Last active
October 15, 2023 14:43
-
-
Save b401/d947bdbe9c7ba333e994d121a09946a8 to your computer and use it in GitHub Desktop.
Sysmon - Block RMM software
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Sysmon schemaversion="4.82"> | |
| <EventFiltering> | |
| <RuleGroup name="" groupRelation="or"> | |
| <FileBlockExecutable onmatch="include"> | |
| <!-- List used: https://github.com/0x706972686f/RMM-Catalogue/tree/main --> | |
| <TargetFilename name="RMM Software" condition="end with">rpcgrab.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">rpcsetup.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">action1_agent.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">aeroadmin.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">alitask.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">alpemix.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">AMMYY_Admin.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">apc_host.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">ateraagent.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">syncrosetup.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">beamyourscreen.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">beamyourscreen-host.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">basupsrvc.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">basupsrvcupdate.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">basuptshelper.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">bomgar-scc.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">CagService.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">ctiserv.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">remote_host.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">connectwisechat-customer.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">connectwisecontrol.client.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">itsmagent.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">rviewer.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">crossloopservice.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">PCIVIDEO.EXE</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">supporttool.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="contains all">dntus;.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">dwrcs.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">domotz_bash.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">echoserver</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">echoware.dll</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">ehorus standalone.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">remoteconsole.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">accessserver.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">ericomconnnectconfigurationtool.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">era.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="contains all">ezhelp</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">eratool.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">ezhelpclient.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">ezhelpclientmanager.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">fastclient.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">fastmaster.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">fixmeitclient.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">fleetdeck_agent_svc.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">gp3.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">gp4.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">gp5.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">getscreen.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="contains all">g2a;exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">gotoassist.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">gotohttp.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">g2file</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">g2quick.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">g2svc.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">g2tray.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">goverrmc.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="contains all">govsrv;exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">guacd.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">helpbeam*.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">iit.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">intouch.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">hsloader.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">ihcserver.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">instanthousecall.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">iadmin.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">intelliadmin.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">iperius.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">iperiusremote.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">islalwaysonmonitor.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">isllight.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">isllightservice.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">jumpclient.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">jumpdesktop.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">jumpservice.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">ltsvc.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">ltsvcmon.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">lttray.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">issuser.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">landeskagentbootstrap.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">ldinv32.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">ldsensors.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">laplink.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">laplinkeverywhere.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">llrcservice.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">serverproxyservice.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">laplink.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">tsircusr.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">romfusclient.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">romserver.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">romviewer.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">lmiguardiansvc.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">lmiignition.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">logmein.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">logmeinsystray.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="contains all">support-logmeinrescue;exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">support-logmeinrescue.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">lmi_rescue.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="contains all">mesh;.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">mikogo.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">mikogolauncher.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">mikogo-service.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">mikogo-starter.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">mionet.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">mionetmanager.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">myivomanager.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">myivomgr.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">nhostsvc.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">nhstw32.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">nldrw32.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">rmserverconsolemediator.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">client32.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">pcictlui.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">neturo.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">ntrntservice.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="contains all">netviewer;.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="contains all">nomachine;.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">nxd.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="contains all">nateon;exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">nateonmain.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">prl_deskctl_agent.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">prl_deskctl_wizard.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">prl_pm_service.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">awhost32.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">pcaquickconnect.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">winaw32.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">mwcliun.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">pcnmgr.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">webexpcnow.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">pcvisit.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">pcvisit_client.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">pcvisit-easysupport.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">pocketcontroller.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">pocketcloudservice.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">wysebrowser.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">qq.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">qqpcmgr.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">quickassist.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">radmin.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">tdp2tcp.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">remobo.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">remobo_client.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">remobo_tracker.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">rfusclient.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">rutserv.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">rutserv.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">rutview.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">rcengmgru.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">rcmgrsvc.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">remotesupportplayeru.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">rxstartsupport.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">remotepass-access.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">rpaccess.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">rpwhostscr.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">remotepcservice.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">rpcsuite.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">remoteview.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">rv.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">rvagent.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">rvagtray.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="contains all">wisshell;.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">wmc.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">wmc_deployer.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">wmcsvc.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">royalts.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">rd.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="contains all">rudesktop;.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">rustdesk.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="contains all">screenconnect;.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">screenconnect.windowsclient.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">seetrolcenter.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">seetrolclient.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">seetrolmyservice.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">seetrolremote.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">seetrolsetting.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="contains all">showmypc;.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">simplehelpcustomer.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">simpleservice.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">windowslauncher.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">remote access.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">simplegatewayservice.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">clientmrinit.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">mgntsvc.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">routernt.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">sragent.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">srmanager.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">srserver.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">srservice.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">supremo.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">supremohelper.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">supremoservice.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">supremosystem.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">tacticalrmm.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="contains all">teamviewer;.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">teamviewer_service.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">teamviewerqs.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">tv_w32.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">tv_w64.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">pstlaunch.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">ptdskclient.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">ptdskhost.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">todesk.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">pcstarter.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">turbomeeting.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">turbomeetingstarter.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">ultraviewer.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">ultraviewer_desktop.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">ultraviewer_service.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">vncserver.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">vncserverui.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">vncviewer.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="contains all">winvnc;.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">webrdp.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">weezo.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">weezohttpd.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">xeox-agent_x64.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">za_connect.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">zaservice.exe</TargetFilename> | |
| <TargetFilename name="RMM Software" condition="end with">zohotray.exe</TargetFilename> | |
| </FileBlockExecutable> | |
| </RuleGroup> | |
| </EventFiltering> | |
| </Sysmon> | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment