KrakenTech/RMM-Hunter
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Upgrade Scurvy library and add forced elevation logic with improved usage examples

Browse Source
This commit is contained in:
Evan Hosinski
2025-10-11 19:23:44 -04:00
parent d14b2837d0
commit a5d3623a72
3 changed files with 35 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files
cmd/root.go
+32 -13
View File
@@ -8,6 +8,7 @@ import (
"rmm-hunter/internal/tui" "rmm-hunter/internal/tui"
scurvy "github.com/Kraken-OffSec/Scurvy" scurvy "github.com/Kraken-OffSec/Scurvy"
"github.com/Kraken-OffSec/Scurvy/core/escalator"
"github.com/spf13/cobra" "github.com/spf13/cobra"
) )
@@ -24,7 +25,24 @@ var rootCmd = &cobra.Command{
Short: "RMM-Hunter - Detect and eliminate Remote Monitoring and Management software", Short: "RMM-Hunter - Detect and eliminate Remote Monitoring and Management software",
Long: `RMM-Hunter is a tool designed to detect and eliminate Remote Monitoring Long: `RMM-Hunter is a tool designed to detect and eliminate Remote Monitoring
and Management (RMM) software on Windows systems. It can hunt for suspicious and Management (RMM) software on Windows systems. It can hunt for suspicious
processes, services, binaries, and network connections associated with RMM tools.`, processes, services, binaries, and network connections associated with RMM tools.
Steps:
- Click start
- Type Powershell (see Windows Powershell)
- Right click and select "Run as administrator"
- Navigate to the directory containing rmm-hunter.exe
> If you downloaded the executable, it will be in your Downloads folder
> cd ~\Downloads\
- To start the enumeration process, run the following command:
> .\rmm-hunter.exe hunt
- To remove detected RMM software, run the following command:
> CLI - A command line interface with interactive prompts
-> .\rmm-hunter.exe eliminate--cli
> Web - A web interface for browser based elimination (Under Construction)
-> .\rmm-hunter.exe eliminate --web
`,
Version: "1.0.0", Version: "1.0.0",
} }
@@ -41,7 +59,10 @@ var huntCmd = &cobra.Command{
- Processes - Processes
- Outbound Network Connections - Outbound Network Connections
- Scheduled Tasks - Scheduled Tasks
- Registry Entries`, - Registry Entries
> .\rmm-hunter.exe hunt
`,
Run: func(cmd *cobra.Command, args []string) { Run: func(cmd *cobra.Command, args []string) {
fmt.Println("Starting RMM Hunt...") fmt.Println("Starting RMM Hunt...")
runHunt() runHunt()
@@ -54,21 +75,19 @@ var eliminateCmd = &cobra.Command{
Short: "Eliminate Sus software based on hunt results", Short: "Eliminate Sus software based on hunt results",
Long: `Eliminate mode removes detected RMM Software from the system. Long: `Eliminate mode removes detected RMM Software from the system.
Requires a JSON input file containing hunt results to determine what to remove. Requires a JSON input file containing hunt results to determine what to remove.
Administrative Privileges are required. Administrative Privileges are required. The executable will run a UAC prompt asking for escalation permissions to adjust.
