Removal of non-RMM tools: What is a RMM?

[SecurityAura]

Hi!

While showing the LOLRMM website to some colleagues, I noticed that MEGAsync was listed as a RMM, which is odd, since to my knowledge, it has no RMM features or else.

https://lolrmm.io/tools/megasync

The website lists it as being not verified yet, but just its presence could be misleading. I took a quick glance at the list and extracted other tools that, to my knowledge, do not fit the RMM criteria:

Adobe Connect
Basecamp
Cloudflare Tunnel
Free Ping Tool
MultCloud
ngrok
Yandesk.disk

While some of them would be very good candidates for a LOLEXFIL project winkwink, they are not RMM-tools compared to others such as AnyDesk, Atera, Splashtop, MeshAgent, etc.

There are probably a few more tools overall in the list that do not fit the definition of a RMM, but these are the ones that jumped at me.

At this point: what criteria is/are being used to define if a tool is a RMM or not? If we're talking about every single tool that can be (ab)used by threat actors, we could also throw in FileZilla and WinSCP in the list for instance. Same goes for Google Drive, OneDrive, etc.

Happy to do a more comprehensive review of the tools listed in LOLRMM should there was really an oversight in the addition of non-RMM tools.

Thank you!

[josehelps]

@SecurityAura we started with a massive dump of tools we had and some if you squint hard enough might be """RMMs""" triple emphatic quotes on that. With that said if you are willing and able to do a quick scan pick the questionable ones happy to remove them and put them on some sort of tribunal with the team make sure they are ok with exclude or including them. I will take any help you can offer. TY again for raising this!

[SecurityAura]

Sorry for the late reply, busy week! 😂

I see that @nasbench already did a huge PR to remove most of the tools I had identified. I'll give it a look this weekend to see if I can identify any other and make a PR if I do.

If not, I'll comeback here to confirm that this issue has been addressed and can be closed. Thank you!

And thanks Nas for the quick and massive PR 🔥

[SecurityAura]

Below is a first pass I did. However, I think it would be better to merge @nasbench pull first because it seems like his PR is removing a few of the tools I also identified below. So once that PR is merged, I could go ahead and do another one that removes the extra tools.

Following Nas' lead, I also included a bunch of "client-only" apps such as PuTTY and all the PuTTY clones that can exists. On top of PsExec, PsExec (clone), etc. as they would not fit the RMM definition.

Also, I noticed that there are some duplicate entries as well, for instance:

3x Splashtop
2x Tanium
2x UltraVNC
2x Visual Studio Dev Tunnels
2x VNC (which seems to be RealVNC anyway and the actual RealVNC is empty)

I think they should all be merged together should they all point to the same software. I can do a PR for this as well if you're okay with that.

Another question: Do you think it would be possible to add the Verification status in the CSV and even add it as a filter in the website? This would allow people ingesting the CSV or browsing the website to actually filter on RMMs that have been verified AS actual RMMs and not entries that are pending analysis, verdict or else.

Edit: On a side note, removing Microsoft RDP, Microsoft TSC, mstsc, etc. would also take care of this issue:

#43

Not a RMM

Adobe Connect - Tricky
Basecamp - Collaboration Software
BeInSync - Collaboration Software
Centurion - Not a lot of information on it
Deskday - Not really a RMM
Desknets - Collaboration Software
DragonDisk - AWS S3 File Manager
Duplicati - Backup
Encapto - Management for WiFi and network appliances
Free Ping Tool - Based on the name alone ...
Free Tools Launcher - Based on the name alone ... One component of ManageEngine?
InSync - Assuming it's from Druva: Backup Software
Koofr - Storage/Backup Client
MegaSYNC - The Mega backup client (cloud storage)
MultCloud - Backup
NordLocker - Backup/Storage
OnionShare - File Sharing and so on.
RemotePass - HR and Payroll Management
S3 Browser - AWS S3 Client
Syncthing - File Synchronization
TurboMeeting - Web Conferencing and the likes
WinSCP - File Transfer Software
Yandesk.disk - Cloud Storage

Client Applications, not RMM

Bitvise SSH Client - SSH Client
ExtraPuTTY - It's PuTTY
KiTTY - It's PuTTY
Microsoft RDP - We're talking about the client here
Microsoft TSC - We're talking about the client here
Mstsc - We're talking about the client here
PsExec - Not a RMM
PsExec Clone - Not a RMM either (e.g.: PAExec)
PuTTY - It's PuTTY
RDPWrap - Extend Terminal Services, but not a RMM in itself
SmartFTP - FTP solution
Smartty - PuTTY like
Solar PuTTY - PuTTY like
SuperPuTTY - PuTTY like
Terminals - Assuming it's this (https://github.com/Terminals-Origin/Terminals), it's a client
XSHELL - SSH Client

Actual Malware ?

Sorillus - The actual malware?
Remcos - The actual malware?

[SecurityAura]

Just checking in to see if there's any plan to go ahead with Nas merge to remove the non-RMM tools he flagged and then I can clean up the list I have an PR the rest? 👀