Detecting Ammyy Admin RMM Agent Execution
Detects the execution of the Ammyy Admin RMM agent for remote management. The rule keys on rundll32.exe loading aa_nts.dll through its run export, not on the Ammyy Admin executable itself, so a standalone run of the portable client is outside its scope.
Sigma rule

```yaml
title: Detecting Ammyy Admin RMM Agent Execution
id: 7da7809e-f3d5-47a3-9d5d-fc9d019caf14
status: experimental
description: Detects the execution of the Ammyy Admin RMM agent for remote management.
author: '@kostastsale'
references:
  - https://www.ammyy.com/en/admin_features.html
date: 2024/08/05
tags:
  - attack.execution
  - attack.persistence
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    # Both fields must match: fields inside one selection are ANDed.
    Image|endswith:
      - '\rundll32.exe'
    # The agent DLL is loaded via its "run" export; Sigma string matching is case-insensitive.
    CommandLine|contains:
      - 'AMMYY\aa_nts.dll",run'
  condition: selection
falsepositives:
  - Legitimate use of Ammyy Admin RMM agent for remote management by admins.
level: medium
```
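To see what the selection above does and does not catch, the following added example (not part of the rule or the author's code) evaluates the rule's two field conditions over a handful of constructed process-creation events. The events are made up for illustration; the matching semantics follow the Sigma specification, where fields in one selection are ANDed, list values are ORed, and string comparison is case-insensitive.

```python
# Minimal evaluator for the selection of the Ammyy Admin Sigma rule.
# Added example: sample events below are constructed, not real telemetry.

SELECTION = {
    "Image|endswith": [r"\rundll32.exe"],
    "CommandLine|contains": [r'AMMYY\aa_nts.dll",run'],
}

# Constructed process_creation events (Sysmon EID 1 / Security 4688 style).
EVENTS = [
    # 0: canonical agent launch, should match
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\ProgramData\AMMYY\aa_nts.dll",run'},
    # 1: same launch, different casing and 32-bit rundll32; Sigma matching is
    #    case-insensitive, so this should also match
    {"Image": r"C:\Windows\SysWOW64\RUNDLL32.EXE",
     "CommandLine": r'"C:\Windows\SysWOW64\rundll32.exe" "c:\programdata\ammyy\aa_nts.dll",run'},
    # 2: benign rundll32 use, should not match
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    # 3: portable Ammyy Admin client run directly (hypothetical file name);
    #    the rule only looks at rundll32, so this is a known gap and must not match
    {"Image": r"C:\Users\user\Downloads\AA_v3.exe",
     "CommandLine": r'"C:\Users\user\Downloads\AA_v3.exe"'},
]


def field_matches(modifier, value, patterns):
    """Apply one Sigma string modifier; list entries are ORed, compare case-insensitively."""
    v = value.lower()
    for p in patterns:
        p = p.lower()
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "startswith" and v.startswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
        if modifier is None and v == p:
            return True
    return False


def selection_matches(event, selection):
    """All field conditions of a Sigma selection map must hold (AND)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None or not field_matches(modifier or None, value, patterns):
            return False
    return True


def run_rule(events, selection=SELECTION):
    """Return the indices of events that trigger the rule (condition: selection)."""
    return [i for i, e in enumerate(events) if selection_matches(e, selection)]


if __name__ == "__main__":
    for i in run_rule(EVENTS):
        print("ALERT event", i, EVENTS[i]["CommandLine"])
```

Events 0 and 1 fire; event 2 shows that plain rundll32 activity is ignored, and event 3 shows the gap noted above: an interactive run of the client binary produces no rundll32 command line and is not covered by this rule.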
Related rules
- ChromeLoader Malware Detection
- Detection of CMD Execution via AnyViewer RMM
- Detection of Suspicious triggering of ErrorHandler.cmd Execution
- Scheduled task executing powershell encoded payload from registry
- Remote Service Creation