yara-lApache-2.0from chronicle/detection-rules

win_pua_detection_of_uncommon_rmm

This detection rule identifies uncommon or suspicious Remote Monitoring and Management (RMM) tools, leveraging intelligence from the LOL-RMM (Living Off the Land RMM) project. While RMM tools are widely used for IT administration, remote support, and network management, they are also frequently abused by attackers, initial access brokers (IABs), and ransomware operators to establish persistent remote access, execute malicious commands, or deploy additional payloads. This rule detects RMM software that is not commonly observed in the environment, indicating potential unauthorized access or lateral movement.

Quality

FP risk

—

Forks

Views

ATT&CK techniques

T1219

Rule source🔒 locked

title: ████████████████████████
id: ████████-████-████-████-████████████
status: ██████████
description: ██████████████████████████████████████████
             ████████████████████████████████████████
author: ████████
tags:
  - attack.████
  - attack.████
logsource:
  product: ████████
  category: ████████████
detection:
  selection:
    Image|endswith: '████████████████'
    CommandLine|contains:
      - '████████████████████████'
      - '████████████████████████'
      - '██████████████████'
  condition: selection
level: ████████
falsepositives:
  - ████████████████████

🔒

Sign in to view the rule source

Free accounts can view the source for the top-ranked rules. Create one in seconds — no credit card required.