Create RMM_Agent_Install_Followed_By_First_Outbound_Connection.yml #3645
Conversation
Adds analytic `rmm_agent_install_first_outbound_connection.yml`. What it detects - Install/service registration of common RMM tools (AnyDesk, ScreenConnect/ConnectWise, Atera, Splashtop, TeamViewer) - Followed within 1 hour by the first outbound session to vendor cloud endpoints (living-off-RMM abuse) Data sources - Endpoint: Sysmon (EID 1), Windows System (7045), Windows Security (4697) - Network: Web proxy / firewall with dest_domain or app classification Tuning & FPs - Legit IT rollouts may trigger; use macro `rmm_agent_install_first_outbound_connection_filter` to allowlist approved hosts/OUs - Consider Geo/ASN enrichment for “new ASN/country” variants Performance - Narrow indexes/sourcetypes; 1h max window; coalesce domain fields to support PAN/Zscaler/Broadcom MITRE ATT&CK - T1219 Remote Access Software - T1071 Application Layer Protocol Author - Riyan Pratama (sudo3rs) No breaking changes.
| @@ -0,0 +1,117 @@ | |||
| name: RMM Agent Install Followed By First Outbound Connection | |||
| id: null | |||
There was a problem hiding this comment.
can we add a new uuid ?
| version: 1 | ||
| date: '2025-08-17' | ||
| author: Riyan Pratama (sudo3rs) | ||
| data_source: |
There was a problem hiding this comment.
Can we update this data source to match the name of the data_sources
- Windows Event Log System 7045
- Windows Event Log Security 4697
- Sysmon EventID 1
| | eval marker="install" | ||
| | table _time host user Image ServiceName ServiceFileName rmm_brand marker | ||
| | append [ | ||
| search (index=proxy OR index=fw OR index=network) |
There was a problem hiding this comment.
@Masriyan - Can you update the second search to not have index and instead provide an input macro that in this second SPL based on your attack_data
| - Splunk Enterprise Security | ||
| - Splunk Cloud | ||
| security_domain: endpoint | ||
| tests: [] |
There was a problem hiding this comment.
@Masriyan - In order to get this detection shipped in ESCU we would like to have sample events in this attack_data repository so that we can test this detection
Can you create a PR and add these sample attack events of process creation and network connection to this repository
|
@Masriyan - Thank you for the PR !we have added a few comments in order to get buil and unit-test actions pass in this CI. Also, on second thoughts queries involving transactions are expensive and hence we tend to not use them in detection queries. We have a good coverage to detect this exact behavior. Have you tried using these detections in your environment? |
| (Image="*anydesk*.exe" OR Image="*screenconnect*" OR Image="*connectwise*" OR Image="*atera*" OR Image="*splashtop*" OR Image="*teamviewer*" | ||
| OR ServiceFileName="*AnyDesk*" OR ServiceFileName="*ScreenConnect*" OR ServiceFileName="*ConnectWise*" OR ServiceFileName="*Atera*" OR ServiceFileName="*Splashtop*" OR ServiceFileName="*TeamViewer*") |
There was a problem hiding this comment.
We already have a lookup with binary names and domains. I suggest you use that as it can easily be updated instead https://github.com/splunk/security_content/blob/develop/lookups/remote_access_software.csv
| ( | ||
| dest_domain="*.anydesk.com" OR dest_domain="*.anydeskcontrol.com" OR | ||
| dest_domain="*.screenconnect.com" OR dest_domain="*.connectwise.com" OR | ||
| dest_domain="*.atera.com" OR dest_domain="*.splashtop.com" OR | ||
| dest_domain="*.teamviewer.com" | ||
| ) | ||
| OR (app IN ("anydesk","connectwise","atera","splashtop","teamviewer")) | ||
| | eval marker="connect" | ||
| | table _time host dest dest_ip dest_domain app marker | ||
| ] |
There was a problem hiding this comment.
Most if not all installation of an RMM agent will lead to a network connection to the vendor domain for various downloads and check.
For example anydesk will contact boot.net.anydesk.com.
For this the rule will trigger basically on any installation not just the first connection.
I suggest you add further conditions to strengthen the logic.
Adds analytic
rmm_agent_install_first_outbound_connection.yml.What it detects
Data sources
Tuning & FPs
rmm_agent_install_first_outbound_connection_filterto allowlist approved hosts/OUsPerformance
MITRE ATT&CK
Author
No breaking changes.
Details
What does this PR have in it? Screenshots are worth 1000 words 😄
Checklist
<platform>_<mitre att&ck technique>_<short description>nomenclatureNotes For Submitters and Reviewers
buildCI job when it fails will likely show an error about what is failing. You may have a very descriptive error of the specific field(s) in the specific file(s) that is causing an issue. In some cases, its also possible there is an issue with the YAML. Many of these can be caught with the pre-commit hooks if you set them up. These errors will be less descriptive as to what exactly is wrong, but will give you a column and row position in a specific file where the YAML processing breaks. If you're having trouble with this, feel free to add a comment to your PR tagging one of the maintainers and we'll be happy to help troubleshoot it.