Jeremy Mill  

200 Followers
234 Following
828 Posts

I released v2.1.0 of RMML. The big changes in the past few days are:

- A full export of sigma rules for detections
- The addition of Jump Desktop signatures

https://github.com/LivingInSyn/RMML/releases

#cybersecurity #infosec

Releases · LivingInSyn/RMML

A list of RMMs designed to be used in automation to build alerts - LivingInSyn/RMML

GitHub

I propose we replace semantic versioning with pride versioning

NGC 6727: The Rampaging Baboon Nebula

Image Credit & Copyright: Alpha Zhang & Ting Yu

https://apod.nasa.gov/apod/ap240924.html #APOD

APOD: 2024 September 24 – NGC 6727: The Rampaging Baboon Nebula

A different astronomy and space science related image is featured each day, along with a brief explanation.

@catsalad that's just character deny-listing by another name 😂

Someone wrote a cool blog post using RMML for building detections

https://frank-korving.com/posts/kql_and_rmms/

#cybersecurity #infosec

Detecting RMMs using KQL · Frank Korving

Introduction: This is a short write-up on using Kusto Query Language (KQL) to detect Remote Monitoring and Management (RMM) artefacts in your process and network telemetry. It uses multiple open-source projects that aggregate and centrally collect information on available RMMs. Threat actors often make use of legitimate and well-known RMM solutions during real-world intrusions. These remote access tools are typically used as initial access vectors after a successful social engineering campaign and then used as a beachhead into the compromised network to pivot, deploy new tooling or exfiltrate data.
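The detection approach in the linked write-up, matching process and network telemetry against an aggregated list of RMM definitions, as an added example that is not code from the post, the blog, or the RMML project; the definition schema, the sample entries and the telemetry events are constructed for illustration, and the `category` field stands in for the metadata tag proposed further down the thread for separating true RMMs from tunnels like ngrok.

```python
# Added example (not RMML's code or schema): match process and DNS telemetry
# against RMM definitions. Schema and sample values below are constructed.
from dataclasses import dataclass
from pathlib import PureWindowsPath

@dataclass(frozen=True)
class RMMDefinition:
    name: str
    category: str           # "rmm" or "tunnel": the metadata tag idea from the thread
    executables: frozenset  # lower-cased image file names
    domains: frozenset      # lower-cased domains; subdomains also match

# Illustrative entries, verify them against the real RMML definitions before use.
DEFINITIONS = (
    RMMDefinition("AnyDesk", "rmm", frozenset({"anydesk.exe"}), frozenset({"anydesk.com"})),
    RMMDefinition("ngrok", "tunnel", frozenset({"ngrok.exe"}), frozenset({"ngrok.io"})),
)

def _domain_matches(query: str, domain: str) -> bool:
    """Exact or subdomain match; 'notanydesk.com' must not match 'anydesk.com'."""
    q = query.lower().rstrip(".")
    return q == domain or q.endswith("." + domain)

def match_events(events, definitions=DEFINITIONS, categories=None):
    """Return (rmm name, indicator kind, value) for each event hitting a definition.
    events: dicts with type "process" (key "image") or "dns" (key "query").
    categories: e.g. {"rmm"} to skip tunnels like ngrok, as proposed in the thread."""
    hits = []
    for ev in events:
        for d in definitions:
            if categories and d.category not in categories:
                continue
            if ev["type"] == "process":
                exe = PureWindowsPath(ev["image"]).name.lower()
                if exe in d.executables:
                    hits.append((d.name, "executable", exe))
            elif ev["type"] == "dns":
                if any(_domain_matches(ev["query"], dom) for dom in d.domains):
                    hits.append((d.name, "domain", ev["query"].lower()))
    return hits

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\bob\AppData\Local\Temp\AnyDesk.exe"},
    {"type": "dns", "query": "relay-4.net.anydesk.com"},
    {"type": "process", "image": r"C:\Tools\ngrok.exe"},
    {"type": "dns", "query": "notanydesk.com"},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe"},
]
```

Calling `match_events(SAMPLE_EVENTS)` yields the two AnyDesk hits and the ngrok hit; passing `categories={"rmm"}` drops the tunnel hit.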

Interesting notes from the RMML traffic (https://github.com/LivingInSyn/RMML)

The most looked up RMMs are:

- AnyDesk (49)
- ngrok (20)
- GoToMyPC (14)
- TeamViewer (14)
- N-Able (12)

#cybersecurity #infosec

GitHub - LivingInSyn/RMML: A list of RMMs designed to be used in automation to build alerts

A list of RMMs designed to be used in automation to build alerts - LivingInSyn/RMML

GitHub

@krausedw it's a fair point. This question first came up with ngrok and we had a debate on whether we should include it or not. Ultimately we decided that we should, since it fit the threat category even if it wasn't a true RMM.

Maybe we can add a metadata tag to the definitions so that if users only want RMMs they can exclude anything that isn't one.

I cut release v1.5.0 of RMML (a list of RMMs designed to be used by security tools in an automated fashion) to include VSCode tunnels, which are in use by threat actors.

https://github.com/LivingInSyn/RMML/releases/tag/v1.5.0

#cybersecurity #infosec

Release v1.5.0: Merge pull request #39 from LivingInSyn/vscode_tunnel · LivingInSyn/RMML

v1.5.0 Added a definition for VSCode tunnels v1.4.1 Updates on QuickAssist and Aterna definitions by @Korving-F Typo fixed in TailScaleD by @ruppde v1.4.0 Added meshagent Added JSON to CI v1....

GitHub

Pushed v1.4.1 of RMML: https://github.com/LivingInSyn/RMML (a repository of RMM definitions designed to be used in automations)

Includes two new contributors and some updated definitions!

#infosec #cybersecurity

GitHub - LivingInSyn/RMML: A list of RMMs designed to be used in automation to build alerts

A list of RMMs designed to be used in automation to build alerts - LivingInSyn/RMML

GitHub