socketz/rmm-updater


RMM Updater

A tool for collecting, normalizing, and managing Remote Monitoring and Management (RMM) tool data from multiple sources.

Purpose

This repository aims to contribute to the CrowdStrike LogScale Community Content by maintaining an updated list of RMM tools that can be used in dashboards and custom queries for CrowdStrike deployments.

By aggregating data from multiple public sources, this project helps security teams:

  • Detect RMM tools in their environment
  • Monitor legitimate vs. potentially malicious remote access tools
  • Hunt for suspicious RMM activity using CrowdStrike queries
  • Stay updated with the latest RMM tools and their signatures

Future Plans

We're also planning to create a similar project for detectable Mouse Jigglers. While hardware-based jigglers are more challenging to detect, software-based ones and certain hardware patterns are not impossible to identify and will be investigated.

Features

  • Multi-source aggregation: Collects data from GitHub repositories, CSV files, JSON APIs, and YAML files
  • Data normalization: Standardizes tool names, binary paths, and domains across sources
  • CrowdStrike compatibility: Normalizes paths for CrowdStrike IOA (Indicator of Attack) rules
  • Duplicate removal: Automatically deduplicates entries
  • OS detection: Automatically detects OS (Windows/Linux/macOS) from binary paths
  • Domain cleaning: Filters out generic download sites and extracts main domains
  • Fuzzy matching: Uses fuzzy matching to normalize tool names
  • Source management: CLI tool for managing data sources
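The fuzzy-matching and duplicate-removal features above are the two steps most likely to go wrong silently: a loose match merges two distinct products, a strict one leaves a misspelled source entry as its own "tool". The following is an added example, not the project's own code, of how a practitioner would implement both with the standard library. It assumes a small constructed stand-in for `base/rmm_tools.csv` and a similarity cutoff of 0.8; the project's real canonical list and threshold may differ.

```python
import difflib
import re

# Constructed stand-in for base/rmm_tools.csv: the canonical spellings that
# source entries are collapsed onto. The real file is longer.
CANONICAL_TOOLS = ["AnyDesk", "TeamViewer", "ScreenConnect", "Splashtop"]


def name_key(name: str) -> str:
    """Comparison key: lowercase alphanumerics only ("Team Viewer" -> "teamviewer")."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def canonical_name(raw: str, canonical=CANONICAL_TOOLS, cutoff: float = 0.8) -> str:
    """Map one source's spelling of a tool name onto the canonical spelling.

    Exact key matches win first. Only then is difflib's similarity ratio used,
    and only above `cutoff` (an assumed value), so that distinct products with
    similar names are not merged. Names that match nothing are returned
    unchanged so a human reviews them instead of the row being dropped.
    """
    by_key = {name_key(c): c for c in canonical}
    key = name_key(raw)
    if key in by_key:
        return by_key[key]
    close = difflib.get_close_matches(key, list(by_key), n=1, cutoff=cutoff)
    return by_key[close[0]] if close else raw.strip()


def dedupe_rows(rows):
    """Drop duplicates of (rmm_tool, rmm_binary, rmm_os) after normalization, keeping first-seen order."""
    seen, out = set(), []
    for row in rows:
        key = (canonical_name(row["rmm_tool"]), row["rmm_binary"].lower(), row["rmm_os"])
        if key in seen:
            continue
        seen.add(key)
        out.append({"rmm_tool": key[0], "rmm_binary": key[1], "rmm_os": key[2]})
    return out


# Constructed sample rows, as three different sources might deliver them.
SAMPLE_ROWS = [
    {"rmm_tool": "anydesk", "rmm_binary": "*\\anydesk.exe", "rmm_os": "win"},
    {"rmm_tool": "AnyDesk", "rmm_binary": "*\\AnyDesk.exe", "rmm_os": "win"},
    {"rmm_tool": "TeamVeiwer", "rmm_binary": "*\\teamviewer.exe", "rmm_os": "win"},
    {"rmm_tool": "AnyViewer", "rmm_binary": "*\\anyviewer.exe", "rmm_os": "win"},
]

if __name__ == "__main__":
    for row in dedupe_rows(SAMPLE_ROWS):
        print(row)
```

Two behaviours are worth checking before trusting a threshold: a typo such as "TeamVeiwer" should still land on TeamViewer, while "AnyViewer" (a different product) must not be folded into AnyDesk. Vendor-prefixed names like "ConnectWise ScreenConnect" fall below the cutoff and come back unchanged, which is the signal to add an explicit alias rather than loosen the threshold.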

Installation

Prerequisites

  • Python 3.10+
  • Git
  • GitHub API token (for accessing GitHub repositories)

Setup

  1. Clone the repository:
git clone https://github.com/socketz/rmm-updater.git
cd rmm-updater
  2. Create and activate a virtual environment:
python3 -m venv .venv
source .venv/bin/activate  # On Linux/macOS
# or
.venv\Scripts\activate  # On Windows
  3. Install dependencies:
pip install -r requirements.txt
  4. Configure environment variables:

Create a .env file with your GitHub API token:

GITHUB_API=your_github_token_here

Usage

Generate RMM CSV Files

Generate the consolidated rmm_tools.csv and rmm_domains.csv files from all configured sources:

python rmm-updater.py

Command Line Options

# Exclude specific tools
python rmm-updater.py -e "PuTTY" "WinSCP"

# Use custom output directory
python rmm-updater.py -o custom_output

# Use custom downloads directory
python rmm-updater.py -d custom_downloads

# Show statistics after generation
python rmm-updater.py -s

# Use custom sources configuration
python rmm-updater.py -c my-sources.yaml

Managing Data Sources

The project includes a separate tool for managing data sources:

# List all configured sources
python source-manager.py list

# Add a new source
python source-manager.py create MySource https://example.com/data.csv "Description"
python source-manager.py add MySource_draft.yaml

# Validate a source
python source-manager.py validate source.yaml

# Show source details
python source-manager.py show RMM-Catalogue

# Remove a source
python source-manager.py remove MySource

For complete documentation, see:

Creating Releases

The project includes a GitHub Action workflow to automatically generate and release the RMM data files with semantic versioning.

Manual Release via GitHub Actions

  1. Go to the Actions tab in the GitHub repository
  2. Select the "Generate and Release RMM Data" workflow
  3. Click "Run workflow"
  4. Enter the version number (e.g., v0.1.0, v0.2.0, etc.)
  5. Click "Run workflow"

The workflow will:

  • Set up Python environment
  • Install dependencies
  • Run rmm-updater.py to generate CSV files
  • Create a GitHub release with the version tag
  • Attach rmm_tools.csv and rmm_domains.csv as downloadable assets

Downloading Released Files

To use the latest RMM data files in your CrowdStrike LogScale deployment:

  1. Go to the Releases page
  2. Download rmm_tools.csv and rmm_domains.csv from the latest release
  3. Upload them to your LogScale instance

Versioning

The project uses semantic versioning (semver):

  • v0.1.0 - Initial release
  • v0.2.0 - Minor updates (new tools, updated data)
  • v1.0.0 - Major milestone or breaking changes

Data Sources

The tool aggregates data from multiple public sources:

  • RMM-Catalogue - Community-maintained catalog of RMM tools
  • RMML - RMM tool definitions in YAML format
  • LOLRMM - Living Off The Land RMM tools database
  • Additional community sources (see sources.yaml)

Output Files

The tool generates two main CSV files:

rmm_tools.csv

Contains RMM tool binaries with columns:

  • rmm_tool: Normalized tool name
  • rmm_binary: Binary path (normalized for CrowdStrike)
  • rmm_os: Operating system (win/lin/mac)

rmm_domains.csv

Contains RMM tool domains with columns:

  • rmm_tool: Normalized tool name
  • rmm_domain: Main domain (cleaned and normalized)
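"Main domain (cleaned and normalized)" hides two decisions: how a raw source value (a full download URL, a wildcard pattern, a host with a port) is reduced to its registrable domain, and which generic download sites are thrown away. The block below is an added example of that cleaning, not the project's code. It assumes a constructed generic-site set (the README names only softonic.com and cnet.com) and a four-entry stand-in for the Public Suffix List; a real run should use the full list, for example through the `tldextract` package, or `example.co.uk`-style domains collapse to `co.uk`.

```python
from urllib.parse import urlsplit

# Sites that host downloads for everything and so identify no tool.
# Constructed set; the project's real list lives in rmm-updater.py.
GENERIC_DOWNLOAD_SITES = {"softonic.com", "cnet.com", "github.com", "sourceforge.net"}

# Minimal stand-in for the Public Suffix List (assumption for this example).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(value: str):
    """Reduce a URL, hostname, host:port or wildcard pattern to its registrable domain.

    Returns None for values that are not a usable domain (IP addresses,
    single labels, empty strings) so callers drop them instead of writing
    junk rows into rmm_domains.csv.
    """
    text = value.strip().lower()
    if "//" in text:
        host = urlsplit(text).hostname or ""
    else:
        host = text.split("/", 1)[0].split(":", 1)[0]
    host = host.rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    labels = host.split(".")
    if len(labels) < 2 or not all(labels):
        return None
    if labels[-1].isdigit():  # last label numeric: treat as an IPv4 address, not a domain
        return None
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    if len(labels) < n:
        return None
    return ".".join(labels[-n:])


def clean_domains(rows):
    """Build deduplicated (rmm_tool, rmm_domain) rows from raw (tool, value) pairs."""
    seen, out = set(), []
    for tool, raw in rows:
        domain = registrable_domain(raw)
        if domain is None or domain in GENERIC_DOWNLOAD_SITES:
            continue
        if (tool, domain) not in seen:
            seen.add((tool, domain))
            out.append({"rmm_tool": tool, "rmm_domain": domain})
    return out


# Constructed sample input for a hypothetical tool, in the shapes sources deliver it.
SAMPLE_DOMAIN_ROWS = [
    ("ExampleRMM", "https://download.example-rmm.com/agent.exe"),
    ("ExampleRMM", "*.relay.example-rmm.co.uk"),
    ("ExampleRMM", "relay1.example-rmm.com:443"),
    ("ExampleRMM", "https://www.softonic.com/download/examplermm"),
    ("ExampleRMM", "10.0.0.5"),
]

if __name__ == "__main__":
    for row in clean_domains(SAMPLE_DOMAIN_ROWS):
        print(row)
```

Collapsing to the registrable domain is deliberate: a hunt on `rmm_domain` should fire on any relay or CDN host under the vendor's domain, not only the one hostname a source happened to record.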

Path Normalization

Binary paths are automatically normalized for CrowdStrike compatibility:

Original                          Normalized
C:\Program Files\Tool\app.exe     *\Program Files\Tool\app.exe
D:\Apps\tool.exe                  *\Apps\tool.exe
/usr/local/bin/tool               /usr/local/bin/tool (unchanged)
path\with\<string ID>\file.exe    path\with\*\file.exe
path\with\(Random)\file.exe       path\with\*\file.exe

All paths are converted to lowercase for case-insensitive matching.
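The table above covers three transformations (drive letter to `*`, placeholder tokens to `*`, lowercasing) plus the OS tag that ends up in `rmm_os`. As an added example, not the project's implementation, the following carries those rules through in Python on constructed input. It assumes that sources only ever use `<...>` and `(Random)` as placeholders and that the OS can be inferred from the path shape (backslashes or `.exe` mean Windows, `.app` bundles or `/Applications` mean macOS, anything else Linux); the project's actual rules may be broader.

```python
import re

# Placeholder tokens that sources use for per-install random path components.
# The README shows `<string ID>` and `(Random)`; this accepts any `<...>` token
# and `(random)` in any case. Assumption: no other placeholder syntax appears.
PLACEHOLDER_RE = re.compile(r"<[^<>]+>|\(random\)", re.IGNORECASE)
DRIVE_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)


def normalize_path(path: str) -> str:
    """Turn a source path into the wildcard, lowercase form used in rmm_tools.csv."""
    p = path.strip()
    p = DRIVE_RE.sub(r"*\\", p)            # C:\ or D:\  ->  *\
    p = PLACEHOLDER_RE.sub("*", p)          # <string ID>, (Random)  ->  *
    p = re.sub(r"\*(?:\\?\*)+", "*", p)     # collapse "**" and "*\*" into one "*"
    return p.lower()                        # case-insensitive matching downstream


def detect_os(normalized: str) -> str:
    """Heuristic win/lin/mac tag from a normalized path (assumed rules, see lead-in)."""
    p = normalized.lower()
    if "\\" in p or p.endswith((".exe", ".dll")):
        return "win"
    if p.startswith(("/applications/", "/library/", "/users/")) or ".app/" in p:
        return "mac"
    return "lin"


def normalize_rows(rows):
    """(tool, raw_path) pairs -> deduplicated rmm_tools.csv-shaped rows."""
    seen, out = set(), []
    for tool, raw_path in rows:
        binary = normalize_path(raw_path)
        if (tool, binary) in seen:
            continue
        seen.add((tool, binary))
        out.append({"rmm_tool": tool, "rmm_binary": binary, "rmm_os": detect_os(binary)})
    return out


# Constructed sample paths for a hypothetical tool. The two Program Files
# entries differ only by drive letter and collapse into one row.
SAMPLE_PATHS = [
    ("ExampleRMM", r"C:\Program Files\ExampleRMM\agent.exe"),
    ("ExampleRMM", r"D:\Program Files\ExampleRMM\agent.exe"),
    ("ExampleRMM", r"C:\Users\<user>\AppData\Local\ExampleRMM\(Random)\agent.exe"),
    ("ExampleRMM", "/usr/local/bin/examplermm-agent"),
    ("ExampleRMM", "/Applications/ExampleRMM.app/Contents/MacOS/agent"),
]

if __name__ == "__main__":
    for row in normalize_rows(SAMPLE_PATHS):
        print(row)
```

Because the output is a glob, the lookup side has to treat it as one: a plain string-equality lookup against `rmm_binary` will never match a real `ImageFileName` that starts with `C:`.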

Project Structure

rmm-updater/
├── rmm-updater.py          # Main script
├── source-manager.py       # Source management CLI
├── sources.yaml            # Data source configurations
├── requirements.txt        # Python dependencies
├── .env                    # Environment variables (not in repo)
├── base/
│   └── rmm_tools.csv      # Canonical tool names for normalization
├── libs/
│   ├── __init__.py
│   └── utils.py           # Utility functions
├── rmm-sources/
│   ├── _schema_template.yaml    # Source schema template
│   └── *.yaml                   # Individual source definitions
├── output/
│   ├── rmm_tools.csv      # Generated binaries output
│   └── rmm_domains.csv    # Generated domains output
├── downloads/             # Downloaded source files
├── docs/                  # Documentation
└── scripts/              # Helper scripts

Contributing to CrowdStrike LogScale

The output files from this project are designed to be used with CrowdStrike LogScale queries. Example usage:

// Hunt for RMM tool executions. rmm_binary holds lowercased glob patterns
// (e.g. *\program files\tool\app.exe), so match the full path rather than the
// bare FileName, in glob mode and case-insensitively. match() is the current
// name of the function older LogScale documentation calls lookup().
#event_simpleName=ProcessRollup2
| match(file="rmm_tools.csv", field=ImageFileName, column=rmm_binary, mode=glob, ignoreCase=true, include=[rmm_tool, rmm_os])
| rmm_tool=*
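To see what the lookup does and why the full path matters, here is an added example (not the project's code, and not a LogScale query) that runs the same logic in Python over a constructed excerpt of `rmm_tools.csv` and a handful of constructed ProcessRollup2-shaped events. The tool, paths and hostnames are hypothetical; only the `ImageFileName`, `FileName` and `ComputerName` field names are taken from the event schema the query above uses.

```python
import fnmatch

# Constructed excerpt of output/rmm_tools.csv for a hypothetical tool:
# lowercased globs, drive letter already replaced by "*".
RMM_TOOLS = [
    {"rmm_tool": "ExampleRMM", "rmm_binary": r"*\program files\examplermm\agent.exe", "rmm_os": "win"},
    {"rmm_tool": "ExampleRMM", "rmm_binary": r"*\appdata\local\examplermm\*\agent.exe", "rmm_os": "win"},
    {"rmm_tool": "ExampleRMM", "rmm_binary": "/usr/local/bin/examplermm-agent", "rmm_os": "lin"},
]

# Constructed process events (only the fields this example reads).
EVENTS = [
    {"ComputerName": "ws01", "FileName": "agent.exe",
     "ImageFileName": r"C:\Program Files\ExampleRMM\agent.exe"},
    {"ComputerName": "ws02", "FileName": "agent.exe",
     "ImageFileName": r"C:\Users\bob\AppData\Local\ExampleRMM\k3j9x\agent.exe"},
    {"ComputerName": "ws03", "FileName": "agent.exe",
     "ImageFileName": r"C:\Users\bob\Downloads\agent.exe"},   # unrelated agent.exe
    {"ComputerName": "srv01", "FileName": "examplermm-agent",
     "ImageFileName": "/usr/local/bin/examplermm-agent"},
    {"ComputerName": "ws04", "FileName": "notepad.exe",
     "ImageFileName": r"C:\Windows\System32\notepad.exe"},
]


def match_by_path(event, table=RMM_TOOLS):
    """Glob-match the lowercased full path against rmm_binary (what mode=glob does)."""
    path = event.get("ImageFileName", "").lower()
    for row in table:
        if fnmatch.fnmatchcase(path, row["rmm_binary"]):
            return row
    return None


def match_by_filename(event, table=RMM_TOOLS):
    """What a lookup keyed on the bare FileName does: every agent.exe is a hit."""
    name = event.get("FileName", "").lower()
    for row in table:
        if row["rmm_binary"].replace("\\", "/").rsplit("/", 1)[-1] == name:
            return row
    return None


def hunt(events, matcher=match_by_path):
    """Return (host, tool, os) for every event the matcher attributes to an RMM tool."""
    hits = []
    for event in events:
        row = matcher(event)
        if row is not None:
            hits.append((event["ComputerName"], row["rmm_tool"], row["rmm_os"]))
    return hits


if __name__ == "__main__":
    print("by path:    ", hunt(EVENTS))
    print("by filename:", hunt(EVENTS, match_by_filename))
```

Matching on the full path attributes ws01, ws02 and srv01 and ignores the stray `agent.exe` in a Downloads folder; matching on the basename alone also flags ws03. Whether that extra hit is noise or exactly the renamed or relocated binary you are hunting for depends on the question, so it is worth running both and diffing them.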

For integration with CrowdStrike LogScale Community Content:

  1. Run python rmm-updater.py to generate updated CSV files
  2. Review the output for accuracy
  3. Submit updates to the logscale-community-content repository

Tool Exclusions

The tool automatically excludes certain applications that are not true RMM tools, based on community consensus. See RMM_TOOLS_BLACKLIST in rmm-updater.py.

Generic download sites (e.g., softonic.com, cnet.com) are also filtered from domain lists.

Development

Running Tests

# Run with statistics
python rmm-updater.py -s

# Test source manager
python source-manager.py list
bash scripts/demo_source_manager.sh

Adding a New Source

  1. Create a source definition using the schema template:
python source-manager.py create MySource https://example.com/data.json "Description"
  2. Edit the generated MySource_draft.yaml file
  3. Validate and add:
python source-manager.py validate MySource_draft.yaml
python source-manager.py add MySource_draft.yaml
  4. Run the updater to test:
python rmm-updater.py

References

License

This project is provided as-is for community benefit. Please respect the licenses of the individual data sources used.

Acknowledgments

  • CrowdStrike Community for the LogScale content repository
  • All the maintainers of the data sources we aggregate
  • The security community for their ongoing research into RMM tools

Support

For issues, questions, or contributions:

  • Open an issue on GitHub
  • Check the documentation
  • Review existing sources in sources.yaml

Note: This tool is for legitimate security purposes. Use responsibly and in accordance with your organization's policies.

About

RMM Tools list files for hunting in CrowdStrike / Logscale
