089. Detecting RMMs from Ransomware Affiliate's Toolkit: NinjaRMM

Hello everyone! I think it's not a secret that ransomware gangs often abuse various RMMs. Some are quite well-known, while others are seen far less often.

Recently I spotted another RMM I don't often see in ransomware incidents - it's called NinjaRMM. For example, this tool was used by Medusa ransomware affiliates.

As always, we can start from detecting related network communications:

event_type: "dnsreq" AND dns_rname: "ninjarmm.com"

Next, look for the common file names of the RMM's components, for example:

event_type: "processcreatewin" AND proc_file_name: ("NinjaRMMAgent.exe" OR "NinjaRMMAgenPatcher.exe" OR "ninjarmm-cli.exe")

Finally, let's search for renamed binaries based on product name:

event_type: "processcreatewin" AND proc_file_productname: "NinjaRMM"
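
The three hunts above, expressed as plain detection logic over a handful of constructed telemetry events (an added example, not part of the original post; the field names follow the queries, the sample events are made up). The last helper pulls out exactly the case the third query exists for: a binary whose product name still says NinjaRMM although its file name is not one of the known ones.

```python
import json

# Constructed sample telemetry (not from the post), one JSON event per line,
# using the field names the post's queries rely on.
SAMPLE_EVENTS = """\
{"event_type": "dnsreq", "dns_rname": "resolve.ninjarmm.com"}
{"event_type": "dnsreq", "dns_rname": "notninjarmm.com"}
{"event_type": "processcreatewin", "proc_file_name": "NinjaRMMAgent.exe", "proc_file_productname": "NinjaRMM"}
{"event_type": "processcreatewin", "proc_file_name": "svchost.exe", "proc_file_productname": "Microsoft Windows"}
{"event_type": "processcreatewin", "proc_file_name": "update.exe", "proc_file_productname": "NinjaRMM"}
"""

# File names from the post's second query, compared case-insensitively.
KNOWN_NAMES = {"ninjarmmagent.exe", "ninjarmmagenpatcher.exe", "ninjarmm-cli.exe"}

def classify(event):
    """Return the labels of the post's three detections matched by one event."""
    hits = []
    if event.get("event_type") == "dnsreq":
        rname = event.get("dns_rname", "").lower().rstrip(".")
        # Match the apex domain and its subdomains only, not look-alikes
        # such as notninjarmm.com that a bare substring test would catch.
        if rname == "ninjarmm.com" or rname.endswith(".ninjarmm.com"):
            hits.append("dns_ninjarmm")
    elif event.get("event_type") == "processcreatewin":
        if event.get("proc_file_name", "").lower() in KNOWN_NAMES:
            hits.append("known_filename")
        if event.get("proc_file_productname", "").lower() == "ninjarmm":
            hits.append("productname_ninjarmm")
    return hits

def run(lines):
    """Apply classify() to every event; return (event, hits) for each match."""
    out = []
    for line in lines.splitlines():
        if line.strip():
            ev = json.loads(line)
            hits = classify(ev)
            if hits:
                out.append((ev, hits))
    return out

def renamed_binaries(lines):
    """File names whose product name says NinjaRMM but which are not in the
    known list: the renamed agents the post's third query is meant to find."""
    return [ev["proc_file_name"] for ev, hits in run(lines)
            if "productname_ninjarmm" in hits and "known_filename" not in hits]

if __name__ == "__main__":
    for ev, hits in run(SAMPLE_EVENTS):
        print(ev.get("dns_rname") or ev.get("proc_file_name"), "->", hits)
    print("renamed:", renamed_binaries(SAMPLE_EVENTS))
```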

See you tomorrow!
