Query Details

RMM Connection

Query

# RMM Tools with connections

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1219 | Remote Access Software | https://attack.mitre.org/techniques/T1219/ |

#### Description
This query uses the [LOLRMM](https://lolrmm.io/) API to fetch the installation paths of known RMM tools and extracts the executable filenames from them. Based on those executable filenames it searches all *DeviceNetworkEvents* for RMM tools that have made successful connections, indicating that the tool is in use within your environment.

Credits to @Antonlovesdnb for quickly developing the API connection with externaldata to collect this data ([Tweet](https://x.com/Antonlovesdnb/status/1840823846720385482)).

#### Risk
An actor uses RMM tools to gain remote access to your environment.

#### References
- https://lolrmm.io/
- https://x.com/Antonlovesdnb/status/1840823846720385482

## Defender For Endpoint
```KQL
// First part based on tweet by: @Antonlovesdnb https://x.com/Antonlovesdnb/status/1840823846720385482
let LOLRMM = externaldata(Name:string,Category:string,Description:string,Author:string,Date:datetime,LastModified:datetime,Website:string,Filename:string,OriginalFileName:string,PEDescription:string,Product:string,Privileges:string,Free:string,Verification:string,SupportedOS:string,Capabilities:string,
Vulnerabilities:string,InstallationPaths:string,Artifacts:string,Detections:string,References:string,Acknowledgement:string)[@"https://lolrmm.io/api/rmm_tools.csv"] with (format="csv", ignoreFirstRecord=True);
let ParsedExecutables = LOLRMM
    | distinct InstallationPaths
    | extend FileNames = extract_all(@"\b([a-zA-Z0-9 _-]+\.exe)", InstallationPaths)
    | mv-expand FileNames
    | where isnotempty(FileNames)
    | project FileNames = tolower(FileNames)
    | distinct FileNames;
DeviceNetworkEvents
| where tolower(InitiatingProcessFileName) in (ParsedExecutables)
| where ActionType == "ConnectionSuccess"
| summarize TotalEvents = count(), ExecutableCount = dcount(InitiatingProcessFileName), Executables = make_set(InitiatingProcessFileName) by DeviceName, DeviceId
```
## Sentinel
```KQL
// First part based on tweet by: @Antonlovesdnb https://x.com/Antonlovesdnb/status/1840823846720385482
let LOLRMM = externaldata(Name:string,Category:string,Description:string,Author:string,Date:datetime,LastModified:datetime,Website:string,Filename:string,OriginalFileName:string,PEDescription:string,Product:string,Privileges:string,Free:string,Verification:string,SupportedOS:string,Capabilities:string,
Vulnerabilities:string,InstallationPaths:string,Artifacts:string,Detections:string,References:string,Acknowledgement:string)[@"https://lolrmm.io/api/rmm_tools.csv"] with (format="csv", ignoreFirstRecord=True);
let ParsedExecutables = LOLRMM
    | distinct InstallationPaths
    | extend FileNames = extract_all(@"\b([a-zA-Z0-9 _-]+\.exe)", InstallationPaths)
    | mv-expand FileNames
    | where isnotempty(FileNames)
    | project FileNames = tolower(FileNames)
    | distinct FileNames;
DeviceNetworkEvents
| where tolower(InitiatingProcessFileName) in (ParsedExecutables)
| where ActionType == "ConnectionSuccess"
| summarize TotalEvents = count(), ExecutableCount = dcount(InitiatingProcessFileName), Executables = make_set(InitiatingProcessFileName) by DeviceName, DeviceId
```

Explanation

Summary of the Query

This query aims to identify Remote Monitoring and Management (RMM) tools that are being used within your environment by checking for successful network connections initiated by these tools. Here's a breakdown of the process:

  1. Fetch RMM Tool Data: the query uses the LOLRMM API to retrieve a list of filenames associated with various RMM tools.
  2. Extract Executable Filenames: it processes the data to extract executable filenames (e.g., toolname.exe) from the installation paths provided by the LOLRMM API.
  3. Check for Network Events: it then looks into the DeviceNetworkEvents to find instances where these executable filenames have initiated successful network connections (ConnectionSuccess).
  4. Summarize Findings: finally, it summarizes the results by counting the total number of events, the number of unique executables, and lists the executables for each device.
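To make the filename-extraction step and its main blind spot concrete, here is an added Python re-implementation of the query's pipeline over constructed data (not code from the page, from LOLRMM or from the query's author): the page's own regex is run beside a variant that also keeps dotted base names. The sample paths, the sample network events and the DOTTED_REGEX tweak are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of the LOLRMM "InstallationPaths" column (not real API output).
INSTALLATION_PATHS = [
    r"C:\Program Files\AnyTool\anytool.exe, C:\Program Files (x86)\AnyTool\anytool.exe",
    r"%ProgramFiles%\Vendor\Vendor.Agent.exe",
    r"C:\Users\*\AppData\Local\Tool Name\tool name.exe",
]

# Regex used by the page's KQL query; Kusto (RE2) and Python agree on these constructs.
PAGE_REGEX = re.compile(r"\b([a-zA-Z0-9 _-]+\.exe)")
# Assumed tweak: allowing "." in the name keeps dotted base names such as Vendor.Agent.exe,
# which the page's regex truncates to Agent.exe (a name that never matches the real process).
DOTTED_REGEX = re.compile(r"\b([a-zA-Z0-9 ._-]+\.exe)")

# Constructed DeviceNetworkEvents rows: (DeviceName, InitiatingProcessFileName, ActionType).
EVENTS = [
    ("WS01", "AnyTool.exe", "ConnectionSuccess"),
    ("WS01", "AnyTool.exe", "ConnectionSuccess"),
    ("WS01", "Vendor.Agent.exe", "ConnectionSuccess"),
    ("WS02", "Vendor.Agent.exe", "ConnectionFailed"),
    ("WS02", "chrome.exe", "ConnectionSuccess"),
]


def parsed_executables(paths, regex=PAGE_REGEX):
    """Mirror of the ParsedExecutables let-statement: extract_all + tolower + distinct."""
    names = set()
    for path in paths:
        for match in regex.findall(path):
            names.add(match.lower())
    return names


def rmm_connections(events, executables):
    """Mirror of the main query: keep ConnectionSuccess rows from known RMM executables,
    then summarize per device (TotalEvents, ExecutableCount, Executables)."""
    per_device = defaultdict(lambda: {"TotalEvents": 0, "Executables": set()})
    for device, process, action in events:
        if action != "ConnectionSuccess" or process.lower() not in executables:
            continue
        per_device[device]["TotalEvents"] += 1
        per_device[device]["Executables"].add(process)
    return {
        device: {"TotalEvents": row["TotalEvents"],
                 "ExecutableCount": len(row["Executables"]),
                 "Executables": sorted(row["Executables"])}
        for device, row in per_device.items()
    }
```

Both variants match on the process filename only, so a renamed RMM binary is not caught by this query; that is an inherent limit of filename-based matching rather than of the regex.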

Key Points

  • MITRE ATT&CK Technique: The query is related to the technique T1219 (Remote Access Software).
  • Risk: The use of RMM tools can indicate potential unauthorized remote access by malicious actors.
  • Data Source: The LOLRMM API provides the list of RMM tool filenames.
  • Output: The query outputs a summary of devices with successful connections initiated by RMM tools, including the count of events and unique executables.

Example Output

The output will include columns like:

  • DeviceName: The name of the device.
  • DeviceId: The ID of the device.
  • TotalEvents: The total number of successful connection events.
  • ExecutableCount: The number of unique RMM tool executables found.
  • Executables: A set of the executable filenames that initiated the connections.

This helps in identifying and monitoring the use of RMM tools within your network, which could be a sign of legitimate administrative activity or potential malicious behavior.

Details


Bert-Jan Pals

Released: October 2, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents, Executables, ConnectionSuccess

Operators

externaldata, let, distinct, extend, extract_all, mv-expand, where, isnotempty, project, tolower, in, summarize, count, dcount, make_set
