Nasreddine Bencherchali nasbench

## ATPSiPolicy.xml
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx>
  <PolicyTypeID>{4E61C68C-97F6-430B-9CD7-9B1004706770}</PolicyTypeID>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <Rules>
    <Rule>
      <Option>Enabled:UMCI</Option>
    </Rule>
    <Rule>

## RMM-detection.md

      
              3 files
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                nasbench
                / RMM-detection.md
            
            
              Created
              May 7, 2023 13:07
                — forked from brokensound77/RMM-detection.md
            
              
                Detection Engineering: RMM analysis 
              
          
    Detecting RMM

The most difficult challenge with RMM detection is contextual awareness around usage to determine if it is valid or malicious.

if the software is not used in the envrionment

could it be legitimate by a random empoyee?
is it an attacker BYOL
even so, all occurrences could probably be considered suspicious


if it is used in the environment

is every use of it legitimate? Probably not


this also creates significant living off the land (LOL) opportunity


## shellBigInt.cs
sing System;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;


/*
Author: Casey Smith, Twitter: @subTee

## howto.txt
800, AntiVirus
801, AntiSpyware
802, Antimalware
803, Full
804, Delta
805, Full Scan
806, Quick Scan
807, Custom Scan
808, Remove
809, Quarantine
	<?xml version="1.0"?>
	<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
	<VersionEx>10.0.0.0</VersionEx>
	<PolicyTypeID>{4E61C68C-97F6-430B-9CD7-9B1004706770}</PolicyTypeID>
	<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
	<Rules>
	<Rule>
	<Option>Enabled:UMCI</Option>
	</Rule>
	<Rule>
	sing System;
	using System.Diagnostics;
	using System.Reflection;
	using System.Configuration.Install;
	using System.Runtime.InteropServices;



	/*
	Author: Casey Smith, Twitter: @subTee
	800, AntiVirus
	801, AntiSpyware
	802, Antimalware
	803, Full
	804, Delta
	805, Full Scan
	806, Quick Scan
	807, Custom Scan
	808, Remove
	809, Quarantine