RMM Tools with connections
RMM Connection
Query
// First part based on tweet by: @Antonlovesdnb https://x.com/Antonlovesdnb/status/1840823846720385482
let LOLRMM = externaldata(Name:string,Category:string,Description:string,Author:string,Date:datetime,LastModified:datetime,Website:string,Filename:string,OriginalFileName:string,PEDescription:string,Product:string,Privileges:string,Free:string,Verification:string,SupportedOS:string,Capabilities:string,
Vulnerabilities:string,InstallationPaths:string,Artifacts:string,Detections:string,References:string,Acknowledgement:string)[@"https://lolrmm.io/api/rmm_tools.csv"] with (format="csv", ignoreFirstRecord=True);
// Exclude any allowed RMMs based on name, example: dynamic(["Rapid7"]);
let AllowedRMM_Name = dynamic([]);
// Exclude any RMM based on executable name, example: dynamic(["mstsc.exe", "winscp.exe"]), used by multiple rmms
let AllowedRMM_executable = dynamic([]);
let ParsedExecutables = LOLRMM
| where Name !in (AllowedRMM_Name)
| distinct InstallationPaths
| extend FileNames = extract_all(@"\b([a-zA-Z0-9 _-]+\.exe)", InstallationPaths)
| mv-expand FileNames to typeof(string)
| where isnotempty(FileNames)
| project FileNames = tolower(FileNames)
| distinct FileNames
| where FileNames !in (AllowedRMM_executable);
DeviceNetworkEvents
| where tolower(InitiatingProcessFileName) in (ParsedExecutables)
| where ActionType == "ConnectionSuccess"
| summarize TotalEvents = count(), ExecutableCount = dcount(InitiatingProcessFileName), Executables = make_set(InitiatingProcessFileName) by DeviceName, DeviceIdAbout this query
Explanation
This query is designed to identify Remote Monitoring and Management (RMM) tools that are actively being used within an organization's network. Here's a simple breakdown of what the query does:
-
Data Source: It uses an external API from LOLRMM to fetch a list of filenames associated with RMM tools. These tools can be used for remote access, which is a technique identified by MITRE ATT&CK as T1219.
-
Filtering: The query allows for the exclusion of certain RMM tools by name or executable filename if they are known and permitted within the organization. This is done using two lists:
AllowedRMM_NameandAllowedRMM_executable. -
Executable Extraction: From the fetched data, it extracts executable filenames that are associated with RMM tools, ensuring they are not in the allowed lists.
-
Network Events Analysis: It then checks the
DeviceNetworkEventsto find instances where these RMM tool executables have successfully made network connections. This indicates that the tools are being used on devices within the network. -
Summary: Finally, it summarizes the data by counting the total number of successful connection events, the number of unique executables involved, and lists the executables for each device.
This query helps in identifying potentially unauthorized or suspicious use of RMM tools, which could pose a security risk if used by malicious actors to gain remote access to the network.
