
Nterl0k - T1219 RMM Must Die #2966

Closed
wants to merge 19 commits into from

Conversation

nterl0k
Contributor

@nterl0k nterl0k commented Feb 23, 2024

Details

Updated the remote_access_software.csv with details from 3 repos as well as additional data from sandbox testing and official product documentation of the products (where possible). The result is a lookup that now contains many more RMM solutions as well as their known executables, usage domains, and reference documentation/sites.

Included are 3 detections that can be used to leverage this data across process, url, and dns datamodels.

Existing lookup data was shamelessly enhanced using these repos:
https://github.com/0x706972686f/RMM-Catalogue/blob/main/rmm.csv
https://github.com/redcanaryco/surveyor/blob/master/definitions/remote-admin.json
https://github.com/mr-r3b00t/KQL/blob/main/hunting/find_rmm_processes.kql
https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/Microsoft%20365%20Defender/RemoteManagementMonitoring

Pending data from: splunk/attack_data#877
and
splunk/attack_data#880

Checklist

  • Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
  • CI/CD jobs passed ✔️
  • Validated SPL logic.
  • Validated tags, description, and how to implement.
  • Verified references match analytic.
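The lookup-driven matching the description refers to (known RMM executables checked against process events, known RMM domains checked against DNS queries and URL hosts), shown here as an added Python illustration rather than the PR's SPL. This is not code from the pull request or from splunk/security_content. It assumes a lookup with the remote_utility and remote_domain columns named in the commit messages plus an assumed reference column; every row, the sample events and the datamodel labels are constructed placeholders.

```python
import csv
import io
from fnmatch import fnmatch
from urllib.parse import urlparse

# Constructed stand-in for remote_access_software.csv. The column names
# remote_utility and remote_domain come from the PR's commit messages; the
# reference column and all rows are placeholders, not real product data.
LOOKUP_CSV = """remote_utility,remote_domain,reference
rmmtool.exe,*.rmmtool.example,https://docs.rmmtool.example
helpdesk-agent.exe,relay.helpdesk.example,https://docs.helpdesk.example
"""

# Constructed sample events, one per datamodel the description names.
SAMPLE_EVENTS = [
    {"datamodel": "process", "dest": "host1",
     "process_name": "C:\\Tools\\RmmTool.exe"},
    {"datamodel": "dns", "src": "host2",
     "query": "relay01.rmmtool.example."},
    {"datamodel": "url", "src": "host3",
     "url": "https://relay.helpdesk.example/session?id=1"},
    {"datamodel": "process", "dest": "host4",
     "process_name": "C:\\Windows\\notepad.exe"},
]


def load_lookup(text):
    """Parse the CSV into an executable index and a list of domain patterns."""
    rows = list(csv.DictReader(io.StringIO(text)))
    exe = {r["remote_utility"].lower(): r for r in rows}
    domains = [(r["remote_domain"].lower(), r) for r in rows]
    return exe, domains


def match_process(lookup, event):
    """Process datamodel: compare the basename of process_name to the lookup."""
    exe, _ = lookup
    name = event.get("process_name", "").lower().rsplit("\\", 1)[-1]
    return exe.get(name)


def match_domain(lookup, domain):
    """Match a host against wildcard or exact remote_domain entries."""
    _, domains = lookup
    d = domain.lower().rstrip(".")          # drop the trailing dot of FQDNs
    for pattern, row in domains:
        # "*.rmmtool.example" should also cover the apex "rmmtool.example"
        if fnmatch(d, pattern) or d == pattern.lstrip("*."):
            return row
    return None


def match_dns(lookup, event):
    """DNS datamodel: match the queried name."""
    return match_domain(lookup, event.get("query", ""))


def match_url(lookup, event):
    """URL datamodel: match only the host portion of the URL."""
    host = urlparse(event.get("url", "")).hostname or ""
    return match_domain(lookup, host)


MATCHERS = {"process": match_process, "dns": match_dns, "url": match_url}


def hunt(lookup, events):
    """Run every event through the matcher for its datamodel; return the hits."""
    hits = []
    for ev in events:
        matcher = MATCHERS.get(ev.get("datamodel"))
        if matcher is None:
            continue
        row = matcher(lookup, ev)
        if row:
            hits.append({
                "datamodel": ev["datamodel"],
                "host": ev.get("dest") or ev.get("src"),
                "remote_utility": row["remote_utility"],
                "reference": row["reference"],
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(load_lookup(LOOKUP_CSV), SAMPLE_EVENTS):
        print(hit)
```

Matching the basename of the process and the host of the URL, rather than the full path or full URL, is what makes a single lookup usable across the three datamodels; the wildcard handling in match_domain is the part most worth reviewing when the lookup grows, since an overly broad pattern turns into a steady source of false positives.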

Added remote_domain to match updated lookup.
Corrected "remote_software" -> "remote_utility" to match lookup
@patel-bhavin patel-bhavin requested review from MHaggis and removed request for patel-bhavin and P4T12ICK February 27, 2024 23:28
@nterl0k nterl0k changed the title Nterl0k T1219 - RMM Must Die Nterl0k - T1219 RMM Must Die Mar 6, 2024
@patel-bhavin
Contributor

Thank you Steven. We tested these using the attack data and have shipped these as a part of:

https://github.com/splunk/security_content/releases/tag/v4.26.0

Thank you!
