LOLRMM is a curated list of Remote Monitoring and Management (RMM) tools that could potentially be abused by threat actors. Inspired by the original LOLBAS project for tracking binaries and closely associated with LOLDrivers for malicious drivers, this project aims to assist security professionals in staying informed about these tools and their potential for misuse. For a collection of similar "Living Off The Land" projects, visit lolol.farm.
LOLRMM provides detection capabilities for various SIEM platforms to help you identify unauthorized RMM tools in your environment. Select your preferred platform below:
Detecting Unauthorized RMM Domains in Microsoft Defender for Endpoint
LOLRMM provides a comprehensive list of known RMM domains that you can use to detect unauthorized RMM tools in your environment. The domains list is available via API in CSV format. Below is a sample KQL query for Microsoft Defender for Endpoint:
// Detecting Unauthorized RMM Instances in Your MDE Environment
let ApprovedRMM = dynamic(["nomachine.com", "ivanti.com", "getgo.com"]); // Your approved RMM domains
// Pull the LOLRMM domain list straight from the project's CSV API (one row per domain, with the tool it belongs to)
let RMMList = externaldata(URI: string, RMMTool: string)
[h'https://raw.githubusercontent.com/magicsword-io/LOLRMM/main/website/public/api/rmm_domains.csv'];
let RMMUrl = RMMList | project URI; // single-column list used as the has_any set below
DeviceNetworkEvents
| where TimeGenerated > ago(1h) // Sentinel column name; in the Defender advanced hunting schema use Timestamp
| where ActionType == @"ConnectionSuccess" // only connections that actually succeeded
| where RemoteUrl has_any(RMMUrl) // term match: "relay.anydesk.com" matches the listed "anydesk.com"
| where not (RemoteUrl has_any(ApprovedRMM)) // drop the RMM tools your organization sanctions
| summarize arg_max(TimeGenerated, *) by DeviceId // keep the most recent hit per device
Replace the domains in the ApprovedRMM list with your organization's approved RMM domains to exclude them from the detection.
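The same detection logic as an added Python example, not LOLRMM's own code or a query from the page, for testing the approach offline or outside MDE: it parses a constructed stand-in for rmm_domains.csv (column names URI and RMMTool assumed, matching the externaldata declaration above), filters constructed DeviceNetworkEvents-style records the way the KQL does, approximates the `has_any` term match with a label-boundary suffix match, and keeps the latest hit per device like `arg_max`.

```python
import csv
import io

# Constructed stand-in for the LOLRMM rmm_domains.csv (real list is fetched from the project API).
RMM_DOMAINS_CSV = """URI,RMMTool
nomachine.com,NoMachine
anydesk.com,AnyDesk
screenconnect.com,ConnectWise ScreenConnect
getgo.com,GoToAssist
"""

# Constructed sample of DeviceNetworkEvents-style records; not real telemetry.
NETWORK_EVENTS = [
    {"Timestamp": "2024-05-01T10:00:00Z", "DeviceId": "dev-01", "ActionType": "ConnectionSuccess", "RemoteUrl": "relay.anydesk.com"},
    {"Timestamp": "2024-05-01T10:05:00Z", "DeviceId": "dev-01", "ActionType": "ConnectionSuccess", "RemoteUrl": "instance-x.screenconnect.com"},
    {"Timestamp": "2024-05-01T10:02:00Z", "DeviceId": "dev-02", "ActionType": "ConnectionSuccess", "RemoteUrl": "cloud.nomachine.com"},
    {"Timestamp": "2024-05-01T10:03:00Z", "DeviceId": "dev-03", "ActionType": "ConnectionFailed", "RemoteUrl": "relay.anydesk.com"},
    {"Timestamp": "2024-05-01T10:04:00Z", "DeviceId": "dev-04", "ActionType": "ConnectionSuccess", "RemoteUrl": "update.example.com"},
]

APPROVED_RMM = {"nomachine.com", "getgo.com"}  # the organization's sanctioned RMM domains


def load_rmm_domains(csv_text):
    """Parse the CSV into {domain: tool name}, mirroring externaldata(URI, RMMTool)."""
    return {row["URI"].strip().lower(): row["RMMTool"] for row in csv.DictReader(io.StringIO(csv_text))}


def matched_domain(remote_url, domains):
    """Return the listed domain that RemoteUrl is or is a subdomain of, else None.
    Matching on label boundaries keeps 'notanydesk.com' from matching 'anydesk.com',
    which is also how KQL's term-based has_any behaves."""
    host = remote_url.lower()
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def detect_unauthorized_rmm(events, domains, approved):
    """Latest successful connection per device to a listed but unapproved RMM domain."""
    latest = {}
    for ev in events:
        if ev["ActionType"] != "ConnectionSuccess":
            continue
        d = matched_domain(ev["RemoteUrl"], domains)
        if d is None or d in approved:
            continue
        cur = latest.get(ev["DeviceId"])
        if cur is None or ev["Timestamp"] > cur["Timestamp"]:  # arg_max(Timestamp, *) by DeviceId
            latest[ev["DeviceId"]] = {**ev, "RMMTool": domains[d]}
    return latest
```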