections/sigma/mionet__wd_anywhere_access__processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential MioNet (WD Anywhere Access) RMM Tool Process Activity -id: 203d2837-b19e-439f-a7f4-36ec4bbd6a39 +id: 4022f3a3-330a-5218-99a5-16d6abf019f4 status: experimental description: | Detects potential processes activity of MioNet (WD Anywhere Access) RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - mionet.exe - - mionetmanager.exe + - 'mionet.exe' + - 'mionetmanager.exe' selection_image: Image|endswith: - - mionet.exe - - mionetmanager.exe + - 'mionet.exe' + - 'mionetmanager.exe' condition: 1 of selection_* falsepositives: - Legitimate use of MioNet (WD Anywhere Access) diff --git a/detections/sigma/miradore_files_sigma.yml b/detections/sigma/miradore_files_sigma.yml new file mode 100644 index 00000000..fb4ba180 --- /dev/null +++ b/detections/sigma/miradore_files_sigma.yml @@ -0,0 +1,24 @@ +title: Potential Miradore RMM Tool File Activity +id: 0c9a40bc-ba73-56f9-bca4-12d7c4511675 +status: experimental +description: | + Detects potential files activity of Miradore RMM tool +references: + - https://github.com/magicsword-io/LOLRMM +author: LOLRMM Project +date: 2026-02-03 +tags: + - attack.execution + - attack.t1219 +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename|endswith: + - 'C:\Program Files\Miradore\OnlineClient\bin\*' + - 'C:\Program Files\Miradore\OnlineClient\bin\7z.dll' + condition: selection +falsepositives: + - Legitimate use of Miradore +level: medium 
diff --git a/detections/sigma/miradore_network_sigma.yml b/detections/sigma/miradore_network_sigma.yml new file mode 100644 index 00000000..1015ab4b --- /dev/null +++ b/detections/sigma/miradore_network_sigma.yml @@ -0,0 +1,26 @@ +title: Potential Miradore RMM Tool Network Activity +id: 15edd57b-00a7-53f9-8d3c-0b8679e0360d +status: experimental +description: | + Detects potential network activity of Miradore RMM tool +references: + - https://github.com/magicsword-io/LOLRMM +author: LOLRMM Project +date: 2026-02-03 +tags: + - attack.execution + - attack.t1219 +logsource: + product: windows + category: network_connection +detection: + selection: + DestinationHostname|endswith: + - 'gateway.miradore.com' + - '*.miradore.com' + - 'miradore.com' + - 'gerwconline.blob.core.windows.net' + condition: selection +falsepositives: + - Legitimate use of Miradore +level: medium diff --git a/detections/sigma/mouse_without_borders_files_sigma.yml b/detections/sigma/mouse_without_borders_files_sigma.yml index 7e06a9aa..8cbb5ec6 100644 --- a/detections/sigma/mouse_without_borders_files_sigma.yml +++ b/detections/sigma/mouse_without_borders_files_sigma.yml @@ -1,12 +1,12 @@ title: Potential Mouse Without Borders RMM Tool File Activity -id: 1d638377-3e99-4f7c-8d9e-9dcf1d441e66 +id: 2d2731fb-27e6-52f4-ba4a-31e68ec6eba2 status: experimental description: | Detects potential files activity of Mouse Without Borders RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,9 +16,9 @@ logsource: detection: selection: TargetFilename|endswith: - - C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBorders.exe - - C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBordersSvc.exe - - C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBordersHelper.exe + - 'C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBorders.exe' + - 'C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBordersSvc.exe' + - 'C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBordersHelper.exe' condition: selection falsepositives: - Legitimate use of Mouse Without Borders diff --git a/detections/sigma/mremoteng_files_sigma.yml b/detections/sigma/mremoteng_files_sigma.yml index 0e1cbcf9..ca2a2e0c 100644 --- a/detections/sigma/mremoteng_files_sigma.yml +++ b/detections/sigma/mremoteng_files_sigma.yml @@ -1,12 +1,12 @@ title: Potential mRemoteNG RMM Tool File Activity -id: 453adbd6-da18-4d1f-b7f6-ef5cdbc43684 +id: 7d5db791-0b23-555d-acfc-6e01cd81795f status: experimental description: | Detects potential files activity of mRemoteNG RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,9 +16,9 @@ logsource: detection: selection: TargetFilename|endswith: - - C:\Users\*\AppData\Roaming\mRemoteNG\mRemoteNG.log - - C:\Users\*\AppData\Roaming\mRemoteNG\confCons.xml - - C:\Users\*\AppData\*\mRemoteNG\**10\user.config + - 'C:\Users\*\AppData\Roaming\mRemoteNG\mRemoteNG.log' + - 'C:\Users\*\AppData\Roaming\mRemoteNG\confCons.xml' + - 'C:\Users\*\AppData\*\mRemoteNG\**10\user.config' condition: selection falsepositives: - Legitimate use of mRemoteNG diff --git a/detections/sigma/mremoteng_network_sigma.yml b/detections/sigma/mremoteng_network_sigma.yml index 1d56746b..96a7675b 100644 
--- a/detections/sigma/mremoteng_network_sigma.yml +++ b/detections/sigma/mremoteng_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential mRemoteNG RMM Tool Network Activity -id: c7ae64c2-1850-4c69-8831-ca9221bb0165 +id: 67bf7932-14c6-5b7d-bad2-e37d66dd94d4 status: experimental description: | Detects potential network activity of mRemoteNG RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - user_managed - - mremoteng.org + - 'user_managed' + - 'mremoteng.org' condition: selection falsepositives: - Legitimate use of mRemoteNG diff --git a/detections/sigma/mremoteng_processes_sigma.yml b/detections/sigma/mremoteng_processes_sigma.yml index 7366df5f..9d93a759 100644 --- a/detections/sigma/mremoteng_processes_sigma.yml +++ b/detections/sigma/mremoteng_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential mRemoteNG RMM Tool Process Activity -id: 24ca8be4-28b3-40e4-8e95-535710020505 +id: 2ecac090-231a-5618-a24e-2d3e07f47fbd status: experimental description: | Detects potential processes activity of mRemoteNG RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,14 +16,14 @@ logsource: detection: selection_parent: ParentImage|endswith: - - mRemoteNG.exe - - mRemoteNG.exe - - mRemoteNG.exe + - 'mRemoteNG.exe' + - '*\mRemoteNG.exe' + - '*\mRemoteNG.exe' selection_image: Image|endswith: - - mRemoteNG.exe - - mRemoteNG.exe - - mRemoteNG.exe + - 'mRemoteNG.exe' + - '*\mRemoteNG.exe' + - '*\mRemoteNG.exe' condition: 1 of selection_* falsepositives: - Legitimate use of mRemoteNG diff --git a/detections/sigma/msp360_network_sigma.yml b/detections/sigma/msp360_network_sigma.yml index fc4121fc..5d46388d 100644 --- a/detections/sigma/msp360_network_sigma.yml 
+++ b/detections/sigma/msp360_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential MSP360 RMM Tool Network Activity -id: 8340427d-d94f-4325-8c8c-1a0d97343214 +id: a64cdbdb-4bf3-5dc1-b61b-26086ecbe36f status: experimental description: | Detects potential network activity of MSP360 RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,10 +16,10 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.cloudberrylab.com - - *.msp360.com - - *.mspbackups.com - - msp360.com + - '*.cloudberrylab.com' + - '*.msp360.com' + - '*.mspbackups.com' + - 'msp360.com' condition: selection falsepositives: - Legitimate use of MSP360 diff --git a/detections/sigma/msp360_processes_sigma.yml b/detections/sigma/msp360_processes_sigma.yml index 7b90b2b4..c21dcaf6 100644 --- a/detections/sigma/msp360_processes_sigma.yml +++ b/detections/sigma/msp360_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential MSP360 RMM Tool Process Activity -id: 14954416-e9cf-4b77-abf3-fc08526a7319 +id: c6652a7c-dfd8-5e13-8d4e-7a150157b708 status: experimental description: | Detects potential processes activity of MSP360 RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,30 +16,30 @@ logsource: detection: selection_parent: ParentImage|endswith: - - Online Backup.exe - - CBBackupPlan.exe - - Cloud.Backup.Scheduler.exe - - Cloud.Backup.RM.Service.exe - - cbb.exe - - CloudRaService.exe - - CloudRaSd.exe - - CloudRaCmd.exe - - CloudRaUtilities.exe - - Remote Desktop.exe - - Connect.exe + - 'Online Backup.exe' + - 'CBBackupPlan.exe' + - 'Cloud.Backup.Scheduler.exe' + - 'Cloud.Backup.RM.Service.exe' + - 'cbb.exe' + - 'CloudRaService.exe' + - 'CloudRaSd.exe' + - 'CloudRaCmd.exe' + - 'CloudRaUtilities.exe' + - 'Remote Desktop.exe' + - 'Connect.exe' selection_image: Image|endswith: - - Online Backup.exe - - CBBackupPlan.exe - - Cloud.Backup.Scheduler.exe - - Cloud.Backup.RM.Service.exe - - cbb.exe - - CloudRaService.exe - - CloudRaSd.exe - - CloudRaCmd.exe - - CloudRaUtilities.exe - - Remote Desktop.exe - - Connect.exe + - 'Online Backup.exe' + - 'CBBackupPlan.exe' + - 'Cloud.Backup.Scheduler.exe' + - 'Cloud.Backup.RM.Service.exe' + - 'cbb.exe' + - 'CloudRaService.exe' + - 'CloudRaSd.exe' + - 'CloudRaCmd.exe' + - 'CloudRaUtilities.exe' + - 'Remote Desktop.exe' + - 'Connect.exe' condition: 1 of selection_* falsepositives: - Legitimate use of MSP360 diff --git a/detections/sigma/mstsc_processes_sigma.yml b/detections/sigma/mstsc_processes_sigma.yml index c4ee0d51..6ff632ef 100644 --- a/detections/sigma/mstsc_processes_sigma.yml +++ b/detections/sigma/mstsc_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential mstsc RMM Tool Process Activity -id: 62ff9712-e354-40f9-91ad-f2983a08b301 +id: f42a99f1-6dcf-5f12-9a07-4e740ed9e79f status: experimental description: | Detects potential processes activity of mstsc RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - mstsc.exe - - mstsc.exe + - 'C:\Windows\System32\mstsc.exe' + - '*Windows\System32\mstsc.exe' selection_image: Image|endswith: - - mstsc.exe - - mstsc.exe + - 'C:\Windows\System32\mstsc.exe' + - '*Windows\System32\mstsc.exe' condition: 1 of selection_* falsepositives: - Legitimate use of mstsc diff --git a/detections/sigma/mygreenpc_network_sigma.yml b/detections/sigma/mygreenpc_network_sigma.yml index f40f5056..905feadc 100644 --- a/detections/sigma/mygreenpc_network_sigma.yml +++ b/detections/sigma/mygreenpc_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential MyGreenPC RMM Tool Network Activity -id: 4a0e9fb7-f29b-42bc-922b-c0ca30a4550b +id: 60aa9b0a-534d-57d9-b96f-efe2cc22811c status: experimental description: | Detects potential network activity of MyGreenPC RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: *mygreenpc.com + DestinationHostname|endswith: '*mygreenpc.com' condition: selection falsepositives: - Legitimate use of MyGreenPC diff --git a/detections/sigma/mygreenpc_processes_sigma.yml b/detections/sigma/mygreenpc_processes_sigma.yml index 44bb6688..9e96b03f 100644 --- a/detections/sigma/mygreenpc_processes_sigma.yml +++ b/detections/sigma/mygreenpc_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential MyGreenPC RMM Tool Process Activity -id: 3400131e-9dfe-488c-b132-cbcd02f58ded +id: 59f4d985-7b19-5f9d-a337-6119ee06df07 status: experimental description: | Detects potential processes activity of MyGreenPC RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: mygreenpc.exe + ParentImage|endswith: 'mygreenpc.exe' selection_image: - Image|endswith: mygreenpc.exe + Image|endswith: 'mygreenpc.exe' condition: 1 of selection_* falsepositives: - Legitimate use of MyGreenPC diff --git a/detections/sigma/myivo_network_sigma.yml b/detections/sigma/myivo_network_sigma.yml index 5becc19f..a4f6b4da 100644 --- a/detections/sigma/myivo_network_sigma.yml +++ b/detections/sigma/myivo_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential MyIVO RMM Tool Network Activity -id: 85f1f9d1-1cf6-4adf-bd87-b0a66390ce4d +id: d66ae447-2499-5096-9072-1bcf707db32b status: experimental description: | Detects potential network activity of MyIVO RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: myivo-server.software.informer.com + DestinationHostname|endswith: 'myivo-server.software.informer.com' condition: selection falsepositives: - Legitimate use of MyIVO diff --git a/detections/sigma/myivo_processes_sigma.yml b/detections/sigma/myivo_processes_sigma.yml index 4a347c6c..41038ae4 100644 --- a/detections/sigma/myivo_processes_sigma.yml +++ b/detections/sigma/myivo_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential MyIVO RMM Tool Process Activity -id: 4af16164-365b-47f0-9b15-37ad38073d3a +id: 5d37d5ca-1700-5f8c-a3d1-ee03d893919d status: experimental description: | Detects potential processes activity of MyIVO RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - myivomgr.exe - - myivomanager.exe + - 'myivomgr.exe' + - 'myivomanager.exe' selection_image: Image|endswith: - - myivomgr.exe - - myivomanager.exe + - 'myivomgr.exe' + - 'myivomanager.exe' condition: 1 of selection_* falsepositives: - Legitimate use of MyIVO diff --git a/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml b/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml index c9acb993..8eea927c 100644 --- a/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml +++ b/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential N-Able Advanced Monitoring Agent RMM Tool Network Activity -id: 343b65e8-9f87-4009-9649-fb77db5d1e7f +id: d0163483-f60a-55b7-9870-ede5e4ae5a9c status: experimental description: | Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,17 +16,25 @@ logsource: detection: selection: DestinationHostname|endswith: - - *remote.management - - *.logicnow.com - - *systemmonitor.us - - *systemmonitor.eu.com - - *system-monitor.com - - systemmonitor.us.cdn.cloudflare.net - - *cloudbackup.management - - *systemmonitor.co.uk - - *.n-able.com - - *.beanywhere.com - - *.swi-tc.com + - '*.beanywhere.com ' + - 'systemmonitor.co.uk' + - '*system-monitor.com' + - 'cloudbackup.management' + - '*systemmonitor.co.uk' + - 'n-able.com' + - 'systemmonitor.us' + - '*systemmonitor.eu.com' + - '*.logicnow.com' + - '*.swi-tc.com' + - '*remote.management' + - 'systemmonitor.us.cdn.cloudflare.net' + - '*cloudbackup.management' + - 'remote.management' + - 'logicnow.com' + - 'system-monitor.com' + - '*systemmonitor.us' + - 'systemmonitor.eu.com' + - '*.n-able.com' condition: selection falsepositives: - Legitimate use of N-Able Advanced Monitoring Agent diff --git a/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml b/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml index 6d334931..da601b6f 100644 --- a/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml +++ b/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential N-Able Advanced Monitoring Agent RMM Tool Process Activity -id: 9528e78f-1698-4561-8344-f45a6086bfc5 +id: d408a343-0206-5b2f-9896-de129c4f38d3 status: experimental description: | Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,20 +16,22 @@ logsource: detection: selection_parent: ParentImage|endswith: - - Agent_*_RW.exe - - BASEClient.exe - - BASupApp.exe - - BASupSrvc.exe - - BASupSrvcCnfg.exe - - BASupTSHelper.exe + - 'BASupSrvc.exe' + - 'winagent.exe' + - 'BASupApp.exe' + - 'BASupTSHelper.exe' + - 'Agent_*_RW.exe' + - 'BASEClient.exe' + - 'BASupSrvcCnfg.exe' selection_image: Image|endswith: - - Agent_*_RW.exe - - BASEClient.exe - - BASupApp.exe - - BASupSrvc.exe - - BASupSrvcCnfg.exe - - BASupTSHelper.exe + - 'BASupSrvc.exe' + - 'winagent.exe' + - 'BASupApp.exe' + - 'BASupTSHelper.exe' + - 'Agent_*_RW.exe' + - 'BASEClient.exe' + - 'BASupSrvcCnfg.exe' condition: 1 of selection_* falsepositives: - Legitimate use of N-Able Advanced Monitoring Agent diff --git a/detections/sigma/n-able_remote_access_software_network_sigma.yml b/detections/sigma/n-able_remote_access_software_network_sigma.yml index 741ce6aa..e4f8038b 100644 --- a/detections/sigma/n-able_remote_access_software_network_sigma.yml +++ b/detections/sigma/n-able_remote_access_software_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential N-ABLE Remote Access Software RMM Tool Network Activity -id: f1771336-2160-4937-bea2-fe9f0c18bb87 +id: 59b992b5-26ec-5c13-8d1e-38cddb73111b status: experimental description: | Detects potential network activity of N-ABLE Remote Access Software RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: n-able.com + DestinationHostname|endswith: 'n-able.com' condition: selection falsepositives: - Legitimate use of N-ABLE Remote Access Software diff --git a/detections/sigma/naverisk_network_sigma.yml b/detections/sigma/naverisk_network_sigma.yml index 0c9e0381..fb5829f6 100644 --- a/detections/sigma/naverisk_network_sigma.yml +++ b/detections/sigma/naverisk_network_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential Naverisk RMM Tool Network Activity -id: d7052972-17c6-441e-aeb1-23a29bf9897f +id: 16288440-a197-5f45-a5d9-ea7ac8b99b7b status: experimental description: | Detects potential network activity of Naverisk RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - user_managed - - naverisk.com + - 'user_managed' + - 'naverisk.com' condition: selection falsepositives: - Legitimate use of Naverisk diff --git a/detections/sigma/naverisk_processes_sigma.yml b/detections/sigma/naverisk_processes_sigma.yml index b1dfbaa2..e52801aa 100644 --- a/detections/sigma/naverisk_processes_sigma.yml +++ b/detections/sigma/naverisk_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Naverisk RMM Tool Process Activity -id: f25559ec-34d5-43b9-9e4a-e77ef6f218ef +id: ea669337-716f-501a-b099-a0431ff3fa6e status: experimental description: | Detects potential processes activity of Naverisk RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: AgentSetup-*.exe + ParentImage|endswith: 'AgentSetup-*.exe' selection_image: - Image|endswith: AgentSetup-*.exe + Image|endswith: 'AgentSetup-*.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Naverisk diff --git a/detections/sigma/netbird_files_sigma.yml b/detections/sigma/netbird_files_sigma.yml new file mode 100644 index 00000000..bab50338 --- /dev/null +++ b/detections/sigma/netbird_files_sigma.yml 
@@ -0,0 +1,26 @@ +title: Potential NetBird RMM Tool File Activity +id: d7450e11-72aa-57b4-b835-9afeaa6eb423 +status: experimental +description: | + Detects potential files activity of NetBird RMM tool +references: + - https://github.com/magicsword-io/LOLRMM +author: LOLRMM Project +date: 2026-02-03 +tags: + - attack.execution + - attack.t1219 +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename|endswith: + - 'C:\Program Files\Netbird\netbird.exe' + - 'C:\ProgramData\Netbird\config.json' + - '/etc/netbird/config.json' + - '/var/log/netbird/*' + condition: selection +falsepositives: + - Legitimate use of NetBird +level: medium diff --git a/detections/sigma/netbird_network_sigma.yml b/detections/sigma/netbird_network_sigma.yml new file mode 100644 index 00000000..11766116 --- /dev/null +++ b/detections/sigma/netbird_network_sigma.yml @@ -0,0 +1,26 @@ +title: Potential NetBird RMM Tool Network Activity +id: b185f048-8668-5dba-a8fa-09e8d9fd2097 +status: experimental +description: | + Detects potential network activity of NetBird RMM tool +references: + - https://github.com/magicsword-io/LOLRMM +author: LOLRMM Project +date: 2026-02-03 +tags: + - attack.execution + - attack.t1219 +logsource: + product: windows + category: network_connection +detection: + selection: + DestinationHostname|endswith: + - 'netbird.io' + - '*.netbird.io' + - 'api.netbird.io' + - 'signal.netbird.io' + condition: selection +falsepositives: + - Legitimate use of NetBird +level: medium diff --git a/detections/sigma/netbird_processes_sigma.yml b/detections/sigma/netbird_processes_sigma.yml new file mode 100644 index 00000000..34c22722 --- /dev/null +++ b/detections/sigma/netbird_processes_sigma.yml 
@@ -0,0 +1,32 @@ +title: Potential NetBird RMM Tool Process Activity +id: 48b0db99-b021-5bd7-9a73-7a2733099102 +status: experimental +description: | + Detects potential processes activity of NetBird RMM tool +references: + - https://github.com/magicsword-io/LOLRMM +author: LOLRMM Project +date: 2026-02-03 +tags: + - attack.execution + - attack.t1219 +logsource: + product: windows + category: process_creation +detection: + selection_parent: + ParentImage|endswith: + - 'C:\Program Files\Netbird\netbird.exe' + - 'C:\Program Files\Netbird\netbird-ui.exe' + - 'netbird.exe' + - 'netbird-ui.exe' + selection_image: + Image|endswith: + - 'C:\Program Files\Netbird\netbird.exe' + - 'C:\Program Files\Netbird\netbird-ui.exe' + - 'netbird.exe' + - 'netbird-ui.exe' + condition: 1 of selection_* +falsepositives: + - Legitimate use of NetBird +level: medium diff --git a/detections/sigma/netlock_rmm_files_sigma.yml b/detections/sigma/netlock_rmm_files_sigma.yml index be3c10f4..bab4a4fb 100644 --- a/detections/sigma/netlock_rmm_files_sigma.yml +++ b/detections/sigma/netlock_rmm_files_sigma.yml @@ -1,12 +1,12 @@ title: Potential NetLock RMM RMM Tool File Activity -id: 60d10413-e93a-4f1a-b1cc-eb5d0cb861ca +id: 82c10301-9a7b-5116-9066-5e36877f8a7f status: experimental description: | Detects potential files activity of NetLock RMM RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,11 +16,11 @@ logsource: detection: selection: TargetFilename|endswith: - - C:\temp\netlock rmm\installer\logs\* - - C:\ProgramData\0x101 Cyber Security\NetLock RMM\Comm Agent\server_config.json - - /etc/systemd/system/netlock-rmm-agent-comm.service - - /Library/LaunchDaemons/com.netlock.rmm.agentcomm.plist - - /var/log/netlock-rmm-agent-comm.log + - 'C:\temp\netlock rmm\installer\logs\*' + - 'C:\ProgramData\0x101 Cyber Security\NetLock RMM\Comm Agent\server_config.json' + - '/etc/systemd/system/netlock-rmm-agent-comm.service' + - '/Library/LaunchDaemons/com.netlock.rmm.agentcomm.plist' + - '/var/log/netlock-rmm-agent-comm.log' condition: selection falsepositives: - Legitimate use of NetLock RMM diff --git a/detections/sigma/netlock_rmm_processes_sigma.yml b/detections/sigma/netlock_rmm_processes_sigma.yml index f1e06e8e..82c2daf6 100644 --- a/detections/sigma/netlock_rmm_processes_sigma.yml +++ b/detections/sigma/netlock_rmm_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential NetLock RMM RMM Tool Process Activity -id: 983bff01-624c-43c9-929f-e04756a7ac52 +id: 1b2c2f32-87eb-510c-b3ad-76395e0f9416 status: experimental description: | Detects potential processes activity of NetLock RMM RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,14 +16,14 @@ logsource: detection: selection_parent: ParentImage|endswith: - - NetLock_RMM_Agent_Installer.exe - - NetLock_RMM_User_Process.exe - - NetLock_RMM_User_UAC.exe + - 'NetLock_RMM_Agent_Installer.exe' + - 'C:\Program Files\0x101 Cyber Security\NetLock RMM\UserAgent\NetLock_RMM_User_Process.exe' + - 'C:\Program Files\0x101 Cyber Security\NetLock RMM\UserAgent\NetLock_RMM_User_UAC.exe' selection_image: Image|endswith: - - NetLock_RMM_Agent_Installer.exe - - NetLock_RMM_User_Process.exe - - NetLock_RMM_User_UAC.exe + - 'NetLock_RMM_Agent_Installer.exe' + - 'C:\Program Files\0x101 Cyber Security\NetLock RMM\UserAgent\NetLock_RMM_User_Process.exe' + - 'C:\Program Files\0x101 Cyber Security\NetLock RMM\UserAgent\NetLock_RMM_User_UAC.exe' condition: 1 of selection_* falsepositives: - Legitimate use of NetLock RMM diff --git a/detections/sigma/netop_remote_control__aka_impero_connect__network_sigma.yml b/detections/sigma/netop_remote_control__aka_impero_connect__network_sigma.yml index 0bfc0fa7..a37c8c20 100644 --- a/detections/sigma/netop_remote_control__aka_impero_connect__network_sigma.yml +++ b/detections/sigma/netop_remote_control__aka_impero_connect__network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Netop Remote Control (aka Impero Connect) RMM Tool Network Activity -id: 3edeb103-6164-49d5-a513-24025e8d9862 +id: 43bf44d0-5082-599b-a71e-e13c0e5a8287 status: experimental description: | Detects potential network activity of Netop Remote Control (aka Impero Connect) RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: imperosoftware.com/impero-connect/ + DestinationHostname|endswith: 'imperosoftware.com/impero-connect/' condition: selection falsepositives: - Legitimate use of Netop Remote Control (aka Impero Connect) 
diff --git a/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml b/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml index 2ec50c7d..8a3038da 100644 --- a/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml +++ b/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Netop Remote Control (aka Impero Connect) RMM Tool Process Activity -id: ff29fc42-5515-4c51-9d48-b09fbcfeb22a +id: 23495f59-3214-5c86-95a5-ba058a0481d5 status: experimental description: | Detects potential processes activity of Netop Remote Control (aka Impero Connect) RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,16 +16,16 @@ logsource: detection: selection_parent: ParentImage|endswith: - - nhostsvc.exe - - nhstw32.exe - - nldrw32.exe - - rmserverconsolemediator.exe + - 'nhostsvc.exe' + - 'nhstw32.exe' + - 'nldrw32.exe' + - 'rmserverconsolemediator.exe' selection_image: Image|endswith: - - nhostsvc.exe - - nhstw32.exe - - nldrw32.exe - - rmserverconsolemediator.exe + - 'nhostsvc.exe' + - 'nhstw32.exe' + - 'nldrw32.exe' + - 'rmserverconsolemediator.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Netop Remote Control (aka Impero Connect) diff --git a/detections/sigma/netop_remote_control__impero_connect__network_sigma.yml b/detections/sigma/netop_remote_control__impero_connect__network_sigma.yml index 122960db..b0179be3 100644 --- a/detections/sigma/netop_remote_control__impero_connect__network_sigma.yml +++ b/detections/sigma/netop_remote_control__impero_connect__network_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential Netop Remote Control (Impero Connect) RMM Tool Network Activity -id: 42ac0f05-030b-4df0-b818-6980374579ab +id: 0a4f9206-b064-506b-a278-72a2c4b7e458 status: experimental description: | Detects potential network activity of Netop Remote Control (Impero Connect) RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.connect.backdrop.cloud - - *.netop.com + - '*.connect.backdrop.cloud' + - '*.netop.com' condition: selection falsepositives: - Legitimate use of Netop Remote Control (Impero Connect) diff --git a/detections/sigma/netop_remote_control__impero_connect__processes_sigma.yml b/detections/sigma/netop_remote_control__impero_connect__processes_sigma.yml index 054ac0ff..969e0da1 100644 --- a/detections/sigma/netop_remote_control__impero_connect__processes_sigma.yml +++ b/detections/sigma/netop_remote_control__impero_connect__processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Netop Remote Control (Impero Connect) RMM Tool Process Activity -id: 49c92cec-cc90-4a41-97cf-91e8e47a051a +id: 1b3e5bc8-ee76-55c8-a9e3-651fefbffb1d status: experimental description: | Detects potential processes activity of Netop Remote Control (Impero Connect) RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,26 +16,26 @@ logsource: detection: selection_parent: ParentImage|endswith: - - nhostsvc.exe - - nhstw32.exe - - ngstw32.exe - - Netop Ondemand.exe - - nldrw32.exe - - rmserverconsolemediator.exe - - ImperoInit.exe - - Connect.Backdrop.cloud*.exe - - ImperoClientSVC.exe + - 'nhostsvc.exe' + - 'nhstw32.exe' + - 'ngstw32.exe' + - 'Netop Ondemand.exe' + - 'nldrw32.exe' + - 'rmserverconsolemediator.exe' + - 'ImperoInit.exe' + - 'Connect.Backdrop.cloud*.exe' + - 'ImperoClientSVC.exe' selection_image: Image|endswith: - - nhostsvc.exe - - nhstw32.exe - - ngstw32.exe - - Netop Ondemand.exe - - nldrw32.exe - - rmserverconsolemediator.exe - - ImperoInit.exe - - Connect.Backdrop.cloud*.exe - - ImperoClientSVC.exe + - 'nhostsvc.exe' + - 'nhstw32.exe' + - 'ngstw32.exe' + - 'Netop Ondemand.exe' + - 'nldrw32.exe' + - 'rmserverconsolemediator.exe' + - 'ImperoInit.exe' + - 'Connect.Backdrop.cloud*.exe' + - 'ImperoClientSVC.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Netop Remote Control (Impero Connect) diff --git a/detections/sigma/netreo_network_sigma.yml b/detections/sigma/netreo_network_sigma.yml index 8e7a9538..9940746e 100644 --- a/detections/sigma/netreo_network_sigma.yml +++ b/detections/sigma/netreo_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Netreo RMM Tool Network Activity -id: cad3922b-33f7-4510-a4ea-5fd1c8915154 +id: 3f94e0d3-a8aa-5f6f-b9a4-0f5edd9589b0 status: experimental description: | Detects potential network activity of Netreo RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,10 +16,10 @@ logsource: detection: selection: DestinationHostname|endswith: - - charon.netreo.net - - activation.netreo.net - - *.api.netreo.com - - netreo.com + - 'charon.netreo.net' + - 'activation.netreo.net' + - '*.api.netreo.com' + - 'netreo.com' condition: selection falsepositives: - Legitimate use of Netreo 
diff --git a/detections/sigma/netsupport_manager_network_sigma.yml b/detections/sigma/netsupport_manager_network_sigma.yml index 94abe385..ca21d62b 100644 --- a/detections/sigma/netsupport_manager_network_sigma.yml +++ b/detections/sigma/netsupport_manager_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential NetSupport Manager RMM Tool Network Activity -id: 8097d92a-5bbf-4dcc-8dc0-28e0726f5ae3 +id: d947f549-6714-582d-b8bf-74f746be1cb2 status: experimental description: | Detects potential network activity of NetSupport Manager RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,9 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.netsupportmanager.com - - netsupportmanager.com + - 'geo.netsupportsoftware.com' + - 'netsupportmanager.com' + - '*.netsupportmanager.com' condition: selection falsepositives: - Legitimate use of NetSupport Manager diff --git a/detections/sigma/netsupport_manager_processes_sigma.yml b/detections/sigma/netsupport_manager_processes_sigma.yml index 74faf975..bc5ab787 100644 --- a/detections/sigma/netsupport_manager_processes_sigma.yml +++ b/detections/sigma/netsupport_manager_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential NetSupport Manager RMM Tool Process Activity -id: 922caa2b-af7d-4657-90f6-45dc003a6151 +id: 55368c9b-40aa-5aaf-984b-98ae73c3b699 status: experimental description: | Detects potential processes activity of NetSupport Manager RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,14 +16,14 @@ logsource: detection: selection_parent: ParentImage|endswith: - - pcictlui.exe - - pcicfgui.exe - - client32.exe + - 'pcictlui.exe' + - 'client32.exe' + - 'pcicfgui.exe' selection_image: Image|endswith: - - pcictlui.exe - - pcicfgui.exe - - client32.exe + - 'pcictlui.exe' + - 'client32.exe' + - 'pcicfgui.exe' condition: 1 of selection_* falsepositives: - Legitimate use of NetSupport Manager diff --git a/detections/sigma/neturo_network_sigma.yml b/detections/sigma/neturo_network_sigma.yml index 56b958ab..f7215798 100644 --- a/detections/sigma/neturo_network_sigma.yml +++ b/detections/sigma/neturo_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Neturo RMM Tool Network Activity -id: d5444bd0-18d8-431e-97dd-ebe0536fe820 +id: fe56e305-ad09-5262-ab73-b2bc3889c8db status: experimental description: | Detects potential network activity of Neturo RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: neturo.uplus.co.kr + DestinationHostname|endswith: 'neturo.uplus.co.kr' condition: selection falsepositives: - Legitimate use of Neturo diff --git a/detections/sigma/neturo_processes_sigma.yml b/detections/sigma/neturo_processes_sigma.yml index ac56e0e0..e14707c7 100644 --- a/detections/sigma/neturo_processes_sigma.yml +++ b/detections/sigma/neturo_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Neturo RMM Tool Process Activity -id: f29ed784-7458-4c4a-ab7a-564d5a45baea +id: 177f4658-710b-5435-b765-bf43e3b721e6 status: experimental description: | Detects potential processes activity of Neturo RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,14 +16,14 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - neturo*.exe
- - ntrntservice.exe
- - neturo.exe
+ - 'neturo*.exe'
+ - 'ntrntservice.exe'
+ - 'neturo.exe'
 selection_image:
 Image|endswith:
- - neturo*.exe
- - ntrntservice.exe
- - neturo.exe
+ - 'neturo*.exe'
+ - 'ntrntservice.exe'
+ - 'neturo.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of Neturo
diff --git a/detections/sigma/netviewer__gotomeet__processes_sigma.yml b/detections/sigma/netviewer__gotomeet__processes_sigma.yml
index 68120761..d8012911 100644
--- a/detections/sigma/netviewer__gotomeet__processes_sigma.yml
+++ b/detections/sigma/netviewer__gotomeet__processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Netviewer (GoToMeet) RMM Tool Process Activity
-id: a6346afe-86d5-4f01-aada-e9b2f19cba58
+id: 231c6658-a998-5285-b41e-f29160ff9712
 status: experimental
 description: |
 Detects potential processes activity of Netviewer (GoToMeet) RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,12 +16,12 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - nvClient.exe
- - netviewer.exe
+ - 'nvClient.exe'
+ - 'netviewer.exe'
 selection_image:
 Image|endswith:
- - nvClient.exe
- - netviewer.exe
+ - 'nvClient.exe'
+ - 'netviewer.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of Netviewer (GoToMeet)
diff --git a/detections/sigma/netviewer_network_sigma.yml b/detections/sigma/netviewer_network_sigma.yml
index 8fcc6e66..8d633b36 100644
--- a/detections/sigma/netviewer_network_sigma.yml
+++ b/detections/sigma/netviewer_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Netviewer RMM Tool Network Activity
-id: 486d8388-79a5-4f53-91ee-a815559c5a9e
+id: 931fd1e9-6e0b-560d-994e-bb9476787a6c
 status: experimental
 description: |
 Detects potential network activity of Netviewer RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -15,7 +15,7 @@ logsource:
 category: network_connection
 detection:
 selection:
- DestinationHostname|endswith: download.cnet.com/Net-Viewer/3000-2370_4-10034828.html
+ DestinationHostname|endswith: 'download.cnet.com/Net-Viewer/3000-2370_4-10034828.html'
 condition: selection
 falsepositives:
 - Legitimate use of Netviewer
diff --git a/detections/sigma/netviewer_processes_sigma.yml b/detections/sigma/netviewer_processes_sigma.yml
index fed6106f..2ae8ed8a 100644
--- a/detections/sigma/netviewer_processes_sigma.yml
+++ b/detections/sigma/netviewer_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Netviewer RMM Tool Process Activity
-id: c79e9209-c485-45bf-af98-777c7b1040a2
+id: 95cd51e4-0c54-59b0-8794-dea403d2cc7f
 status: experimental
 description: |
 Detects potential processes activity of Netviewer RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,12 +16,12 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - netviewer*.exe
- - netviewer.exe
+ - 'netviewer*.exe'
+ - 'netviewer.exe'
 selection_image:
 Image|endswith:
- - netviewer*.exe
- - netviewer.exe
+ - 'netviewer*.exe'
+ - 'netviewer.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of Netviewer
diff --git a/detections/sigma/ngrok_network_sigma.yml b/detections/sigma/ngrok_network_sigma.yml
index c96fc65e..73acf9cd 100644
--- a/detections/sigma/ngrok_network_sigma.yml
+++ b/detections/sigma/ngrok_network_sigma.yml
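Review bot: `DestinationHostname|endswith: 'download.cnet.com/Net-Viewer/3000-2370_4-10034828.html'` is a URL path, not a hostname, so the quoting fix preserves a value that a hostname field can never end with and the rule is effectively dead. The same shape appears in parallels_access_network_sigma.yml (`'parallels.com/products/ras/try'`) and pcnow_network_sigma.yml (`'au.pcmag.com/utilities/21470/webex-pcnow'`). The entry should be removed from the source yaml, or the generator should skip values containing `/` rather than emit them under `DestinationHostname`; a vendor download page is not agent telemetry, so it is not a useful indicator in any field.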
@@ -1,12 +1,12 @@
 title: Potential ngrok RMM Tool Network Activity
-id: 36b3490a-8cac-4611-bfad-82f3f4c74ad6
+id: cfdb0abb-2923-5206-b15f-51ddcae9991d
 status: experimental
 description: |
 Detects potential network activity of ngrok RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,15 +16,15 @@ logsource:
 detection:
 selection:
 DestinationHostname|endswith:
- - connect.ngrok-agent.com
- - connect.us.ngrok-agent.com
- - connect.eu.ngrok-agent.com
- - connect.ap.ngrok-agent.com
- - connect.au.ngrok-agent.com
- - connect.sa.ngrok-agent.com
- - connect.jp.ngrok-agent.com
- - connect.in.ngrok-agent.com
- - ngrok.com
+ - 'connect.ngrok-agent.com'
+ - 'connect.us.ngrok-agent.com'
+ - 'connect.eu.ngrok-agent.com'
+ - 'connect.ap.ngrok-agent.com'
+ - 'connect.au.ngrok-agent.com'
+ - 'connect.sa.ngrok-agent.com'
+ - 'connect.jp.ngrok-agent.com'
+ - 'connect.in.ngrok-agent.com'
+ - 'ngrok.com'
 condition: selection
 falsepositives:
 - Legitimate use of ngrok
diff --git a/detections/sigma/ngrok_processes_sigma.yml b/detections/sigma/ngrok_processes_sigma.yml
index 33ef15c6..5cae9815 100644
--- a/detections/sigma/ngrok_processes_sigma.yml
+++ b/detections/sigma/ngrok_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential ngrok RMM Tool Process Activity
-id: 9b44fabc-09e3-4205-8f07-fbf79aad5d7b
+id: 060f3d4d-64f8-579d-9344-4c7bea0f390d
 status: experimental
 description: |
 Detects potential processes activity of ngrok RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -15,9 +15,9 @@ logsource:
 category: process_creation
 detection:
 selection_parent:
- ParentImage|endswith: ngrok.exe
+ ParentImage|endswith: 'ngrok.exe'
 selection_image:
- Image|endswith: ngrok.exe
+ Image|endswith: 'ngrok.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of ngrok
diff --git a/detections/sigma/ninjarmm_network_sigma.yml b/detections/sigma/ninjarmm_network_sigma.yml
index 1db67999..5e25d35b 100644
--- a/detections/sigma/ninjarmm_network_sigma.yml
+++ b/detections/sigma/ninjarmm_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential NinjaRMM RMM Tool Network Activity
-id: ff3c27a2-b2d4-4e65-820f-739b97e658de
+id: 91ec854e-788e-5231-8365-bee358110458
 status: experimental
 description: |
 Detects potential network activity of NinjaRMM RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,22 +16,22 @@ logsource:
 detection:
 selection:
 DestinationHostname|endswith:
- - *.ninjarmm.com
- - *.ninjaone.com
- - resources.ninjarmm.com
- - ninjaone.com
- - ninjarmm.net
- - *.ninjarmm.net
- - rmmservice.eu
- - *.rmmservice.eu
- - rmmservice.eu
- - *.rmmservice.eu
- - rmmservice.com.au
- - *.rmmservice.com.au
- - rmmservice.ca
- - *.rmmservice.ca
- - ninja-backup.com
- - *.ninja-backup.com
+ - '*.ninjarmm.com'
+ - '*.ninjaone.com'
+ - 'resources.ninjarmm.com'
+ - 'ninjaone.com'
+ - 'ninjarmm.net'
+ - '*.ninjarmm.net'
+ - 'rmmservice.eu'
+ - '*.rmmservice.eu'
+ - 'rmmservice.eu'
+ - '*.rmmservice.eu'
+ - 'rmmservice.com.au'
+ - '*.rmmservice.com.au'
+ - 'rmmservice.ca'
+ - '*.rmmservice.ca'
+ - 'ninja-backup.com'
+ - '*.ninja-backup.com'
 condition: selection
 falsepositives:
 - Legitimate use of NinjaRMM
diff --git a/detections/sigma/ninjarmm_processes_sigma.yml b/detections/sigma/ninjarmm_processes_sigma.yml
index 2dfa4d7d..44032be7 100644
--- a/detections/sigma/ninjarmm_processes_sigma.yml
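Review bot: `'rmmservice.eu'` and `'*.rmmservice.eu'` each appear twice in the new list, so the generator is emitting the source list verbatim without deduplication; harmless for matching, but it bloats the rule and hides real changes in future diffs. Deduplicating in the generator while keeping order, e.g. `values = list(dict.fromkeys(values))`, fixes every rule at once. The leading `*.` in entries such as `'*.ninjarmm.com'` is redundant under `|endswith`, and `'ninjaone.com'` without a leading dot also matches unrelated hosts like `notninjaone.com`; the usual shape is `'.ninjaone.com'` under `|endswith` plus the bare domain as an exact (unmodified) match.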
+++ b/detections/sigma/ninjarmm_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential NinjaRMM RMM Tool Process Activity
-id: 75028b26-78a3-4dc3-acc1-f8b6d8ae5fc9
+id: e86bed40-ecf9-5a3b-a07e-9b9084710100
 status: experimental
 description: |
 Detects potential processes activity of NinjaRMM RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,16 +16,14 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - ninjarmmagent.exe
- - NinjaRMMAgent.exe
- - NinjaRMMAgenPatcher.exe
- - ninjarmm-cli.exe
+ - 'NinjaRMMAgent.exe'
+ - 'NinjaRMMAgentPatcher.exe'
+ - 'ninjarmm-cli.exe'
 selection_image:
 Image|endswith:
- - ninjarmmagent.exe
- - NinjaRMMAgent.exe
- - NinjaRMMAgenPatcher.exe
- - ninjarmm-cli.exe
+ - 'NinjaRMMAgent.exe'
+ - 'NinjaRMMAgentPatcher.exe'
+ - 'ninjarmm-cli.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of NinjaRMM
diff --git a/detections/sigma/nomachine_network_sigma.yml b/detections/sigma/nomachine_network_sigma.yml
index 5840d7dc..30b533bc 100644
--- a/detections/sigma/nomachine_network_sigma.yml
+++ b/detections/sigma/nomachine_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential NoMachine RMM Tool Network Activity
-id: 22d88358-700e-47d3-84df-d7951b17740a
+id: 3a1f2607-e9bd-5087-beda-0d5adcbfa0fa
 status: experimental
 description: |
 Detects potential network activity of NoMachine RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,8 +16,8 @@ logsource:
 detection:
 selection:
 DestinationHostname|endswith:
- - user_managed
- - nomachine.com
+ - 'user_managed'
+ - 'nomachine.com'
 condition: selection
 falsepositives:
 - Legitimate use of NoMachine
diff --git a/detections/sigma/nomachine_processes_sigma.yml b/detections/sigma/nomachine_processes_sigma.yml
index e4e8409b..8ae9cf7c 100644
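Review bot: `- 'user_managed'` in the NoMachine network selection is a placeholder token from the source yaml (the server is self-hosted), not a hostname, and quoting it only makes a never-matching literal explicit; ocs_inventory_network_sigma.yml carries the same token, and pcanywhere_network_sigma.yml consists of nothing else, so that rule can never fire. The generator should filter the token out and skip writing a network rule when no real hostname remains, and the description could say the destination is deployment-specific. The NinjaRMM processes hunk above is fine: dropping the lowercase `ninjarmmagent.exe` duplicate is safe given Sigma's case-insensitive string matching, and `NinjaRMMAgentPatcher.exe` corrects the earlier misspelling.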
--- a/detections/sigma/nomachine_processes_sigma.yml
+++ b/detections/sigma/nomachine_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential NoMachine RMM Tool Process Activity
-id: 7b453f55-095c-4729-94f7-1739c63eca61
+id: fbc8d96c-60c1-5039-ac27-5e9e03304214
 status: experimental
 description: |
 Detects potential processes activity of NoMachine RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,12 +16,12 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - nomachine*.exe
- - nxd.exe
+ - 'nomachine*.exe'
+ - 'nxd.exe'
 selection_image:
 Image|endswith:
- - nomachine*.exe
- - nxd.exe
+ - 'nomachine*.exe'
+ - 'nxd.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of NoMachine
diff --git a/detections/sigma/noteon-desktop_sharing_processes_sigma.yml b/detections/sigma/noteon-desktop_sharing_processes_sigma.yml
index bf62f799..8446bbaf 100644
--- a/detections/sigma/noteon-desktop_sharing_processes_sigma.yml
+++ b/detections/sigma/noteon-desktop_sharing_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential NoteOn-desktop sharing RMM Tool Process Activity
-id: 9db042ba-6c3e-4e79-8622-e32e509340fc
+id: 22282cb4-4b00-5b16-ba9c-379a99d192bd
 status: experimental
 description: |
 Detects potential processes activity of NoteOn-desktop sharing RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,14 +16,14 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - nateon*.exe
- - nateon.exe
- - nateonmain.exe
+ - 'nateon*.exe'
+ - 'nateon.exe'
+ - 'nateonmain.exe'
 selection_image:
 Image|endswith:
- - nateon*.exe
- - nateon.exe
- - nateonmain.exe
+ - 'nateon*.exe'
+ - 'nateon.exe'
+ - 'nateonmain.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of NoteOn-desktop sharing
diff --git a/detections/sigma/ntr_remote_network_sigma.yml b/detections/sigma/ntr_remote_network_sigma.yml
index ab9c06b3..defc2af7 100644
--- a/detections/sigma/ntr_remote_network_sigma.yml
+++ b/detections/sigma/ntr_remote_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential NTR Remote RMM Tool Network Activity
-id: 2b92af57-0b89-44bd-a475-fe3afb7ba388
+id: f3169743-070d-5bb1-aaea-47c766214cdd
 status: experimental
 description: |
 Detects potential network activity of NTR Remote RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -15,7 +15,7 @@ logsource:
 category: network_connection
 detection:
 selection:
- DestinationHostname|endswith: *.ntrsupport.com
+ DestinationHostname|endswith: '*.ntrsupport.com'
 condition: selection
 falsepositives:
 - Legitimate use of NTR Remote
diff --git a/detections/sigma/ntr_remote_processes_sigma.yml b/detections/sigma/ntr_remote_processes_sigma.yml
index efc7f667..eb19cc06 100644
--- a/detections/sigma/ntr_remote_processes_sigma.yml
+++ b/detections/sigma/ntr_remote_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential NTR Remote RMM Tool Process Activity
-id: 44ec1ea4-7d35-4aee-a5a2-65f78442aacd
+id: d1ad5fe4-bf5d-5747-8c77-82c0a415c54f
 status: experimental
 description: |
 Detects potential processes activity of NTR Remote RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -15,9 +15,9 @@ logsource:
 category: process_creation
 detection:
 selection_parent:
- ParentImage|endswith: NTRsupportPro_EN.exe
+ ParentImage|endswith: 'NTRsupportPro_EN.exe'
 selection_image:
- Image|endswith: NTRsupportPro_EN.exe
+ Image|endswith: 'NTRsupportPro_EN.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of NTR Remote
diff --git a/detections/sigma/nvda__non-visual_desktop_access__files_sigma.yml b/detections/sigma/nvda__non-visual_desktop_access__files_sigma.yml
new file mode 100644
index 00000000..d5cc2d1b
--- /dev/null
+++ b/detections/sigma/nvda__non-visual_desktop_access__files_sigma.yml
@@ -0,0 +1,26 @@
+title: Potential NVDA (Non-Visual Desktop Access) RMM Tool File Activity
+id: 26110593-ccfd-510a-9d00-a877daa2ee99
+status: experimental
+description: |
+ Detects potential files activity of NVDA (Non-Visual Desktop Access) RMM tool
+references:
+ - https://github.com/magicsword-io/LOLRMM
+author: LOLRMM Project
+date: 2026-02-03
+tags:
+ - attack.execution
+ - attack.t1219
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|endswith:
+ - 'C:\Program Files (x86)\NVDA\nvda.exe'
+ - 'C:\Program Files\NVDA\nvda.exe'
+ - 'C:\Users\*\AppData\Roaming\nvda\nvda.log'
+ - 'C:\Users\*\AppData\Roaming\nvda\nvda.ini'
+ condition: selection
+falsepositives:
+ - Legitimate use of NVDA (Non-Visual Desktop Access)
+level: medium
diff --git a/detections/sigma/nvda__non-visual_desktop_access__network_sigma.yml b/detections/sigma/nvda__non-visual_desktop_access__network_sigma.yml
new file mode 100644
index 00000000..36a1f2ad
--- /dev/null
+++ b/detections/sigma/nvda__non-visual_desktop_access__network_sigma.yml
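Review bot: `TargetFilename|endswith:` with full absolute paths such as `'C:\Program Files (x86)\NVDA\nvda.exe'` only matches when the logged path carries exactly that drive and prefix, and `'C:\Users\*\AppData\Roaming\nvda\nvda.log'` relies on a mid-string wildcard under an endswith modifier, which not every backend translates; dropping the root part, `- '\NVDA\nvda.exe'` and `- '\AppData\Roaming\nvda\nvda.log'`, matches the same files regardless of install drive or profile location. parsec_files_sigma.yml later in this diff has the same absolute-path shape. Separately, NVDA (nvaccess.org) is primarily an accessibility screen reader rather than a remote-management product, so a `level: medium` alert on its log and ini files will fire for every user who relies on it; that is a source-yaml question, but worth confirming before this rule ships.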
@@ -0,0 +1,24 @@
+title: Potential NVDA (Non-Visual Desktop Access) RMM Tool Network Activity
+id: 814532f6-267d-5e39-b304-2ea58274997d
+status: experimental
+description: |
+ Detects potential network activity of NVDA (Non-Visual Desktop Access) RMM tool
+references:
+ - https://github.com/magicsword-io/LOLRMM
+author: LOLRMM Project
+date: 2026-02-03
+tags:
+ - attack.execution
+ - attack.t1219
+logsource:
+ product: windows
+ category: network_connection
+detection:
+ selection:
+ DestinationHostname|endswith:
+ - 'nvaccess.org'
+ - '*.nvaccess.org'
+ condition: selection
+falsepositives:
+ - Legitimate use of NVDA (Non-Visual Desktop Access)
+level: medium
diff --git a/detections/sigma/nvda__non-visual_desktop_access__processes_sigma.yml b/detections/sigma/nvda__non-visual_desktop_access__processes_sigma.yml
new file mode 100644
index 00000000..c5830440
--- /dev/null
+++ b/detections/sigma/nvda__non-visual_desktop_access__processes_sigma.yml
@@ -0,0 +1,34 @@
+title: Potential NVDA (Non-Visual Desktop Access) RMM Tool Process Activity
+id: 297637d7-5759-5d87-9c61-88f706f79bca
+status: experimental
+description: |
+ Detects potential processes activity of NVDA (Non-Visual Desktop Access) RMM tool
+references:
+ - https://github.com/magicsword-io/LOLRMM
+author: LOLRMM Project
+date: 2026-02-03
+tags:
+ - attack.execution
+ - attack.t1219
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_parent:
+ ParentImage|endswith:
+ - 'C:\Program Files (x86)\NVDA\nvda.exe'
+ - 'C:\Program Files\NVDA\nvda.exe'
+ - 'nvda.exe'
+ - 'nvda_service.exe'
+ - 'nvda_*.exe'
+ selection_image:
+ Image|endswith:
+ - 'C:\Program Files (x86)\NVDA\nvda.exe'
+ - 'C:\Program Files\NVDA\nvda.exe'
+ - 'nvda.exe'
+ - 'nvda_service.exe'
+ - 'nvda_*.exe'
+ condition: 1 of selection_*
+falsepositives:
+ - Legitimate use of NVDA (Non-Visual Desktop Access)
+level: medium
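Review bot: The two absolute-path entries under `ParentImage|endswith:` and `Image|endswith:` are subsumed by the `'nvda.exe'` entry in the same list, since any path ending in `\NVDA\nvda.exe` also ends in `nvda.exe`, so they add nothing and can be dropped. `'nvda.exe'` and `'nvda_*.exe'` without a leading backslash also match unrelated images whose names merely end in those strings; `- '\nvda.exe'` and `- '\nvda_*.exe'` keep the match to the file name. The `nvda_service.exe` entry is already covered by `nvda_*.exe` as well.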
diff --git a/detections/sigma/ocs_inventory_network_sigma.yml b/detections/sigma/ocs_inventory_network_sigma.yml
index 2d2fa2cf..8fdefdbd 100644
--- a/detections/sigma/ocs_inventory_network_sigma.yml
+++ b/detections/sigma/ocs_inventory_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential OCS inventory RMM Tool Network Activity
-id: 6af3935a-ded4-413a-a175-7edea764de78
+id: 042f65ec-55ea-57cf-a636-bb6febb1b347
 status: experimental
 description: |
 Detects potential network activity of OCS inventory RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,8 +16,8 @@ logsource:
 detection:
 selection:
 DestinationHostname|endswith:
- - user_managed
- - ocsinventory-ng.org
+ - 'user_managed'
+ - 'ocsinventory-ng.org'
 condition: selection
 falsepositives:
 - Legitimate use of OCS inventory
diff --git a/detections/sigma/ocs_inventory_processes_sigma.yml b/detections/sigma/ocs_inventory_processes_sigma.yml
index 0c0cc72a..9ce51147 100644
--- a/detections/sigma/ocs_inventory_processes_sigma.yml
+++ b/detections/sigma/ocs_inventory_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential OCS inventory RMM Tool Process Activity
-id: 7751f589-527f-4ada-ad90-ac026b8e6183
+id: 363fe317-cbbd-5f02-b435-48f411fb98fe
 status: experimental
 description: |
 Detects potential processes activity of OCS inventory RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,12 +16,12 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - ocsinventory.exe
- - ocsservice.exe
+ - 'ocsinventory.exe'
+ - 'ocsservice.exe'
 selection_image:
 Image|endswith:
- - ocsinventory.exe
- - ocsservice.exe
+ - 'ocsinventory.exe'
+ - 'ocsservice.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of OCS inventory
diff --git a/detections/sigma/onionshare_processes_sigma.yml b/detections/sigma/onionshare_processes_sigma.yml
index 3d75bce0..8f62f3d3 100644
--- a/detections/sigma/onionshare_processes_sigma.yml
+++ b/detections/sigma/onionshare_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Onionshare RMM Tool Process Activity
-id: 3de011f3-7406-423a-b202-a39cd44327d0
+id: 81a87be7-d52b-5931-a1b8-3bf4bb169b1d
 status: experimental
 description: |
 Detects potential processes activity of Onionshare RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -15,9 +15,9 @@ logsource:
 category: process_creation
 detection:
 selection_parent:
- ParentImage|endswith: onionshare*.exe
+ ParentImage|endswith: '*\onionshare*.exe'
 selection_image:
- Image|endswith: onionshare*.exe
+ Image|endswith: '*\onionshare*.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of Onionshare
diff --git a/detections/sigma/optitune_network_sigma.yml b/detections/sigma/optitune_network_sigma.yml
index 99a3ef40..12838e60 100644
--- a/detections/sigma/optitune_network_sigma.yml
+++ b/detections/sigma/optitune_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential OptiTune RMM Tool Network Activity
-id: 8991fa78-30c2-4504-9503-6b5d9d55878a
+id: be3dd400-8dad-5cf3-a9dd-c96f4ac0da8d
 status: experimental
 description: |
 Detects potential network activity of OptiTune RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,8 +16,8 @@ logsource:
 detection:
 selection:
 DestinationHostname|endswith:
- - *.optitune.us
- - *.opti-tune.com
+ - '*.optitune.us'
+ - '*.opti-tune.com'
 condition: selection
 falsepositives:
 - Legitimate use of OptiTune
diff --git a/detections/sigma/optitune_processes_sigma.yml b/detections/sigma/optitune_processes_sigma.yml
index 95aedff2..90edab7d 100644
--- a/detections/sigma/optitune_processes_sigma.yml
+++ b/detections/sigma/optitune_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential OptiTune RMM Tool Process Activity
-id: 7d5d3bff-8d0f-4a03-adca-6638af47a37a
+id: fd36d5bd-60ff-54e4-b0c1-fd0babcc4d2a
 status: experimental
 description: |
 Detects potential processes activity of OptiTune RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,12 +16,12 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - OTService.exe
- - OTPowerShell.exe
+ - 'OTService.exe'
+ - 'OTPowerShell.exe'
 selection_image:
 Image|endswith:
- - OTService.exe
- - OTPowerShell.exe
+ - 'OTService.exe'
+ - 'OTPowerShell.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of OptiTune
diff --git a/detections/sigma/pandora_rc__ehorus__network_sigma.yml b/detections/sigma/pandora_rc__ehorus__network_sigma.yml
index 05fbbee8..1deb7b48 100644
--- a/detections/sigma/pandora_rc__ehorus__network_sigma.yml
+++ b/detections/sigma/pandora_rc__ehorus__network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Pandora RC (eHorus) RMM Tool Network Activity
-id: 25478da8-31ae-46a8-8002-2844a02a9517
+id: 359ba59f-ef84-5395-9d5a-9f4e34890ea0
 status: experimental
 description: |
 Detects potential network activity of Pandora RC (eHorus) RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -15,7 +15,7 @@ logsource:
 category: network_connection
 detection:
 selection:
- DestinationHostname|endswith: portal.ehorus.com
+ DestinationHostname|endswith: 'portal.ehorus.com'
 condition: selection
 falsepositives:
 - Legitimate use of Pandora RC (eHorus)
diff --git a/detections/sigma/pandora_rc__ehorus__processes_sigma.yml b/detections/sigma/pandora_rc__ehorus__processes_sigma.yml
index 2d0477f3..0dce5097 100644
--- a/detections/sigma/pandora_rc__ehorus__processes_sigma.yml
+++ b/detections/sigma/pandora_rc__ehorus__processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Pandora RC (eHorus) RMM Tool Process Activity
-id: e6720dbb-9fb8-47d9-9474-8364fa251cff
+id: 1e7062ba-117d-515c-9500-8a5e430b7cf3
 status: experimental
 description: |
 Detects potential processes activity of Pandora RC (eHorus) RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,12 +16,12 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - ehorus standalone.exe
- - ehorus_agent.exe
+ - 'ehorus standalone.exe'
+ - 'ehorus_agent.exe'
 selection_image:
 Image|endswith:
- - ehorus standalone.exe
- - ehorus_agent.exe
+ - 'ehorus standalone.exe'
+ - 'ehorus_agent.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of Pandora RC (eHorus)
diff --git a/detections/sigma/panorama9_network_sigma.yml b/detections/sigma/panorama9_network_sigma.yml
index c56e4947..52a30604 100644
--- a/detections/sigma/panorama9_network_sigma.yml
+++ b/detections/sigma/panorama9_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Panorama9 RMM Tool Network Activity
-id: c632c19c-4799-4af6-81dc-57b3212aee9d
+id: 39e45491-4c6c-54c7-91d5-489906a43dad
 status: experimental
 description: |
 Detects potential network activity of Panorama9 RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,9 +16,9 @@ logsource:
 detection:
 selection:
 DestinationHostname|endswith:
- - trusted.panorama9.com
- - changes.panorama9.com
- - panorama9.com
+ - 'trusted.panorama9.com'
+ - 'changes.panorama9.com'
+ - 'panorama9.com'
 condition: selection
 falsepositives:
 - Legitimate use of Panorama9
diff --git a/detections/sigma/panorama9_processes_sigma.yml b/detections/sigma/panorama9_processes_sigma.yml
index ab1fadc4..4e26d743 100644
--- a/detections/sigma/panorama9_processes_sigma.yml
+++ b/detections/sigma/panorama9_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Panorama9 RMM Tool Process Activity
-id: 2e3c0b5f-cab3-49bd-97bb-6af3d7d8a9cc
+id: 81cc765a-a177-5d16-a476-4ec28340a8c4
 status: experimental
 description: |
 Detects potential processes activity of Panorama9 RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -15,9 +15,9 @@ logsource:
 category: process_creation
 detection:
 selection_parent:
- ParentImage|endswith: p9agent*.exe
+ ParentImage|endswith: 'p9agent*.exe'
 selection_image:
- Image|endswith: p9agent*.exe
+ Image|endswith: 'p9agent*.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of Panorama9
diff --git a/detections/sigma/parallels_access_network_sigma.yml b/detections/sigma/parallels_access_network_sigma.yml
index 71e5dbd5..c2497197 100644
--- a/detections/sigma/parallels_access_network_sigma.yml
+++ b/detections/sigma/parallels_access_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Parallels Access RMM Tool Network Activity
-id: 30ddd92c-43ea-47bc-9580-a2a5e9184321
+id: 0bb073e9-80d5-5404-834b-9388839f06b3
 status: experimental
 description: |
 Detects potential network activity of Parallels Access RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,8 +16,8 @@ logsource:
 detection:
 selection:
 DestinationHostname|endswith:
- - *.parallels.com
- - parallels.com/products/ras/try
+ - '*.parallels.com'
+ - 'parallels.com/products/ras/try'
 condition: selection
 falsepositives:
 - Legitimate use of Parallels Access
diff --git a/detections/sigma/parallels_access_processes_sigma.yml b/detections/sigma/parallels_access_processes_sigma.yml
index c28b6004..120899d4 100644
--- a/detections/sigma/parallels_access_processes_sigma.yml
+++ b/detections/sigma/parallels_access_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Parallels Access RMM Tool Process Activity
-id: ddf0f6b8-619e-4d58-bf43-b6f52a396f6e
+id: eb432fc1-db5e-5606-8676-b23da7c1e3d0
 status: experimental
 description: |
 Detects potential processes activity of Parallels Access RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,18 +16,18 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - parallelsaccess-*.exe
- - TSClient.exe
- - prl_deskctl_agent.exe
- - prl_deskctl_wizard.exe
- - prl_pm_service.exe
+ - 'parallelsaccess-*.exe'
+ - 'TSClient.exe'
+ - 'prl_deskctl_agent.exe'
+ - 'prl_deskctl_wizard.exe'
+ - 'prl_pm_service.exe'
 selection_image:
 Image|endswith:
- - parallelsaccess-*.exe
- - TSClient.exe
- - prl_deskctl_agent.exe
- - prl_deskctl_wizard.exe
- - prl_pm_service.exe
+ - 'parallelsaccess-*.exe'
+ - 'TSClient.exe'
+ - 'prl_deskctl_agent.exe'
+ - 'prl_deskctl_wizard.exe'
+ - 'prl_pm_service.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of Parallels Access
diff --git a/detections/sigma/parsec_files_sigma.yml b/detections/sigma/parsec_files_sigma.yml
index 0f97f910..b3299e8f 100644
--- a/detections/sigma/parsec_files_sigma.yml
+++ b/detections/sigma/parsec_files_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Parsec RMM Tool File Activity
-id: 4bf000d7-7a91-470b-b42b-5593cf3307ed
+id: 92d45705-b47b-574b-934d-b0fd41ae1488
 status: experimental
 description: |
 Detects potential files activity of Parsec RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,9 +16,9 @@ logsource:
 detection:
 selection:
 TargetFilename|endswith:
- - C:\Program Files\Parsec\parsecd.exe
- - C:\Program Files\Parsec\pservice.exe
- - C:\Program Files\Parsec\teams.exe
+ - 'C:\Program Files\Parsec\parsecd.exe'
+ - 'C:\Program Files\Parsec\pservice.exe'
+ - 'C:\Program Files\Parsec\teams.exe'
 condition: selection
 falsepositives:
 - Legitimate use of Parsec
diff --git a/detections/sigma/parsec_network_sigma.yml b/detections/sigma/parsec_network_sigma.yml
index f86e213a..41f8d563 100644
--- a/detections/sigma/parsec_network_sigma.yml
+++ b/detections/sigma/parsec_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Parsec RMM Tool Network Activity
-id: ee67c1ca-b3d3-4cda-b751-911181fc13a3
+id: bfa97730-7290-5520-bb73-bb48c798e490
 status: experimental
 description: |
 Detects potential network activity of Parsec RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,9 +16,9 @@ logsource:
 detection:
 selection:
 DestinationHostname|endswith:
- - parsec.app
- - parsec.gg
- - *.parsec.app
+ - 'parsec.app'
+ - 'parsec.gg'
+ - '*.parsec.app'
 condition: selection
 falsepositives:
 - Legitimate use of Parsec
diff --git a/detections/sigma/parsec_processes_sigma.yml b/detections/sigma/parsec_processes_sigma.yml
index 245c5443..f5185390 100644
--- a/detections/sigma/parsec_processes_sigma.yml
+++ b/detections/sigma/parsec_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Parsec RMM Tool Process Activity
-id: 80d9a3ec-c90e-4402-95c8-bd014975625e
+id: 09915fc9-1fc4-59e2-a878-cfaa0b1a8218
 status: experimental
 description: |
 Detects potential processes activity of Parsec RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,12 +16,12 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - parsecd.exe
- - pservice.exe
+ - 'parsecd.exe'
+ - 'pservice.exe'
 selection_image:
 Image|endswith:
- - parsecd.exe
- - pservice.exe
+ - 'parsecd.exe'
+ - 'pservice.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of Parsec
diff --git a/detections/sigma/pcanywhere_network_sigma.yml b/detections/sigma/pcanywhere_network_sigma.yml
index 76cc262d..69b43a63 100644
--- a/detections/sigma/pcanywhere_network_sigma.yml
+++ b/detections/sigma/pcanywhere_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential pcAnywhere RMM Tool Network Activity
-id: ed673768-6a23-4b61-994e-b410b2c36b65
+id: 7685e6b9-2dec-5e64-ba87-6d0fb871c8b7
 status: experimental
 description: |
 Detects potential network activity of pcAnywhere RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -15,7 +15,7 @@ logsource:
 category: network_connection
 detection:
 selection:
- DestinationHostname|endswith: user_managed
+ DestinationHostname|endswith: 'user_managed'
 condition: selection
 falsepositives:
 - Legitimate use of pcAnywhere
diff --git a/detections/sigma/pcanywhere_processes_sigma.yml b/detections/sigma/pcanywhere_processes_sigma.yml
index 458e74a0..96b78e82 100644
--- a/detections/sigma/pcanywhere_processes_sigma.yml
+++ b/detections/sigma/pcanywhere_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential pcAnywhere RMM Tool Process Activity
-id: ab6317ad-0d76-4778-9e9b-1dc463be1307
+id: cfac669a-b3d8-51a1-badd-760708ed50d1
 status: experimental
 description: |
 Detects potential processes activity of pcAnywhere RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,16 +16,16 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - awhost32.exe
- - awrem32.exe
- - pcaquickconnect.exe
- - winaw32.exe
+ - 'awhost32.exe'
+ - 'awrem32.exe'
+ - 'pcaquickconnect.exe'
+ - 'winaw32.exe'
 selection_image:
 Image|endswith:
- - awhost32.exe
- - awrem32.exe
- - pcaquickconnect.exe
- - winaw32.exe
+ - 'awhost32.exe'
+ - 'awrem32.exe'
+ - 'pcaquickconnect.exe'
+ - 'winaw32.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of pcAnywhere
diff --git a/detections/sigma/pchelpware_files_sigma.yml b/detections/sigma/pchelpware_files_sigma.yml
new file mode 100644
index 00000000..0daa7046
--- /dev/null
+++ b/detections/sigma/pchelpware_files_sigma.yml
@@ -0,0 +1,22 @@
+title: Potential PChelpware RMM Tool File Activity
+id: e281b67b-7e79-5707-98ae-7f9974283302
+status: experimental
+description: |
+ Detects potential files activity of PChelpware RMM tool
+references:
+ - https://github.com/magicsword-io/LOLRMM
+author: LOLRMM Project
+date: 2026-02-03
+tags:
+ - attack.execution
+ - attack.t1219
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|endswith: 'C:\temp_phw'
+ condition: selection
+falsepositives:
+ - Legitimate use of PChelpware
+level: medium
diff --git a/detections/sigma/pchelpware_processes_sigma.yml b/detections/sigma/pchelpware_processes_sigma.yml
new file mode 100644
index 00000000..aa47e2ee
--- /dev/null
+++ b/detections/sigma/pchelpware_processes_sigma.yml
@@ -0,0 +1,24 @@ +title: Potential PChelpware RMM Tool Process Activity +id: 5f13f547-7d1a-5498-b259-cd11c80edac4 +status: experimental +description: | + Detects potential processes activity of PChelpware RMM tool +references: + - https://github.com/magicsword-io/LOLRMM +author: LOLRMM Project +date: 2026-02-03 +tags: + - attack.execution + - attack.t1219 +logsource: + product: windows + category: process_creation +detection: + selection_parent: + ParentImage|endswith: '*\PcHelpWare_viewer.exe' + selection_image: + Image|endswith: '*\PcHelpWare_viewer.exe' + condition: 1 of selection_* +falsepositives: + - Legitimate use of PChelpware +level: medium diff --git a/detections/sigma/pcnow_network_sigma.yml b/detections/sigma/pcnow_network_sigma.yml index 40fceb0a..1a032d15 100644 --- a/detections/sigma/pcnow_network_sigma.yml +++ b/detections/sigma/pcnow_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Pcnow RMM Tool Network Activity -id: cddaeacc-ee3f-416f-96b9-48966475dd25 +id: 678c2c96-cbe5-556b-96ab-4d8539e1dde6 status: experimental description: | Detects potential network activity of Pcnow RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: au.pcmag.com/utilities/21470/webex-pcnow + DestinationHostname|endswith: 'au.pcmag.com/utilities/21470/webex-pcnow' condition: selection falsepositives: - Legitimate use of Pcnow diff --git a/detections/sigma/pcnow_processes_sigma.yml b/detections/sigma/pcnow_processes_sigma.yml index de91696c..50f2cc49 100644 --- a/detections/sigma/pcnow_processes_sigma.yml +++ b/detections/sigma/pcnow_processes_sigma.yml 
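Review bot: `DestinationHostname|endswith: 'au.pcmag.com/utilities/21470/webex-pcnow'` in pcnow_network_sigma.yml is a URL path, not a hostname, so the selection cannot match a network_connection event's DestinationHostname field; the same applies to `'soti.net/products/soti-pocket-controller'` in pocket_controller_network_sigma.yml and `'www.quest.com/kace/'` in quest_kace_agent__formerly_dell_kace__network_sigma.yml below. These look like product or download page URLs carried over from the source artifact list rather than agent endpoints, so they would be noisy even if reduced to their host component. The generator should reject values containing `/` when building hostname selections, or the source entries should be moved out of the network artifact list; quoting the value makes the YAML valid but leaves a rule that silently never fires.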
@@ -1,12 +1,12 @@ title: Potential Pcnow RMM Tool Process Activity -id: bbb73e66-a04a-4d8c-92bd-7973dd8f33e0 +id: 3e244db5-ab73-5143-855d-00f5eb161c13 status: experimental description: | Detects potential processes activity of Pcnow RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,14 +16,14 @@ logsource: detection: selection_parent: ParentImage|endswith: - - mwcliun.exe - - pcnmgr.exe - - webexpcnow.exe + - 'mwcliun.exe' + - 'pcnmgr.exe' + - 'webexpcnow.exe' selection_image: Image|endswith: - - mwcliun.exe - - pcnmgr.exe - - webexpcnow.exe + - 'mwcliun.exe' + - 'pcnmgr.exe' + - 'webexpcnow.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Pcnow diff --git a/detections/sigma/pcvisit_network_sigma.yml b/detections/sigma/pcvisit_network_sigma.yml index 43b30c5d..ca966192 100644 --- a/detections/sigma/pcvisit_network_sigma.yml +++ b/detections/sigma/pcvisit_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Pcvisit RMM Tool Network Activity -id: e6f75735-db2c-4b13-8b60-1b103989925a +id: 68b3df4e-fa3f-52c0-acb3-33804ef04498 status: experimental description: | Detects potential network activity of Pcvisit RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.pcvisit.de - - pcvisit.de + - '*.pcvisit.de' + - 'pcvisit.de' condition: selection falsepositives: - Legitimate use of Pcvisit diff --git a/detections/sigma/pcvisit_processes_sigma.yml b/detections/sigma/pcvisit_processes_sigma.yml index 625b776b..855f9d31 100644 --- a/detections/sigma/pcvisit_processes_sigma.yml +++ b/detections/sigma/pcvisit_processes_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential Pcvisit RMM Tool Process Activity -id: 257a4755-f13b-48c6-bab0-f2566315df94 +id: 69795c8e-afe5-51d8-92ca-0ac51ab59fa7 status: experimental description: | Detects potential processes activity of Pcvisit RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,16 +16,16 @@ logsource: detection: selection_parent: ParentImage|endswith: - - pcvisit.exe - - pcvisit_client.exe - - pcvisit-easysupport.exe - - pcvisit_service_client.exe + - 'pcvisit.exe' + - 'pcvisit_client.exe' + - 'pcvisit-easysupport.exe' + - 'pcvisit_service_client.exe' selection_image: Image|endswith: - - pcvisit.exe - - pcvisit_client.exe - - pcvisit-easysupport.exe - - pcvisit_service_client.exe + - 'pcvisit.exe' + - 'pcvisit_client.exe' + - 'pcvisit-easysupport.exe' + - 'pcvisit_service_client.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Pcvisit diff --git a/detections/sigma/pdq_connect_files_sigma.yml b/detections/sigma/pdq_connect_files_sigma.yml index e1e82284..d1631dc8 100644 --- a/detections/sigma/pdq_connect_files_sigma.yml +++ b/detections/sigma/pdq_connect_files_sigma.yml @@ -1,12 +1,12 @@ title: Potential PDQ Connect RMM Tool File Activity -id: 03c294e2-f70b-4ed7-9e0c-ce140ee787a3 +id: 93194b67-a5d4-5cb4-8dca-c89d5c4c8623 status: experimental description: | Detects potential files activity of PDQ Connect RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: file_event detection: selection: - TargetFilename|endswith: C:\ProgramData\PDQ\PDQConnectAgent\PDQConnectAgent.db-journal + TargetFilename|endswith: 'C:\ProgramData\PDQ\PDQConnectAgent\PDQConnectAgent.db-journal' condition: selection falsepositives: - Legitimate use of PDQ Connect 
diff --git a/detections/sigma/pdq_connect_network_sigma.yml b/detections/sigma/pdq_connect_network_sigma.yml index 2e1ccfe5..800ca438 100644 --- a/detections/sigma/pdq_connect_network_sigma.yml +++ b/detections/sigma/pdq_connect_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential PDQ Connect RMM Tool Network Activity -id: 89443d65-866c-4fde-8873-7e740f53c46a +id: 80d333e4-54cb-5d5e-bff6-58996d85a8d6 status: experimental description: | Detects potential network activity of PDQ Connect RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,9 +16,9 @@ logsource: detection: selection: DestinationHostname|endswith: - - app.pdq.com - - cfcdn.pdq.com - - pdqinstallers.*.r2.cloudflarestorage.com + - 'app.pdq.com' + - 'cfcdn.pdq.com' + - 'pdqinstallers.*.r2.cloudflarestorage.com' condition: selection falsepositives: - Legitimate use of PDQ Connect diff --git a/detections/sigma/pdq_connect_processes_sigma.yml b/detections/sigma/pdq_connect_processes_sigma.yml index f18e9c9e..547c8a21 100644 --- a/detections/sigma/pdq_connect_processes_sigma.yml +++ b/detections/sigma/pdq_connect_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential PDQ Connect RMM Tool Process Activity -id: b78b2eea-dd91-4d3d-8486-9a9cfde212b0 +id: 5bc9c821-407c-5600-8632-62401c4fba32 status: experimental description: | Detects potential processes activity of PDQ Connect RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: pdq-connect*.exe + ParentImage|endswith: 'pdq-connect*.exe' selection_image: - Image|endswith: pdq-connect*.exe + Image|endswith: 'pdq-connect*.exe' condition: 1 of selection_* falsepositives: - Legitimate use of PDQ Connect 
diff --git a/detections/sigma/pilixo_network_sigma.yml b/detections/sigma/pilixo_network_sigma.yml index 1958364b..ff9d51c1 100644 --- a/detections/sigma/pilixo_network_sigma.yml +++ b/detections/sigma/pilixo_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Pilixo RMM Tool Network Activity -id: 292ad909-5053-4e59-a922-af160a9f3c97 +id: e16838f9-d906-5bc8-a747-77b624715806 status: experimental description: | Detects potential network activity of Pilixo RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,9 +16,9 @@ logsource: detection: selection: DestinationHostname|endswith: - - pilixo.com - - download.pilixo.com - - *.pilixo.com + - 'pilixo.com' + - 'download.pilixo.com' + - '*.pilixo.com' condition: selection falsepositives: - Legitimate use of Pilixo diff --git a/detections/sigma/pilixo_processes_sigma.yml b/detections/sigma/pilixo_processes_sigma.yml index 2b00b7ab..69f002ee 100644 --- a/detections/sigma/pilixo_processes_sigma.yml +++ b/detections/sigma/pilixo_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Pilixo RMM Tool Process Activity -id: 9c373007-c7ca-443e-a4fd-cc6d77d6f745 +id: 7e5587df-38a8-5b9c-a649-06bcf09816a4 status: experimental description: | Detects potential processes activity of Pilixo RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - rdp.exe - - Pilixo_Installer*.exe + - 'rdp.exe' + - 'Pilixo_Installer*.exe' selection_image: Image|endswith: - - rdp.exe - - Pilixo_Installer*.exe + - 'rdp.exe' + - 'Pilixo_Installer*.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Pilixo 
diff --git a/detections/sigma/pocket_cloud__wyse__processes_sigma.yml b/detections/sigma/pocket_cloud__wyse__processes_sigma.yml index f714194a..7d8f0669 100644 --- a/detections/sigma/pocket_cloud__wyse__processes_sigma.yml +++ b/detections/sigma/pocket_cloud__wyse__processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Pocket Cloud (Wyse) RMM Tool Process Activity -id: f29c2462-148d-488f-9e29-6e3c7d4661b7 +id: 09575c8d-2cd3-5200-a327-97299927f44e status: experimental description: | Detects potential processes activity of Pocket Cloud (Wyse) RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - pocketcloud*.exe - - pocketcloudservice.exe + - 'pocketcloud*.exe' + - 'pocketcloudservice.exe' selection_image: Image|endswith: - - pocketcloud*.exe - - pocketcloudservice.exe + - 'pocketcloud*.exe' + - 'pocketcloudservice.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Pocket Cloud (Wyse) diff --git a/detections/sigma/pocket_controller__soti_xsight__network_sigma.yml b/detections/sigma/pocket_controller__soti_xsight__network_sigma.yml index 6ac3fd7e..53940a04 100644 --- a/detections/sigma/pocket_controller__soti_xsight__network_sigma.yml +++ b/detections/sigma/pocket_controller__soti_xsight__network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Pocket Controller (Soti Xsight) RMM Tool Network Activity -id: 2a266096-16af-486b-8f6b-3ba7a3fa636e +id: 38ff5e6c-6202-592c-a05f-cb532f28734d status: experimental description: | Detects potential network activity of Pocket Controller (Soti Xsight) RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: *soti.net + DestinationHostname|endswith: '*soti.net' condition: selection falsepositives: - Legitimate use of Pocket Controller (Soti Xsight) diff --git a/detections/sigma/pocket_controller__soti_xsight__processes_sigma.yml b/detections/sigma/pocket_controller__soti_xsight__processes_sigma.yml index 9d52b9b9..606a4fb6 100644 --- a/detections/sigma/pocket_controller__soti_xsight__processes_sigma.yml +++ b/detections/sigma/pocket_controller__soti_xsight__processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Pocket Controller (Soti Xsight) RMM Tool Process Activity -id: e2c69ebb-436c-41d7-ae09-f5ec7d4e1db5 +id: c444b1f7-6f03-5e85-8f34-57aa4beda63a status: experimental description: | Detects potential processes activity of Pocket Controller (Soti Xsight) RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,14 +16,14 @@ logsource: detection: selection_parent: ParentImage|endswith: - - pocketcontroller.exe - - wysebrowser.exe - - XSightService.exe + - 'pocketcontroller.exe' + - 'wysebrowser.exe' + - 'XSightService.exe' selection_image: Image|endswith: - - pocketcontroller.exe - - wysebrowser.exe - - XSightService.exe + - 'pocketcontroller.exe' + - 'wysebrowser.exe' + - 'XSightService.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Pocket Controller (Soti Xsight) diff --git a/detections/sigma/pocket_controller_network_sigma.yml b/detections/sigma/pocket_controller_network_sigma.yml index 7b180e38..f655bc8f 100644 --- a/detections/sigma/pocket_controller_network_sigma.yml +++ b/detections/sigma/pocket_controller_network_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential Pocket Controller RMM Tool Network Activity -id: 25c4f226-68c3-4a5e-8b73-cac5e7261c05 +id: b2fb8a2b-38ea-57ea-acb8-df14b19abd12 status: experimental description: | Detects potential network activity of Pocket Controller RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: soti.net/products/soti-pocket-controller + DestinationHostname|endswith: 'soti.net/products/soti-pocket-controller' condition: selection falsepositives: - Legitimate use of Pocket Controller diff --git a/detections/sigma/pocket_controller_processes_sigma.yml b/detections/sigma/pocket_controller_processes_sigma.yml index 7ada3b29..80833945 100644 --- a/detections/sigma/pocket_controller_processes_sigma.yml +++ b/detections/sigma/pocket_controller_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Pocket Controller RMM Tool Process Activity -id: 39f8cf4e-8f16-4c78-9d57-e25d9da82f28 +id: 9d7eb737-44fe-5c4d-ae0e-d04ae3c9c26b status: experimental description: | Detects potential processes activity of Pocket Controller RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,14 +16,14 @@ logsource: detection: selection_parent: ParentImage|endswith: - - pocketcontroller.exe - - pocketcloudservice.exe - - wysebrowser.exe + - 'pocketcontroller.exe' + - 'pocketcloudservice.exe' + - 'wysebrowser.exe' selection_image: Image|endswith: - - pocketcontroller.exe - - pocketcloudservice.exe - - wysebrowser.exe + - 'pocketcontroller.exe' + - 'pocketcloudservice.exe' + - 'wysebrowser.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Pocket Controller 
diff --git a/detections/sigma/psexec__clone__network_sigma.yml b/detections/sigma/psexec__clone__network_sigma.yml index c2e30279..6fba67df 100644 --- a/detections/sigma/psexec__clone__network_sigma.yml +++ b/detections/sigma/psexec__clone__network_sigma.yml @@ -1,12 +1,12 @@ title: Potential PSEXEC (Clone) RMM Tool Network Activity -id: 68b4ff76-e552-4dbe-a835-04fcdf249d30 +id: ab770140-fbfc-509f-bb86-aea49ae83435 status: experimental description: | Detects potential network activity of PSEXEC (Clone) RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: user_managed + DestinationHostname|endswith: 'user_managed' condition: selection falsepositives: - Legitimate use of PSEXEC (Clone) diff --git a/detections/sigma/psexec__clone__processes_sigma.yml b/detections/sigma/psexec__clone__processes_sigma.yml index 24e5160d..668942c2 100644 --- a/detections/sigma/psexec__clone__processes_sigma.yml +++ b/detections/sigma/psexec__clone__processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential PSEXEC (Clone) RMM Tool Process Activity -id: 598933f0-cccc-4996-9706-b5664854dbed +id: 2de2d4f1-5739-559e-8567-b4cb2ff30cfb status: experimental description: | Detects potential processes activity of PSEXEC (Clone) RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,20 +16,20 @@ logsource: detection: selection_parent: ParentImage|endswith: - - paexec.exe - - PAExec-*.exe - - remcom.exe - - remcomsvc.exe - - xcmd.exe - - xcmdsvc.exe + - 'paexec.exe' + - 'PAExec-*.exe' + - 'remcom.exe' + - 'remcomsvc.exe' + - 'xcmd.exe' + - 'xcmdsvc.exe' selection_image: Image|endswith: - - paexec.exe - - PAExec-*.exe - - remcom.exe - - remcomsvc.exe - - xcmd.exe - - xcmdsvc.exe + - 'paexec.exe' + - 'PAExec-*.exe' + - 'remcom.exe' + - 'remcomsvc.exe' + - 'xcmd.exe' + - 'xcmdsvc.exe' condition: 1 of selection_* falsepositives: - Legitimate use of PSEXEC (Clone) diff --git a/detections/sigma/psexec_network_sigma.yml b/detections/sigma/psexec_network_sigma.yml index ca17d9c5..b10227ff 100644 --- a/detections/sigma/psexec_network_sigma.yml +++ b/detections/sigma/psexec_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential PSEXEC RMM Tool Network Activity -id: 13e68481-5956-4632-a802-d8aa511b31b1 +id: 95851002-efc9-56f6-a7da-7019ae73f00d status: experimental description: | Detects potential network activity of PSEXEC RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: user_managed + DestinationHostname|endswith: 'user_managed' condition: selection falsepositives: - Legitimate use of PSEXEC diff --git a/detections/sigma/psexec_processes_sigma.yml b/detections/sigma/psexec_processes_sigma.yml index c86ae5ce..50b9af34 100644 --- a/detections/sigma/psexec_processes_sigma.yml +++ b/detections/sigma/psexec_processes_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential PSEXEC RMM Tool Process Activity -id: 411e84d4-b1af-418c-b1b0-83b09e8ada35 +id: dc1e6fbd-5122-59c5-9052-faab3db8acfa status: experimental description: | Detects potential processes activity of PSEXEC RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - psexec.exe - - psexecsvc.exe + - 'psexec.exe' + - 'psexecsvc.exe' selection_image: Image|endswith: - - psexec.exe - - psexecsvc.exe + - 'psexec.exe' + - 'psexecsvc.exe' condition: 1 of selection_* falsepositives: - Legitimate use of PSEXEC diff --git a/detections/sigma/pulseway_network_sigma.yml b/detections/sigma/pulseway_network_sigma.yml index c7c3b110..73e58ee2 100644 --- a/detections/sigma/pulseway_network_sigma.yml +++ b/detections/sigma/pulseway_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Pulseway RMM Tool Network Activity -id: 7fcd5e3b-db33-4acc-b432-de03c31105b5 +id: 9f3debb0-52b8-5702-973c-96e787828291 status: experimental description: | Detects potential network activity of Pulseway RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: pulseway.com + DestinationHostname|endswith: 'pulseway.com' condition: selection falsepositives: - Legitimate use of Pulseway diff --git a/detections/sigma/pulseway_processes_sigma.yml b/detections/sigma/pulseway_processes_sigma.yml index 8f33b64a..0e5344bb 100644 --- a/detections/sigma/pulseway_processes_sigma.yml +++ b/detections/sigma/pulseway_processes_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential Pulseway RMM Tool Process Activity -id: fddf0980-b359-442b-83f7-65e3e0a165cd +id: 05ce6735-42bd-591e-aceb-666947d99b7e status: experimental description: | Detects potential processes activity of Pulseway RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - PCMonitorManager.exe - - pcmonitorsrv.exe + - 'PCMonitorManager.exe' + - 'pcmonitorsrv.exe' selection_image: Image|endswith: - - PCMonitorManager.exe - - pcmonitorsrv.exe + - 'PCMonitorManager.exe' + - 'pcmonitorsrv.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Pulseway diff --git a/detections/sigma/putty_processes_sigma.yml b/detections/sigma/putty_processes_sigma.yml index b6db7acc..76e9d560 100644 --- a/detections/sigma/putty_processes_sigma.yml +++ b/detections/sigma/putty_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential PuTTY RMM Tool Process Activity -id: 261c0863-b00c-4413-8339-23372e480275 +id: ff7f2dab-281d-5631-88b6-4ade4ec79ea9 status: experimental description: | Detects potential processes activity of PuTTY RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: putty.exe + ParentImage|endswith: '*\putty.exe' selection_image: - Image|endswith: putty.exe + Image|endswith: '*\putty.exe' condition: 1 of selection_* falsepositives: - Legitimate use of PuTTY diff --git a/detections/sigma/putty_tray_processes_sigma.yml b/detections/sigma/putty_tray_processes_sigma.yml index 049e9966..719c7f44 100644 --- a/detections/sigma/putty_tray_processes_sigma.yml +++ b/detections/sigma/putty_tray_processes_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential PuTTY Tray RMM Tool Process Activity -id: f02e2a79-c165-4e04-b6f9-bcdb86685fe6 +id: 4e9d54c5-625a-5395-9392-7034ebdbb2a9 status: experimental description: | Detects potential processes activity of PuTTY Tray RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - puttytray.exe - - puttytray.exe + - 'C:\*\puttytray.exe' + - '*\puttytray.exe' selection_image: Image|endswith: - - puttytray.exe - - puttytray.exe + - 'C:\*\puttytray.exe' + - '*\puttytray.exe' condition: 1 of selection_* falsepositives: - Legitimate use of PuTTY Tray diff --git a/detections/sigma/qq_im-remote_assistance_network_sigma.yml b/detections/sigma/qq_im-remote_assistance_network_sigma.yml index f6953982..7a0fd6e1 100644 --- a/detections/sigma/qq_im-remote_assistance_network_sigma.yml +++ b/detections/sigma/qq_im-remote_assistance_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential QQ IM-remote assistance RMM Tool Network Activity -id: f146fa65-ccd8-44e5-b3b0-d2250b042f1e +id: d27339cf-da2b-525d-b396-226c7f0c5b92 status: experimental description: | Detects potential network activity of QQ IM-remote assistance RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,10 +16,10 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.mdt.qq.com - - *.desktop.qq.com - - upload_data.qq.com - - qq-messenger.en.softonic.com + - '*.mdt.qq.com' + - '*.desktop.qq.com' + - 'upload_data.qq.com' + - 'qq-messenger.en.softonic.com' condition: selection falsepositives: - Legitimate use of QQ IM-remote assistance 
diff --git a/detections/sigma/qq_im-remote_assistance_processes_sigma.yml b/detections/sigma/qq_im-remote_assistance_processes_sigma.yml index 546a9824..478147c1 100644 --- a/detections/sigma/qq_im-remote_assistance_processes_sigma.yml +++ b/detections/sigma/qq_im-remote_assistance_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential QQ IM-remote assistance RMM Tool Process Activity -id: f4d512cf-aa4a-4eaf-a4a2-fa4a037fcb71 +id: 5a12d2a7-336d-58ea-833c-9656eae3a393 status: experimental description: | Detects potential processes activity of QQ IM-remote assistance RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,14 +16,14 @@ logsource: detection: selection_parent: ParentImage|endswith: - - qq.exe - - QQProtect.exe - - qqpcmgr.exe + - 'qq.exe' + - 'QQProtect.exe' + - 'qqpcmgr.exe' selection_image: Image|endswith: - - qq.exe - - QQProtect.exe - - qqpcmgr.exe + - 'qq.exe' + - 'QQProtect.exe' + - 'qqpcmgr.exe' condition: 1 of selection_* falsepositives: - Legitimate use of QQ IM-remote assistance diff --git a/detections/sigma/quest_kace_agent__formerly_dell_kace__network_sigma.yml b/detections/sigma/quest_kace_agent__formerly_dell_kace__network_sigma.yml index 7175033c..f66ed56c 100644 --- a/detections/sigma/quest_kace_agent__formerly_dell_kace__network_sigma.yml +++ b/detections/sigma/quest_kace_agent__formerly_dell_kace__network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Quest KACE Agent (formerly Dell KACE) RMM Tool Network Activity -id: 81230670-0030-48a1-a02f-cba632fae825 +id: 6697725b-bd68-5546-b54e-d1c486bf235e status: experimental description: | Detects potential network activity of Quest KACE Agent (formerly Dell KACE) RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.kace.com - - www.quest.com/kace/ + - '*.kace.com' + - 'www.quest.com/kace/' condition: selection falsepositives: - Legitimate use of Quest KACE Agent (formerly Dell KACE) diff --git a/detections/sigma/quest_kace_agent__formerly_dell_kace__processes_sigma.yml b/detections/sigma/quest_kace_agent__formerly_dell_kace__processes_sigma.yml index 9bed5fb5..85124874 100644 --- a/detections/sigma/quest_kace_agent__formerly_dell_kace__processes_sigma.yml +++ b/detections/sigma/quest_kace_agent__formerly_dell_kace__processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Quest KACE Agent (formerly Dell KACE) RMM Tool Process Activity -id: 70edbdd3-5114-47ba-83de-f6b87609473b +id: d21690ff-ce70-5b88-aca6-b0133e33c615 status: experimental description: | Detects potential processes activity of Quest KACE Agent (formerly Dell KACE) RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: konea.exe + ParentImage|endswith: 'konea.exe' selection_image: - Image|endswith: konea.exe + Image|endswith: 'konea.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Quest KACE Agent (formerly Dell KACE) diff --git a/detections/sigma/quick_assist_network_sigma.yml b/detections/sigma/quick_assist_network_sigma.yml index 0f3c62c5..8a4eadff 100644 --- a/detections/sigma/quick_assist_network_sigma.yml +++ b/detections/sigma/quick_assist_network_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential Quick Assist RMM Tool Network Activity -id: 6203a300-6eb8-4263-923e-8d4720702d58 +id: 9b2e974b-7045-5eab-9c3d-61970bd29ccb status: experimental description: | Detects potential network activity of Quick Assist RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: *.support.services.microsoft.com + DestinationHostname|endswith: '*.support.services.microsoft.com' condition: selection falsepositives: - Legitimate use of Quick Assist diff --git a/detections/sigma/quick_assist_processes_sigma.yml b/detections/sigma/quick_assist_processes_sigma.yml index 745a075c..75e42b55 100644 --- a/detections/sigma/quick_assist_processes_sigma.yml +++ b/detections/sigma/quick_assist_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Quick Assist RMM Tool Process Activity -id: 1f1dc95b-45d0-47f3-8441-22beb37c18af +id: 1111ee49-0160-5425-be15-d187e08fe3ca status: experimental description: | Detects potential processes activity of Quick Assist RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: quickassist.exe + ParentImage|endswith: 'quickassist.exe' selection_image: - Image|endswith: quickassist.exe + Image|endswith: 'quickassist.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Quick Assist diff --git a/detections/sigma/radmin_files_sigma.yml b/detections/sigma/radmin_files_sigma.yml index d7bf5b5d..6016fb47 100644 --- a/detections/sigma/radmin_files_sigma.yml +++ b/detections/sigma/radmin_files_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential RAdmin RMM Tool File Activity -id: 1dbf8a1b-b0a9-41dd-bffc-550ccf0968c9 +id: ff40caa8-c3b3-59ae-9853-502ebc39e7a8 status: experimental description: | Detects potential files activity of RAdmin RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,10 +16,10 @@ logsource: detection: selection: TargetFilename|endswith: - - C:\Windows\SysWOW64\rserver30\Radm_log.htm - - C:\Windows\System32\rserver30\Radm_log.htm - - C:\Windows\System32\rserver30\CHATLOGS\*\*.htm - - C:\Users\*\Documents\ChatLogs\*\*.htm + - 'C:\Windows\SysWOW64\rserver30\Radm_log.htm' + - 'C:\Windows\System32\rserver30\Radm_log.htm' + - 'C:\Windows\System32\rserver30\CHATLOGS\*\*.htm' + - 'C:\Users\*\Documents\ChatLogs\*\*.htm' condition: selection falsepositives: - Legitimate use of RAdmin diff --git a/detections/sigma/radmin_network_sigma.yml b/detections/sigma/radmin_network_sigma.yml index a6e3f82f..d1653477 100644 --- a/detections/sigma/radmin_network_sigma.yml +++ b/detections/sigma/radmin_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential RAdmin RMM Tool Network Activity -id: 9a07344a-5d8e-482e-bdf0-2cd3242165e7 +id: 3290858e-d681-59b4-b138-ab417db5aad1 status: experimental description: | Detects potential network activity of RAdmin RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: radmin.com + DestinationHostname|endswith: 'radmin.com' condition: selection falsepositives: - Legitimate use of RAdmin diff --git a/detections/sigma/radmin_processes_sigma.yml b/detections/sigma/radmin_processes_sigma.yml index 741bd93d..14807272 100644 --- a/detections/sigma/radmin_processes_sigma.yml 
+++ b/detections/sigma/radmin_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential RAdmin RMM Tool Process Activity -id: c1830a71-6799-4206-98f6-225a833a569c +id: 6148f84e-eced-5f70-b0bd-fd11e9b54127 status: experimental description: | Detects potential processes activity of RAdmin RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - Radmin.exe - - rserver3.exe + - 'C:\Program Files (x86)\Radmin Viewer 3\Radmin.exe' + - 'C:\Windows\SysWOW64\rserver30\rserver3.exe' selection_image: Image|endswith: - - Radmin.exe - - rserver3.exe + - 'C:\Program Files (x86)\Radmin Viewer 3\Radmin.exe' + - 'C:\Windows\SysWOW64\rserver30\rserver3.exe' condition: 1 of selection_* falsepositives: - Legitimate use of RAdmin diff --git a/detections/sigma/radmin_registry_sigma.yml b/detections/sigma/radmin_registry_sigma.yml index 9de13791..f5fc9103 100644 --- a/detections/sigma/radmin_registry_sigma.yml +++ b/detections/sigma/radmin_registry_sigma.yml @@ -1,12 +1,12 @@ title: Potential RAdmin RMM Tool Registry Activity -id: d713ab8a-cd9e-47b5-b66f-1a436ddd3f0c +id: 1d775e8b-5449-5110-a676-9357b5e128ef status: experimental description: | Detects potential registry activity of RAdmin RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: registry_event detection: selection: - TargetObject|contains: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin Security + TargetObject|contains: 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin Security' condition: selection falsepositives: - Legitimate use of RAdmin 
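Review bot: Replacing the basename patterns with `'C:\Program Files (x86)\Radmin Viewer 3\Radmin.exe'` and `'C:\Windows\SysWOW64\rserver30\rserver3.exe'` in radmin_processes_sigma.yml narrows the `Image|endswith` (and `ParentImage|endswith`) match to the default install paths, so a copy of Radmin executed from a user-writable directory — the case an RMM-abuse rule most needs to catch — no longer matches. Keeping a separator-anchored basename such as `'\Radmin.exe'` and `'\rserver3.exe'` alongside or instead of the full paths preserves the coverage the old values had while still avoiding the substring problem of a bare `Radmin.exe`. If the full paths come from the source artifact list, the generator could derive the anchored basename from them automatically.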
diff --git a/detections/sigma/rapid7_network_sigma.yml b/detections/sigma/rapid7_network_sigma.yml index 63c3f168..72a09775 100644 --- a/detections/sigma/rapid7_network_sigma.yml +++ b/detections/sigma/rapid7_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Rapid7 RMM Tool Network Activity -id: 4df2f4fe-07ea-4b8e-a942-dae22b02f59f +id: f299760a-aa77-5e23-8140-72319112b7a1 status: experimental description: | Detects potential network activity of Rapid7 RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.analytics.insight.rapid7.com - - *.endpoint.ingress.rapid7.com + - '*.analytics.insight.rapid7.com' + - '*.endpoint.ingress.rapid7.com' condition: selection falsepositives: - Legitimate use of Rapid7 diff --git a/detections/sigma/rapid7_processes_sigma.yml b/detections/sigma/rapid7_processes_sigma.yml index 87ea8387..5deb7e07 100644 --- a/detections/sigma/rapid7_processes_sigma.yml +++ b/detections/sigma/rapid7_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Rapid7 RMM Tool Process Activity -id: 9de5aaf3-eb1c-4641-b646-f1d525b85244 +id: 4894945e-5648-56c6-9e58-81c7cea0c118 status: experimental description: | Detects potential processes activity of Rapid7 RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,14 +16,14 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - ir_agent.exe
- - rapid7_agent_core.exe
- - rapid7_endpoint_broker.exe
+ - 'ir_agent.exe'
+ - 'rapid7_agent_core.exe'
+ - 'rapid7_endpoint_broker.exe'
 selection_image:
 Image|endswith:
- - ir_agent.exe
- - rapid7_agent_core.exe
- - rapid7_endpoint_broker.exe
+ - 'ir_agent.exe'
+ - 'rapid7_agent_core.exe'
+ - 'rapid7_endpoint_broker.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of Rapid7
diff --git a/detections/sigma/rdclient_files_sigma.yml b/detections/sigma/rdclient_files_sigma.yml
new file mode 100644
index 00000000..0590813d
--- /dev/null
+++ b/detections/sigma/rdclient_files_sigma.yml
@@ -0,0 +1,22 @@
+title: Potential RdClient RMM Tool File Activity
+id: 1d1198cd-d001-553c-9bce-3548b350a292
+status: experimental
+description: |
+ Detects potential files activity of RdClient RMM tool
+references:
+ - https://github.com/magicsword-io/LOLRMM
+author: LOLRMM Project
+date: 2026-02-03
+tags:
+ - attack.execution
+ - attack.t1219
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|endswith: '%APPDATA%\RdClient\*'
+ condition: selection
+falsepositives:
+ - Legitimate use of RdClient
+level: medium
diff --git a/detections/sigma/rdclient_processes_sigma.yml b/detections/sigma/rdclient_processes_sigma.yml
new file mode 100644
index 00000000..d11a45bf
--- /dev/null
+++ b/detections/sigma/rdclient_processes_sigma.yml
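Review bot: `TargetFilename|endswith: '%APPDATA%\RdClient\*'` in the new rdclient_files rule cannot match a real file event: `%APPDATA%` is an unexpanded environment variable that never appears in a logged path, and a trailing `*` under `endswith` leaves no fixed suffix for the match to anchor on. A directory fragment under `contains` expresses the intent, e.g. `TargetFilename|contains: '\AppData\Roaming\RdClient\'`. The same pattern appears in the new remote_ripple_files_sigma.yml further down (`'%APPDATA%\GlavSoft\RemoteRipple\*'`, `'%TEMP%\Remote_Ripple_*'`). These files appear to be generator output, so the correction presumably belongs in the source yaml they are built from.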
@@ -0,0 +1,30 @@
+title: Potential RdClient RMM Tool Process Activity
+id: 6d9f7f0d-f945-5cc2-aeac-a242f1b1a35c
+status: experimental
+description: |
+ Detects potential processes activity of RdClient RMM tool
+references:
+ - https://github.com/magicsword-io/LOLRMM
+author: LOLRMM Project
+date: 2026-02-03
+tags:
+ - attack.execution
+ - attack.t1219
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_parent:
+ ParentImage|endswith:
+ - 'rdclient.exe'
+ - 'RdClientInstaller.exe'
+ - 'SupportTool.exe'
+ selection_image:
+ Image|endswith:
+ - 'rdclient.exe'
+ - 'RdClientInstaller.exe'
+ - 'SupportTool.exe'
+ condition: 1 of selection_*
+falsepositives:
+ - Legitimate use of RdClient
+level: medium
diff --git a/detections/sigma/rdclient_registry_sigma.yml b/detections/sigma/rdclient_registry_sigma.yml
new file mode 100644
index 00000000..6e203075
--- /dev/null
+++ b/detections/sigma/rdclient_registry_sigma.yml
@@ -0,0 +1,22 @@
+title: Potential RdClient RMM Tool Registry Activity
+id: 1488606f-9adc-50d0-8b3d-c620b0a64ed9
+status: experimental
+description: |
+ Detects potential registry activity of RdClient RMM tool
+references:
+ - https://github.com/magicsword-io/LOLRMM
+author: LOLRMM Project
+date: 2026-02-03
+tags:
+ - attack.execution
+ - attack.t1219
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ selection:
+ TargetObject|contains: 'HKLM\SOFTWARE\RdClient'
+ condition: selection
+falsepositives:
+ - Legitimate use of RdClient
+level: medium
diff --git a/detections/sigma/rdcman_processes_sigma.yml b/detections/sigma/rdcman_processes_sigma.yml
new file mode 100644
index 00000000..bed3a804
--- /dev/null
+++ b/detections/sigma/rdcman_processes_sigma.yml
@@ -0,0 +1,28 @@
+title: Potential RDCMan RMM Tool Process Activity
+id: 9827602b-aa1f-5988-a1ff-a49e592818b7
+status: experimental
+description: |
+ Detects potential processes activity of RDCMan RMM tool
+references:
+ - https://github.com/magicsword-io/LOLRMM
+author: LOLRMM Project
+date: 2026-02-03
+tags:
+ - attack.execution
+ - attack.t1219
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_parent:
+ ParentImage|endswith:
+ - '*\RDCMan.exe'
+ - '*\RDCMan-x86.exe'
+ selection_image:
+ Image|endswith:
+ - '*\RDCMan.exe'
+ - '*\RDCMan-x86.exe'
+ condition: 1 of selection_*
+falsepositives:
+ - Legitimate use of RDCMan
+level: medium
diff --git a/detections/sigma/rdp2tcp_network_sigma.yml b/detections/sigma/rdp2tcp_network_sigma.yml
index 02d11ac7..8f951b7a 100644
--- a/detections/sigma/rdp2tcp_network_sigma.yml
+++ b/detections/sigma/rdp2tcp_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential rdp2tcp RMM Tool Network Activity
-id: 7185a584-cd76-4bc8-bae0-1d6a0a3741a9
+id: 53e44c09-7cf3-5194-bd69-21e75f1a4c9f
 status: experimental
 description: |
 Detects potential network activity of rdp2tcp RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,8 +16,8 @@ logsource:
 detection:
 selection:
 DestinationHostname|endswith:
- - user_managed
- - github.com/V-E-O/rdp2tcp
+ - 'user_managed'
+ - 'github.com/V-E-O/rdp2tcp'
 condition: selection
 falsepositives:
 - Legitimate use of rdp2tcp
diff --git a/detections/sigma/rdp2tcp_processes_sigma.yml b/detections/sigma/rdp2tcp_processes_sigma.yml
index 3d8dbfeb..1d9e7772 100644
--- a/detections/sigma/rdp2tcp_processes_sigma.yml
+++ b/detections/sigma/rdp2tcp_processes_sigma.yml
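Review bot: `'user_managed'` under `DestinationHostname|endswith` in the rdp2tcp_network hunk is a placeholder rather than a hostname, so it is dead weight in the selection; in royal_apps_network_sigma.yml further down it is the only value, which ships a rule that can never fire. The second value `'github.com/V-E-O/rdp2tcp'` is a URL path, and a hostname field never ends with a path, so it cannot match either; the same holds for `'systemmanager.ru/dntu.en/rdp_view.htm'`, `'github.com/stascorp/rdpwrap'` and `'ivanti.com/'` in the neighbouring network rules. Dropping placeholder and URL values, and not emitting a network rule when no real hostname remains, looks like a generator- or source-yaml-level fix rather than an edit to these generated files.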
@@ -1,12 +1,12 @@
 title: Potential rdp2tcp RMM Tool Process Activity
-id: 0037520d-ea12-4f04-94be-90c31c240a87
+id: ac838dad-c5a0-55f0-a790-ce39ff394ba8
 status: experimental
 description: |
 Detects potential processes activity of rdp2tcp RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -15,9 +15,9 @@ logsource:
 category: process_creation
 detection:
 selection_parent:
- ParentImage|endswith: tdp2tcp.exe
+ ParentImage|endswith: 'tdp2tcp.exe'
 selection_image:
- Image|endswith: tdp2tcp.exe
+ Image|endswith: 'tdp2tcp.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of rdp2tcp
diff --git a/detections/sigma/rdpview_network_sigma.yml b/detections/sigma/rdpview_network_sigma.yml
index 2fdcf447..83785979 100644
--- a/detections/sigma/rdpview_network_sigma.yml
+++ b/detections/sigma/rdpview_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential RDPView RMM Tool Network Activity
-id: 57e3f8cc-3db4-45eb-8272-b62c96ac5c81
+id: ef98d04b-2662-5bb3-ac3e-572792754688
 status: experimental
 description: |
 Detects potential network activity of RDPView RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,8 +16,8 @@ logsource:
 detection:
 selection:
 DestinationHostname|endswith:
- - user_managed
- - systemmanager.ru/dntu.en/rdp_view.htm
+ - 'user_managed'
+ - 'systemmanager.ru/dntu.en/rdp_view.htm'
 condition: selection
 falsepositives:
 - Legitimate use of RDPView
diff --git a/detections/sigma/rdpview_processes_sigma.yml b/detections/sigma/rdpview_processes_sigma.yml
index 26e4f2fc..4154e584 100644
--- a/detections/sigma/rdpview_processes_sigma.yml
+++ b/detections/sigma/rdpview_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential RDPView RMM Tool Process Activity
-id: 77fcb82b-5173-44b0-bab4-472eb1a09be8
+id: 49417a61-ac95-58de-a080-539211c71082
 status: experimental
 description: |
 Detects potential processes activity of RDPView RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -15,9 +15,9 @@ logsource:
 category: process_creation
 detection:
 selection_parent:
- ParentImage|endswith: dwrcs.exe
+ ParentImage|endswith: 'dwrcs.exe'
 selection_image:
- Image|endswith: dwrcs.exe
+ Image|endswith: 'dwrcs.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of RDPView
diff --git a/detections/sigma/rdpwrap_network_sigma.yml b/detections/sigma/rdpwrap_network_sigma.yml
index 817a48c7..d508b4b5 100644
--- a/detections/sigma/rdpwrap_network_sigma.yml
+++ b/detections/sigma/rdpwrap_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential rdpwrap RMM Tool Network Activity
-id: 3394836f-d50e-4499-a581-db9b554ec64b
+id: 1c9adf11-e4d9-5240-bd17-9431caa49f15
 status: experimental
 description: |
 Detects potential network activity of rdpwrap RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,8 +16,8 @@ logsource:
 detection:
 selection:
 DestinationHostname|endswith:
- - user_managed
- - github.com/stascorp/rdpwrap
+ - 'user_managed'
+ - 'github.com/stascorp/rdpwrap'
 condition: selection
 falsepositives:
 - Legitimate use of rdpwrap
diff --git a/detections/sigma/rdpwrap_processes_sigma.yml b/detections/sigma/rdpwrap_processes_sigma.yml
index 22d7af3d..f6368919 100644
--- a/detections/sigma/rdpwrap_processes_sigma.yml
+++ b/detections/sigma/rdpwrap_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential rdpwrap RMM Tool Process Activity
-id: e193726e-dd20-4e5a-ac47-79169375390c
+id: 7616e922-5463-5fa3-bbec-8e9a589e2d4c
 status: experimental
 description: |
 Detects potential processes activity of rdpwrap RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,14 +16,14 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - RDPWInst.exe
- - RDPCheck.exe
- - RDPConf.exe
+ - 'RDPWInst.exe'
+ - 'RDPCheck.exe'
+ - 'RDPConf.exe'
 selection_image:
 Image|endswith:
- - RDPWInst.exe
- - RDPCheck.exe
- - RDPConf.exe
+ - 'RDPWInst.exe'
+ - 'RDPCheck.exe'
+ - 'RDPConf.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of rdpwrap
diff --git a/detections/sigma/remcos_processes_sigma.yml b/detections/sigma/remcos_processes_sigma.yml
index 682f2631..0701dbd5 100644
--- a/detections/sigma/remcos_processes_sigma.yml
+++ b/detections/sigma/remcos_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Remcos RMM Tool Process Activity
-id: 0e9a8ef3-1de8-4246-acaf-95f96963a300
+id: 72118c92-97ad-588f-aae7-5acacff5f05e
 status: experimental
 description: |
 Detects potential processes activity of Remcos RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -15,9 +15,9 @@ logsource:
 category: process_creation
 detection:
 selection_parent:
- ParentImage|endswith: remcos*.exe
+ ParentImage|endswith: 'remcos*.exe'
 selection_image:
- Image|endswith: remcos*.exe
+ Image|endswith: 'remcos*.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of Remcos
diff --git a/detections/sigma/remmon_processes_sigma.yml b/detections/sigma/remmon_processes_sigma.yml
new file mode 100644
index 00000000..cf648961
--- /dev/null
+++ b/detections/sigma/remmon_processes_sigma.yml
@@ -0,0 +1,24 @@
+title: Potential Remmon RMM Tool Process Activity
+id: 419832d4-8b4a-5375-9922-ec84b5770418
+status: experimental
+description: |
+ Detects potential processes activity of Remmon RMM tool
+references:
+ - https://github.com/magicsword-io/LOLRMM
+author: LOLRMM Project
+date: 2026-02-03
+tags:
+ - attack.execution
+ - attack.t1219
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_parent:
+ ParentImage|endswith: '*\\Remmon.exe'
+ selection_image:
+ Image|endswith: '*\\Remmon.exe'
+ condition: 1 of selection_*
+falsepositives:
+ - Legitimate use of Remmon
+level: medium
diff --git a/detections/sigma/remobo_network_sigma.yml b/detections/sigma/remobo_network_sigma.yml
index bcbe7175..fed3cf50 100644
--- a/detections/sigma/remobo_network_sigma.yml
+++ b/detections/sigma/remobo_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Remobo RMM Tool Network Activity
-id: 346c9a37-5f2b-4fc8-90eb-7a547780a29d
+id: 0ea3cb85-3ba6-52d7-bcde-aeaf59720860
 status: experimental
 description: |
 Detects potential network activity of Remobo RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,8 +16,8 @@ logsource:
 detection:
 selection:
 DestinationHostname|endswith:
- - user_managed
- - remobo.en.softonic.com
+ - 'user_managed'
+ - 'remobo.en.softonic.com'
 condition: selection
 falsepositives:
 - Legitimate use of Remobo
diff --git a/detections/sigma/remobo_processes_sigma.yml b/detections/sigma/remobo_processes_sigma.yml
index 3a596172..12b1f1ec 100644
--- a/detections/sigma/remobo_processes_sigma.yml
+++ b/detections/sigma/remobo_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Remobo RMM Tool Process Activity
-id: d9e4fe5b-446f-4ae5-9852-d3ccb4ef1b59
+id: 8472c9da-bd2f-543a-96e8-612c089e2c1c
 status: experimental
 description: |
 Detects potential processes activity of Remobo RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,14 +16,14 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - remobo.exe
- - remobo_client.exe
- - remobo_tracker.exe
+ - 'remobo.exe'
+ - 'remobo_client.exe'
+ - 'remobo_tracker.exe'
 selection_image:
 Image|endswith:
- - remobo.exe
- - remobo_client.exe
- - remobo_tracker.exe
+ - 'remobo.exe'
+ - 'remobo_client.exe'
+ - 'remobo_tracker.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of Remobo
diff --git a/detections/sigma/remote.it_network_sigma.yml b/detections/sigma/remote.it_network_sigma.yml
index 4db5c3e5..3cf89402 100644
--- a/detections/sigma/remote.it_network_sigma.yml
+++ b/detections/sigma/remote.it_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Remote.it RMM Tool Network Activity
-id: d8ff159e-cd67-4295-9f1a-26db32b2ab06
+id: 717930c5-0cd3-5204-987a-a15f36972ee5
 status: experimental
 description: |
 Detects potential network activity of Remote.it RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,9 +16,9 @@ logsource:
 detection:
 selection:
 DestinationHostname|endswith:
- - auth.api.remote.it
- - api.remote.it
- - remote.it
+ - 'auth.api.remote.it'
+ - 'api.remote.it'
+ - 'remote.it'
 condition: selection
 falsepositives:
 - Legitimate use of Remote.it
diff --git a/detections/sigma/remote.it_processes_sigma.yml b/detections/sigma/remote.it_processes_sigma.yml
index 559f9643..f388c3c7 100644
--- a/detections/sigma/remote.it_processes_sigma.yml
+++ b/detections/sigma/remote.it_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Remote.it RMM Tool Process Activity
-id: cb14cab8-5e1b-4f79-a9ee-51e8bb1cb180
+id: 755b5af9-6732-5f4b-97ab-065f4a078a71
 status: experimental
 description: |
 Detects potential processes activity of Remote.it RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,14 +16,14 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - remote-it-installer.exe
- - remote.it.exe
- - remoteit.exe
+ - 'remote-it-installer.exe'
+ - 'remote.it.exe'
+ - 'remoteit.exe'
 selection_image:
 Image|endswith:
- - remote-it-installer.exe
- - remote.it.exe
- - remoteit.exe
+ - 'remote-it-installer.exe'
+ - 'remote.it.exe'
+ - 'remoteit.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of Remote.it
diff --git a/detections/sigma/remote_desktop_plus_network_sigma.yml b/detections/sigma/remote_desktop_plus_network_sigma.yml
index 7586e397..41493573 100644
--- a/detections/sigma/remote_desktop_plus_network_sigma.yml
+++ b/detections/sigma/remote_desktop_plus_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Remote Desktop Plus RMM Tool Network Activity
-id: 97b1200b-aaa8-4202-b99c-778ae2b6daba
+id: fcc9a415-0d84-53e1-9dd3-0db18f281ea5
 status: experimental
 description: |
 Detects potential network activity of Remote Desktop Plus RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -15,7 +15,7 @@ logsource:
 category: network_connection
 detection:
 selection:
- DestinationHostname|endswith: donkz.nl
+ DestinationHostname|endswith: 'donkz.nl'
 condition: selection
 falsepositives:
 - Legitimate use of Remote Desktop Plus
diff --git a/detections/sigma/remote_desktop_plus_processes_sigma.yml b/detections/sigma/remote_desktop_plus_processes_sigma.yml
index d574f664..76c95ba9 100644
--- a/detections/sigma/remote_desktop_plus_processes_sigma.yml
+++ b/detections/sigma/remote_desktop_plus_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Remote Desktop Plus RMM Tool Process Activity
-id: 9a1fb297-6332-43f6-823f-7ba772b3e15c
+id: 5ab4a9cf-4d9f-53d2-baf0-190f10651132
 status: experimental
 description: |
 Detects potential processes activity of Remote Desktop Plus RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -15,9 +15,9 @@ logsource:
 category: process_creation
 detection:
 selection_parent:
- ParentImage|endswith: rdp.exe
+ ParentImage|endswith: 'rdp.exe'
 selection_image:
- Image|endswith: rdp.exe
+ Image|endswith: 'rdp.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of Remote Desktop Plus
diff --git a/detections/sigma/remote_manipulator_system_network_sigma.yml b/detections/sigma/remote_manipulator_system_network_sigma.yml
index cbb82dd6..0e9a8150 100644
--- a/detections/sigma/remote_manipulator_system_network_sigma.yml
+++ b/detections/sigma/remote_manipulator_system_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Remote Manipulator System RMM Tool Network Activity
-id: 4ab8f777-1476-417d-8ac4-9c70c46a79ee
+id: 7f6770a9-c881-59d7-82cc-91aa187c4dea
 status: experimental
 description: |
 Detects potential network activity of Remote Manipulator System RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,8 +16,8 @@ logsource:
 detection:
 selection:
 DestinationHostname|endswith:
- - *.internetid.ru
- - rmansys.ru
+ - '*.internetid.ru'
+ - 'rmansys.ru'
 condition: selection
 falsepositives:
 - Legitimate use of Remote Manipulator System
diff --git a/detections/sigma/remote_manipulator_system_processes_sigma.yml b/detections/sigma/remote_manipulator_system_processes_sigma.yml
index 6e1c6125..978efd68 100644
--- a/detections/sigma/remote_manipulator_system_processes_sigma.yml
+++ b/detections/sigma/remote_manipulator_system_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Remote Manipulator System RMM Tool Process Activity
-id: 57f19ead-e923-4b3e-a9e8-772ba2ad56dc
+id: e0daa6fe-97e2-53c1-8fd3-90d046748f75
 status: experimental
 description: |
 Detects potential processes activity of Remote Manipulator System RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,12 +16,12 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - rfusclient.exe
- - rutserv.exe
+ - 'rfusclient.exe'
+ - 'rutserv.exe'
 selection_image:
 Image|endswith:
- - rfusclient.exe
- - rutserv.exe
+ - 'rfusclient.exe'
+ - 'rutserv.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of Remote Manipulator System
diff --git a/detections/sigma/remote_ripple_files_sigma.yml b/detections/sigma/remote_ripple_files_sigma.yml
new file mode 100644
index 00000000..19bd63d2
--- /dev/null
+++ b/detections/sigma/remote_ripple_files_sigma.yml
@@ -0,0 +1,24 @@
+title: Potential Remote Ripple RMM Tool File Activity
+id: 34cea967-8327-5908-9e21-15cbd18a8be5
+status: experimental
+description: |
+ Detects potential files activity of Remote Ripple RMM tool
+references:
+ - https://github.com/magicsword-io/LOLRMM
+author: LOLRMM Project
+date: 2026-02-03
+tags:
+ - attack.execution
+ - attack.t1219
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|endswith:
+ - '%APPDATA%\GlavSoft\RemoteRipple\*'
+ - '%TEMP%\Remote_Ripple_*'
+ condition: selection
+falsepositives:
+ - Legitimate use of Remote Ripple
+level: medium
diff --git a/detections/sigma/remote_ripple_processes_sigma.yml b/detections/sigma/remote_ripple_processes_sigma.yml
new file mode 100644
index 00000000..6e832a5f
--- /dev/null
+++ b/detections/sigma/remote_ripple_processes_sigma.yml
@@ -0,0 +1,24 @@
+title: Potential Remote Ripple RMM Tool Process Activity
+id: af293487-04b8-5ead-9d22-5149ba77cdcd
+status: experimental
+description: |
+ Detects potential processes activity of Remote Ripple RMM tool
+references:
+ - https://github.com/magicsword-io/LOLRMM
+author: LOLRMM Project
+date: 2026-02-03
+tags:
+ - attack.execution
+ - attack.t1219
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_parent:
+ ParentImage|endswith: 'RemoteRipple.exe'
+ selection_image:
+ Image|endswith: 'RemoteRipple.exe'
+ condition: 1 of selection_*
+falsepositives:
+ - Legitimate use of Remote Ripple
+level: medium
diff --git a/detections/sigma/remote_utilities_network_sigma.yml b/detections/sigma/remote_utilities_network_sigma.yml
index 0e5194f2..5e775ce8 100644
--- a/detections/sigma/remote_utilities_network_sigma.yml
+++ b/detections/sigma/remote_utilities_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Remote Utilities RMM Tool Network Activity
-id: 568aba5a-6ff8-4af5-8e07-6397a91dae8e
+id: 9f8807d9-8972-5fc5-b043-7383e19d2781
 status: experimental
 description: |
 Detects potential network activity of Remote Utilities RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -15,7 +15,7 @@ logsource:
 category: network_connection
 detection:
 selection:
- DestinationHostname|endswith: *.internetid.ru
+ DestinationHostname|endswith: '*.internetid.ru'
 condition: selection
 falsepositives:
 - Legitimate use of Remote Utilities
diff --git a/detections/sigma/remote_utilities_processes_sigma.yml b/detections/sigma/remote_utilities_processes_sigma.yml
index 72da66c7..9e2f6df7 100644
--- a/detections/sigma/remote_utilities_processes_sigma.yml
+++ b/detections/sigma/remote_utilities_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Remote Utilities RMM Tool Process Activity
-id: 2fb25913-43b1-485e-99ee-da7ca21fd75f
+id: 70b03640-ee98-5202-bb2d-4a87f36b1e2e
 status: experimental
 description: |
 Detects potential processes activity of Remote Utilities RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,12 +16,12 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - rutview.exe
- - rutserv.exe
+ - 'rutview.exe'
+ - 'rutserv.exe'
 selection_image:
 Image|endswith:
- - rutview.exe
- - rutserv.exe
+ - 'rutview.exe'
+ - 'rutserv.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of Remote Utilities
diff --git a/detections/sigma/remotecall_network_sigma.yml b/detections/sigma/remotecall_network_sigma.yml
index 4b09f3a8..3ef796c2 100644
--- a/detections/sigma/remotecall_network_sigma.yml
+++ b/detections/sigma/remotecall_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential RemoteCall RMM Tool Network Activity
-id: 6a1fe908-f6e3-47ab-8b62-fbd02f3a0128
+id: bf467a07-e7dd-5a81-9fa6-5fdc1ac073fd
 status: experimental
 description: |
 Detects potential network activity of RemoteCall RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,9 +16,9 @@ logsource:
 detection:
 selection:
 DestinationHostname|endswith:
- - *.remotecall.com
- - *.startsupport.com
- - remotecall.com
+ - '*.remotecall.com'
+ - '*.startsupport.com'
+ - 'remotecall.com'
 condition: selection
 falsepositives:
 - Legitimate use of RemoteCall
diff --git a/detections/sigma/remotecall_processes_sigma.yml b/detections/sigma/remotecall_processes_sigma.yml
index 8d7b6a6a..48c435a0 100644
--- a/detections/sigma/remotecall_processes_sigma.yml
+++ b/detections/sigma/remotecall_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential RemoteCall RMM Tool Process Activity
-id: 04f3918a-9d1e-4c5f-97d5-77b9b02166f3
+id: 69f25cbb-bb0d-5c9d-9eea-a093a87f2d5f
 status: experimental
 description: |
 Detects potential processes activity of RemoteCall RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,22 +16,22 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - rcengmgru.exe
- - rcmgrsvc.exe
- - rxstartsupport.exe
- - rcstartsupport.exe
- - raautoup.exe
- - agentu.exe
- - remotesupportplayeru.exe
+ - 'rcengmgru.exe'
+ - 'rcmgrsvc.exe'
+ - 'rxstartsupport.exe'
+ - 'rcstartsupport.exe'
+ - 'raautoup.exe'
+ - 'agentu.exe'
+ - 'remotesupportplayeru.exe'
 selection_image:
 Image|endswith:
- - rcengmgru.exe
- - rcmgrsvc.exe
- - rxstartsupport.exe
- - rcstartsupport.exe
- - raautoup.exe
- - agentu.exe
- - remotesupportplayeru.exe
+ - 'rcengmgru.exe'
+ - 'rcmgrsvc.exe'
+ - 'rxstartsupport.exe'
+ - 'rcstartsupport.exe'
+ - 'raautoup.exe'
+ - 'agentu.exe'
+ - 'remotesupportplayeru.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of RemoteCall
diff --git a/detections/sigma/remotepass_network_sigma.yml b/detections/sigma/remotepass_network_sigma.yml
index 54581e94..250e9f11 100644
--- a/detections/sigma/remotepass_network_sigma.yml
+++ b/detections/sigma/remotepass_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential RemotePass RMM Tool Network Activity
-id: f4461751-f222-4de0-9993-9f6b7c4a2e8b
+id: 52e9a124-141f-5be7-851f-f3f0f7d877f8
 status: experimental
 description: |
 Detects potential network activity of RemotePass RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -15,7 +15,7 @@ logsource:
 category: network_connection
 detection:
 selection:
- DestinationHostname|endswith: remotepass.com
+ DestinationHostname|endswith: 'remotepass.com'
 condition: selection
 falsepositives:
 - Legitimate use of RemotePass
diff --git a/detections/sigma/remotepass_processes_sigma.yml b/detections/sigma/remotepass_processes_sigma.yml
index 1a53ef64..7f4fd106 100644
--- a/detections/sigma/remotepass_processes_sigma.yml
+++ b/detections/sigma/remotepass_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential RemotePass RMM Tool Process Activity
-id: 86223db5-ec72-4fbb-8fa6-deca5afb0582
+id: 8952b8a6-f260-505c-a2d4-a352a87d294e
 status: experimental
 description: |
 Detects potential processes activity of RemotePass RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,14 +16,14 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - remotepass-access.exe
- - rpaccess.exe
- - rpwhostscr.exe
+ - 'remotepass-access.exe'
+ - 'rpaccess.exe'
+ - 'rpwhostscr.exe'
 selection_image:
 Image|endswith:
- - remotepass-access.exe
- - rpaccess.exe
- - rpwhostscr.exe
+ - 'remotepass-access.exe'
+ - 'rpaccess.exe'
+ - 'rpwhostscr.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of RemotePass
diff --git a/detections/sigma/remotepc_network_sigma.yml b/detections/sigma/remotepc_network_sigma.yml
index 5c4818dd..5b0e5062 100644
--- a/detections/sigma/remotepc_network_sigma.yml
+++ b/detections/sigma/remotepc_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential RemotePC RMM Tool Network Activity
-id: e86ca73e-3392-4338-901e-03cd1fc5c2e2
+id: d04fb49c-3d9c-5d74-bfd0-5bee8d60adc3
 status: experimental
 description: |
 Detects potential network activity of RemotePC RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,10 +16,10 @@ logsource:
 detection:
 selection:
 DestinationHostname|endswith:
- - *.remotedesktop.com
- - *.remotepc.com
- - www.remotepc.com
- - remotepc.com
+ - '*.remotedesktop.com'
+ - '*.remotepc.com'
+ - 'www.remotepc.com'
+ - 'remotepc.com'
 condition: selection
 falsepositives:
 - Legitimate use of RemotePC
diff --git a/detections/sigma/remotepc_processes_sigma.yml b/detections/sigma/remotepc_processes_sigma.yml
index e3519bcb..03ac6f40 100644
--- a/detections/sigma/remotepc_processes_sigma.yml
+++ b/detections/sigma/remotepc_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential RemotePC RMM Tool Process Activity
-id: 5b7c22f4-9bd6-4ec1-8624-6a0798fee565
+id: ba0e8fd7-94fb-54b4-abc9-29a370a98fe6
 status: experimental
 description: |
 Detects potential processes activity of RemotePC RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,20 +16,20 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - remotepcservice.exe
- - RemotePC.exe
- - remotepchost.exe
- - rpcsuite.exe
- - RemotePCService.exe
- - RemotePCService.exe
+ - 'remotepcservice.exe'
+ - 'RemotePC.exe'
+ - 'remotepchost.exe'
+ - 'rpcsuite.exe'
+ - '*\RemotePCService.exe'
+ - 'RemotePCService.exe'
 selection_image:
 Image|endswith:
- - remotepcservice.exe
- - RemotePC.exe
- - remotepchost.exe
- - rpcsuite.exe
- - RemotePCService.exe
- - RemotePCService.exe
+ - 'remotepcservice.exe'
+ - 'RemotePC.exe'
+ - 'remotepchost.exe'
+ - 'rpcsuite.exe'
+ - '*\RemotePCService.exe'
+ - 'RemotePCService.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of RemotePC
diff --git a/detections/sigma/remoteutilities_network_sigma.yml b/detections/sigma/remoteutilities_network_sigma.yml
index 5cc5e6ca..fb2c701d 100644
--- a/detections/sigma/remoteutilities_network_sigma.yml
+++ b/detections/sigma/remoteutilities_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential RemoteUtilities RMM Tool Network Activity
-id: 3b420f86-5285-40a3-829e-a86532bb4c65
+id: f8b97599-a738-5a59-9596-ae7339a1d686
 status: experimental
 description: |
 Detects potential network activity of RemoteUtilities RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -15,7 +15,7 @@ logsource:
 category: network_connection
 detection:
 selection:
- DestinationHostname|endswith: remoteutilities.com
+ DestinationHostname|endswith: 'remoteutilities.com'
 condition: selection
 falsepositives:
 - Legitimate use of RemoteUtilities
diff --git a/detections/sigma/remoteutilities_processes_sigma.yml b/detections/sigma/remoteutilities_processes_sigma.yml
index 350ea42e..59ec7d67 100644
--- a/detections/sigma/remoteutilities_processes_sigma.yml
+++ b/detections/sigma/remoteutilities_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential RemoteUtilities RMM Tool Process Activity
-id: e93cef04-7126-4b84-ba4c-d1c8344eeed4
+id: 011e691f-bca7-56c0-b9cf-65a58dff0302
 status: experimental
 description: |
 Detects potential processes activity of RemoteUtilities RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,14 +16,14 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - rutview.exe
- - rutserv.exe
- - rutserv.exe
+ - 'rutview.exe'
+ - 'rutserv.exe'
+ - '*\rutserv.exe'
 selection_image:
 Image|endswith:
- - rutview.exe
- - rutserv.exe
- - rutserv.exe
+ - 'rutview.exe'
+ - 'rutserv.exe'
+ - '*\rutserv.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of RemoteUtilities
diff --git a/detections/sigma/remoteview_network_sigma.yml b/detections/sigma/remoteview_network_sigma.yml
index ef858140..0cc80671 100644
--- a/detections/sigma/remoteview_network_sigma.yml
+++ b/detections/sigma/remoteview_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential RemoteView RMM Tool Network Activity
-id: 7159c8eb-d7b8-4802-a204-19b6c1983f38
+id: 6a280fcd-e104-5801-b142-c1fb8d5f69e2
 status: experimental
 description: |
 Detects potential network activity of RemoteView RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,9 +16,9 @@ logsource:
 detection:
 selection:
 DestinationHostname|endswith:
- - *content.rview.com
- - *.rview.com
- - content.rview.com
+ - '*content.rview.com'
+ - '*.rview.com'
+ - 'content.rview.com'
 condition: selection
 falsepositives:
 - Legitimate use of RemoteView
diff --git a/detections/sigma/remoteview_processes_sigma.yml b/detections/sigma/remoteview_processes_sigma.yml
index fa71150c..dbae9682 100644
--- a/detections/sigma/remoteview_processes_sigma.yml
+++ b/detections/sigma/remoteview_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential RemoteView RMM Tool Process Activity
-id: b9bdfb4d-21b8-44d8-8ca7-624b60cec151
+id: c10868e8-0080-5356-866e-633dd617d931
 status: experimental
 description: |
 Detects potential processes activity of RemoteView RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,16 +16,16 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - remoteview.exe
- - rv.exe
- - rvagent.exe
- - rvagtray.exe
+ - 'remoteview.exe'
+ - 'rv.exe'
+ - 'rvagent.exe'
+ - 'rvagtray.exe'
 selection_image:
 Image|endswith:
- - remoteview.exe
- - rv.exe
- - rvagent.exe
- - rvagtray.exe
+ - 'remoteview.exe'
+ - 'rv.exe'
+ - 'rvagent.exe'
+ - 'rvagtray.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of RemoteView
diff --git a/detections/sigma/res_automation_manager_network_sigma.yml b/detections/sigma/res_automation_manager_network_sigma.yml
index a4cd923d..7c4eb20f 100644
--- a/detections/sigma/res_automation_manager_network_sigma.yml
+++ b/detections/sigma/res_automation_manager_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential RES Automation Manager RMM Tool Network Activity
-id: 89b8bfe3-ba0a-4a8a-aee1-6059ccdd1daa
+id: 9edc915d-f70e-5dc7-897c-4fbf03bfa374
 status: experimental
 description: |
 Detects potential network activity of RES Automation Manager RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,8 +16,8 @@ logsource:
 detection:
 selection:
 DestinationHostname|endswith:
- - user_managed
- - ivanti.com/
+ - 'user_managed'
+ - 'ivanti.com/'
 condition: selection
 falsepositives:
 - Legitimate use of RES Automation Manager
diff --git a/detections/sigma/res_automation_manager_processes_sigma.yml b/detections/sigma/res_automation_manager_processes_sigma.yml
index 714f7a10..76ae2f81 100644
--- a/detections/sigma/res_automation_manager_processes_sigma.yml
+++ b/detections/sigma/res_automation_manager_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential RES Automation Manager RMM Tool Process Activity
-id: ae4d8b43-a9f4-4db1-a54e-dfb30cf6efa5
+id: cd893476-80dc-554b-878b-7523ffa3e0c9
 status: experimental
 description: |
 Detects potential processes activity of RES Automation Manager RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,16 +16,16 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - wisshell*.exe
- - wmc.exe
- - wmc_deployer.exe
- - wmcsvc.exe
+ - 'wisshell*.exe'
+ - 'wmc.exe'
+ - 'wmc_deployer.exe'
+ - 'wmcsvc.exe'
 selection_image:
 Image|endswith:
- - wisshell*.exe
- - wmc.exe
- - wmc_deployer.exe
- - wmcsvc.exe
+ - 'wisshell*.exe'
+ - 'wmc.exe'
+ - 'wmc_deployer.exe'
+ - 'wmcsvc.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of RES Automation Manager
diff --git a/detections/sigma/rocket_remote_desktop_processes_sigma.yml b/detections/sigma/rocket_remote_desktop_processes_sigma.yml
index 3b432f7f..dd35a2f1 100644
--- a/detections/sigma/rocket_remote_desktop_processes_sigma.yml
+++ b/detections/sigma/rocket_remote_desktop_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Rocket Remote Desktop RMM Tool Process Activity
-id: 51cd69de-ebc1-43a8-8d7d-86d4e2a837cb
+id: c925421c-80e2-5284-8602-7ac6554fd0c4
 status: experimental
 description: |
 Detects potential processes activity of Rocket Remote Desktop RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,12 +16,12 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - RDConsole.exe
- - RocketRemoteDesktop_Setup.exe
+ - 'RDConsole.exe'
+ - 'RocketRemoteDesktop_Setup.exe'
 selection_image:
 Image|endswith:
- - RDConsole.exe
- - RocketRemoteDesktop_Setup.exe
+ - 'RDConsole.exe'
+ - 'RocketRemoteDesktop_Setup.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of Rocket Remote Desktop
diff --git a/detections/sigma/royal_apps_network_sigma.yml b/detections/sigma/royal_apps_network_sigma.yml
index 56430985..3e98d157 100644
--- a/detections/sigma/royal_apps_network_sigma.yml
+++ b/detections/sigma/royal_apps_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Royal Apps RMM Tool Network Activity
-id: 2048c611-6c70-4af6-a59b-282bf57a7dc9
+id: ad600cb3-bfe7-51a3-87cd-d95f5f131b65
 status: experimental
 description: |
 Detects potential network activity of Royal Apps RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -15,7 +15,7 @@ logsource:
 category: network_connection
 detection:
 selection:
- DestinationHostname|endswith: user_managed
+ DestinationHostname|endswith: 'user_managed'
 condition: selection
 falsepositives:
 - Legitimate use of Royal Apps
diff --git a/detections/sigma/royal_apps_processes_sigma.yml b/detections/sigma/royal_apps_processes_sigma.yml
index 832b3579..2d56e49e 100644
--- a/detections/sigma/royal_apps_processes_sigma.yml
+++ b/detections/sigma/royal_apps_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Royal Apps RMM Tool Process Activity
-id: 11d5df2c-21ac-4493-9ee7-d3b851c792bd
+id: 3d572f57-1a49-5ab7-8448-ddabefd61cfd
 status: experimental
 description: |
 Detects potential processes activity of Royal Apps RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,12 +16,12 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - royalserver.exe
- - royalts.exe
+ - 'royalserver.exe'
+ - 'royalts.exe'
 selection_image:
 Image|endswith:
- - royalserver.exe
- - royalts.exe
+ - 'royalserver.exe'
+ - 'royalts.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of Royal Apps
diff --git a/detections/sigma/royal_server_network_sigma.yml b/detections/sigma/royal_server_network_sigma.yml
index 78a27206..7caa7728 100644
--- a/detections/sigma/royal_server_network_sigma.yml
+++ b/detections/sigma/royal_server_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Royal Server RMM Tool Network Activity
-id: 1ab09382-e7a9-4623-ad46-85d55a04ee6e
+id: 00b0e261-540e-5a67-bda5-36bca12ff5d7
 status: experimental
 description: |
 Detects potential network activity of Royal Server RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -15,7 +15,7 @@ logsource:
 category: network_connection
 detection:
 selection:
- DestinationHostname|endswith: royalapps.com
+ DestinationHostname|endswith: 'royalapps.com'
 condition: selection
 falsepositives:
 - Legitimate use of Royal Server
diff --git a/detections/sigma/royal_ts_network_sigma.yml b/detections/sigma/royal_ts_network_sigma.yml
index 63aaea3b..1e5c9fa3 100644
--- a/detections/sigma/royal_ts_network_sigma.yml
+++ b/detections/sigma/royal_ts_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Royal TS RMM Tool Network Activity
-id: 17763b87-0675-4d9d-95ef-0fb00bb0aa0b
+id: 70e858bf-d80d-5989-9d80-8688001be27d
 status: experimental
 description: |
 Detects potential network activity of Royal TS RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -15,7 +15,7 @@ logsource:
 category: network_connection
 detection:
 selection:
- DestinationHostname|endswith: royalapps.com
+ DestinationHostname|endswith: 'royalapps.com'
 condition: selection
 falsepositives:
 - Legitimate use of Royal TS
diff --git a/detections/sigma/royal_ts_processes_sigma.yml b/detections/sigma/royal_ts_processes_sigma.yml
index 7cb9cedd..37154285 100644
--- a/detections/sigma/royal_ts_processes_sigma.yml
+++ b/detections/sigma/royal_ts_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Royal TS RMM Tool Process Activity
-id: 55dd0a0f-5654-4796-8917-35e281b63137
+id: 1921c89b-42a3-5918-9bd5-8c60913b5cde
 status: experimental
 description: |
 Detects potential processes activity of Royal TS RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -15,9 +15,9 @@ logsource:
 category: process_creation
 detection:
 selection_parent:
- ParentImage|endswith: royalts.exe
+ ParentImage|endswith: 'royalts.exe'
 selection_image:
- Image|endswith: royalts.exe
+ Image|endswith: 'royalts.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of Royal TS
diff --git a/detections/sigma/rport_network_sigma.yml b/detections/sigma/rport_network_sigma.yml
index d2ccb9b9..e2563b31 100644
--- a/detections/sigma/rport_network_sigma.yml
+++ b/detections/sigma/rport_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential RPort RMM Tool Network Activity
-id: b958832e-79f5-406d-832a-d3da5ea9163a
+id: 4730b65b-1328-5c9e-a8f8-1868a100bb24
 status: experimental
 description: |
 Detects potential network activity of RPort RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,8 +16,8 @@ logsource:
 detection:
 selection:
 DestinationHostname|endswith:
- - user_managed
- - rport.io
+ - 'user_managed'
+ - 'rport.io'
 condition: selection
 falsepositives:
 - Legitimate use of RPort
diff --git a/detections/sigma/rport_processes_sigma.yml b/detections/sigma/rport_processes_sigma.yml
index e1bbf97d..5f946584 100644
--- a/detections/sigma/rport_processes_sigma.yml
+++ b/detections/sigma/rport_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential RPort RMM Tool Process Activity
-id: b8dcf4c1-927a-4f60-8772-37948e5a16dd
+id: e0006f9a-f282-5220-90aa-06cb810791f7
 status: experimental
 description: |
 Detects potential processes activity of RPort RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -15,9 +15,9 @@ logsource:
 category: process_creation
 detection:
 selection_parent:
- ParentImage|endswith: rport.exe
+ ParentImage|endswith: 'rport.exe'
 selection_image:
- Image|endswith: rport.exe
+ Image|endswith: 'rport.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of RPort
diff --git a/detections/sigma/rudesktop_network_sigma.yml b/detections/sigma/rudesktop_network_sigma.yml
index 3ab39833..559c3e33 100644
--- a/detections/sigma/rudesktop_network_sigma.yml
+++ b/detections/sigma/rudesktop_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential RuDesktop RMM Tool Network Activity
-id: bb51a404-4a69-4faf-a41d-644740ef3cae
+id: ac669409-36a8-5336-858a-c30f1b64e335
 status: experimental
 description: |
 Detects potential network activity of RuDesktop RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,8 +16,8 @@ logsource:
 detection:
 selection:
 DestinationHostname|endswith:
- - *.rudesktop.ru
- - rudesktop.ru
+ - '*.rudesktop.ru'
+ - 'rudesktop.ru'
 condition: selection
 falsepositives:
 - Legitimate use of RuDesktop
diff --git a/detections/sigma/rudesktop_processes_sigma.yml b/detections/sigma/rudesktop_processes_sigma.yml
index b9625c14..897eb293 100644
--- a/detections/sigma/rudesktop_processes_sigma.yml
+++ b/detections/sigma/rudesktop_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential RuDesktop RMM Tool Process Activity
-id: e515e095-e65b-420e-9843-e2a3528233bb
+id: 24333420-9bbd-57e3-bd17-d05332ea87ff
 status: experimental
 description: |
 Detects potential processes activity of RuDesktop RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,12 +16,12 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - rd.exe
- - rudesktop*.exe
+ - 'rd.exe'
+ - 'rudesktop*.exe'
 selection_image:
 Image|endswith:
- - rd.exe
- - rudesktop*.exe
+ - 'rd.exe'
+ - 'rudesktop*.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of RuDesktop
diff --git a/detections/sigma/runsmart_network_sigma.yml b/detections/sigma/runsmart_network_sigma.yml
index d2acc456..529ab2b7 100644
--- a/detections/sigma/runsmart_network_sigma.yml
+++ b/detections/sigma/runsmart_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential RunSmart RMM Tool Network Activity
-id: 5dea5c9a-652f-4ac4-a24e-08ee8bf5df82
+id: b4eb5db2-be4a-5ef7-bf7d-16f62520308c
 status: experimental
 description: |
 Detects potential network activity of RunSmart RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -15,7 +15,7 @@ logsource:
 category: network_connection
 detection:
 selection:
- DestinationHostname|endswith: runsmart.io
+ DestinationHostname|endswith: 'runsmart.io'
 condition: selection
 falsepositives:
 - Legitimate use of RunSmart
diff --git a/detections/sigma/rustdesk_files_sigma.yml b/detections/sigma/rustdesk_files_sigma.yml
index 5c380342..fe7d6b85 100644
--- a/detections/sigma/rustdesk_files_sigma.yml
+++ b/detections/sigma/rustdesk_files_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential RustDesk RMM Tool File Activity
-id: 08f48f25-fcee-48af-b7c3-8d8d128c7f64
+id: beb04428-e0e1-5207-b941-c75a913865e8
 status: experimental
 description: |
 Detects potential files activity of RustDesk RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -15,7 +15,7 @@ logsource:
 category: file_event
 detection:
 selection:
- TargetFilename|endswith: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\*
+ TargetFilename|endswith: 'C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\*'
 condition: selection
 falsepositives:
 - Legitimate use of RustDesk
diff --git a/detections/sigma/rustdesk_network_sigma.yml b/detections/sigma/rustdesk_network_sigma.yml
index 1ff0dde8..7780ed92 100644
--- a/detections/sigma/rustdesk_network_sigma.yml
+++ b/detections/sigma/rustdesk_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential RustDesk RMM Tool Network Activity
-id: 56f0c5a9-a83b-41ec-b9cf-f90c69b2e142
+id: 036b78ca-f289-510c-a9d8-60d0a02b5fbd
 status: experimental
 description: |
 Detects potential network activity of RustDesk RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,11 +16,11 @@ logsource:
 detection:
 selection:
 DestinationHostname|endswith:
- - rustdesk.com
- - user_managed
- - web.rustdesk.com
- - api.rustdesk.com
- - rs-ny.rustdesk.com
+ - 'rustdesk.com'
+ - 'user_managed'
+ - 'web.rustdesk.com'
+ - 'api.rustdesk.com'
+ - 'rs-ny.rustdesk.com'
 condition: selection
 falsepositives:
 - Legitimate use of RustDesk
diff --git a/detections/sigma/rustdesk_processes_sigma.yml b/detections/sigma/rustdesk_processes_sigma.yml
index 6c4d43d7..7fbbf330 100644
--- a/detections/sigma/rustdesk_processes_sigma.yml
+++ b/detections/sigma/rustdesk_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential RustDesk RMM Tool Process Activity
-id: c6a0e6ff-7653-446a-930e-d1c6f39629fa
+id: d31a1b75-8ec6-56ad-961e-909eeb08ba7c
 status: experimental
 description: |
 Detects potential processes activity of RustDesk RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,14 +16,14 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - rustdesk*.exe
- - rustdesk.exe
- - rustdesk.exe
+ - 'rustdesk*.exe'
+ - 'rustdesk.exe'
+ - 'C:\Users\*\AppData\Local\rustdesk\rustdesk.exe'
 selection_image:
 Image|endswith:
- - rustdesk*.exe
- - rustdesk.exe
- - rustdesk.exe
+ - 'rustdesk*.exe'
+ - 'rustdesk.exe'
+ - 'C:\Users\*\AppData\Local\rustdesk\rustdesk.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of RustDesk
diff --git a/detections/sigma/s3_browser_processes_sigma.yml b/detections/sigma/s3_browser_processes_sigma.yml
index 13f17cf4..216f1273 100644
--- a/detections/sigma/s3_browser_processes_sigma.yml
+++ b/detections/sigma/s3_browser_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential S3 Browser RMM Tool Process Activity
-id: 45e32160-b7aa-4cc3-9bd8-5e2e6cce0b57
+id: f58a2f0a-6b05-55d0-8f1c-60effb0c6d6e
 status: experimental
 description: |
 Detects potential processes activity of S3 Browser RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -15,9 +15,9 @@ logsource:
 category: process_creation
 detection:
 selection_parent:
- ParentImage|endswith: s3browser*.exe
+ ParentImage|endswith: '*\s3browser*.exe'
 selection_image:
- Image|endswith: s3browser*.exe
+ Image|endswith: '*\s3browser*.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of S3 Browser
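Review bot: In rustdesk_processes_sigma.yml the new entry `'C:\Users\*\AppData\Local\rustdesk\rustdesk.exe'` is already covered by the `'rustdesk.exe'` entry one line above, since `|endswith` matches any path ending in that basename; the old side listed `rustdesk.exe` twice, so the generator apparently now passes source paths through unreduced. The same redundancy appears in s3_browser_processes_sigma.yml (`'*\s3browser*.exe'`, where the leading `*` duplicates what `|endswith` adds), securecrt_processes_sigma.yml (`'C:\*\SecureCRT.EXE'` next to `'*\SecureCRT.EXE'`) and the `'*\*\ScreenConnect...'` entries in screenconnect_processes_sigma.yml. Normalising list values to a basename or a single `*\name` form and deduplicating them in the generator would keep these rules readable without changing what they match. Separately, in rustdesk_files_sigma.yml the value `'...\RustDesk\*'` under `|endswith` ends in `*`, which turns the match into a contains; `|contains` would state that intent directly.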
diff --git a/detections/sigma/screenconnect_files_sigma.yml b/detections/sigma/screenconnect_files_sigma.yml
index 901ea66a..51b549bd 100644
--- a/detections/sigma/screenconnect_files_sigma.yml
+++ b/detections/sigma/screenconnect_files_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential ScreenConnect RMM Tool File Activity
-id: fa0f2b6a-8f96-470e-b699-82e4c1bce912
+id: 1461da7e-2712-5195-9d57-86c6ef02ff2e
 status: experimental
 description: |
 Detects potential files activity of ScreenConnect RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,9 +16,9 @@ logsource:
 detection:
 selection:
 TargetFilename|endswith:
- - C:\Program Files*\ScreenConnect\App_Data\Session.db
- - C:\Program Files*\ScreenConnect\App_Data\User.xml
- - C:\ProgramData\ScreenConnect Client*\user.config
+ - 'C:\Program Files*\ScreenConnect\App_Data\Session.db'
+ - 'C:\Program Files*\ScreenConnect\App_Data\User.xml'
+ - 'C:\ProgramData\ScreenConnect Client*\user.config'
 condition: selection
 falsepositives:
 - Legitimate use of ScreenConnect
diff --git a/detections/sigma/screenconnect_network_sigma.yml b/detections/sigma/screenconnect_network_sigma.yml
index b1fbe58f..57dcba57 100644
--- a/detections/sigma/screenconnect_network_sigma.yml
+++ b/detections/sigma/screenconnect_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential ScreenConnect RMM Tool Network Activity
-id: 74f512be-1adb-411e-962f-9f759996e8fe
+id: 14bfeeea-00c1-5827-967d-8fde5b719a84
 status: experimental
 description: |
 Detects potential network activity of ScreenConnect RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,9 +16,9 @@ logsource:
 detection:
 selection:
 DestinationHostname|endswith:
- - control.connectwise.com
- - *.connectwise.com
- - *.screenconnect.com
+ - 'control.connectwise.com'
+ - '*.connectwise.com'
+ - '*.screenconnect.com'
 condition: selection
 falsepositives:
 - Legitimate use of ScreenConnect
diff --git a/detections/sigma/screenconnect_processes_sigma.yml b/detections/sigma/screenconnect_processes_sigma.yml
index 22f5275e..33d41954 100644
--- a/detections/sigma/screenconnect_processes_sigma.yml
+++ b/detections/sigma/screenconnect_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential ScreenConnect RMM Tool Process Activity
-id: 3c95a0d7-14e3-4464-90a1-234b5a686fac
+id: 62934508-3b42-59ab-9030-02c83348d16c
 status: experimental
 description: |
 Detects potential processes activity of ScreenConnect RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,32 +16,32 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - ScreenConnect.ClientService.exe
- - Remote Workforce Client.exe
- - ScreenConnect.ClientService.exe
- - ScreenConnect.WindowsClient.exe
- - screenconnect*.exe
- - screenconnect.windowsclient.exe
- - Remote Workforce Client.exe
- - screenconnect*.exe
- - ConnectWiseControl*.exe
- - connectwise*.exe
- - screenconnect.windowsclient.exe
- - screenconnect.clientservice.exe
+ - 'C:\Program Files (x86)\ScreenConnect Client (Random)\ScreenConnect.ClientService.exe'
+ - 'Remote Workforce Client.exe'
+ - '*\*\ScreenConnect.ClientService.exe'
+ - '*\*\ScreenConnect.WindowsClient.exe'
+ - 'screenconnect*.exe'
+ - 'screenconnect.windowsclient.exe'
+ - 'Remote Workforce Client.exe'
+ - 'screenconnect*.exe'
+ - 'ConnectWiseControl*.exe'
+ - 'connectwise*.exe'
+ - 'screenconnect.windowsclient.exe'
+ - 'screenconnect.clientservice.exe'
 selection_image:
 Image|endswith:
- - ScreenConnect.ClientService.exe
- - Remote Workforce Client.exe
- - ScreenConnect.ClientService.exe
- - ScreenConnect.WindowsClient.exe
- - screenconnect*.exe
- - screenconnect.windowsclient.exe
- - Remote Workforce Client.exe
- - screenconnect*.exe
- - ConnectWiseControl*.exe
- - connectwise*.exe
- - screenconnect.windowsclient.exe
- - screenconnect.clientservice.exe
+ - 'C:\Program Files (x86)\ScreenConnect Client (Random)\ScreenConnect.ClientService.exe'
+ - 'Remote Workforce Client.exe'
+ - '*\*\ScreenConnect.ClientService.exe'
+ - '*\*\ScreenConnect.WindowsClient.exe'
+ - 'screenconnect*.exe'
+ - 'screenconnect.windowsclient.exe'
+ - 'Remote Workforce Client.exe'
+ - 'screenconnect*.exe'
+ - 'ConnectWiseControl*.exe'
+ - 'connectwise*.exe'
+ - 'screenconnect.windowsclient.exe'
+ - 'screenconnect.clientservice.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of ScreenConnect
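Review bot: The new first entry `'C:\Program Files (x86)\ScreenConnect Client (Random)\ScreenConnect.ClientService.exe'` in both selections carries a literal `(Random)` where the per-install directory suffix belongs, so it can never match and only the basename entries further down actually catch the service; screenconnect_files_sigma.yml in this same commit uses the wildcard form `'C:\ProgramData\ScreenConnect Client*\user.config'` for that suffix. Either drop the entry or write it as `'*\ScreenConnect Client*\ScreenConnect.ClientService.exe'`. Also `'Remote Workforce Client.exe'`, `'screenconnect*.exe'` and `'screenconnect.windowsclient.exe'` each appear twice in each selection; deduplicating values in the generator would remove the noise.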
diff --git a/detections/sigma/screenmeet_network_sigma.yml b/detections/sigma/screenmeet_network_sigma.yml
index 30766d5a..fb4544ec 100644
--- a/detections/sigma/screenmeet_network_sigma.yml
+++ b/detections/sigma/screenmeet_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential ScreenMeet RMM Tool Network Activity
-id: 7c429563-cd6e-499e-9256-e3ef9fd65ebc
+id: eb5441dd-9519-5e03-bd14-210c712aa4d1
 status: experimental
 description: |
 Detects potential network activity of ScreenMeet RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,8 +16,8 @@ logsource:
 detection:
 selection:
 DestinationHostname|endswith:
- - *.screenmeet.com
- - *.scrn.mt
+ - '*.screenmeet.com'
+ - '*.scrn.mt'
 condition: selection
 falsepositives:
 - Legitimate use of ScreenMeet
diff --git a/detections/sigma/screenmeet_processes_sigma.yml b/detections/sigma/screenmeet_processes_sigma.yml
index 94928198..8be92222 100644
--- a/detections/sigma/screenmeet_processes_sigma.yml
+++ b/detections/sigma/screenmeet_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential ScreenMeet RMM Tool Process Activity
-id: 67448f35-4a27-4c04-ab31-3b05d5090b4d
+id: bca8c37a-9a08-575c-b23c-419384cacc82
 status: experimental
 description: |
 Detects potential processes activity of ScreenMeet RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,12 +16,12 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - ScreenMeetSupport.exe
- - ScreenMeet.Support.exe
+ - 'ScreenMeetSupport.exe'
+ - 'ScreenMeet.Support.exe'
 selection_image:
 Image|endswith:
- - ScreenMeetSupport.exe
- - ScreenMeet.Support.exe
+ - 'ScreenMeetSupport.exe'
+ - 'ScreenMeet.Support.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of ScreenMeet
diff --git a/detections/sigma/securecrt_processes_sigma.yml b/detections/sigma/securecrt_processes_sigma.yml
index 2d34a599..5af86566 100644
--- a/detections/sigma/securecrt_processes_sigma.yml
+++ b/detections/sigma/securecrt_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential SecureCRT RMM Tool Process Activity
-id: 4931f903-150d-43b3-bed7-1772dbdbd8e3
+id: 00be54dd-11bc-5f95-bb4b-b8db1e9ffb0f
 status: experimental
 description: |
 Detects potential processes activity of SecureCRT RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,12 +16,12 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - SecureCRT.EXE
- - SecureCRT.EXE
+ - 'C:\*\SecureCRT.EXE'
+ - '*\SecureCRT.EXE'
 selection_image:
 Image|endswith:
- - SecureCRT.EXE
- - SecureCRT.EXE
+ - 'C:\*\SecureCRT.EXE'
+ - '*\SecureCRT.EXE'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of SecureCRT
diff --git a/detections/sigma/seetrol_network_sigma.yml b/detections/sigma/seetrol_network_sigma.yml
index ed6ee1a9..1ef5ea54 100644
--- a/detections/sigma/seetrol_network_sigma.yml
+++ b/detections/sigma/seetrol_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Seetrol RMM Tool Network Activity
-id: 03eaba5a-6077-4d7e-a431-1a72cb0c49ba
+id: 867418ba-c0ab-5d7b-92be-73eddc096385
 status: experimental
 description: |
 Detects potential network activity of Seetrol RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -15,7 +15,7 @@ logsource:
 category: network_connection
 detection:
 selection:
- DestinationHostname|endswith: seetrol.co.kr
+ DestinationHostname|endswith: 'seetrol.co.kr'
 condition: selection
 falsepositives:
 - Legitimate use of Seetrol
diff --git a/detections/sigma/seetrol_processes_sigma.yml b/detections/sigma/seetrol_processes_sigma.yml
index cb181e85..79c969ab 100644
--- a/detections/sigma/seetrol_processes_sigma.yml
+++ b/detections/sigma/seetrol_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Seetrol RMM Tool Process Activity
-id: 2228b414-a2e0-494e-80f3-5748a36f9188
+id: 48ba3ded-4855-56c4-9798-e309cb87286f
 status: experimental
 description: |
 Detects potential processes activity of Seetrol RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,18 +16,18 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - seetrolcenter.exe
- - seetrolclient.exe
- - seetrolmyservice.exe
- - seetrolremote.exe
- - seetrolsetting.exe
+ - 'seetrolcenter.exe'
+ - 'seetrolclient.exe'
+ - 'seetrolmyservice.exe'
+ - 'seetrolremote.exe'
+ - 'seetrolsetting.exe'
 selection_image:
 Image|endswith:
- - seetrolcenter.exe
- - seetrolclient.exe
- - seetrolmyservice.exe
- - seetrolremote.exe
- - seetrolsetting.exe
+ - 'seetrolcenter.exe'
+ - 'seetrolclient.exe'
+ - 'seetrolmyservice.exe'
+ - 'seetrolremote.exe'
+ - 'seetrolsetting.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of Seetrol
diff --git a/detections/sigma/senso.cloud_network_sigma.yml b/detections/sigma/senso.cloud_network_sigma.yml
index 8c182151..2052af61 100644
--- a/detections/sigma/senso.cloud_network_sigma.yml
+++ b/detections/sigma/senso.cloud_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Senso.cloud RMM Tool Network Activity
-id: f24b4c8f-3a80-42f7-b171-dafa5cf50360
+id: 4e19267c-7aee-555b-a281-d828d4bdb760
 status: experimental
 description: |
 Detects potential network activity of Senso.cloud RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,8 +16,8 @@ logsource:
 detection:
 selection:
 DestinationHostname|endswith:
- - *.senso.cloud
- - senso.cloud
+ - '*.senso.cloud'
+ - 'senso.cloud'
 condition: selection
 falsepositives:
 - Legitimate use of Senso.cloud
diff --git a/detections/sigma/senso.cloud_processes_sigma.yml b/detections/sigma/senso.cloud_processes_sigma.yml
index 0bd71e7b..1ea9f572 100644
--- a/detections/sigma/senso.cloud_processes_sigma.yml
+++ b/detections/sigma/senso.cloud_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Senso.cloud RMM Tool Process Activity
-id: eae4036c-86e7-429d-bd5a-49dc2b2884c7
+id: 990e846e-260c-5725-b6f2-8f67ac449667
 status: experimental
 description: |
 Detects potential processes activity of Senso.cloud RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,14 +16,14 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - SensoClient.exe
- - SensoService.exe
- - aadg.exe
+ - 'SensoClient.exe'
+ - 'SensoService.exe'
+ - 'aadg.exe'
 selection_image:
 Image|endswith:
- - SensoClient.exe
- - SensoService.exe
- - aadg.exe
+ - 'SensoClient.exe'
+ - 'SensoService.exe'
+ - 'aadg.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of Senso.cloud
diff --git a/detections/sigma/servereye_network_sigma.yml b/detections/sigma/servereye_network_sigma.yml
index 228420ec..2965d3f5 100644
--- a/detections/sigma/servereye_network_sigma.yml
+++ b/detections/sigma/servereye_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential ServerEye RMM Tool Network Activity
-id: 595143f2-0bc4-4e43-be6b-ed77c6d60afc
+id: 73f14021-fba7-5cb6-b111-12e624b99392
 status: experimental
 description: |
 Detects potential network activity of ServerEye RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -15,7 +15,7 @@ logsource:
 category: network_connection
 detection:
 selection:
- DestinationHostname|endswith: *.server-eye.de
+ DestinationHostname|endswith: '*.server-eye.de'
 condition: selection
 falsepositives:
 - Legitimate use of ServerEye
diff --git a/detections/sigma/servereye_processes_sigma.yml b/detections/sigma/servereye_processes_sigma.yml
index 9d505946..82bfe499 100644
--- a/detections/sigma/servereye_processes_sigma.yml
+++ b/detections/sigma/servereye_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential ServerEye RMM Tool Process Activity
-id: 92d6dbe9-f502-45b3-bc89-d47577f5dd5d
+id: dd27b5bb-3bac-5d5b-a4de-b154b23cc0cb
 status: experimental
 description: |
 Detects potential processes activity of ServerEye RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,12 +16,12 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - servereye*.exe
- - ServiceProxyLocalSys.exe
+ - 'servereye*.exe'
+ - 'ServiceProxyLocalSys.exe'
 selection_image:
 Image|endswith:
- - servereye*.exe
- - ServiceProxyLocalSys.exe
+ - 'servereye*.exe'
+ - 'ServiceProxyLocalSys.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of ServerEye
diff --git a/detections/sigma/showmypc_network_sigma.yml b/detections/sigma/showmypc_network_sigma.yml
index 8fdaf166..2b2cef98 100644
--- a/detections/sigma/showmypc_network_sigma.yml
+++ b/detections/sigma/showmypc_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential ShowMyPC RMM Tool Network Activity
-id: eb3a9193-fd54-4d1e-a1c0-f36ee26c651c
+id: 05dc597f-7f50-5a47-ba49-5e83cfb8124f
 status: experimental
 description: |
 Detects potential network activity of ShowMyPC RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,8 +16,8 @@ logsource:
 detection:
 selection:
 DestinationHostname|endswith:
- - *.showmypc.com
- - showmypc.com
+ - '*.showmypc.com'
+ - 'showmypc.com'
 condition: selection
 falsepositives:
 - Legitimate use of ShowMyPC
diff --git a/detections/sigma/showmypc_processes_sigma.yml b/detections/sigma/showmypc_processes_sigma.yml
index 3676077a..e64ade0b 100644
--- a/detections/sigma/showmypc_processes_sigma.yml
+++ b/detections/sigma/showmypc_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential ShowMyPC RMM Tool Process Activity
-id: bab7a004-50d6-47b6-93f5-5edaa30001b5
+id: 00c07d8e-ee88-5c2c-b7fe-af0caf9920d2
 status: experimental
 description: |
 Detects potential processes activity of ShowMyPC RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,16 +16,16 @@ logsource:
 detection:
 selection_parent:
 ParentImage|endswith:
- - SMPCSetup.exe
- - showmypc*.exe
- - showmypc.exe
- - smpcsetup.exe
+ - 'SMPCSetup.exe'
+ - 'showmypc*.exe'
+ - 'showmypc.exe'
+ - 'smpcsetup.exe'
 selection_image:
 Image|endswith:
- - SMPCSetup.exe
- - showmypc*.exe
- - showmypc.exe
- - smpcsetup.exe
+ - 'SMPCSetup.exe'
+ - 'showmypc*.exe'
+ - 'showmypc.exe'
+ - 'smpcsetup.exe'
 condition: 1 of selection_*
 falsepositives:
 - Legitimate use of ShowMyPC
diff --git a/detections/sigma/simplehelp_network_sigma.yml b/detections/sigma/simplehelp_network_sigma.yml
index 4fbd107a..14cdebb1 100644
--- a/detections/sigma/simplehelp_network_sigma.yml
+++ b/detections/sigma/simplehelp_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential SimpleHelp RMM Tool Network Activity
-id: 5664ef88-4683-4f3c-9147-506eb5416d5e
+id: 876dfc34-8e93-570e-b3a9-84bd2f9355ff
 status: experimental
 description: |
 Detects potential network activity of SimpleHelp RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,10 +16,10 @@ logsource:
 detection:
 selection:
 DestinationHostname|endswith:
- - user_managed
- - simple-help.com
- - 51.255.19.178
- - 51.255.19.179
+ - 'user_managed'
+ - 'simple-help.com'
+ - '51.255.19.178'
+ - '51.255.19.179'
 condition: selection
 falsepositives:
 - Legitimate use of SimpleHelp
diff --git a/detections/sigma/simplehelp_processes_sigma.yml b/detections/sigma/simplehelp_processes_sigma.yml
index 22aadb51..fa039867 100644
--- a/detections/sigma/simplehelp_processes_sigma.yml
+++ b/detections/sigma/simplehelp_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential SimpleHelp RMM Tool Process Activity
-id: 85602ba4-712d-4524-ac2e-7cf7511de816
+id: 04ac0573-4b50-5fca-b012-96e799cffe82
 status: experimental
 description: |
 Detects potential processes activity of SimpleHelp RMM tool
 references:
 - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
 - attack.execution
 - attack.t1219
@@ -16,20 +16,20 @@ logsource: detection: selection_parent: ParentImage|endswith: - - simplehelpcustomer.exe - - simpleservice.exe - - simplegatewayservice.exe - - remote access.exe - - windowslauncher.exe - - spsrv.exe + - 'simplehelpcustomer.exe' + - 'simpleservice.exe' + - 'simplegatewayservice.exe' + - 'remote access.exe' + - 'windowslauncher.exe' + - 'spsrv.exe' selection_image: Image|endswith: - - simplehelpcustomer.exe - - simpleservice.exe - - simplegatewayservice.exe - - remote access.exe - - windowslauncher.exe - - spsrv.exe + - 'simplehelpcustomer.exe' + - 'simpleservice.exe' + - 'simplegatewayservice.exe' + - 'remote access.exe' + - 'windowslauncher.exe' + - 'spsrv.exe' condition: 1 of selection_* falsepositives: - Legitimate use of SimpleHelp diff --git a/detections/sigma/site24x7_network_sigma.yml b/detections/sigma/site24x7_network_sigma.yml index 75d5a82b..95aa92f0 100644 --- a/detections/sigma/site24x7_network_sigma.yml +++ b/detections/sigma/site24x7_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Site24x7 RMM Tool Network Activity -id: 5524bfef-3644-44dd-84a9-0e6116a35e78 +id: 28aa1aa8-bdd0-54ac-8651-925c4b54a0f1 status: experimental description: | Detects potential network activity of Site24x7 RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection: DestinationHostname|endswith: - - plus*.site24x7.com - - plus*.site24x7.eu - - plus*.site24x7.in - - plus*.site24x7.cn - - plus*.site24x7.net.au - - site24x7.com/msp + - 'plus*.site24x7.com' + - 'plus*.site24x7.eu' + - 'plus*.site24x7.in' + - 'plus*.site24x7.cn' + - 'plus*.site24x7.net.au' + - 'site24x7.com/msp' condition: selection falsepositives: - Legitimate use of Site24x7 diff --git a/detections/sigma/site24x7_processes_sigma.yml b/detections/sigma/site24x7_processes_sigma.yml index e0101883..0d06c3df 100644 
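Review bot: `'site24x7.com/msp'` in the Site24x7 network hunk is a URL path, and `DestinationHostname` never contains a `/`, so under `endswith` that entry can never match. Either drop it or reduce it to `'site24x7.com'` if the apex domain should also be covered; the `plus*.site24x7.*` entries already carry the real signal. These rule files appear to be generated (uniform dates and version-5 ids), so the edit presumably belongs in the source that emits them; please confirm.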
--- a/detections/sigma/site24x7_processes_sigma.yml +++ b/detections/sigma/site24x7_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Site24x7 RMM Tool Process Activity -id: 8ad21b7a-7b49-4680-8547-ba306fed6bc6 +id: 1d84c0b1-2770-5362-9fe8-98ca095d312a status: experimental description: | Detects potential processes activity of Site24x7 RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,16 +16,16 @@ logsource: detection: selection_parent: ParentImage|endswith: - - MEAgentHelper.exe - - MonitoringAgent.exe - - Site24x7WindowsAgentTrayIcon.exe - - Site24x7PluginAgent.exe + - 'MEAgentHelper.exe' + - 'MonitoringAgent.exe' + - 'Site24x7WindowsAgentTrayIcon.exe' + - 'Site24x7PluginAgent.exe' selection_image: Image|endswith: - - MEAgentHelper.exe - - MonitoringAgent.exe - - Site24x7WindowsAgentTrayIcon.exe - - Site24x7PluginAgent.exe + - 'MEAgentHelper.exe' + - 'MonitoringAgent.exe' + - 'Site24x7WindowsAgentTrayIcon.exe' + - 'Site24x7PluginAgent.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Site24x7 diff --git a/detections/sigma/skyfex_network_sigma.yml b/detections/sigma/skyfex_network_sigma.yml index 5a771a4c..b58e1bd9 100644 --- a/detections/sigma/skyfex_network_sigma.yml +++ b/detections/sigma/skyfex_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential SkyFex RMM Tool Network Activity -id: c7d7cb02-e36f-4f83-8927-acacbc54db0a +id: f9d72ac6-b274-556b-9dff-53aa7877015e status: experimental description: | Detects potential network activity of SkyFex RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,9 +16,9 @@ logsource: detection: selection: DestinationHostname|endswith: - - skyfex.com - - deskroll.com - - *.deskroll.com + - 'skyfex.com' + - 'deskroll.com' + - '*.deskroll.com' condition: selection falsepositives: - Legitimate use of SkyFex diff --git a/detections/sigma/skyfex_processes_sigma.yml b/detections/sigma/skyfex_processes_sigma.yml index a51ea8c9..3d95db6e 100644 --- a/detections/sigma/skyfex_processes_sigma.yml +++ b/detections/sigma/skyfex_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential SkyFex RMM Tool Process Activity -id: b4da400d-cfa2-48df-b0df-3af0bd829b2a +id: 4462cba6-53e7-5591-84c6-65a2c4b25ce7 status: experimental description: | Detects potential processes activity of SkyFex RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - Deskroll.exe - - DeskRollUA.exe + - 'Deskroll.exe' + - 'DeskRollUA.exe' selection_image: Image|endswith: - - Deskroll.exe - - DeskRollUA.exe + - 'Deskroll.exe' + - 'DeskRollUA.exe' condition: 1 of selection_* falsepositives: - Legitimate use of SkyFex diff --git a/detections/sigma/smartty_processes_sigma.yml b/detections/sigma/smartty_processes_sigma.yml index 99cb3b58..59fe29cc 100644 --- a/detections/sigma/smartty_processes_sigma.yml +++ b/detections/sigma/smartty_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential SmarTTY RMM Tool Process Activity -id: b3993d3e-9624-4d2d-aafd-a3df18b3aedc +id: b6feeae2-c7d5-5408-8690-91c008d35a0c status: experimental description: | Detects potential processes activity of SmarTTY RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: SmarTTY.exe + ParentImage|endswith: '*\SmarTTY.exe' selection_image: - Image|endswith: SmarTTY.exe + Image|endswith: '*\SmarTTY.exe' condition: 1 of selection_* falsepositives: - Legitimate use of SmarTTY diff --git a/detections/sigma/solar-putty_processes_sigma.yml b/detections/sigma/solar-putty_processes_sigma.yml index f93f2dbe..a288795f 100644 --- a/detections/sigma/solar-putty_processes_sigma.yml +++ b/detections/sigma/solar-putty_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Solar-PuTTY RMM Tool Process Activity -id: 2c96b3a9-21f3-4c0d-9f4f-f587b639c0f5 +id: 696e7203-64d6-5354-8c88-aa6781173072 status: experimental description: | Detects potential processes activity of Solar-PuTTY RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: Solar-PuTTY.exe + ParentImage|endswith: '*\Solar-PuTTY.exe' selection_image: - Image|endswith: Solar-PuTTY.exe + Image|endswith: '*\Solar-PuTTY.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Solar-PuTTY diff --git a/detections/sigma/sophos-remote_management_system_network_sigma.yml b/detections/sigma/sophos-remote_management_system_network_sigma.yml index af141a11..b2119c37 100644 --- a/detections/sigma/sophos-remote_management_system_network_sigma.yml +++ b/detections/sigma/sophos-remote_management_system_network_sigma.yml 
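Review bot: The SmarTTY hunk (and the identical Solar-PuTTY hunk that follows it) switches to `'*\SmarTTY.exe'`, which anchors the match on the path separator and so avoids hitting names that merely end in the same letters; that is a better shape than the bare `'strwinclt.exe'`-style values used in the sibling process rules, so the two styles should be reconciled wherever these rules are produced rather than left mixed. The leading `*` is redundant under `endswith` and can be dropped: `ParentImage|endswith: '\SmarTTY.exe'` and `Image|endswith: '\SmarTTY.exe'`. If the intent is to keep bare file names everywhere, the `\`-anchored form should at least be applied to the multi-value lists too, otherwise `endswith: 'supremo.exe'` will also match e.g. `notsupremo.exe`.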
@@ -1,12 +1,12 @@ title: Potential Sophos-Remote Management System RMM Tool Network Activity -id: a6e96201-a321-468f-9600-829c7a4a8b9c +id: 56570b61-4b48-57e7-afd5-834d6eaa37d4 status: experimental description: | Detects potential network activity of Sophos-Remote Management System RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,10 +16,10 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.sophos.com - - *.sophosupd.com - - *.sophosupd.net - - community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system + - '*.sophos.com' + - '*.sophosupd.com' + - '*.sophosupd.net' + - 'community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system' condition: selection falsepositives: - Legitimate use of Sophos-Remote Management System diff --git a/detections/sigma/sophos-remote_management_system_processes_sigma.yml b/detections/sigma/sophos-remote_management_system_processes_sigma.yml index ecbb945a..74224bd5 100644 --- a/detections/sigma/sophos-remote_management_system_processes_sigma.yml +++ b/detections/sigma/sophos-remote_management_system_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Sophos-Remote Management System RMM Tool Process Activity -id: abca1601-eeac-4683-a666-e8ba592e46e3 +id: f311e841-cc26-5d4f-86ab-0704a9ad7acd status: experimental description: | Detects potential processes activity of Sophos-Remote Management System RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
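Review bot: `'community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system'` in the Sophos network hunk is a documentation URL with a path, so it can never match `DestinationHostname` and should be removed from the list (it belongs under `references:` if anywhere). The remaining `'*.sophos.com'`, `'*.sophosupd.com'` and `'*.sophosupd.net'` patterns are vendor-wide domains that plausibly carry update and telemetry traffic of every Sophos product, not only Remote Management System, so as written this rule is likely to fire on any host running Sophos endpoint protection; I cannot propose RMS-specific hosts from what is in the hunk, but the breadth should at least be stated, e.g. `- Any Sophos endpoint protection or update traffic (these domains are shared across Sophos products)` under `falsepositives`. As these files look generated, the fix presumably belongs in the source entry.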
@@ -16,14 +16,14 @@ logsource: detection: selection_parent: ParentImage|endswith: - - clientmrinit.exe - - mgntsvc.exe - - routernt.exe + - 'clientmrinit.exe' + - 'mgntsvc.exe' + - 'routernt.exe' selection_image: Image|endswith: - - clientmrinit.exe - - mgntsvc.exe - - routernt.exe + - 'clientmrinit.exe' + - 'mgntsvc.exe' + - 'routernt.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Sophos-Remote Management System diff --git a/detections/sigma/sorillus_network_sigma.yml b/detections/sigma/sorillus_network_sigma.yml index 8cbdaf6f..5193344f 100644 --- a/detections/sigma/sorillus_network_sigma.yml +++ b/detections/sigma/sorillus_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Sorillus RMM Tool Network Activity -id: 6e25b481-210b-4807-b66e-5d00b1d3fed7 +id: a45ed3ee-1dae-56ba-8b67-cc34308dc924 status: experimental description: | Detects potential network activity of Sorillus RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.sorillus.com - - sorillus.com + - '*.sorillus.com' + - 'sorillus.com' condition: selection falsepositives: - Legitimate use of Sorillus diff --git a/detections/sigma/sorillus_processes_sigma.yml b/detections/sigma/sorillus_processes_sigma.yml index 40a5a3be..41cfe1ba 100644 --- a/detections/sigma/sorillus_processes_sigma.yml +++ b/detections/sigma/sorillus_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Sorillus RMM Tool Process Activity -id: cb2e9d91-8fe8-424f-8b99-bcba5dba14c2 +id: a7651dd4-cca9-568d-8dc2-b1ad0f501cc6 status: experimental description: | Detects potential processes activity of Sorillus RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - Sorillus-Launcher*.exe - - Sorillus Launcher.exe + - 'Sorillus-Launcher*.exe' + - 'Sorillus Launcher.exe' selection_image: Image|endswith: - - Sorillus-Launcher*.exe - - Sorillus Launcher.exe + - 'Sorillus-Launcher*.exe' + - 'Sorillus Launcher.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Sorillus diff --git a/detections/sigma/splashtop__beta__network_sigma.yml b/detections/sigma/splashtop__beta__network_sigma.yml index 7dab26d8..4f49fe7b 100644 --- a/detections/sigma/splashtop__beta__network_sigma.yml +++ b/detections/sigma/splashtop__beta__network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Splashtop (Beta) RMM Tool Network Activity -id: ec58aea4-96d6-46ff-851b-7afd1cbaa8f1 +id: d24f3c61-2827-5c5a-8692-830731d4ab72 status: experimental description: | Detects potential network activity of Splashtop (Beta) RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: splashtop.com + DestinationHostname|endswith: 'splashtop.com' condition: selection falsepositives: - Legitimate use of Splashtop (Beta) diff --git a/detections/sigma/splashtop__beta__processes_sigma.yml b/detections/sigma/splashtop__beta__processes_sigma.yml index ec777d13..197ed8fb 100644 --- a/detections/sigma/splashtop__beta__processes_sigma.yml +++ b/detections/sigma/splashtop__beta__processes_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential Splashtop (Beta) RMM Tool Process Activity -id: 5781e4e7-4a75-42d9-a600-f0df3bad10cc +id: a0accb06-f66f-5221-a52e-31412c14a54c status: experimental description: | Detects potential processes activity of Splashtop (Beta) RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,16 +16,16 @@ logsource: detection: selection_parent: ParentImage|endswith: - - SRServer.exe - - SplashtopSOS.exe - - Splashtop_Streamer_Windows*.exe - - SRManager.exe + - 'SRServer.exe' + - 'SplashtopSOS.exe' + - 'Splashtop_Streamer_Windows*.exe' + - 'SRManager.exe' selection_image: Image|endswith: - - SRServer.exe - - SplashtopSOS.exe - - Splashtop_Streamer_Windows*.exe - - SRManager.exe + - 'SRServer.exe' + - 'SplashtopSOS.exe' + - 'Splashtop_Streamer_Windows*.exe' + - 'SRManager.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Splashtop (Beta) diff --git a/detections/sigma/splashtop_files_sigma.yml b/detections/sigma/splashtop_files_sigma.yml index 206db435..602fdb54 100644 --- a/detections/sigma/splashtop_files_sigma.yml +++ b/detections/sigma/splashtop_files_sigma.yml @@ -1,12 +1,12 @@ title: Potential Splashtop RMM Tool File Activity -id: 47990f7f-bd65-4bb1-bf63-2614df261554 +id: 74f4ab6b-0930-5d18-925f-7f12c17703bd status: experimental description: | Detects potential files activity of Splashtop RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,19 +16,19 @@ logsource: detection: selection: TargetFilename|endswith: - - C:\windows\System32\winevt\Logs\Splashtop-Splashtop Streamer-Status%4Operational.evtx - - C:\windows\System32\winevt\Logs\Splashtop-Splashtop Streamer-Remote Session%4Operational.evtx - - %PROGRAMDATA%\Splashtop\Temp\log\FTCLog.txt - - C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log\agent_log.txt - - C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log\SPLog.txt - - C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log\svcinfo.txt - - C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log\sysinfo.txt - - C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe - - C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe - - C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUAgent.exe - - C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe - - C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe - - C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\db\SRAgent.sqlite3 + - 'C:\windows\System32\winevt\Logs\Splashtop-Splashtop Streamer-Status%4Operational.evtx' + - 'C:\windows\System32\winevt\Logs\Splashtop-Splashtop Streamer-Remote Session%4Operational.evtx' + - '%PROGRAMDATA%\Splashtop\Temp\log\FTCLog.txt' + - 'C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log\agent_log.txt' + - 'C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log\SPLog.txt' + - 'C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log\svcinfo.txt' + - 'C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log\sysinfo.txt' + - 'C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe' + - 'C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe' + - 'C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUAgent.exe' + - 'C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe' + - 'C:\Program Files (x86)\Splashtop\Splashtop 
Remote\Server\SRFeature.exe' + - 'C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\db\SRAgent.sqlite3' condition: selection falsepositives: - Legitimate use of Splashtop diff --git a/detections/sigma/splashtop_network_sigma.yml b/detections/sigma/splashtop_network_sigma.yml index 6ecaa4ac..e06fd21a 100644 --- a/detections/sigma/splashtop_network_sigma.yml +++ b/detections/sigma/splashtop_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Splashtop RMM Tool Network Activity -id: 8ab5acdc-33d7-4a78-b75e-4be4f25972b9 +id: 80234a4c-fe3e-57b9-a0cd-1dba8fb6646b status: experimental description: | Detects potential network activity of Splashtop RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: *.splashtop.com + DestinationHostname|endswith: '*.splashtop.com' condition: selection falsepositives: - Legitimate use of Splashtop diff --git a/detections/sigma/splashtop_processes_sigma.yml b/detections/sigma/splashtop_processes_sigma.yml index a581a055..790aa635 100644 --- a/detections/sigma/splashtop_processes_sigma.yml +++ b/detections/sigma/splashtop_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Splashtop RMM Tool Process Activity -id: 68675e5b-9b70-4883-8467-3598cb91279c +id: 6b196f14-02ea-526c-99fd-0e4f1c7beab4 status: experimental description: | Detects potential processes activity of Splashtop RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
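Review bot: `'%PROGRAMDATA%\Splashtop\Temp\log\FTCLog.txt'` in the Splashtop files hunk carries an unexpanded environment variable; file-event sources record the resolved path, so this entry can never match. Since the modifier is already `endswith`, `'\Splashtop\Temp\log\FTCLog.txt'` does what was intended. The other twelve entries hard-code `C:\windows\...` / `C:\Program Files (x86)\...` prefixes that `endswith` does not need and that miss installs on another drive or path; trimming them to the `\Splashtop\...` suffix would be more robust, though that is a wider edit. These files look generated, so the correction presumably belongs in the source entry.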
@@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: strwinclt.exe + ParentImage|endswith: 'strwinclt.exe' selection_image: - Image|endswith: strwinclt.exe + Image|endswith: 'strwinclt.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Splashtop diff --git a/detections/sigma/splashtop_registry_sigma.yml b/detections/sigma/splashtop_registry_sigma.yml index dc99176d..658d4406 100644 --- a/detections/sigma/splashtop_registry_sigma.yml +++ b/detections/sigma/splashtop_registry_sigma.yml @@ -1,12 +1,12 @@ title: Potential Splashtop RMM Tool Registry Activity -id: 8c1fc139-d98a-4930-b6ea-46508bb60cc5 +id: db2f5b01-c1eb-5a92-8b64-cae5a68bfebe status: experimental description: | Detects potential registry activity of Splashtop RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,17 +16,17 @@ logsource: detection: selection: TargetObject|contains: - - KLM\SOFTWARE\WOW6432Node\Splashtop Inc.\* - - HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Splashtop Software Updater - - HKLM\SYSTEM\CurrentControlSet\Services\SplashtopRemoteService - - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Splashtop-Splashtop Streamer-Remote Session/Operational - - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Splashtop-Splashtop Streamer-Status/Operational - - HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Splashtop Software Updater\InstallRefCount - - HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SplashtopRemoteService - - HKU\.DEFAULT\Software\Splashtop Inc.\* - - HKU\SID\Software\Splashtop Inc.\* - - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Splashtop PDF Remote Printer - - HKLM\SOFTWARE\WOW6432Node\Splashtop Inc.\Splashtop Remote Server\ClientInfo\* + - 'KLM\SOFTWARE\WOW6432Node\Splashtop Inc.\*' + - 'HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Splashtop Software Updater' + - 'HKLM\SYSTEM\CurrentControlSet\Services\SplashtopRemoteService' + - 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Splashtop-Splashtop Streamer-Remote Session/Operational' + - 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Splashtop-Splashtop Streamer-Status/Operational' + - 'HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Splashtop Software Updater\InstallRefCount' + - 'HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SplashtopRemoteService' + - 'HKU\.DEFAULT\Software\Splashtop Inc.\*' + - 'HKU\SID\Software\Splashtop Inc.\*' + - 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Splashtop PDF Remote Printer' + - 'HKLM\SOFTWARE\WOW6432Node\Splashtop Inc.\Splashtop Remote Server\ClientInfo\*' condition: selection falsepositives: - Legitimate use of Splashtop 
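Review bot: The first entry in the Splashtop registry hunk, `'KLM\SOFTWARE\WOW6432Node\Splashtop Inc.\*'`, is missing the leading `H` of `HKLM`, and every entry that ends in `\*` has a second problem: under Sigma's escaping rules a backslash before `*` yields a literal asterisk, so `Splashtop Inc.\*` looks for the text `Splashtop Inc.*` rather than for keys beneath that path. With `TargetObject|contains` the trailing wildcard is unnecessary anyway, so `'HKLM\SOFTWARE\WOW6432Node\Splashtop Inc.'`, `'HKU\.DEFAULT\Software\Splashtop Inc.'` and `'HKLM\SOFTWARE\WOW6432Node\Splashtop Inc.\Splashtop Remote Server\ClientInfo'` are the intended matches. `'HKU\SID\Software\Splashtop Inc.\*'` uses a literal `SID` placeholder that never appears in a real key path; `'\Software\Splashtop Inc.'` already covers every user hive under `contains`. These files look generated, so the fix presumably belongs in the source entry.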
diff --git a/detections/sigma/splashtop_remote_network_sigma.yml b/detections/sigma/splashtop_remote_network_sigma.yml index aa85a458..f162333b 100644 --- a/detections/sigma/splashtop_remote_network_sigma.yml +++ b/detections/sigma/splashtop_remote_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Splashtop Remote RMM Tool Network Activity -id: 95772d6f-0c1d-4515-9779-85824ee59269 +id: 4c8438ac-87b3-51d9-9a2b-a46adb5dedff status: experimental description: | Detects potential network activity of Splashtop Remote RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,10 +16,10 @@ logsource: detection: selection: DestinationHostname|endswith: - - splashtop.com - - *.api.splashtop.com - - *.relay.splashtop.com - - *.api.splashtop.eu + - 'splashtop.com' + - '*.api.splashtop.com' + - '*.relay.splashtop.com' + - '*.api.splashtop.eu' condition: selection falsepositives: - Legitimate use of Splashtop Remote diff --git a/detections/sigma/splashtop_remote_processes_sigma.yml b/detections/sigma/splashtop_remote_processes_sigma.yml index 71e1257a..e59205fa 100644 --- a/detections/sigma/splashtop_remote_processes_sigma.yml +++ b/detections/sigma/splashtop_remote_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Splashtop Remote RMM Tool Process Activity -id: 628892d4-70d7-442f-9e46-163b4bd053d8 +id: 0e9d5a8b-d10f-5687-b6f8-f6025df6549c status: experimental description: | Detects potential processes activity of Splashtop Remote RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,22 +16,22 @@ logsource: detection: selection_parent: ParentImage|endswith: - - strwinclt.exe - - Splashtop_Streamer_Windows*.exe - - SplashtopSOS.exe - - sragent.exe - - srmanager.exe - - srserver.exe - - srservice.exe + - 'strwinclt.exe' + - 'Splashtop_Streamer_Windows*.exe' + - 'SplashtopSOS.exe' + - 'sragent.exe' + - 'srmanager.exe' + - 'srserver.exe' + - 'srservice.exe' selection_image: Image|endswith: - - strwinclt.exe - - Splashtop_Streamer_Windows*.exe - - SplashtopSOS.exe - - sragent.exe - - srmanager.exe - - srserver.exe - - srservice.exe + - 'strwinclt.exe' + - 'Splashtop_Streamer_Windows*.exe' + - 'SplashtopSOS.exe' + - 'sragent.exe' + - 'srmanager.exe' + - 'srserver.exe' + - 'srservice.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Splashtop Remote diff --git a/detections/sigma/spyanywhere_network_sigma.yml b/detections/sigma/spyanywhere_network_sigma.yml index 8a1e16fe..62ff0d7a 100644 --- a/detections/sigma/spyanywhere_network_sigma.yml +++ b/detections/sigma/spyanywhere_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential SpyAnywhere RMM Tool Network Activity -id: 45151543-012c-4875-b809-cd3878b63def +id: a15d9463-7800-5896-8afb-f4806ca852d3 status: experimental description: | Detects potential network activity of SpyAnywhere RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.spytech-web.com - - spyanywhere.com + - '*.spytech-web.com' + - 'spyanywhere.com' condition: selection falsepositives: - Legitimate use of SpyAnywhere diff --git a/detections/sigma/spyanywhere_processes_sigma.yml b/detections/sigma/spyanywhere_processes_sigma.yml index 9bec7ca4..bf02553f 100644 --- a/detections/sigma/spyanywhere_processes_sigma.yml +++ b/detections/sigma/spyanywhere_processes_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential SpyAnywhere RMM Tool Process Activity -id: 278b1ae9-f847-42e7-b3d6-38a349c1542b +id: 5760bb62-cabc-5fc9-b5f7-1b0eb352d67c status: experimental description: | Detects potential processes activity of SpyAnywhere RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: sysdiag.exe + ParentImage|endswith: 'sysdiag.exe' selection_image: - Image|endswith: sysdiag.exe + Image|endswith: 'sysdiag.exe' condition: 1 of selection_* falsepositives: - Legitimate use of SpyAnywhere diff --git a/detections/sigma/sunlogin_network_sigma.yml b/detections/sigma/sunlogin_network_sigma.yml index 33b83469..a72f9716 100644 --- a/detections/sigma/sunlogin_network_sigma.yml +++ b/detections/sigma/sunlogin_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential SunLogin RMM Tool Network Activity -id: 3e298919-e799-44b3-8122-35d2b02baa51 +id: ae9c3430-7e86-57bc-833e-0c2a33b8a544 status: experimental description: | Detects potential network activity of SunLogin RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - sunlogin.oray.com - - client.oray.net + - 'sunlogin.oray.com' + - 'client.oray.net' condition: selection falsepositives: - Legitimate use of SunLogin diff --git a/detections/sigma/sunlogin_processes_sigma.yml b/detections/sigma/sunlogin_processes_sigma.yml index dff9443b..ea3344cd 100644 --- a/detections/sigma/sunlogin_processes_sigma.yml +++ b/detections/sigma/sunlogin_processes_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential SunLogin RMM Tool Process Activity -id: e3facbfa-0474-406e-a800-91a4ddf1b08e +id: 50661c23-9728-505e-92e5-7fcf68ba272c status: experimental description: | Detects potential processes activity of SunLogin RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,14 +16,14 @@ logsource: detection: selection_parent: ParentImage|endswith: - - OrayRemoteShell.exe - - OrayRemoteService.exe - - sunlogin*.exe + - 'OrayRemoteShell.exe' + - 'OrayRemoteService.exe' + - 'sunlogin*.exe' selection_image: Image|endswith: - - OrayRemoteShell.exe - - OrayRemoteService.exe - - sunlogin*.exe + - 'OrayRemoteShell.exe' + - 'OrayRemoteService.exe' + - 'sunlogin*.exe' condition: 1 of selection_* falsepositives: - Legitimate use of SunLogin diff --git a/detections/sigma/superops_network_sigma.yml b/detections/sigma/superops_network_sigma.yml index 7f4dee73..8b9bb693 100644 --- a/detections/sigma/superops_network_sigma.yml +++ b/detections/sigma/superops_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential SuperOps RMM Tool Network Activity -id: 79d52531-1c2f-4ca7-9625-c5bb6c5db1e2 +id: 7f604aa8-b2fd-5b59-9e74-c6591082cccb status: experimental description: | Detects potential network activity of SuperOps RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,11 +16,11 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.superopsbeta.com - - superops.ai - - serv.superopsalpha.com - - *.superops.ai - - *.superopsalpha.com + - '*.superopsbeta.com' + - 'superops.ai' + - 'serv.superopsalpha.com' + - '*.superops.ai' + - '*.superopsalpha.com' condition: selection falsepositives: - Legitimate use of SuperOps 
diff --git a/detections/sigma/superops_processes_sigma.yml b/detections/sigma/superops_processes_sigma.yml index c0310240..d792c839 100644 --- a/detections/sigma/superops_processes_sigma.yml +++ b/detections/sigma/superops_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential SuperOps RMM Tool Process Activity -id: a7d2caf4-7fed-4e47-9a33-34f59c288d3c +id: a5b88b5e-4ee5-59fe-be77-a9dff94a4401 status: experimental description: | Detects potential processes activity of SuperOps RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - superopsticket.exe - - superops.exe + - 'superopsticket.exe' + - 'superops.exe' selection_image: Image|endswith: - - superopsticket.exe - - superops.exe + - 'superopsticket.exe' + - 'superops.exe' condition: 1 of selection_* falsepositives: - Legitimate use of SuperOps diff --git a/detections/sigma/superputty_processes_sigma.yml b/detections/sigma/superputty_processes_sigma.yml index 381541bf..83853ca9 100644 --- a/detections/sigma/superputty_processes_sigma.yml +++ b/detections/sigma/superputty_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential SuperPuTTY RMM Tool Process Activity -id: 2c6cea3b-3a7e-466a-8a63-1d56929da07e +id: fae01e7f-2500-5086-b6cb-a1f14a24bcda status: experimental description: | Detects potential processes activity of SuperPuTTY RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: superputty.exe + ParentImage|endswith: '*\superputty.exe' selection_image: - Image|endswith: superputty.exe + Image|endswith: '*\superputty.exe' condition: 1 of selection_* falsepositives: - Legitimate use of SuperPuTTY 
diff --git a/detections/sigma/supremo_network_sigma.yml b/detections/sigma/supremo_network_sigma.yml index b4fb60f9..38546dd8 100644 --- a/detections/sigma/supremo_network_sigma.yml +++ b/detections/sigma/supremo_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Supremo RMM Tool Network Activity -id: 5f271e68-5abd-4da5-ac04-e534e222b913 +id: 8d3aa038-ebac-5535-97f5-fb2216b9c9d6 status: experimental description: | Detects potential network activity of Supremo RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,10 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: - - supremocontrol.com - - *.supremocontrol.com - - * .nanosystems.it + DestinationHostname|endswith: '*.supremocontrol.com' condition: selection falsepositives: - Legitimate use of Supremo diff --git a/detections/sigma/supremo_processes_sigma.yml b/detections/sigma/supremo_processes_sigma.yml index e518ff40..04964176 100644 --- a/detections/sigma/supremo_processes_sigma.yml +++ b/detections/sigma/supremo_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Supremo RMM Tool Process Activity -id: 59402341-b4b2-4306-b9b5-d49d9c859700 +id: b415e3f0-1e76-55ff-a876-e3e344f36a3e status: experimental description: | Detects potential processes activity of Supremo RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
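Review bot: Collapsing the Supremo network list to the single value `'*.supremocontrol.com'` also drops the apex `supremocontrol.com`, and with `endswith` the `*.` form requires a preceding dot, so a connection to the bare domain no longer matches. If that narrowing is not intended, keep a two-item list: `- 'supremocontrol.com'` and `- '*.supremocontrol.com'`. The removed `* .nanosystems.it` was clearly malformed (embedded space), but if it was a typo for `*.nanosystems.it` rather than a bogus entry it should be re-added in corrected form rather than silently lost; I cannot tell which from this hunk.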
@@ -16,16 +16,18 @@ logsource: detection: selection_parent: ParentImage|endswith: - - supremo.exe - - supremoservice.exe - - supremosystem.exe - - supremohelper.exe + - '*\\supremoremotedesktop\\supremosystem.exe' + - 'supremo.exe' + - 'supremohelper.exe' + - 'supremoservice.exe' + - 'SupremoSystem.exe' selection_image: Image|endswith: - - supremo.exe - - supremoservice.exe - - supremosystem.exe - - supremohelper.exe + - '*\\supremoremotedesktop\\supremosystem.exe' + - 'supremo.exe' + - 'supremohelper.exe' + - 'supremoservice.exe' + - 'SupremoSystem.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Supremo diff --git a/detections/sigma/syncro_network_sigma.yml b/detections/sigma/syncro_network_sigma.yml index ee751da1..cc6c95c5 100644 --- a/detections/sigma/syncro_network_sigma.yml +++ b/detections/sigma/syncro_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Syncro RMM Tool Network Activity -id: 24964039-9f3a-40ac-a2e0-1a346b3278f7 +id: 6130e967-beb1-5b92-acb5-80939cc36dbd status: experimental description: | Detects potential network activity of Syncro RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,17 +16,17 @@ logsource: detection: selection: DestinationHostname|endswith: - - kabuto.io - - *.syncromsp.com - - *.syncroapi.com - - syncromsp.com - - servably.com - - ld.aurelius.host - - app.kabuto.io - - *.kabutoservices.com - - repairshopr.com - - kabutoservices.com - - attachments.servably.com + - 'kabuto.io' + - '*.syncromsp.com' + - '*.syncroapi.com' + - 'syncromsp.com' + - 'servably.com' + - 'ld.aurelius.host' + - 'app.kabuto.io ' + - '*.kabutoservices.com' + - 'repairshopr.com' + - 'kabutoservices.com' + - 'attachments.servably.com' condition: selection falsepositives: - Legitimate use of Syncro 
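Review bot: `'app.kabuto.io '` in the Syncro network selection carries a trailing space inside the quotes, so this entry can never match a hostname. Before this change the value was a plain scalar and YAML dropped the trailing whitespace; single-quoting preserves it, so the quoting pass has turned an invisible blemish in the source list into a dead pattern. Change the line to `- 'app.kabuto.io'` and have the generator `.strip()` every value before it is quoted so the same thing cannot recur in other rules.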
diff --git a/detections/sigma/syncro_processes_sigma.yml b/detections/sigma/syncro_processes_sigma.yml index 0257620e..6ec79790 100644 --- a/detections/sigma/syncro_processes_sigma.yml +++ b/detections/sigma/syncro_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Syncro RMM Tool Process Activity -id: cf4cd05a-5d37-4008-8783-ca04c7bc488d +id: b2477c9a-96ad-5bf0-8f04-c7bb5a2d59e8 status: experimental description: | Detects potential processes activity of Syncro RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,28 +16,28 @@ logsource: detection: selection_parent: ParentImage|endswith: - - Syncro.Installer.exe - - Kabuto.App.Runner.exe - - Syncro.Overmind.Service.exe - - Kabuto.Installer.exe - - KabutoSetup.exe - - Syncro.Service.exe - - Kabuto.Service.Runner.exe - - Syncro.App.Runner.exe - - SyncroLive.Service.exe - - SyncroLive.Agent.exe + - 'Syncro.Installer.exe' + - 'Kabuto.App.Runner.exe' + - 'Syncro.Overmind.Service.exe' + - 'Kabuto.Installer.exe' + - 'KabutoSetup.exe' + - 'Syncro.Service.exe' + - 'Kabuto.Service.Runner.exe' + - 'Syncro.App.Runner.exe' + - 'SyncroLive.Service.exe' + - 'SyncroLive.Agent.exe' selection_image: Image|endswith: - - Syncro.Installer.exe - - Kabuto.App.Runner.exe - - Syncro.Overmind.Service.exe - - Kabuto.Installer.exe - - KabutoSetup.exe - - Syncro.Service.exe - - Kabuto.Service.Runner.exe - - Syncro.App.Runner.exe - - SyncroLive.Service.exe - - SyncroLive.Agent.exe + - 'Syncro.Installer.exe' + - 'Kabuto.App.Runner.exe' + - 'Syncro.Overmind.Service.exe' + - 'Kabuto.Installer.exe' + - 'KabutoSetup.exe' + - 'Syncro.Service.exe' + - 'Kabuto.Service.Runner.exe' + - 'Syncro.App.Runner.exe' + - 'SyncroLive.Service.exe' + - 'SyncroLive.Agent.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Syncro 
diff --git a/detections/sigma/syncthing_processes_sigma.yml b/detections/sigma/syncthing_processes_sigma.yml index f67c6192..9ff2c115 100644 --- a/detections/sigma/syncthing_processes_sigma.yml +++ b/detections/sigma/syncthing_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Syncthing RMM Tool Process Activity -id: b7200f2a-41de-4da4-b20b-0b579e994623 +id: 9dbaff25-1bcd-5ecb-ab11-13f1bfcf223e status: experimental description: | Detects potential processes activity of Syncthing RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: Syncthing.exe + ParentImage|endswith: '*\Syncthing.exe' selection_image: - Image|endswith: Syncthing.exe + Image|endswith: '*\Syncthing.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Syncthing diff --git a/detections/sigma/synergy_network_sigma.yml b/detections/sigma/synergy_network_sigma.yml index 74436946..7dfec8a1 100644 --- a/detections/sigma/synergy_network_sigma.yml +++ b/detections/sigma/synergy_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Synergy RMM Tool Network Activity -id: d6093ed7-06f5-4c92-80d6-05478bc70c2d +id: 019bec4c-7356-533b-ae47-096857196607 status: experimental description: | Detects potential network activity of Synergy RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: user_managed + DestinationHostname|endswith: 'user_managed' condition: selection falsepositives: - Legitimate use of Synergy diff --git a/detections/sigma/sysaid_processes_sigma.yml b/detections/sigma/sysaid_processes_sigma.yml index ddab9cbc..5ab5cb3a 100644 
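Review bot: `DestinationHostname|endswith: 'user_managed'` is a placeholder rather than a hostname, and because it is the only selection value the Synergy rule can never fire; quoting it just makes the dead pattern explicit. The same placeholder is carried in the teledesktop, tigervnc, tightvnc and turbomeeting network rules further down, and `'tanium.com/products/tanium-deploy'` (tanium_deploy) and `'acceo.com/turbomeeting/'` (turbomeeting) are URL paths that likewise cannot be the suffix of a hostname. The generator should filter such values out of `DestinationHostname` selections and skip emitting a network rule when nothing usable is left, so that a rule with no matching capability does not ship as `status: experimental`.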
--- a/detections/sigma/sysaid_processes_sigma.yml +++ b/detections/sigma/sysaid_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential SysAid RMM Tool Process Activity -id: 0a51c575-0166-498c-9bb2-16918ac45dca +id: 8372e525-029b-58f3-9401-9bdbf90d7b08 status: experimental description: | Detects potential processes activity of SysAid RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,9 +15,9 @@ logsource: category: process_creation detection: selection_parent: - ParentImage|endswith: IliAS.exe + ParentImage|endswith: '*\IliAS.exe' selection_image: - Image|endswith: IliAS.exe + Image|endswith: '*\IliAS.exe' condition: 1 of selection_* falsepositives: - Legitimate use of SysAid diff --git a/detections/sigma/syspectr_network_sigma.yml b/detections/sigma/syspectr_network_sigma.yml index 845ef343..ce13e0e1 100644 --- a/detections/sigma/syspectr_network_sigma.yml +++ b/detections/sigma/syspectr_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Syspectr RMM Tool Network Activity -id: 7f19fc2c-6952-4582-84c7-70d1e19171f9 +id: 4518883d-c2f5-54db-89b5-f0c8fecee3a9 status: experimental description: | Detects potential network activity of Syspectr RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - atled.syspectr.com - - app.syspectr.com + - 'atled.syspectr.com' + - 'app.syspectr.com' condition: selection falsepositives: - Legitimate use of Syspectr diff --git a/detections/sigma/syspectr_processes_sigma.yml b/detections/sigma/syspectr_processes_sigma.yml index cdf8a158..855ff5a1 100644 --- a/detections/sigma/syspectr_processes_sigma.yml +++ b/detections/sigma/syspectr_processes_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential Syspectr RMM Tool Process Activity -id: 791169bf-9cc5-4962-a177-a4dd9d5efd07 +id: ca9a0bbb-2e6f-5a21-abea-25a0acdb5fef status: experimental description: | Detects potential processes activity of Syspectr RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - oo-syspectr*.exe - - OOSysAgent.exe + - 'oo-syspectr*.exe' + - 'OOSysAgent.exe' selection_image: Image|endswith: - - oo-syspectr*.exe - - OOSysAgent.exe + - 'oo-syspectr*.exe' + - 'OOSysAgent.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Syspectr diff --git a/detections/sigma/tactical_rmm_network_sigma.yml b/detections/sigma/tactical_rmm_network_sigma.yml index d952db68..36fb2131 100644 --- a/detections/sigma/tactical_rmm_network_sigma.yml +++ b/detections/sigma/tactical_rmm_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Tactical RMM RMM Tool Network Activity -id: 1bd55201-587b-4d91-8c96-aac7b71b4086 +id: 25637f98-28c9-5675-829c-d78718f12acf status: experimental description: | Detects potential network activity of Tactical RMM RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,9 +16,9 @@ logsource: detection: selection: DestinationHostname|endswith: - - login.tailscale.com - - login.tailscale.com - - docs.tacticalrmm.com + - 'login.tailscale.com' + - 'login.tailscale.com' + - 'docs.tacticalrmm.com' condition: selection falsepositives: - Legitimate use of Tactical RMM diff --git a/detections/sigma/tactical_rmm_processes_sigma.yml b/detections/sigma/tactical_rmm_processes_sigma.yml index 82924efc..7f4aa8d4 100644 --- a/detections/sigma/tactical_rmm_processes_sigma.yml +++ b/detections/sigma/tactical_rmm_processes_sigma.yml 
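Review bot: `'login.tailscale.com'` is listed twice in the Tactical RMM network selection, which shows the generator does not de-duplicate; the same repetition appears in tactical_rmm_processes (`'tacticalrmm.exe'` twice), todesk_network (`'*.todesk.com'` twice) and teamviewer_registry (`HKLM\SOFTWARE\TeamViewer\ConnectionHistory` twice). A `list(dict.fromkeys(values))` pass before writing would keep order and drop repeats. Separately, `'docs.tacticalrmm.com'` appears to be the product's documentation site, so a connection there indicates someone reading docs rather than an agent talking home, and `login.tailscale.com` is already covered by the `'*.tailscale.com'` entry in the tailscale rule — both are more likely false-positive sources than RMM indicators.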
@@ -1,12 +1,12 @@ title: Potential Tactical RMM RMM Tool Process Activity -id: 77e5402e-b561-43ea-9203-963763b5609e +id: ff8e0328-c188-532e-bb12-0847ba9f15e3 status: experimental description: | Detects potential processes activity of Tactical RMM RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - tacticalrmm.exe - - tacticalrmm.exe + - 'tacticalrmm.exe' + - 'tacticalrmm.exe' selection_image: Image|endswith: - - tacticalrmm.exe - - tacticalrmm.exe + - 'tacticalrmm.exe' + - 'tacticalrmm.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Tactical RMM diff --git a/detections/sigma/tailscale_network_sigma.yml b/detections/sigma/tailscale_network_sigma.yml index 7d6c0ee1..8bea71b1 100644 --- a/detections/sigma/tailscale_network_sigma.yml +++ b/detections/sigma/tailscale_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Tailscale RMM Tool Network Activity -id: 6998cd3a-3c73-4211-9215-55a53ece55b6 +id: 5dcbc2c1-106f-5850-b055-ceb648d24f99 status: experimental description: | Detects potential network activity of Tailscale RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,9 +16,9 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.tailscale.com - - *.tailscale.io - - tailscale.com + - '*.tailscale.com' + - '*.tailscale.io' + - 'tailscale.com' condition: selection falsepositives: - Legitimate use of Tailscale diff --git a/detections/sigma/tailscale_processes_sigma.yml b/detections/sigma/tailscale_processes_sigma.yml index ee5fcecb..7a2f726b 100644 --- a/detections/sigma/tailscale_processes_sigma.yml +++ b/detections/sigma/tailscale_processes_sigma.yml 
@@ -1,12 +1,12 @@ title: Potential Tailscale RMM Tool Process Activity -id: 9e0cab82-8204-40d4-85ce-73915b1c7c61 +id: dab9913c-44e8-5ccd-8d37-11b9311059a4 status: experimental description: | Detects potential processes activity of Tailscale RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,14 +16,14 @@ logsource: detection: selection_parent: ParentImage|endswith: - - tailscale-*.exe - - tailscaled.exe - - tailscale-ipn.exe + - 'tailscale-*.exe' + - 'tailscaled.exe' + - 'tailscale-ipn.exe' selection_image: Image|endswith: - - tailscale-*.exe - - tailscaled.exe - - tailscale-ipn.exe + - 'tailscale-*.exe' + - 'tailscaled.exe' + - 'tailscale-ipn.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Tailscale diff --git a/detections/sigma/tanium_deploy_network_sigma.yml b/detections/sigma/tanium_deploy_network_sigma.yml index bf64775d..5a478f75 100644 --- a/detections/sigma/tanium_deploy_network_sigma.yml +++ b/detections/sigma/tanium_deploy_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Tanium Deploy RMM Tool Network Activity -id: f93aa9bc-cbc4-436d-89be-617d57b96db7 +id: 2c179bfe-afdd-5daf-9dee-fb29f55b4e6d status: experimental description: | Detects potential network activity of Tanium Deploy RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: tanium.com/products/tanium-deploy + DestinationHostname|endswith: 'tanium.com/products/tanium-deploy' condition: selection falsepositives: - Legitimate use of Tanium Deploy diff --git a/detections/sigma/tanium_network_sigma.yml b/detections/sigma/tanium_network_sigma.yml index e5eefa9f..0124056b 100644 --- a/detections/sigma/tanium_network_sigma.yml 
+++ b/detections/sigma/tanium_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential Tanium RMM Tool Network Activity -id: b0d305ba-1065-4f38-8b5d-9bac2121faad +id: 6d343c3e-f9b5-5158-86fa-001676e64397 status: experimental description: | Detects potential network activity of Tanium RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - cloud.tanium.com - - *.cloud.tanium.com + - 'cloud.tanium.com' + - '*.cloud.tanium.com' condition: selection falsepositives: - Legitimate use of Tanium diff --git a/detections/sigma/tanium_processes_sigma.yml b/detections/sigma/tanium_processes_sigma.yml index 5829facb..68cc2329 100644 --- a/detections/sigma/tanium_processes_sigma.yml +++ b/detections/sigma/tanium_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential Tanium RMM Tool Process Activity -id: 3ed81efb-a88a-48df-a65e-eeae644b4dd9 +id: bfb48114-5a65-56de-91dd-b561a663a442 status: experimental description: | Detects potential processes activity of Tanium RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,18 +16,18 @@ logsource: detection: selection_parent: ParentImage|endswith: - - TaniumClient.exe - - TaniumCX.exe - - TaniumExecWrapper.exe - - TaniumFileInfo.exe - - TPowerShell.exe + - 'TaniumClient.exe' + - 'TaniumCX.exe' + - 'TaniumExecWrapper.exe' + - 'TaniumFileInfo.exe' + - 'TPowerShell.exe' selection_image: Image|endswith: - - TaniumClient.exe - - TaniumCX.exe - - TaniumExecWrapper.exe - - TaniumFileInfo.exe - - TPowerShell.exe + - 'TaniumClient.exe' + - 'TaniumCX.exe' + - 'TaniumExecWrapper.exe' + - 'TaniumFileInfo.exe' + - 'TPowerShell.exe' condition: 1 of selection_* falsepositives: - Legitimate use of Tanium 
diff --git a/detections/sigma/teamviewer_files_sigma.yml b/detections/sigma/teamviewer_files_sigma.yml index 509a99e9..5a1a5719 100644 --- a/detections/sigma/teamviewer_files_sigma.yml +++ b/detections/sigma/teamviewer_files_sigma.yml @@ -1,12 +1,12 @@ title: Potential TeamViewer RMM Tool File Activity -id: fe921b8e-7f8f-4e35-a91e-a4579aa4fd09 +id: b6d63ccd-6c8c-5afd-b750-79aeb7542dea status: experimental description: | Detects potential files activity of TeamViewer RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,23 +16,23 @@ logsource: detection: selection: TargetFilename|endswith: - - C:\Users\\AppData\Local\Temp\TeamViewer\TV15Install.log - - TeamViewer\d\d_Logfile\.log - - C:\Program Files\TeamViewer\Connections_incoming.txt - - C:\Program Files\TeamViewer\TVNetwork.log - - %LOCALAPPDATA%\Temp\TeamViewer\TV15Install.log - - %APPDATA%\\TeamViewer\\TeamViewer\d\d_Logfile\.log - - teamviewerqs.exe - - tv_w32.exe - - tv_w64.exe - - tv_x64.exe - - teamviewer.exe - - teamviewer_service.exe - - %LOCALAPPDATA%\TeamViewer\Database\tvchatfilecache.db - - %LOCALAPPDATA%\TeamViewer\RemotePrinting\tvprint.db - - %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\TeamViewer.lnk - - C:\Program Files*\TeamViewer\connections*.txt - - C:\Users\*\AppData\Roaming\TeamViewer\MRU\RemoteSupport\*tvc + - 'C:\Users\\AppData\Local\Temp\TeamViewer\TV15Install.log' + - 'TeamViewer\d\d_Logfile\.log' + - 'C:\Program Files\TeamViewer\Connections_incoming.txt' + - 'C:\Program Files\TeamViewer\TVNetwork.log' + - '%LOCALAPPDATA%\Temp\TeamViewer\TV15Install.log' + - '%APPDATA%\\TeamViewer\\TeamViewer\d\d_Logfile\.log' + - 'teamviewerqs.exe' + - 'tv_w32.exe' + - 'tv_w64.exe' + - 'tv_x64.exe' + - 'teamviewer.exe' + - 'teamviewer_service.exe' + - '%LOCALAPPDATA%\TeamViewer\Database\tvchatfilecache.db' + - '%LOCALAPPDATA%\TeamViewer\RemotePrinting\tvprint.db' + - '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\TeamViewer.lnk' + - 'C:\Program Files*\TeamViewer\connections*.txt' + - 'C:\Users\*\AppData\Roaming\TeamViewer\MRU\RemoteSupport\*tvc' condition: selection falsepositives: - Legitimate use of TeamViewer diff --git a/detections/sigma/teamviewer_network_sigma.yml b/detections/sigma/teamviewer_network_sigma.yml index 365c3cfd..1ea9670e 100644 --- a/detections/sigma/teamviewer_network_sigma.yml +++ b/detections/sigma/teamviewer_network_sigma.yml 
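Review bot: Several of these `TargetFilename|endswith` values cannot match a real path, and quoting now pins them as literal strings: `'TeamViewer\d\d_Logfile\.log'` and `'%APPDATA%\\TeamViewer\\TeamViewer\d\d_Logfile\.log'` are regex fragments that `endswith` compares literally, `'C:\Users\\AppData\Local\Temp\TeamViewer\TV15Install.log'` lacks the user-name segment, and the `%LOCALAPPDATA%`/`%PROGRAMDATA%` entries are unexpanded environment variables that file-event telemetry reports already expanded. `'C:\Users\*\AppData\Roaming\TeamViewer\MRU\RemoteSupport\*tvc'` has a subtler problem: in Sigma's escaping rules `\*` is an escaped literal asterisk, so both wildcards are disabled and the value must be written `'C:\Users\\*\AppData\Roaming\TeamViewer\MRU\RemoteSupport\\*tvc'` to mean backslash-then-wildcard. The regex-style entries should either be rewritten as wildcard forms (e.g. `'\TeamViewer\TeamViewer??_Logfile.log'`) or moved to a separate `TargetFilename|re` selection; the bare file-name entries such as `'teamviewer.exe'` are fine as they are.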
@@ -1,12 +1,12 @@ title: Potential TeamViewer RMM Tool Network Activity -id: dfe972f9-9cae-4e5a-b7a6-faf64a589059 +id: a184776b-5fcc-5637-bf07-45a2d30db029 status: experimental description: | Detects potential network activity of TeamViewer RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,10 +16,10 @@ logsource: detection: selection: DestinationHostname|endswith: - - *.teamviewer.com - - router15.teamviewer.com - - client.teamviewer.com - - taf.teamviewer.com + - '*.teamviewer.com' + - 'router15.teamviewer.com' + - 'client.teamviewer.com' + - 'taf.teamviewer.com' condition: selection falsepositives: - Legitimate use of TeamViewer diff --git a/detections/sigma/teamviewer_processes_sigma.yml b/detections/sigma/teamviewer_processes_sigma.yml index 079c8ddf..d0299742 100644 --- a/detections/sigma/teamviewer_processes_sigma.yml +++ b/detections/sigma/teamviewer_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential TeamViewer RMM Tool Process Activity -id: 42c7fcb9-0379-4b81-b03e-1bcfe16f27af +id: fb9bb911-7eac-5670-86ee-e90f1d9c80b3 status: experimental description: | Detects potential processes activity of TeamViewer RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,12 +16,12 @@ logsource: detection: selection_parent: ParentImage|endswith: - - teamviewer_desktop.exe - - teamviewer_service.exe + - 'teamviewer_desktop.exe' + - 'teamviewer_service.exe' selection_image: Image|endswith: - - teamviewer_desktop.exe - - teamviewer_service.exe + - 'teamviewer_desktop.exe' + - 'teamviewer_service.exe' condition: 1 of selection_* falsepositives: - Legitimate use of TeamViewer diff --git a/detections/sigma/teamviewer_registry_sigma.yml b/detections/sigma/teamviewer_registry_sigma.yml index 32ab2de0..0ebaa6dd 100644 
--- a/detections/sigma/teamviewer_registry_sigma.yml +++ b/detections/sigma/teamviewer_registry_sigma.yml @@ -1,12 +1,12 @@ title: Potential TeamViewer RMM Tool Registry Activity -id: 6673bb39-482d-4b90-8ab2-a3ad594eb5eb +id: 6ef1effe-72f2-5dfd-820c-87e1fde05a26 status: experimental description: | Detects potential registry activity of TeamViewer RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 
@@ -16,22 +16,22 @@ logsource: detection: selection: TargetObject|contains: - - HKLM\SOFTWARE\TeamViewer\* - - HKU\\SOFTWARE\TeamViewer\* - - HKLM\SYSTEM\CurrentControlSet\Services\TeamViewer\* - - HKLM\SOFTWARE\TeamViewer\ConnectionHistory - - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer\* - - HKU\SID\SOFTWARE\TeamViewer\MainWindowHandle - - HKU\SID\SOFTWARE\TeamViewer\DesktopWallpaperSingleImage - - HKU\SID\SOFTWARE\TeamViewer\DesktopWallpaperSingleImagePath - - HKU\SID\SOFTWARE\TeamViewer\DesktopWallpaperSingleImagePosition - - HKU\SID\SOFTWARE\TeamViewer\MinimizeToTray - - HKU\SID\SOFTWARE\TeamViewer\MultiMedia\AudioUserSelectedCapturingEndpoint - - HKU\SID\SOFTWARE\TeamViewer\MultiMedia\AudioSendingVolumeV2 - - HKU\SID\SOFTWARE\TeamViewer\MultiMedia\AudioUserSelectedRenderingEndpoint - - HKLM\SOFTWARE\TeamViewer\ConnectionHistory - - HKU\SID\SOFTWARE\TeamViewer\ClientWindow_Mode - - HKU\SID\SOFTWARE\TeamViewer\ClientWindowPositions + - 'HKLM\SOFTWARE\TeamViewer\*' + - 'HKU\\SOFTWARE\TeamViewer\*' + - 'HKLM\SYSTEM\CurrentControlSet\Services\TeamViewer\*' + - 'HKLM\SOFTWARE\TeamViewer\ConnectionHistory' + - 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer\*' + - 'HKU\SID\SOFTWARE\TeamViewer\MainWindowHandle' + - 'HKU\SID\SOFTWARE\TeamViewer\DesktopWallpaperSingleImage' + - 'HKU\SID\SOFTWARE\TeamViewer\DesktopWallpaperSingleImagePath' + - 'HKU\SID\SOFTWARE\TeamViewer\DesktopWallpaperSingleImagePosition' + - 'HKU\SID\SOFTWARE\TeamViewer\MinimizeToTray' + - 'HKU\SID\SOFTWARE\TeamViewer\MultiMedia\AudioUserSelectedCapturingEndpoint' + - 'HKU\SID\SOFTWARE\TeamViewer\MultiMedia\AudioSendingVolumeV2' + - 'HKU\SID\SOFTWARE\TeamViewer\MultiMedia\AudioUserSelectedRenderingEndpoint' + - 'HKLM\SOFTWARE\TeamViewer\ConnectionHistory' + - 'HKU\SID\SOFTWARE\TeamViewer\ClientWindow_Mode' + - 'HKU\SID\SOFTWARE\TeamViewer\ClientWindowPositions' condition: selection falsepositives: - Legitimate use of TeamViewer 
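Review bot: The four entries ending in `\*` — `'HKLM\SOFTWARE\TeamViewer\*'`, `'HKU\\SOFTWARE\TeamViewer\*'`, `'HKLM\SYSTEM\CurrentControlSet\Services\TeamViewer\*'` and the `Uninstall\TeamViewer\*` one — can never match, because in Sigma's escaping rules `\*` is an escaped literal asterisk, not a backslash followed by a wildcard; with `contains` the suffix is unnecessary anyway, so `'HKLM\SOFTWARE\TeamViewer\\'` (or `\\*` if the wildcard is wanted) is the form intended. The ten `HKU\SID\SOFTWARE\TeamViewer\…` entries keep a literal `SID` placeholder where a real user SID would appear, so they are equally dead; since the modifier is `contains`, dropping the hive prefix (`'\SOFTWARE\TeamViewer\MainWindowHandle'` and so on) makes them match under any user hive. `'HKLM\SOFTWARE\TeamViewer\ConnectionHistory'` is also listed twice.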
diff --git a/detections/sigma/teledesktop_network_sigma.yml b/detections/sigma/teledesktop_network_sigma.yml index 5735e6a3..f3982e98 100644 --- a/detections/sigma/teledesktop_network_sigma.yml +++ b/detections/sigma/teledesktop_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential TeleDesktop RMM Tool Network Activity -id: 6d77f583-7194-495b-af7c-9190730aaa31 +id: 73b58ef4-34eb-5c88-98d5-b8c4d7126937 status: experimental description: | Detects potential network activity of TeleDesktop RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - user_managed - - tele-desk.com + - 'user_managed' + - 'tele-desk.com' condition: selection falsepositives: - Legitimate use of TeleDesktop diff --git a/detections/sigma/teledesktop_processes_sigma.yml b/detections/sigma/teledesktop_processes_sigma.yml index 15988622..56b872f2 100644 --- a/detections/sigma/teledesktop_processes_sigma.yml +++ b/detections/sigma/teledesktop_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential TeleDesktop RMM Tool Process Activity -id: b76c775d-8892-4845-9f6b-cc206b73321e +id: e5eb90c4-d5a4-524c-8fcd-71339367b55e status: experimental description: | Detects potential processes activity of TeleDesktop RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,14 +16,14 @@ logsource: detection: selection_parent: ParentImage|endswith: - - pstlaunch.exe - - ptdskclient.exe - - ptdskhost.exe + - 'pstlaunch.exe' + - 'ptdskclient.exe' + - 'ptdskhost.exe' selection_image: Image|endswith: - - pstlaunch.exe - - ptdskclient.exe - - ptdskhost.exe + - 'pstlaunch.exe' + - 'ptdskclient.exe' + - 'ptdskhost.exe' condition: 1 of selection_* falsepositives: - Legitimate use of TeleDesktop 
diff --git a/detections/sigma/tigervnc_network_sigma.yml b/detections/sigma/tigervnc_network_sigma.yml index 2f79c054..c6769508 100644 --- a/detections/sigma/tigervnc_network_sigma.yml +++ b/detections/sigma/tigervnc_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential TigerVNC RMM Tool Network Activity -id: 659e4ee1-b114-4246-be15-50355953d8cd +id: 094dac23-39e5-566b-8698-1d7b7eeffc2d status: experimental description: | Detects potential network activity of TigerVNC RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -15,7 +15,7 @@ logsource: category: network_connection detection: selection: - DestinationHostname|endswith: user_managed + DestinationHostname|endswith: 'user_managed' condition: selection falsepositives: - Legitimate use of TigerVNC diff --git a/detections/sigma/tigervnc_processes_sigma.yml b/detections/sigma/tigervnc_processes_sigma.yml index 3aa5a0be..eb5d5cb1 100644 --- a/detections/sigma/tigervnc_processes_sigma.yml +++ b/detections/sigma/tigervnc_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential TigerVNC RMM Tool Process Activity -id: 0ccac845-e3f8-4479-86da-765ff423cf0e +id: 5157bfb1-f83b-5542-89a3-248bc11d602f status: experimental description: | Detects potential processes activity of TigerVNC RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,14 +16,14 @@ logsource: detection: selection_parent: ParentImage|endswith: - - tigervnc*.exe - - winvnc4.exe - - tvnserver.exe + - 'tigervnc*.exe' + - 'winvnc4.exe' + - '*\tvnserver.exe' selection_image: Image|endswith: - - tigervnc*.exe - - winvnc4.exe - - tvnserver.exe + - 'tigervnc*.exe' + - 'winvnc4.exe' + - '*\tvnserver.exe' condition: 1 of selection_* falsepositives: - Legitimate use of TigerVNC 
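Review bot: `'*\tvnserver.exe'` in the TigerVNC process rule is the same image name the TightVNC process rule below lists as `'tvnserver.exe'`, so one process-creation event will fire both rules and the TigerVNC alert will name the wrong product. If that overlap is intentional it deserves a comment in the source yaml; otherwise the entry belongs to the TightVNC list only. Within this list the anchoring is also mixed, `'*\tvnserver.exe'` next to unanchored `'tigervnc*.exe'` and `'winvnc4.exe'`.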
diff --git a/detections/sigma/tightvnc_network_sigma.yml b/detections/sigma/tightvnc_network_sigma.yml index 9df89a9e..8d88e932 100644 --- a/detections/sigma/tightvnc_network_sigma.yml +++ b/detections/sigma/tightvnc_network_sigma.yml @@ -1,12 +1,12 @@ title: Potential TightVNC RMM Tool Network Activity -id: 73a58ada-ff6a-418b-b559-34f218bd577d +id: 47075227-f343-5bc0-a6f3-e2861796fdb5 status: experimental description: | Detects potential network activity of TightVNC RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,8 +16,8 @@ logsource: detection: selection: DestinationHostname|endswith: - - user_managed - - tightvnc.com + - 'user_managed' + - 'tightvnc.com' condition: selection falsepositives: - Legitimate use of TightVNC diff --git a/detections/sigma/tightvnc_processes_sigma.yml b/detections/sigma/tightvnc_processes_sigma.yml index 3999295c..23682c59 100644 --- a/detections/sigma/tightvnc_processes_sigma.yml +++ b/detections/sigma/tightvnc_processes_sigma.yml @@ -1,12 +1,12 @@ title: Potential TightVNC RMM Tool Process Activity -id: 0317447a-dc8d-4703-94b5-9404cdef80e9 +id: 5c52bdbd-fab1-5774-bcd8-ad8436091215 status: experimental description: | Detects potential processes activity of TightVNC RMM tool references: - https://github.com/magicsword-io/LOLRMM author: LOLRMM Project -date: 2025-12-01 +date: 2026-02-03 tags: - attack.execution - attack.t1219 @@ -16,14 +16,14 @@ logsource: detection: selection_parent: ParentImage|endswith: - - tvnviewer.exe - - TightVNCViewerPortable*.exe - - tvnserver.exe + - 'tvnviewer.exe' + - 'TightVNCViewerPortable*.exe' + - 'tvnserver.exe' selection_image: Image|endswith: - - tvnviewer.exe - - TightVNCViewerPortable*.exe - - tvnserver.exe + - 'tvnviewer.exe' + - 'TightVNCViewerPortable*.exe' + - 'tvnserver.exe' condition: 1 of selection_* falsepositives: - Legitimate use of TightVNC 
diff --git a/detections/sigma/tmate_files_sigma.yml b/detections/sigma/tmate_files_sigma.yml new file mode 100644 index 00000000..dd265043 --- /dev/null +++ b/detections/sigma/tmate_files_sigma.yml @@ -0,0 +1,27 @@ +title: Potential tmate RMM Tool File Activity +id: 968e0dd1-f6ea-55d7-9587-0c8447bb9bb2 +status: experimental +description: | + Detects potential files activity of tmate RMM tool +references: + - https://github.com/magicsword-io/LOLRMM +author: LOLRMM Project +date: 2026-02-03 +tags: + - attack.execution + - attack.t1219 +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename|endswith: + - '/tmp/tmate*' + - '~/.tmate.conf' + - 'tmate.sock' + - 'tmate-ready' + - 'tmate.bashrc' + condition: selection +falsepositives: + - Legitimate use of tmate +level: medium diff --git a/detections/sigma/tmate_network_sigma.yml b/detections/sigma/tmate_network_sigma.yml new file mode 100644 index 00000000..8e253e3e --- /dev/null +++ b/detections/sigma/tmate_network_sigma.yml @@ -0,0 +1,24 @@ +title: Potential tmate RMM Tool Network Activity +id: ae1b648e-5cd4-50b6-931f-5f162038354b +status: experimental +description: | + Detects potential network activity of tmate RMM tool +references: + - https://github.com/magicsword-io/LOLRMM +author: LOLRMM Project +date: 2026-02-03 +tags: + - attack.execution + - attack.t1219 +logsource: + product: windows + category: network_connection +detection: + selection: + DestinationHostname|endswith: + - 'tmate.io' + - '*.tmate.io' + condition: selection +falsepositives: + - Legitimate use of tmate +level: medium diff --git a/detections/sigma/todesk_network_sigma.yml b/detections/sigma/todesk_network_sigma.yml index abd2726f..a35e53bc 100644 --- a/detections/sigma/todesk_network_sigma.yml +++ b/detections/sigma/todesk_network_sigma.yml 
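Review bot: Both new tmate rules declare `logsource: product: windows`, yet the file selection is made of POSIX paths (`'/tmp/tmate*'`, `'~/.tmate.conf'`, `'tmate.sock'`) for a Unix terminal-sharing tool, so a backend that maps this logsource to Windows file/network telemetry will never evaluate them against the right events; the generator appears to hard-code `product: windows` for every tool. The product should come from the tool's platform in the source yaml (`product: linux` here, with a second rule for macOS if wanted). `'~/.tmate.conf'` also needs attention: `~` is a shell abbreviation that never appears in a recorded file path, so `'/.tmate.conf'` is the suffix that can actually match.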
@@ -1,12 +1,12 @@
 title: Potential ToDesk RMM Tool Network Activity
-id: 8c9c2180-ab76-47b7-a82a-1c64c451c851
+id: 9c79deb6-7c74-54bb-9a48-829f3ef4b6e1
 status: experimental
 description: |
   Detects potential network activity of ToDesk RMM tool
 references:
   - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
   - attack.execution
   - attack.t1219
@@ -16,10 +16,10 @@ logsource:
 detection:
   selection:
     DestinationHostname|endswith:
-      - todesk.com
-      - *.todesk.com
-      - *.todesk.com
-      - todesktop.com
+      - 'todesk.com'
+      - '*.todesk.com'
+      - '*.todesk.com'
+      - 'todesktop.com'
   condition: selection
 falsepositives:
   - Legitimate use of ToDesk
diff --git a/detections/sigma/todesk_processes_sigma.yml b/detections/sigma/todesk_processes_sigma.yml
index bcbb48c4..6988815e 100644
--- a/detections/sigma/todesk_processes_sigma.yml
+++ b/detections/sigma/todesk_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential ToDesk RMM Tool Process Activity
-id: 4a1e51ee-e208-4281-8977-492e0b98097a
+id: 3c5eb466-4f0e-5099-8ebe-d003dbca2fb1
 status: experimental
 description: |
   Detects potential processes activity of ToDesk RMM tool
 references:
   - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
   - attack.execution
   - attack.t1219
@@ -16,14 +16,14 @@ logsource:
 detection:
   selection_parent:
     ParentImage|endswith:
-      - todesk.exe
-      - ToDesk_Service.exe
-      - ToDesk_Setup.exe
+      - 'todesk.exe'
+      - 'ToDesk_Service.exe'
+      - 'ToDesk_Setup.exe'
   selection_image:
     Image|endswith:
-      - todesk.exe
-      - ToDesk_Service.exe
-      - ToDesk_Setup.exe
+      - 'todesk.exe'
+      - 'ToDesk_Service.exe'
+      - 'ToDesk_Setup.exe'
   condition: 1 of selection_*
 falsepositives:
   - Legitimate use of ToDesk
diff --git a/detections/sigma/total_software_deployment_processes_sigma.yml b/detections/sigma/total_software_deployment_processes_sigma.yml
index b806a298..fa090f82 100644
--- a/detections/sigma/total_software_deployment_processes_sigma.yml
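Review bot: `'*.todesk.com'` is written twice in the ToDesk network selection, and the same duplication is carried into the ultraviewer_processes rule (`'UltraViewer_Desktop.exe'` three times, plus path-prefixed variants that `endswith` on the bare name already covers) and zoho_assist_processes (`'zaservice.exe'`/`'Zaservice.exe'`, two `ZA_Access.exe` forms), so the source YAML is being copied through unchecked. Duplicates do not change what matches, but they bloat the rule and hide real variants among repeats; since Sigma string matching is case-insensitive by default, deduplicating on `value.lower()` in the generator before the list is written (first occurrence wins) keeps the output readable without altering its behavior.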
+++ b/detections/sigma/total_software_deployment_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Total Software Deployment RMM Tool Process Activity
-id: 86a70a18-65cd-4cc9-a61f-7da595dbc84d
+id: 199ce180-45e1-5711-a9b5-13f2adcc655e
 status: experimental
 description: |
   Detects potential processes activity of Total Software Deployment RMM tool
 references:
   - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
   - attack.execution
   - attack.t1219
@@ -16,12 +16,12 @@ logsource:
 detection:
   selection_parent:
     ParentImage|endswith:
-      - tniwinagent.exe
-      - Tsdservice.exe
+      - '*\tniwinagent.exe'
+      - '*\Tsdservice.exe'
   selection_image:
     Image|endswith:
-      - tniwinagent.exe
-      - Tsdservice.exe
+      - '*\tniwinagent.exe'
+      - '*\Tsdservice.exe'
   condition: 1 of selection_*
 falsepositives:
   - Legitimate use of Total Software Deployment
diff --git a/detections/sigma/turbomeeting_network_sigma.yml b/detections/sigma/turbomeeting_network_sigma.yml
index b918c67d..7a0e49e6 100644
--- a/detections/sigma/turbomeeting_network_sigma.yml
+++ b/detections/sigma/turbomeeting_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential TurboMeeting RMM Tool Network Activity
-id: 9e471730-85a2-4a31-8315-a446863da409
+id: 2393007a-aee4-5dc1-9d8f-c9a7efff594e
 status: experimental
 description: |
   Detects potential network activity of TurboMeeting RMM tool
 references:
   - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
   - attack.execution
   - attack.t1219
@@ -16,8 +16,8 @@ logsource:
 detection:
   selection:
     DestinationHostname|endswith:
-      - user_managed
-      - acceo.com/turbomeeting/
+      - 'user_managed'
+      - 'acceo.com/turbomeeting/'
   condition: selection
 falsepositives:
   - Legitimate use of TurboMeeting
diff --git a/detections/sigma/turbomeeting_processes_sigma.yml b/detections/sigma/turbomeeting_processes_sigma.yml
index 2937e333..0e9c3584 100644
--- a/detections/sigma/turbomeeting_processes_sigma.yml
+++ b/detections/sigma/turbomeeting_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential TurboMeeting RMM Tool Process Activity
-id: e228610d-452a-4cbb-b5ea-03680f210ff0
+id: 1e4882f8-0a0e-55fe-96c9-805f0189b56e
 status: experimental
 description: |
   Detects potential processes activity of TurboMeeting RMM tool
 references:
   - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
   - attack.execution
   - attack.t1219
@@ -16,14 +16,14 @@ logsource:
 detection:
   selection_parent:
     ParentImage|endswith:
-      - pcstarter.exe
-      - turbomeeting.exe
-      - turbomeetingstarter.exe
+      - 'pcstarter.exe'
+      - 'turbomeeting.exe'
+      - 'turbomeetingstarter.exe'
   selection_image:
     Image|endswith:
-      - pcstarter.exe
-      - turbomeeting.exe
-      - turbomeetingstarter.exe
+      - 'pcstarter.exe'
+      - 'turbomeeting.exe'
+      - 'turbomeetingstarter.exe'
   condition: 1 of selection_*
 falsepositives:
   - Legitimate use of TurboMeeting
diff --git a/detections/sigma/ultra_vnc_processes_sigma.yml b/detections/sigma/ultra_vnc_processes_sigma.yml
index 90a952e9..52ed3bfe 100644
--- a/detections/sigma/ultra_vnc_processes_sigma.yml
+++ b/detections/sigma/ultra_vnc_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Ultra VNC RMM Tool Process Activity
-id: d43e0555-49c5-4a10-bdda-7ed790de78e8
+id: a3df8613-a454-5c8f-a564-a2d3c3e641a5
 status: experimental
 description: |
   Detects potential processes activity of Ultra VNC RMM tool
 references:
   - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
   - attack.execution
   - attack.t1219
@@ -16,14 +16,14 @@ logsource:
 detection:
   selection_parent:
     ParentImage|endswith:
-      - UVNC_Launch.exe
-      - winvnc.exe
-      - vncviewer.exe
+      - '*\UVNC_Launch.exe'
+      - '*\winvnc.exe'
+      - '*\vncviewer.exe'
   selection_image:
     Image|endswith:
-      - UVNC_Launch.exe
-      - winvnc.exe
-      - vncviewer.exe
+      - '*\UVNC_Launch.exe'
+      - '*\winvnc.exe'
+      - '*\vncviewer.exe'
   condition: 1 of selection_*
 falsepositives:
   - Legitimate use of Ultra VNC
diff --git a/detections/sigma/ultraviewer_network_sigma.yml b/detections/sigma/ultraviewer_network_sigma.yml
index 85393011..74324731 100644
--- a/detections/sigma/ultraviewer_network_sigma.yml
+++ b/detections/sigma/ultraviewer_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential UltraViewer RMM Tool Network Activity
-id: 44060525-be85-4a53-8211-7592a6ea394d
+id: 08fa8896-b18d-5512-a3ef-82a71d5594ed
 status: experimental
 description: |
   Detects potential network activity of UltraViewer RMM tool
 references:
   - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
   - attack.execution
   - attack.t1219
@@ -16,8 +16,8 @@ logsource:
 detection:
   selection:
     DestinationHostname|endswith:
-      - *.ultraviewer.net
-      - ultraviewer.net
+      - '*.ultraviewer.net'
+      - 'ultraviewer.net'
   condition: selection
 falsepositives:
   - Legitimate use of UltraViewer
diff --git a/detections/sigma/ultraviewer_processes_sigma.yml b/detections/sigma/ultraviewer_processes_sigma.yml
index af36bd34..3c23c8e8 100644
--- a/detections/sigma/ultraviewer_processes_sigma.yml
+++ b/detections/sigma/ultraviewer_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential UltraViewer RMM Tool Process Activity
-id: 28310552-4d99-4da6-96cd-f9ac9258f564
+id: 9512b4b0-ef0e-5f0f-abf3-1896eb5cd4e5
 status: experimental
 description: |
   Detects potential processes activity of UltraViewer RMM tool
 references:
   - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
   - attack.execution
   - attack.t1219
@@ -16,26 +16,26 @@ logsource:
 detection:
   selection_parent:
     ParentImage|endswith:
-      - UltraViewer_Service.exe
-      - UltraViewer_Desktop.exe
-      - ultraviewer.exe
-      - UltraViewer_Desktop.exe
-      - UltraViewer_Desktop.exe
-      - ultraviewer_desktop.exe
-      - ultraviewer_service.exe
-      - UltraViewer_Desktop.exe
-      - UltraViewer_Service.exe
+      - 'UltraViewer_Service.exe'
+      - 'UltraViewer_Desktop.exe'
+      - 'ultraviewer.exe'
+      - 'C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe'
+      - '*\UltraViewer_Desktop.exe'
+      - 'ultraviewer_desktop.exe'
+      - 'ultraviewer_service.exe'
+      - 'UltraViewer_Desktop.exe'
+      - 'UltraViewer_Service.exe'
   selection_image:
     Image|endswith:
-      - UltraViewer_Service.exe
-      - UltraViewer_Desktop.exe
-      - ultraviewer.exe
-      - UltraViewer_Desktop.exe
-      - UltraViewer_Desktop.exe
-      - ultraviewer_desktop.exe
-      - ultraviewer_service.exe
-      - UltraViewer_Desktop.exe
-      - UltraViewer_Service.exe
+      - 'UltraViewer_Service.exe'
+      - 'UltraViewer_Desktop.exe'
+      - 'ultraviewer.exe'
+      - 'C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe'
+      - '*\UltraViewer_Desktop.exe'
+      - 'ultraviewer_desktop.exe'
+      - 'ultraviewer_service.exe'
+      - 'UltraViewer_Desktop.exe'
+      - 'UltraViewer_Service.exe'
   condition: 1 of selection_*
 falsepositives:
   - Legitimate use of UltraViewer
diff --git a/detections/sigma/ultravnc_network_sigma.yml b/detections/sigma/ultravnc_network_sigma.yml
index a6bb7cfc..40eb3036 100644
--- a/detections/sigma/ultravnc_network_sigma.yml
+++ b/detections/sigma/ultravnc_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential UltraVNC RMM Tool Network Activity
-id: c607606c-d7ad-4954-835e-eb32122885fb
+id: 28a15bcc-889d-5471-8d62-bd8db1b07e65
 status: experimental
 description: |
   Detects potential network activity of UltraVNC RMM tool
 references:
   - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
   - attack.execution
   - attack.t1219
@@ -16,8 +16,8 @@ logsource:
 detection:
   selection:
     DestinationHostname|endswith:
-      - ultravnc.com
-      - user_managed
+      - 'ultravnc.com'
+      - 'user_managed'
   condition: selection
 falsepositives:
   - Legitimate use of UltraVNC
diff --git a/detections/sigma/ultravnc_processes_sigma.yml b/detections/sigma/ultravnc_processes_sigma.yml
index 90c35c8e..fb1f8e4c 100644
--- a/detections/sigma/ultravnc_processes_sigma.yml
+++ b/detections/sigma/ultravnc_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential UltraVNC RMM Tool Process Activity
-id: 5d95a95f-430b-49da-881c-01b48b6615da
+id: 771adda6-1d4b-5b1a-8db1-2c6cf26c168c
 status: experimental
 description: |
   Detects potential processes activity of UltraVNC RMM tool
 references:
   - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
   - attack.execution
   - attack.t1219
@@ -15,9 +15,9 @@ logsource:
   category: process_creation
 detection:
   selection_parent:
-    ParentImage|endswith: UltraVNC*.exe
+    ParentImage|endswith: 'UltraVNC*.exe'
   selection_image:
-    Image|endswith: UltraVNC*.exe
+    Image|endswith: 'UltraVNC*.exe'
   condition: 1 of selection_*
 falsepositives:
   - Legitimate use of UltraVNC
diff --git a/detections/sigma/veyon_files_sigma.yml b/detections/sigma/veyon_files_sigma.yml
new file mode 100644
index 00000000..ede69af4
--- /dev/null
+++ b/detections/sigma/veyon_files_sigma.yml
@@ -0,0 +1,25 @@
+title: Potential Veyon RMM Tool File Activity
+id: 28734a12-8256-5f31-93cb-71bf1188207c
+status: experimental
+description: |
+  Detects potential files activity of Veyon RMM tool
+references:
+  - https://github.com/magicsword-io/LOLRMM
+author: LOLRMM Project
+date: 2026-02-03
+tags:
+  - attack.execution
+  - attack.t1219
+logsource:
+  product: windows
+  category: file_event
+detection:
+  selection:
+    TargetFilename|endswith:
+      - 'C:\Windows\Temp\VeyonServer.log'
+      - 'C:\Windows\Temp\VeyonService.log'
+      - 'C:\Users\*\AppData\Local\VeyonCLI.log'
+  condition: selection
+falsepositives:
+  - Legitimate use of Veyon
+level: medium
diff --git a/detections/sigma/veyon_processes_sigma.yml b/detections/sigma/veyon_processes_sigma.yml
new file mode 100644
index 00000000..9f3175a7
--- /dev/null
+++ b/detections/sigma/veyon_processes_sigma.yml
@@ -0,0 +1,34 @@
+title: Potential Veyon RMM Tool Process Activity
+id: 14567547-1ca1-5c54-b074-422ba9d11087
+status: experimental
+description: |
+  Detects potential processes activity of Veyon RMM tool
+references:
+  - https://github.com/magicsword-io/LOLRMM
+author: LOLRMM Project
+date: 2026-02-03
+tags:
+  - attack.execution
+  - attack.t1219
+logsource:
+  product: windows
+  category: process_creation
+detection:
+  selection_parent:
+    ParentImage|endswith:
+      - 'veyon-wcli.exe'
+      - 'veyon-worker.exe'
+      - 'veyon-server.exe'
+      - 'veyon-service.exe'
+      - 'veyon-master.exe'
+  selection_image:
+    Image|endswith:
+      - 'veyon-wcli.exe'
+      - 'veyon-worker.exe'
+      - 'veyon-server.exe'
+      - 'veyon-service.exe'
+      - 'veyon-master.exe'
+  condition: 1 of selection_*
+falsepositives:
+  - Legitimate use of Veyon
+level: medium
diff --git a/detections/sigma/veyon_registry_sigma.yml b/detections/sigma/veyon_registry_sigma.yml
new file mode 100644
index 00000000..1ae20aca
--- /dev/null
+++ b/detections/sigma/veyon_registry_sigma.yml
@@ -0,0 +1,24 @@
+title: Potential Veyon RMM Tool Registry Activity
+id: 98ca1fe3-5e9c-573e-a2d7-f3551edc1291
+status: experimental
+description: |
+  Detects potential registry activity of Veyon RMM tool
+references:
+  - https://github.com/magicsword-io/LOLRMM
+author: LOLRMM Project
+date: 2026-02-03
+tags:
+  - attack.execution
+  - attack.t1219
+logsource:
+  product: windows
+  category: registry_event
+detection:
+  selection:
+    TargetObject|contains:
+      - 'HKLM\SOFTWARE\Veyon Solutions'
+      - 'HKLM\SYSTEM\CurrentControlSet\Services\VeyonService'
+  condition: selection
+falsepositives:
+  - Legitimate use of Veyon
+level: medium
diff --git a/detections/sigma/visual_studio_dev_tunnel_network_sigma.yml b/detections/sigma/visual_studio_dev_tunnel_network_sigma.yml
index 48177d05..1fe8d0be 100644
--- a/detections/sigma/visual_studio_dev_tunnel_network_sigma.yml
+++ b/detections/sigma/visual_studio_dev_tunnel_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Visual Studio Dev Tunnel RMM Tool Network Activity
-id: e6eb8f0f-6307-498d-87d1-4f008c6c92f5
+id: d38c740a-a7a2-54c5-b130-757a272e4c68
 status: experimental
 description: |
   Detects potential network activity of Visual Studio Dev Tunnel RMM tool
 references:
   - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
   - attack.execution
   - attack.t1219
@@ -16,9 +16,9 @@ logsource:
 detection:
   selection:
     DestinationHostname|endswith:
-      - global.rel.tunnels.api.visualstudio.com
-      - *.rel.tunnels.api.visualstudio.com
-      - *.devtunnels.ms
+      - 'global.rel.tunnels.api.visualstudio.com'
+      - '*.rel.tunnels.api.visualstudio.com'
+      - '*.devtunnels.ms'
   condition: selection
 falsepositives:
   - Legitimate use of Visual Studio Dev Tunnel
diff --git a/detections/sigma/vnc_network_sigma.yml b/detections/sigma/vnc_network_sigma.yml
index af6a7a62..5e0ef0f8 100644
--- a/detections/sigma/vnc_network_sigma.yml
+++ b/detections/sigma/vnc_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential VNC RMM Tool Network Activity
-id: 9daee246-13b9-49b9-b68b-520b55b2eea8
+id: 577684d7-0362-5e0f-a75c-feafc46e1468
 status: experimental
 description: |
   Detects potential network activity of VNC RMM tool
 references:
   - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
   - attack.execution
   - attack.t1219
@@ -16,8 +16,8 @@ logsource:
 detection:
   selection:
     DestinationHostname|endswith:
-      - user_managed
-      - realvnc.com/en/connect/download/vnc
+      - 'user_managed'
+      - 'realvnc.com/en/connect/download/vnc'
   condition: selection
 falsepositives:
   - Legitimate use of VNC
diff --git a/detections/sigma/vnc_processes_sigma.yml b/detections/sigma/vnc_processes_sigma.yml
index 1e8da376..b0372515 100644
--- a/detections/sigma/vnc_processes_sigma.yml
+++ b/detections/sigma/vnc_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential VNC RMM Tool Process Activity
-id: 09723726-df0c-4154-bb05-7b810b6c6c40
+id: a6780978-91a6-5984-8f8b-ac0a878172c4
 status: experimental
 description: |
   Detects potential processes activity of VNC RMM tool
 references:
   - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
   - attack.execution
   - attack.t1219
@@ -16,22 +16,22 @@ logsource:
 detection:
   selection_parent:
     ParentImage|endswith:
-      - winvnc*.exe
-      - vncserver.exe
-      - winwvc.exe
-      - winvncsc.exe
-      - vncserverui.exe
-      - vncviewer.exe
-      - winvnc.exe
+      - 'winvnc*.exe'
+      - 'vncserver.exe'
+      - 'winwvc.exe'
+      - 'winvncsc.exe'
+      - 'vncserverui.exe'
+      - 'vncviewer.exe'
+      - 'winvnc.exe'
   selection_image:
     Image|endswith:
-      - winvnc*.exe
-      - vncserver.exe
-      - winwvc.exe
-      - winvncsc.exe
-      - vncserverui.exe
-      - vncviewer.exe
-      - winvnc.exe
+      - 'winvnc*.exe'
+      - 'vncserver.exe'
+      - 'winwvc.exe'
+      - 'winvncsc.exe'
+      - 'vncserverui.exe'
+      - 'vncviewer.exe'
+      - 'winvnc.exe'
   condition: 1 of selection_*
 falsepositives:
   - Legitimate use of VNC
diff --git a/detections/sigma/webrdp_network_sigma.yml b/detections/sigma/webrdp_network_sigma.yml
index 5d23dd3d..2106dc2d 100644
--- a/detections/sigma/webrdp_network_sigma.yml
+++ b/detections/sigma/webrdp_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential WebRDP RMM Tool Network Activity
-id: d6cf8756-43e2-4fa0-adfa-31a51dbf7602
+id: 7f1a2a6d-dd4f-5271-ba85-ee66faae9a5b
 status: experimental
 description: |
   Detects potential network activity of WebRDP RMM tool
 references:
   - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
   - attack.execution
   - attack.t1219
@@ -16,8 +16,8 @@ logsource:
 detection:
   selection:
     DestinationHostname|endswith:
-      - user_managed
-      - github.com/Mikej81/WebRDP
+      - 'user_managed'
+      - 'github.com/Mikej81/WebRDP'
   condition: selection
 falsepositives:
   - Legitimate use of WebRDP
diff --git a/detections/sigma/webrdp_processes_sigma.yml b/detections/sigma/webrdp_processes_sigma.yml
index 1538733e..18cae760 100644
--- a/detections/sigma/webrdp_processes_sigma.yml
+++ b/detections/sigma/webrdp_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential WebRDP RMM Tool Process Activity
-id: c231e758-93a2-4932-9dc7-dad4c8017bcb
+id: 7c388ddb-7ef0-5eba-bcb4-ee10e08d5d1b
 status: experimental
 description: |
   Detects potential processes activity of WebRDP RMM tool
 references:
   - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
   - attack.execution
   - attack.t1219
@@ -15,9 +15,9 @@ logsource:
   category: process_creation
 detection:
   selection_parent:
-    ParentImage|endswith: webrdp.exe
+    ParentImage|endswith: 'webrdp.exe'
   selection_image:
-    Image|endswith: webrdp.exe
+    Image|endswith: 'webrdp.exe'
   condition: 1 of selection_*
 falsepositives:
   - Legitimate use of WebRDP
diff --git a/detections/sigma/weezo_network_sigma.yml b/detections/sigma/weezo_network_sigma.yml
index f2710c99..00d0905a 100644
--- a/detections/sigma/weezo_network_sigma.yml
+++ b/detections/sigma/weezo_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Weezo RMM Tool Network Activity
-id: e7a74923-a27d-4ac5-a165-c0a11b4ca4dc
+id: 7fa8cbd5-7314-5a37-a70d-391dcd140e88
 status: experimental
 description: |
   Detects potential network activity of Weezo RMM tool
 references:
   - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
   - attack.execution
   - attack.t1219
@@ -16,10 +16,10 @@ logsource:
 detection:
   selection:
     DestinationHostname|endswith:
-      - *.weezo.me
-      - weezo.net
-      - *.weezo.net
-      - weezo.en.softonic.com
+      - '*.weezo.me'
+      - 'weezo.net'
+      - '*.weezo.net'
+      - 'weezo.en.softonic.com'
   condition: selection
 falsepositives:
   - Legitimate use of Weezo
diff --git a/detections/sigma/weezo_processes_sigma.yml b/detections/sigma/weezo_processes_sigma.yml
index 46c9d5be..45a7159c 100644
--- a/detections/sigma/weezo_processes_sigma.yml
+++ b/detections/sigma/weezo_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Weezo RMM Tool Process Activity
-id: 8689f4e9-dfa2-491c-ab69-4c128db3bd35
+id: 5fbb569a-d96f-5136-a4af-b8d065c73189
 status: experimental
 description: |
   Detects potential processes activity of Weezo RMM tool
 references:
   - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
   - attack.execution
   - attack.t1219
@@ -16,14 +16,14 @@ logsource:
 detection:
   selection_parent:
     ParentImage|endswith:
-      - weezohttpd.exe
-      - weezo.exe
-      - weezo setup*.exe
+      - 'weezohttpd.exe'
+      - 'weezo.exe'
+      - 'weezo setup*.exe'
   selection_image:
     Image|endswith:
-      - weezohttpd.exe
-      - weezo.exe
-      - weezo setup*.exe
+      - 'weezohttpd.exe'
+      - 'weezo.exe'
+      - 'weezo setup*.exe'
   condition: 1 of selection_*
 falsepositives:
   - Legitimate use of Weezo
diff --git a/detections/sigma/winscp_processes_sigma.yml b/detections/sigma/winscp_processes_sigma.yml
index 12257dbd..79855d7d 100644
--- a/detections/sigma/winscp_processes_sigma.yml
+++ b/detections/sigma/winscp_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential WinSCP RMM Tool Process Activity
-id: 4c69afec-1230-4cb8-b9ab-7464b64395e8
+id: 3b9a7e39-aaa9-5629-84c9-818896913c5f
 status: experimental
 description: |
   Detects potential processes activity of WinSCP RMM tool
 references:
   - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
   - attack.execution
   - attack.t1219
@@ -15,9 +15,9 @@ logsource:
   category: process_creation
 detection:
   selection_parent:
-    ParentImage|endswith: WinSCP.exe
+    ParentImage|endswith: '*\WinSCP.exe'
   selection_image:
-    Image|endswith: WinSCP.exe
+    Image|endswith: '*\WinSCP.exe'
   condition: 1 of selection_*
 falsepositives:
   - Legitimate use of WinSCP
diff --git a/detections/sigma/xeox_network_sigma.yml b/detections/sigma/xeox_network_sigma.yml
index b1529a46..a33555c8 100644
--- a/detections/sigma/xeox_network_sigma.yml
+++ b/detections/sigma/xeox_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Xeox RMM Tool Network Activity
-id: 8505dded-1605-4b90-bcd4-c6d833c816c4
+id: 91c5e5d7-2754-59c5-b742-e014118d333d
 status: experimental
 description: |
   Detects potential network activity of Xeox RMM tool
 references:
   - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
   - attack.execution
   - attack.t1219
@@ -16,8 +16,8 @@ logsource:
 detection:
   selection:
     DestinationHostname|endswith:
-      - *.xeox.com
-      - xeox.com
+      - '*.xeox.com'
+      - 'xeox.com'
   condition: selection
 falsepositives:
   - Legitimate use of Xeox
diff --git a/detections/sigma/xeox_processes_sigma.yml b/detections/sigma/xeox_processes_sigma.yml
index 9648986c..28d2c93f 100644
--- a/detections/sigma/xeox_processes_sigma.yml
+++ b/detections/sigma/xeox_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Xeox RMM Tool Process Activity
-id: 5ea7cf79-3d87-4576-a46d-793783a0acb7
+id: 4b8c6f35-35ec-5acb-a290-2bff5acf4466
 status: experimental
 description: |
   Detects potential processes activity of Xeox RMM tool
 references:
   - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
   - attack.execution
   - attack.t1219
@@ -16,16 +16,16 @@ logsource:
 detection:
   selection_parent:
     ParentImage|endswith:
-      - xeox-agent_x64.exe
-      - xeox_service_windows.exe
-      - xeox-agent_*.exe
-      - xeox-agent_x86.exe
+      - 'xeox-agent_x64.exe'
+      - 'xeox_service_windows.exe'
+      - 'xeox-agent_*.exe'
+      - 'xeox-agent_x86.exe'
   selection_image:
     Image|endswith:
-      - xeox-agent_x64.exe
-      - xeox_service_windows.exe
-      - xeox-agent_*.exe
-      - xeox-agent_x86.exe
+      - 'xeox-agent_x64.exe'
+      - 'xeox_service_windows.exe'
+      - 'xeox-agent_*.exe'
+      - 'xeox-agent_x86.exe'
   condition: 1 of selection_*
 falsepositives:
   - Legitimate use of Xeox
diff --git a/detections/sigma/xpra_processes_sigma.yml b/detections/sigma/xpra_processes_sigma.yml
index 5498ccca..7a3dd581 100644
--- a/detections/sigma/xpra_processes_sigma.yml
+++ b/detections/sigma/xpra_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Xpra RMM Tool Process Activity
-id: 5f62f298-5f92-4bea-b9e1-dc6b01658142
+id: 24075721-f908-5404-9be8-b768d35a1479
 status: experimental
 description: |
   Detects potential processes activity of Xpra RMM tool
 references:
   - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
   - attack.execution
   - attack.t1219
@@ -16,12 +16,12 @@ logsource:
 detection:
   selection_parent:
     ParentImage|endswith:
-      - Xpra-Launcher.exe
-      - Xpra-x86_64_Setup.exe
+      - '*\Xpra-Launcher.exe'
+      - '*\Xpra-x86_64_Setup.exe'
   selection_image:
     Image|endswith:
-      - Xpra-Launcher.exe
-      - Xpra-x86_64_Setup.exe
+      - '*\Xpra-Launcher.exe'
+      - '*\Xpra-x86_64_Setup.exe'
   condition: 1 of selection_*
 falsepositives:
   - Legitimate use of Xpra
diff --git a/detections/sigma/xshell_processes_sigma.yml b/detections/sigma/xshell_processes_sigma.yml
index 8577124a..ee062d7f 100644
--- a/detections/sigma/xshell_processes_sigma.yml
+++ b/detections/sigma/xshell_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Xshell RMM Tool Process Activity
-id: 0ee932d7-49d1-47f8-83ef-a4845e8f4031
+id: 7145888a-b84f-5a6b-8fdf-3f4beb00de5b
 status: experimental
 description: |
   Detects potential processes activity of Xshell RMM tool
 references:
   - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
   - attack.execution
   - attack.t1219
@@ -15,9 +15,9 @@ logsource:
   category: process_creation
 detection:
   selection_parent:
-    ParentImage|endswith: xShell.exe
+    ParentImage|endswith: '*\xShell.exe'
   selection_image:
-    Image|endswith: xShell.exe
+    Image|endswith: '*\xShell.exe'
   condition: 1 of selection_*
 falsepositives:
   - Legitimate use of Xshell
diff --git a/detections/sigma/yandex.disk_processes_sigma.yml b/detections/sigma/yandex.disk_processes_sigma.yml
index f200e826..581dad3c 100644
--- a/detections/sigma/yandex.disk_processes_sigma.yml
+++ b/detections/sigma/yandex.disk_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Yandex.Disk RMM Tool Process Activity
-id: 2a2194fb-fe2e-4905-a4f6-71b953cd8b85
+id: e9e53d43-bb2c-5b4e-83d9-c2c1b2f90e3e
 status: experimental
 description: |
   Detects potential processes activity of Yandex.Disk RMM tool
 references:
   - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
   - attack.execution
   - attack.t1219
@@ -15,9 +15,9 @@ logsource:
   category: process_creation
 detection:
   selection_parent:
-    ParentImage|endswith: YandexDisk2.exe
+    ParentImage|endswith: '*\YandexDisk2.exe'
   selection_image:
-    Image|endswith: YandexDisk2.exe
+    Image|endswith: '*\YandexDisk2.exe'
   condition: 1 of selection_*
 falsepositives:
   - Legitimate use of Yandex.Disk
diff --git a/detections/sigma/zabbix_agent_network_sigma.yml b/detections/sigma/zabbix_agent_network_sigma.yml
index 8df45cf7..a21a7416 100644
--- a/detections/sigma/zabbix_agent_network_sigma.yml
+++ b/detections/sigma/zabbix_agent_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Zabbix Agent RMM Tool Network Activity
-id: 7f5b4e26-420b-46dd-a3c4-226256c4d84a
+id: 7b136dc7-374f-58a6-9bc5-3b6d3aa08064
 status: experimental
 description: |
   Detects potential network activity of Zabbix Agent RMM tool
 references:
   - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
   - attack.execution
   - attack.t1219
@@ -16,8 +16,8 @@ logsource:
 detection:
   selection:
     DestinationHostname|endswith:
-      - user_managed
-      - zabbix.com
+      - 'user_managed'
+      - 'zabbix.com'
   condition: selection
 falsepositives:
   - Legitimate use of Zabbix Agent
diff --git a/detections/sigma/zabbix_agent_processes_sigma.yml b/detections/sigma/zabbix_agent_processes_sigma.yml
index 9fb1c0c7..9ca15ccf 100644
--- a/detections/sigma/zabbix_agent_processes_sigma.yml
+++ b/detections/sigma/zabbix_agent_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Zabbix Agent RMM Tool Process Activity
-id: 708e407a-303b-4f30-9828-2ac83e94373b
+id: ae15ddd2-9daa-5b4b-b007-ee3fd36e2aaf
 status: experimental
 description: |
   Detects potential processes activity of Zabbix Agent RMM tool
 references:
   - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
   - attack.execution
   - attack.t1219
@@ -15,9 +15,9 @@ logsource:
   category: process_creation
 detection:
   selection_parent:
-    ParentImage|endswith: zabbix_agent*.exe
+    ParentImage|endswith: 'zabbix_agent*.exe'
   selection_image:
-    Image|endswith: zabbix_agent*.exe
+    Image|endswith: 'zabbix_agent*.exe'
   condition: 1 of selection_*
 falsepositives:
   - Legitimate use of Zabbix Agent
diff --git a/detections/sigma/zerotier_network_sigma.yml b/detections/sigma/zerotier_network_sigma.yml
index 8d4f0923..66d0a5ab 100644
--- a/detections/sigma/zerotier_network_sigma.yml
+++ b/detections/sigma/zerotier_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential ZeroTier RMM Tool Network Activity
-id: 13a878f9-2674-401d-9b1b-f2028c440910
+id: d9b12e95-f361-533b-8d97-38997338228e
 status: experimental
 description: |
   Detects potential network activity of ZeroTier RMM tool
 references:
   - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
   - attack.execution
   - attack.t1219
@@ -16,8 +16,8 @@ logsource:
 detection:
   selection:
     DestinationHostname|endswith:
-      - zerotier.com
-      - *.zerotier.com
+      - 'zerotier.com'
+      - '*.zerotier.com'
   condition: selection
 falsepositives:
   - Legitimate use of ZeroTier
diff --git a/detections/sigma/zerotier_processes_sigma.yml b/detections/sigma/zerotier_processes_sigma.yml
index 3599e5d6..98142858 100644
--- a/detections/sigma/zerotier_processes_sigma.yml
+++ b/detections/sigma/zerotier_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential ZeroTier RMM Tool Process Activity
-id: 4ec80451-936b-4a50-8956-7f0f0f55ce45
+id: d6729800-0602-5ceb-95e4-2e8c6f6aafe7
 status: experimental
 description: |
   Detects potential processes activity of ZeroTier RMM tool
 references:
   - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
   - attack.execution
   - attack.t1219
@@ -16,12 +16,12 @@ logsource:
 detection:
   selection_parent:
     ParentImage|endswith:
-      - zerotier*.exe
-      - zero-powershell.exe
+      - 'zerotier*.exe'
+      - 'zero-powershell.exe'
   selection_image:
     Image|endswith:
-      - zerotier*.exe
-      - zero-powershell.exe
+      - 'zerotier*.exe'
+      - 'zero-powershell.exe'
   condition: 1 of selection_*
 falsepositives:
   - Legitimate use of ZeroTier
diff --git a/detections/sigma/zoc_processes_sigma.yml b/detections/sigma/zoc_processes_sigma.yml
index 8e5cb54e..8352a69b 100644
--- a/detections/sigma/zoc_processes_sigma.yml
+++ b/detections/sigma/zoc_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential ZOC RMM Tool Process Activity
-id: 0f2f8d37-6bf4-4d16-ba82-1634921d95c4
+id: 29a8c43e-86f1-5a56-bc98-b0535f3f4481
 status: experimental
 description: |
   Detects potential processes activity of ZOC RMM tool
 references:
   - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
   - attack.execution
   - attack.t1219
@@ -15,9 +15,9 @@ logsource:
   category: process_creation
 detection:
   selection_parent:
-    ParentImage|endswith: zoc.exe
+    ParentImage|endswith: '*\zoc.exe'
   selection_image:
-    Image|endswith: zoc.exe
+    Image|endswith: '*\zoc.exe'
   condition: 1 of selection_*
 falsepositives:
   - Legitimate use of ZOC
diff --git a/detections/sigma/zoho_assist_network_sigma.yml b/detections/sigma/zoho_assist_network_sigma.yml
index 23b84a22..b103fe3b 100644
--- a/detections/sigma/zoho_assist_network_sigma.yml
+++ b/detections/sigma/zoho_assist_network_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Zoho Assist RMM Tool Network Activity
-id: 3ae241e0-ab8f-4e0a-8d6b-02f6687866cd
+id: 6007dfb3-033e-50dd-a637-20dd48fc12eb
 status: experimental
 description: |
   Detects potential network activity of Zoho Assist RMM tool
 references:
   - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
   - attack.execution
   - attack.t1219
@@ -16,19 +16,19 @@ logsource:
 detection:
   selection:
     DestinationHostname|endswith:
-      - *.zoho.com.au
-      - *.zohoassist.jp
-      - assist.zoho.com
-      - zoho.com/assist/
-      - *.zoho.in
-      - downloads.zohodl.com.cn
-      - *.zohoassist.com
-      - downloads.zohocdn.com
-      - gateway.zohoassist.com
-      - *.zohoassist.com.cn
-      - *.zoho.com.cn
-      - *.zoho.com
-      - *.zoho.eu
+      - '*.zoho.com.au'
+      - '*.zohoassist.jp'
+      - 'assist.zoho.com'
+      - 'zoho.com/assist/'
+      - '*.zoho.in'
+      - 'downloads.zohodl.com.cn'
+      - '*.zohoassist.com'
+      - 'downloads.zohocdn.com'
+      - 'gateway.zohoassist.com'
+      - '*.zohoassist.com.cn'
+      - '*.zoho.com.cn'
+      - '*.zoho.com'
+      - '*.zoho.eu'
   condition: selection
 falsepositives:
   - Legitimate use of Zoho Assist
diff --git a/detections/sigma/zoho_assist_processes_sigma.yml b/detections/sigma/zoho_assist_processes_sigma.yml
index b41a92fd..c4c9fe2b 100644
--- a/detections/sigma/zoho_assist_processes_sigma.yml
+++ b/detections/sigma/zoho_assist_processes_sigma.yml
@@ -1,12 +1,12 @@
 title: Potential Zoho Assist RMM Tool Process Activity
-id: f57c281c-5d94-43d1-8ba2-d2c95d01e871
+id: a7812b35-9329-5fed-99a3-df00e14ba031
 status: experimental
 description: |
   Detects potential processes activity of Zoho Assist RMM tool
 references:
   - https://github.com/magicsword-io/LOLRMM
 author: LOLRMM Project
-date: 2025-12-01
+date: 2026-02-03
 tags:
   - attack.execution
   - attack.t1219
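Review bot: `'*.zoho.com'`, `'*.zoho.in'`, `'*.zoho.eu'`, `'*.zoho.com.au'` and `'*.zoho.com.cn'` in the Zoho Assist network selection cover every Zoho SaaS host, so this rule fires on ordinary Zoho mail/CRM/docs traffic rather than on the remote-access product; the entries that actually distinguish Zoho Assist are `assist.zoho.com`, `*.zohoassist.com`, `*.zohoassist.com.cn`, `*.zohoassist.jp`, `gateway.zohoassist.com` and the `zohocdn`/`zohodl` download hosts. Either keep only the assist-specific hosts here, or have the generator emit a `falsepositives` entry that records the broad ones so consumers can tune, e.g. `- Any Zoho web service traffic matches the *.zoho.* entries`. The `level` line that sets the alert severity is outside this hunk.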
@@ -16,30 +16,30 @@ logsource:
 detection:
   selection_parent:
     ParentImage|endswith:
-      - zaservice.exe
-      - ZMAgent.exe
-      - ZA_Access.exe
-      - ZohoMeeting.exe
-      - Zohours.exe
-      - zohotray.exe
-      - ZohoURSService.exe
-      - ZA_Access.exe
-      - Zaservice.exe
-      - za_connect.exe
-      - connect.exe
+      - 'zaservice.exe'
+      - 'ZMAgent.exe'
+      - 'C:\*\ZA_Access.exe'
+      - 'ZohoMeeting.exe'
+      - 'Zohours.exe'
+      - 'zohotray.exe'
+      - 'ZohoURSService.exe'
+      - '*\ZA_Access.exe'
+      - 'Zaservice.exe'
+      - 'za_connect.exe'
+      - 'connect.exe'
   selection_image:
     Image|endswith:
-      - zaservice.exe
-      - ZMAgent.exe
-      - ZA_Access.exe
-      - ZohoMeeting.exe
-      - Zohours.exe
-      - zohotray.exe
-      - ZohoURSService.exe
-      - ZA_Access.exe
-      - Zaservice.exe
-      - za_connect.exe
-      - connect.exe
+      - 'zaservice.exe'
+      - 'ZMAgent.exe'
+      - 'C:\*\ZA_Access.exe'
+      - 'ZohoMeeting.exe'
+      - 'Zohours.exe'
+      - 'zohotray.exe'
+      - 'ZohoURSService.exe'
+      - '*\ZA_Access.exe'
+      - 'Zaservice.exe'
+      - 'za_connect.exe'
+      - 'connect.exe'
   condition: 1 of selection_*
 falsepositives:
   - Legitimate use of Zoho Assist
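Review bot: `'connect.exe'` in both selections of the Zoho Assist process rule is a generic image name with no vendor-specific component, and because the condition is `1 of selection_*` that single value is enough to raise the alert for any unrelated binary of that name as parent or child. If the source YAML cannot supply a more specific path, the generator should drop bare generic names from `endswith` lists or require a directory component as the `'C:\*\ZA_Access.exe'` entry has; at minimum the rule should say so, e.g. a generated `falsepositives` entry `- Unrelated software whose image is named connect.exe`.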