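# Sigma rule collection. This `action: global` document carries the metadata
# shared by every rule document that follows a `---` separator; each of those
# documents contributes its own logsource and detection.
action: global
title: Detected potential Tactical RMM usage
id: 4159b47e-63ff-45a8-b8c0-f9cba06005df
status: experimental
description: Detects the installation (Linux) or usage (Windows) of Tactical RMM software
references:
  - https://docs.tacticalrmm.com/
  - https://github.com/amidaware/tacticalrmm
  - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
author: kaixeb
# Slash-separated date: a plain YAML string (only dashed ISO dates are parsed
# as timestamps), written in the legacy Sigma YYYY/MM/DD form.
date: 2023/07/17
tags:
  - attack.ta0011
  - attack.t1071.001
  - attack.t1573.002
  - attack.t1219
# The Sigma specification defines falsepositives as a list of strings; the
# original gave a bare string.
falsepositives:
  - Legitimate use of Tactical RMM software
level: medium
---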
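# Linux: Tactical RMM installation steps (PostgreSQL database creation, nginx
# site configuration, /etc/hosts edits) following a successful privilege
# escalation, or the start of one of the services the installer deploys.
# NOTE(review): the field names used here (`type`, `ProcessCommandLine`,
# `HomeDirectory`, `ServiceName`) are not raw auditd record keys and assume a
# backend field mapping — confirm against the target SIEM's auditd parser.
logsource:
  product: linux
  service: auditd
detection:
  selection1:
    type: 'Privilege Escalation Succeeded'
  selection2:
    ProcessCommandLine|contains: '/usr/bin/psql -c CREATE DATABASE'
  # Two alternatives (list of maps = OR of ANDed fields): an nginx site path on
  # the command line, or HomeDirectory inside an nginx site directory together
  # with an RMM config file on the command line.
  selection3:
    - ProcessCommandLine|contains:
        - 'sites-available'
        - 'sites-enabled'
    - HomeDirectory|contains:
        - 'sites-available'
        - 'sites-enabled'
      ProcessCommandLine|contains:
        - 'rmm.conf'
        - 'frontend.conf'
  # /etc/hosts touched either from within /etc or by absolute path. The
  # original wrapped the first alternative in a `selection:` key; Sigma would
  # treat that as a log field name, so the wrapper is dropped.
  selection4:
    - HomeDirectory: '/etc'
      ProcessCommandLine|contains: 'hosts'
    - ProcessCommandLine|contains: '/etc/hosts'
  selection5:
    type: 'Service (daemon) start'
    ServiceName:
      - 'postgresql'
      - 'nginx'
      - 'nats'
      - 'nats-api'
      - 'rmm'
      - 'daphne'
      - 'celery'
      - 'celerybeat'
  # `and` binds tighter than `or`; the parentheses make the original grouping
  # explicit without changing it.
  # NOTE(review): the `or selection5` branch fires on any start of postgresql,
  # nginx or celery on its own, which is likely to be noisy on ordinary
  # servers — consider requiring selection1 for that branch too.
  condition: (selection1 and (selection2 or selection3 or selection4)) or selection5
---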
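# Windows: Tactical RMM agent service installation, agent/installer process
# execution, LSASS or LSA registry access from the agent directory, network
# connections from the agent binary, and the agent's public-IP lookup.
# NOTE(review): Sigma's `logsource.service` is a single string; the list form
# is kept from the original but is unlikely to be accepted by a spec-conformant
# converter. Event 7045 is logged to the System channel rather than Security or
# Sysmon — confirm the logsource split before deploying.
logsource:
  product: windows
  service:
    - security
    - sysmon
detection:
  # Service installed whose name or binary refers to the Tactical RMM agent.
  # The original listed the name/binary alternatives directly under the
  # EventID mapping, which does not parse; each alternative now repeats the
  # EventID constraint, i.e. "EventID in (7045, 4697) and (name or file)".
  selection1:
    - EventID:
        - 7045
        - 4697
      ServiceName|contains: 'TacticalRMM'
    - EventID:
        - 7045
        - 4697
      ServiceFileName|contains:
        - 'TacticalAgent'
        - 'tacticalrmm.exe'
  # Process creation of the agent binary, or an installer command line
  # carrying the full set of enrolment switches (same repeated-EventID layout
  # as selection1).
  selection2:
    - EventID:
        - 1
        - 4688
      Image|contains:
        - 'TacticalAgent'
        - 'tacticalrmm.exe'
    - EventID:
        - 1
        - 4688
      ProcessCommandLine|contains|all:
        - '--site-id'
        - '-m install'
        - '--api'
        - '--client-id'
        - '--agent-type'
        - '--auth'
  # Agent check runner, or python.exe launched with "Tactical" on the command
  # line.
  selection3:
    - EventID:
        - 1
        - 4688
      ProcessCommandLine|contains|all:
        - 'tacticalrmm.exe'
        - '-m checkrunner'
    - EventID:
        - 1
        - 4688
      ProcessCommandLine|contains|all:
        - 'Tactical'
        - 'python.exe'
  # Handle requested on lsass.exe or the LSA registry key by the agent or its
  # bundled Python interpreter. Single-quoted regex: backslashes are literal.
  # NOTE(review): event 4656 carries the object path in ObjectName and the
  # process in ProcessName; TargetObject/Image are Sysmon fields — confirm the
  # field mapping.
  selection4:
    EventID: 4656
    Image|re: 'TacticalAgent\\.*?(tacticalrmm|python)\.exe'
    TargetObject|contains:
      - 'Windows\System32\lsass.exe'
      - 'Control\Lsa'
  # Sysmon network connection initiated by the agent binary.
  selection5:
    EventID: 3
    Image|contains: 'tacticalrmm.exe'
  # Sysmon DNS query for the agent's public-IP lookup host.
  # NOTE(review): Sysmon event 22 exposes the queried name as QueryName; `URL`
  # may need a field mapping — confirm.
  selection6:
    EventID: 22
    URL|contains: 'icanhazip.tacticalrmm.io'
  # Spec form of the wildcard condition (the original bare `selection*` has
  # no quantifier).
  condition: 1 of selection*
---
# The DNS-server lookup was originally a seventh selection carrying its own
# `logsource`, which Sigma does not support inside a selection; it is a
# separate rule document here so it is evaluated against the DNS debug log.
# NOTE(review): the logsource values are kept from the original; the standard
# Sigma taxonomy uses product `windows` / service `dns-server` — confirm which
# one the backend maps.
logsource:
  product: WindowsDNS
  service: dnsdebug
detection:
  selection:
    URL|contains: 'icanhazip.tacticalrmm.io'
  condition: selection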