Threat Huntmediumtest

Remote Access Tool - Ammy Admin Agent Execution

Detects the execution of the Ammy Admin RMM agent for remote management.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

kostastsaleCreated Mon Aug 057da7809e-f3d5-47a3-9d5d-fc9d019caf14windows

Hunting Hypothesis

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains: 'AMMYY\aa_nts.dll",run'
    condition: selection

False Positives

Legitimate use of Ammy Admin RMM agent for remote management by admins.

References

MITRE ATT&CK

Tactics

Other

detection.threat-hunting

Rule Metadata

Rule ID

7da7809e-f3d5-47a3-9d5d-fc9d019caf14

Status

test

Level

medium

Type

Threat Hunt

Created

Mon Aug 05

Author

Path

rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_ammyy_admin_execution.yml

Raw Tags

attack.executionattack.persistencedetection.threat-hunting