089. Detecting RMMs from Ransomware Affiliate's Toolkit: NinjaRMM
Hello everyone! I think it's not a secret that ransomware gangs often abuse various RMMs. Some are quite well-known, while others are not seen that often.
Recently I spotted another RMM I don't often see in ransomware incidents - it's called NinjaRMM. For example, this tool was used by Medusa ransomware affiliates.
As always, we can start from detecting related network communications:
event_type: "dnsreq"
AND
dns_rname: "ninjarmm.com"
Next, common file names of the RMM's components, for example:
event_type: "processcreatewin"
AND
proc_file_name: ("NinjaRMMAgent.exe" OR "NinjaRMMAgenPatcher.exe" OR "ninjarmm-cli.exe")
Finally, let's search for renamed binaries based on product name:
event_type: "processcreatewin"
AND
proc_file_productname: "NinjaRMM"
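To show how the three hunts above combine, here is an added example (my own code, not part of the original post) that applies them to a few constructed telemetry records. Field names are taken from the queries above; the records, host names and rule names are constructed for illustration. The DNS rule is generalized to also catch subdomains of ninjarmm.com, and file-name matching is case-insensitive.

```python
# Added example: applies the three NinjaRMM hunting rules from this post
# to constructed telemetry records. Field names (event_type, dns_rname,
# proc_file_name, proc_file_productname) come from the queries above;
# the records themselves are constructed sample data, not real logs.
from typing import Dict, List

NINJA_DOMAIN = "ninjarmm.com"
NINJA_FILE_NAMES = {"ninjarmmagent.exe", "ninjarmmagenpatcher.exe", "ninjarmm-cli.exe"}
NINJA_PRODUCT_NAME = "ninjarmm"


def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules from the post that this event matches.

    Matching is case-insensitive, and the DNS rule also catches subdomains
    (e.g. resources.ninjarmm.com) so agent check-ins are not missed.
    """
    hits: List[str] = []
    etype = event.get("event_type", "")
    if etype == "dnsreq":
        qname = event.get("dns_rname", "").lower().rstrip(".")
        if qname == NINJA_DOMAIN or qname.endswith("." + NINJA_DOMAIN):
            hits.append("ninjarmm_dns")
    elif etype == "processcreatewin":
        if event.get("proc_file_name", "").lower() in NINJA_FILE_NAMES:
            hits.append("ninjarmm_filename")
        # Renamed binary: the file name changed, but the PE version info
        # still carries the vendor's product name.
        if event.get("proc_file_productname", "").lower() == NINJA_PRODUCT_NAME:
            hits.append("ninjarmm_productname")
    return hits


def hunt(events: List[Dict[str, str]]):
    """Return (host, matched rules) for every event that hits at least one rule."""
    results = [(e.get("host"), classify_event(e)) for e in events]
    return [(host, rules) for host, rules in results if rules]


# Constructed sample telemetry (not from any real incident).
SAMPLE_EVENTS = [
    {"host": "ws01", "event_type": "dnsreq", "dns_rname": "resources.ninjarmm.com"},
    {"host": "ws01", "event_type": "processcreatewin",
     "proc_file_name": "NinjaRMMAgent.exe", "proc_file_productname": "NinjaRMM"},
    {"host": "ws02", "event_type": "processcreatewin",
     "proc_file_name": "svchost.exe", "proc_file_productname": "NinjaRMM"},
    {"host": "ws03", "event_type": "processcreatewin",
     "proc_file_name": "notepad.exe", "proc_file_productname": "Microsoft Windows"},
    {"host": "ws03", "event_type": "dnsreq", "dns_rname": "notninjarmm.com"},
]

if __name__ == "__main__":
    for host, rules in hunt(SAMPLE_EVENTS):
        print(host, rules)
```

The ws02 record is the interesting one: the agent was renamed to svchost.exe, so only the product-name rule fires.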
See you tomorrow!