// Undocumented Remote Admin Tool
// list of tools compiled from: https://github.com/0x706972686f/RMM-Catalogue
// NOTE: does not yet support file name wildcards
//------------------------------------------------------------------
// EXCLUSIONS GO HERE, PLEASE LEAVE A COMMENT WITH EXPLANATION
let ApprovedRMM = datatable(Software:string, DeviceSubstring:string) [
    // Software must be spelled exactly as in the catalogue's Software column
    // (the lookup is an equality join, which is case-sensitive).
    // DeviceSubstring is compared case-insensitively against DeviceName;
    // "." is the author's convention for "every device".
    "Quick Assist", ".",            // internally approved software -- "." == all devices
    "TeamViewer", "exampledevice1", // X user allowed -- see ticket #12345
];
//------------------------------------------------------------------
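// Catalogue of known RMM products and their executable names, one row per
// (Software, FileName). PackedRecord keeps the original fields for triage.
// NOTE(review): the URL tracks the repository's main branch, so the coverage
// of this detection changes whenever that third-party file changes -- an
// entry removed upstream silently stops alerting. Pin the fetch to a specific
// commit (.../raw/<commit-sha>/rmm.csv) and review catalogue updates deliberately.
// materialize() ensures the external fetch happens once, not once per join.
let RMMCatalogue = materialize(
    (externaldata(response: string) [@"https://github.com/0x706972686f/RMM-Catalogue/raw/main/rmm.csv"] with (format="txt"))
    // drop blank lines and the CSV header row
    | where isnotempty(response) and response !startswith "Software"
    | extend data = parse_csv(response)
    | extend
        Software = tostring(data[0]),
        URL = tostring(data[1]),
        FileNames = parse_csv(tostring(data[2])), // third column is itself a comma-separated list
        Category = tostring(data[3])
    | mv-expand FileName = FileNames to typeof(string)
    // TODO: support wildcard search; for now "*" is stripped, so "foo*.exe" only matches "foo.exe"
    | extend FileName = replace_string(FileName, "*", "")
    // an entry that was only "*" becomes "" and would otherwise match every event without a file name
    | where isnotempty(FileName)
    | project-away response, ['data'], FileNames
    | where Software !in~ ("Guacamole", "Royal Server", "Royal TS") // client-only; no risk
    | where FileName !in~ ("vncviewer.exe") // client-only; no risk
    | extend PackedRecord = pack_all()
);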
// get all RMM file events and processes
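// All file, process and network events whose file name matches a catalogue entry.
// Deleted-file events are excluded so a removed installer does not keep alerting.
let RMMFiles = (
    RMMCatalogue
    | extend FileName = tolower(FileName)
    | join kind=inner (
        union DeviceFileEvents, DeviceProcessEvents, DeviceNetworkEvents
        | where ActionType != "FileDeleted"
        // NOTE(review): DeviceNetworkEvents carries the connecting process in
        // InitiatingProcessFileName rather than FileName, so without the fallback
        // its rows never join and RemoteUrl is never populated -- confirm against
        // the schema in your tenant. File and process events keep their own FileName.
        | extend FileName = tolower(coalesce(FileName, InitiatingProcessFileName))
    ) on FileName
);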
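// Suppress approved use cases, then summarize one row per user / software / device.
RMMFiles
// network events have no AccountName; fall back to the account of the initiating process
| extend User = iff(isnotempty(AccountName), AccountName, InitiatingProcessAccountName)
| join kind=leftouter ApprovedRMM on Software
// An event is approved when a rule for its Software covers every device (".") or
// names a substring of this DeviceName. Rows with no rule have an empty DeviceSubstring,
// which must not be passed to `contains` (an empty substring matches everything).
| extend Approved = DeviceSubstring == "." or (isnotempty(DeviceSubstring) and DeviceName contains DeviceSubstring)
// A Software with several rules yields several rows per event after the join, so the
// decision is taken per group rather than per row: one matching rule is enough to suppress.
| summarize Timestamp = max(Timestamp), Executables = make_set(FileName), ApprovedRules = countif(Approved) by AccountName = User, Software, DeviceName
| where ApprovedRules == 0
| project Timestamp, Software, DeviceName, AccountName, Executables
| sort by Timestamp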
This query retrieves information about Remote Admin Tools (RATs) from a catalog and analyzes file events and processes related to these tools. It filters out certain software and file names that are not relevant or pose no risk. It then joins the results with a list of approved RATs and removes the events that match an approved use case. Finally, it summarizes the data by timestamp, software, device name, account name, and the list of executable files.

C.J. May
Released: September 6, 2023