Matthew Green mgreen27

Detecting RMM

ℹ️ This was duplicated to this blog for readability and reference

The most difficult challenge with RMM detection is contextual awareness around usage to determine if it is valid or malicious.

Term	Description	Link(s)
Alias	Another email address that people can use to email
App Password	An app password is a password that is created within the Azure portal and that allows the user to bypass MFA and continue to use their application.
Alternate email address	Required for admins to receive important notifications, or resetting the admin password which cannot be modified by the end users
AuditAdmin
AuditDelegate
Delegate	An account with assigned permissions to a mailbox.
Display Name	Name that appears in the Address Book & on the TO and From lines on an email.
EAC	"Exchange Admin Center"

	/*
	WARNING:

	the newest version of this rule is now hosted here:
	https://github.com/Neo23x0/god-mode-rules/blob/master/godmode.yar
	*/


	/*
	_____ __ __ ___ __

	function New-ModuleOverview {
	<#
	.SYNOPSIS
	Generates a Markdown file with a short description of each public command in a module.

	.DESCRIPTION
	Finds all the public commands in a specified module and produces a simple Markdown file detailing the description or synopsis (user choice) for each.

	.PARAMETER ModuleName
	Name of the module to generate an overview for. If the module isn't already loaded then it will be loaded.

	## Uploaded by @JohnLaTwC
	## Sample hash: fd334bb96b496592db6c9771f305a2ddca6610a59c6d45f5bbbb2b38859b4f36
	On Error Resume Next
	Dim objShell : Set objShell = CreateObject("WScript.Shell")

	If LCase(Right(WScript.FullName, 11)) = "wscript.exe" Then
	For Each vArg In WScript.Arguments
	sArgs = sArgs & " """ & vArg & """"
	Next
	objShell.Run("cmd.exe /k cscript.exe //nologo " & Chr(34) & WScript.ScriptFullName & Chr(34) & sArgs & " && exit")

	# Script author: Matt Graeber (@mattifestation)
	# logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets
	# Do your malicious things here that would be logged by AMSI
	# logman stop AMSITrace -ets

	$OSArchProperty = Get-CimInstance -ClassName Win32_OperatingSystem -Property OSArchitecture
	$OSArch = $OSArchProperty.OSArchitecture

	$OSPointerSize = 32
	if ($OSArch -eq '64-bit') { $OSPointerSize = 64 }

	StorageUsage.dll,GetStorageUsageInfo
	acmigration.dll,ApplyMigrationShims
	acproxy.DLL,PerformAutochkOperations
	ppioobe.dll,setupcalendaraccountforuser
	edgehtml.dll,#125
	edgehtml.dll,#133
	davclnt.dll,davsetcookie
	appxdeploymentextensions.onecore.dll,shellrefresh
	pla.dll,plahost
	aeinv.dll,updatesoftwareinventory

	[POWERSHELL-DOWNLOAD-HUNT]
	dispatch.earliest_time = -24h@h
	dispatch.latest_time = now
	dispatchAs = user
	display.general.type = statistics
	display.page.search.mode = verbose
	display.page.search.tab = statistics
	display.visualizations.charting.chart = bar
	display.visualizations.show = 0
	search = FileName=powershell.exe (CommandLine=DownloadFile OR CommandLine=invoke-webrequest) \| stats values(CommandLine) as "commands" by ComputerName

	::
	::#######################################################################
	::
	:: Change file associations to protect against common ransomware attacks
	:: Note that if you legitimately use these extensions, like .bat, you will now need to execute them manually from cmd or powershell
	:: Alternatively, you can right-click on them and hit 'Run as Administrator' but ensure it's a script you want to run :)
	:: ---------------------
	ftype htafile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
	ftype WSHFile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
	ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"