Query Details

RMM Tools with connections

RMM Connection

Query

// First part based on tweet by: @Antonlovesdnb https://x.com/Antonlovesdnb/status/1840823846720385482
let LOLRMM = externaldata(Name:string,Category:string,Description:string,Author:string,Date:datetime,LastModified:datetime,Website:string,Filename:string,OriginalFileName:string,PEDescription:string,Product:string,Privileges:string,Free:string,Verification:string,SupportedOS:string,Capabilities:string,
Vulnerabilities:string,InstallationPaths:string,Artifacts:string,Detections:string,References:string,Acknowledgement:string)[@"https://lolrmm.io/api/rmm_tools.csv"] with (format="csv", ignoreFirstRecord=True);
// Exclude any allowed RMMs based on name, example: dynamic(["Rapid7"]);
let AllowedRMM_Name = dynamic([]);
// Exclude any RMM based on executable name, example: dynamic(["mstsc.exe", "winscp.exe"]), used by multiple rmms
let AllowedRMM_executable = dynamic([]);
let ParsedExecutables = LOLRMM
    | where Name !in (AllowedRMM_Name)
    | distinct InstallationPaths
    | extend FileNames = extract_all(@"\b([a-zA-Z0-9 _-]+\.exe)", InstallationPaths)
    | mv-expand FileNames to typeof(string)
    | where isnotempty(FileNames)
    | project FileNames = tolower(FileNames)
    | distinct FileNames
    | where FileNames !in (AllowedRMM_executable);
DeviceNetworkEvents
| where tolower(InitiatingProcessFileName) in (ParsedExecutables)
| where ActionType == "ConnectionSuccess"
| summarize TotalEvents = count(), ExecutableCount = dcount(InitiatingProcessFileName), Executables = make_set(InitiatingProcessFileName) by DeviceName, DeviceId

About this query

Explanation

This query is designed to identify Remote Monitoring and Management (RMM) tools that are actively being used within an organization's network. Here's a simple breakdown of what the query does:

  1. Data Source: It uses an external API from LOLRMM to fetch a list of filenames associated with RMM tools. These tools can be used for remote access, which is a technique identified by MITRE ATT&CK as T1219.

  2. Filtering: The query allows for the exclusion of certain RMM tools by name or executable filename if they are known and permitted within the organization. This is done using two lists: AllowedRMM_Name and AllowedRMM_executable.

  3. Executable Extraction: From the fetched data, it extracts executable filenames that are associated with RMM tools, ensuring they are not in the allowed lists.

  4. Network Events Analysis: It then checks the DeviceNetworkEvents to find instances where these RMM tool executables have successfully made network connections. This indicates that the tools are being used on devices within the network.

  5. Summary: Finally, it summarizes the data by counting the total number of successful connection events, the number of unique executables involved, and lists the executables for each device.

This query helps in identifying potentially unauthorized or suspicious use of RMM tools, which could pose a security risk if used by malicious actors to gain remote access to the network.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEventsExecutablesConnectionSuccess

Operators

externaldataletdynamicwheredistinctextendextract_allmv-expandisnotemptyprojecttolowersummarizecountdcountmake_set

MITRE Techniques

Actions

GitHub