Expand README with detailed elimination module documentation, add new GIF assets, and refine feature descriptions for clarity.
Binary file not shown. After: size 1.7 MiB
Binary file not shown. After: size 4.2 MiB
Binary file not shown. After: size 1.6 MiB
Binary file not shown. After: size 2.0 MiB
Binary file not shown.
@@ -1,12 +1,12 @@
|
||||
# RMM-Hunter
|
||||
|
||||
A comprehensive Windows security tool designed to detect and analyze Remote Monitoring and Management (RMM) software deployments across enterprise environments.
|
||||
A comprehensive Windows security tool designed to detect and analyze Remote Monitoring and Management (RMM) software deployments.
|
||||
|
||||

|
||||
|
||||
## Overview
|
||||
|
||||
RMM-Hunter is a forensic analysis tool that identifies potentially malicious or unauthorized Remote Monitoring and Management software on Windows systems. Built on a proprietary detection framework called **Scurvy** (private repository), RMM-Hunter provides security teams with comprehensive visibility into RMM installations that may pose security risks or compliance concerns.
|
||||
RMM-Hunter is an analysis tool that identifies potentially malicious or unauthorized Remote Monitoring and Management software/connections on Windows systems. Built on **Scurvy**, a custom low-level OS exploitation repository (private), RMM-Hunter provides security teams with comprehensive visibility into RMM installations that may pose security risks or compliance concerns.
|
||||
|
||||
## Features
|
||||
|
||||
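Review bot: the rewritten Overview paragraph now calls Scurvy a "custom low-level OS exploitation repository" where the old text said "proprietary detection framework"; for a tool pitched as a forensic/detection utility, "exploitation" will be read as offensive capability by users and by endpoint-protection vendors that evaluate the binary, so either keep a neutral description ("system analysis framework") or state in one sentence what "exploitation" means here. The same hunk also drops "forensic" and "across enterprise environments" from the two descriptions; if that narrowing of scope is intentional, say so, otherwise keep the original wording so the README's positioning stays consistent with the enterprise-oriented Features section.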
@@ -22,7 +22,7 @@ The hunt module performs deep system analysis across multiple detection vectors:
|
||||
- **Scheduled Task Detection** - Discovers RMM-related scheduled tasks used for persistence
|
||||
- **Directory Scanning** - Searches for RMM installation directories and artifacts
|
||||
|
||||

|
||||

|
||||
|
||||
### Detection Capabilities
|
||||
|
||||
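Review bot: the two GIFs added after the "Directory Scanning" bullet are among the binary assets in this commit, which weigh 1.6 to 4.2 MiB each according to the file list at the top; committing multi-megabyte animations directly into the repository permanently grows every clone, so consider Git LFS or hosting the demos outside the repo and linking to them, and make sure the image markup carries alt text so the Features section still reads correctly without the images.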
@@ -42,15 +42,13 @@ RMM-Hunter generates comprehensive reports in multiple formats:
|
||||
- **JSON** - Machine-readable format for integration with SIEM and automation platforms
|
||||
- **HTML** - Interactive web-based report with filtering and search capabilities
|
||||
|
||||

|
||||
|
||||
The HTML report includes:
|
||||
- Executive summary with detection statistics
|
||||
- Detailed findings across all detection categories
|
||||
- Metadata including detection time and system information
|
||||
- Built-in search and filter functionality for large result sets
|
||||
|
||||

|
||||

|
||||
|
||||
## Installation
|
||||
|
||||
@@ -95,29 +93,81 @@ powershell .\rmm-hunter.exe hunt --exclude TeamViewer,AnyDesk
|
||||
|
||||
### Eliminate Mode
|
||||
|
||||
**Status: Under Construction**
|
||||
The elimination module provides an interactive command-line interface for removing detected RMM installations from your system. The CLI component is fully functional, while the web-based interface is currently under development.
|
||||
|
||||
The elimination module is currently under active development. This functionality will provide automated remediation capabilities for detected RMM installations.
|
||||
#### CLI Component
|
||||
|
||||
Planned features:
|
||||
- Service termination and removal
|
||||
- Process termination
|
||||
- Binary deletion
|
||||
- Registry cleanup
|
||||
- Scheduled task removal
|
||||
- Backup and rollback capabilities
|
||||
Launch the interactive CLI elimination interface:
|
||||
|
||||
```powershell
|
||||
powershell .\rmm-hunter.exe eliminate --cli
|
||||
```
|
||||
|
||||
The CLI component operates through a multi-stage interactive workflow designed to provide granular control over the elimination process. When launched, the interface guides you through the following stages:
|
||||
|
||||
**Stage 1: Report Selection**
|
||||
|
||||
The interface scans the current directory for JSON hunt reports and presents them in a navigable list. You can browse available reports using arrow keys and select one by pressing Enter. The file picker automatically filters for valid JSON files generated by previous hunt operations.
|
||||
|
||||
**Stage 2: Category Selection**
|
||||
|
||||
After loading a report, you are presented with seven elimination categories corresponding to the detection vectors from the hunt module. Each category is accessible via numeric keys (1-7):
|
||||
|
||||
1. AutoRuns - Registry-based persistence mechanisms
|
||||
2. Binaries - Executable files on disk
|
||||
3. Connections - Active network connections
|
||||
4. Directories - Installation directories
|
||||
5. Processes - Running processes
|
||||
6. Scheduled Tasks - Task Scheduler entries
|
||||
7. Services - Windows services
|
||||
|
||||
**Stage 3: Item List View**
|
||||
|
||||
Upon selecting a category, the interface displays all detected items within that category. Each item shows relevant identifying information such as process names, file paths, service names, or connection details. Items that have already been eliminated are marked with a checkmark and displayed in green to provide visual feedback on remediation progress. You can navigate through the list using arrow keys and select an item for detailed inspection by pressing Enter.
|
||||
|
||||
**Stage 4: Detail View and Elimination**
|
||||
|
||||
The detail view presents comprehensive information about the selected item, including all metadata collected during the hunt phase. For each item type, the interface displays specific details:
|
||||
|
||||
For processes, you see the process name, PID, parent PID, command-line arguments, creation time, and executable path. For services, the display includes service name, display name, service type, start type, binary path, start account, and description. For autoruns, you see the entry name, launch string, registry location, image path, arguments, and file hashes (MD5, SHA1, SHA256). For binaries and directories, the full path is shown. For network connections, local and remote addresses, remote hostname, connection state, associated PID, and process name are displayed. For scheduled tasks, the name, author, state, enabled status, last result, next run time, last run time, and task path are presented.
|
||||
|
||||
From the detail view, pressing the exclamation mark (!) key initiates the elimination process for that specific item. The system performs intelligent dependency checking before elimination to prevent system instability.
|
||||
|
||||
**Dependency Validation**
|
||||
|
||||
Before eliminating binaries or directories, the system checks whether any active processes or enabled services are currently using those resources. If a dependency is detected, a warning modal appears explaining the conflict and suggesting the proper elimination order. For example, if you attempt to delete a binary that is currently in use by a running process, the system will warn you to eliminate the process first. Similarly, if a directory contains binaries used by active services, you must stop and remove those services before the directory can be deleted.
|
||||
|
||||

|
||||
|
||||
**Elimination Actions**
|
||||
|
||||
Each category type performs specific elimination operations:
|
||||
|
||||
Processes are terminated using their PID. Services are stopped and then deleted from the service control manager. Binaries are removed from the filesystem. Directories are recursively deleted along with all contents. AutoRun entries are removed from their respective registry locations. Scheduled tasks are disabled and then deleted from the Task Scheduler. Network connections result in the creation of Windows Firewall outbound block rules for the remote host, preventing future connections to that destination.
|
||||
|
||||

|
||||
|
||||
**State Persistence**
|
||||
|
||||
After each successful elimination, the system updates the JSON report file to mark the item as eliminated. This ensures that if you exit and restart the elimination interface, previously eliminated items remain marked and visually distinguished. The persistent state allows you to work through large result sets across multiple sessions without losing track of your progress.
|
||||
|
||||
**Navigation**
|
||||
|
||||
Throughout the interface, you can navigate backward using the left arrow key to return to the previous screen. Pressing 'q', 'Esc', or 'Ctrl+C' at any point will exit the application. The interface provides contextual help at each stage, displaying available keyboard shortcuts and actions.
|
||||
|
||||
#### Web Component (Under Development)
|
||||
|
||||
The web-based elimination interface is planned for a future release and will provide browser-based remediation capabilities with enhanced visualization and reporting features.
|
||||
|
||||
```powershell
|
||||
powershell .\rmm-hunter.exe eliminate --web
|
||||
```
|
||||
|
||||
This functionality is not yet available.
|
||||
|
||||
## Architecture
|
||||
|
||||
RMM-Hunter is built on **Scurvy**, a proprietary Windows system analysis framework (private repository). Scurvy provides the core capabilities for:
|
||||
|
||||
- Low-level Windows API interactions
|
||||
- Process and service management
|
||||
- Registry operations
|
||||
- Network connection enumeration
|
||||
- WMI query execution
|
||||
|
||||
The modular architecture allows for extensible detection capabilities while maintaining performance and stability.
|
||||
RMM-Hunter is built on **Scurvy**, a custom low-level OS exploitation repository (private). Scurvy provides the core capabilities for low-level Windows API interactions, process and service management, registry operations, network connection enumeration, and WMI query execution. The modular architecture allows for extensible detection capabilities while maintaining performance and stability.
|
||||
|
||||
## Output Formats
|
||||
|
||||
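Review bot: the "Elimination Actions" paragraph documents irreversible operations (recursive directory deletion, service deletion from the service control manager, registry autorun removal, persistent Windows Firewall block rules) but the new text never mentions backups or rollback, even though "Backup and rollback capabilities" sat in the removed "Planned features" list; either state plainly that eliminations cannot be undone and recommend keeping a copy of the hunt report and affected files before starting, or document the current status of backup/rollback. Two smaller points in the same hunk: "Dependency Validation" covers only binaries and directories, so the text should say what happens when a scheduled task or autorun entry still points at a binary that was deleted first; and the firewall sentence should give the rule name and scope (remote IP versus hostname) so an operator can locate and remove the rule later, since it outlives the tool's session. Finally, the Architecture bullet list was collapsed into a paragraph with no stated reason; the list form was easier to scan.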
@@ -144,17 +194,11 @@ RMM-Hunter employs multiple detection strategies:
|
||||
|
||||
## Limitations
|
||||
|
||||
- Requires administrative privileges for complete system visibility
|
||||
- May generate false positives in environments with legitimate RMM deployments
|
||||
- Network detection requires active connections at scan time
|
||||
- Elimination functionality not yet available
|
||||
Requires administrative privileges for complete system visibility. May generate false positives in environments with legitimate RMM deployments. Network detection requires active connections at scan time. The web-based elimination interface is not yet available.
|
||||
|
||||
## Contributing
|
||||
|
||||
Contributions are welcome. Please submit pull requests with:
|
||||
- Detailed description of changes
|
||||
- Test coverage for new detection signatures
|
||||
- Documentation updates
|
||||
Contributions are welcome. Please submit pull requests with detailed descriptions of changes, test coverage for new detection signatures, and documentation updates.
|
||||
|
||||
## License
|
||||
|
||||
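Review bot: the Limitations rewrite correctly narrows the last item to "the web-based elimination interface is not yet available", matching the Eliminate Mode section, but the bullet list was flattened into one paragraph (the Contributing list in this hunk gets the same treatment); the bulleted form matches the list style used in Features and Output Formats and is easier to scan, so I'd keep the bullets. Limitations should also now state that eliminate actions are destructive and presumably need the same administrative privileges as hunt, since as written the section reads as if it applies only to detection.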
@@ -180,7 +224,5 @@ This tool is intended for authorized security assessments and forensic analysis
|
||||
|
||||
For issues, questions, or feature requests, please open an issue on the GitHub repository.
|
||||
|
||||
---
|
||||
|
||||
**Note**: The underlying Scurvy framework is not publicly accessible and is maintained in a private repository.
|
||||
**Note**: The underlying Scurvy repository is a custom low-level OS exploitation framework that is not publicly accessible and is maintained privately.
|
||||
|
||||
|
||||
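Review bot: the footer note now repeats the "custom low-level OS exploitation framework" wording introduced in the Overview hunk; whichever description is settled on there should be reused here verbatim so the two do not drift apart on later edits.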