Steps: > CLI - A command line interface with interactive prompts
- Click start -> .\rmm-hunter.exe eliminate --cli
- Type Powershell (see Windows Powershell) > Web - A web interface for browser based elimination (Under Construction)
- Right click and select "Run as administrator"
- Navigate to the directory containing rmm-hunter.exe
> cd ~\Downloads\
- Run the following command:
> CLI
-> .\rmm-hunter.exe eliminate--cli
> Web
-> .\rmm-hunter.exe eliminate --web -> .\rmm-hunter.exe eliminate --web
`, `,
Run: func(cmd *cobra.Command, args []string) { Run: func(cmd *cobra.Command, args []string) {
if admin, err := scurvy.IsAdmin(); err != nil || !admin { if admin, err := scurvy.IsAdmin(); err != nil || !admin {
escErr := escalator.RequireAdmin()
if err != nil {
fmt.Printf("Failed to elevate: %v\n", escErr)
os.Exit(1)
}
fmt.Println("User is not admin, please run as administrator") fmt.Println("User is not admin, please run as administrator")
os.Exit(1) os.Exit(1)
} }
go.mod
+1 -1
View File
@@ -3,7 +3,7 @@ module rmm-hunter
go 1.24.7 go 1.24.7
require ( require (
github.com/Kraken-OffSec/Scurvy v0.0.0-20251011220403-fbfc55b9d87a github.com/Kraken-OffSec/Scurvy v0.0.0-20251011230527-75a5d96453a7
github.com/charmbracelet/bubbles v0.21.0 github.com/charmbracelet/bubbles v0.21.0
github.com/charmbracelet/bubbletea v1.3.10 github.com/charmbracelet/bubbletea v1.3.10
github.com/charmbracelet/lipgloss v1.1.0 github.com/charmbracelet/lipgloss v1.1.0
go.sum
+2
View File
@@ -10,6 +10,8 @@ github.com/Kraken-OffSec/Scurvy v0.0.0-20251011211525-6bf6bee1b100 h1:Om4wnKb+fp
github.com/Kraken-OffSec/Scurvy v0.0.0-20251011211525-6bf6bee1b100/go.mod h1:0pPwYHy+r8KGzXZ8vBgyYd6qy3vX+AMRo9XLiGc8WGE= github.com/Kraken-OffSec/Scurvy v0.0.0-20251011211525-6bf6bee1b100/go.mod h1:0pPwYHy+r8KGzXZ8vBgyYd6qy3vX+AMRo9XLiGc8WGE=
github.com/Kraken-OffSec/Scurvy v0.0.0-20251011220403-fbfc55b9d87a h1:PWSQPeqWs5kKreTgIyddGWF+EwmlbYYZa4mRUVLpINc= github.com/Kraken-OffSec/Scurvy v0.0.0-20251011220403-fbfc55b9d87a h1:PWSQPeqWs5kKreTgIyddGWF+EwmlbYYZa4mRUVLpINc=
github.com/Kraken-OffSec/Scurvy v0.0.0-20251011220403-fbfc55b9d87a/go.mod h1:0pPwYHy+r8KGzXZ8vBgyYd6qy3vX+AMRo9XLiGc8WGE= github.com/Kraken-OffSec/Scurvy v0.0.0-20251011220403-fbfc55b9d87a/go.mod h1:0pPwYHy+r8KGzXZ8vBgyYd6qy3vX+AMRo9XLiGc8WGE=
github.com/Kraken-OffSec/Scurvy v0.0.0-20251011230527-75a5d96453a7 h1:bBfOGqMzoWM/9Dqg+f1EmgyrKquINqT8jBgk9PrrKWQ=
github.com/Kraken-OffSec/Scurvy v0.0.0-20251011230527-75a5d96453a7/go.mod h1:0pPwYHy+r8KGzXZ8vBgyYd6qy3vX+AMRo9XLiGc8WGE=
github.com/alwindoss/morse v1.0.1 h1:PkUh5m1UHMcZ1Upvl7CmSIBMxdEBejWoQ4rQQtgJsCQ= github.com/alwindoss/morse v1.0.1 h1:PkUh5m1UHMcZ1Upvl7CmSIBMxdEBejWoQ4rQQtgJsCQ=
github.com/alwindoss/morse v1.0.1/go.mod h1:qAqJOep3jEpIpiLgqSGgLk5Zh4BZKsyzMQHuAwVPMXc= github.com/alwindoss/morse v1.0.1/go.mod h1:qAqJOep3jEpIpiLgqSGgLk5Zh4BZKsyzMQHuAwVPMXc=
github.com/atotto/clipboard v0.1.4 h1:EH0zSVneZPSuFR11BlR9YppQTVDbh5+16AmcJi4g1z4= github.com/atotto/clipboard v0.1.4 h1:EH0zSVneZPSuFR11BlR9YppQTVDbh5+16AmcJi4g1z4=