Add files via upload

Author: rolling-code

generic/rmm_nrpt_block.ps1

@@ -0,0 +1,312 @@
+#requires -RunAsAdministrator
+<#
+Creates local NRPT rules to divert selected RMM-related namespaces to 127.0.0.1 for test blocking.
+Generated from rmm_domains.csv. This is LOCAL ONLY to the current machine.
+Notes:
+ - NRPT is DNS-based. It will not block raw IP connections.
+ - Some apps may experience DNS timeouts because 127.0.0.1 is used as a sinkhole nameserver.
+ - To remove rules created by this script later, run: .\rmm_nrpt_block.ps1 -Remove
+#>
+param([switch]$Remove)
+
+$Namespaces = @(
+    '.-dms.zoho.com.cn',
+    '.01com.com',
+    '.247ithelp.com',
+    '.acronis.com',
+    '.action1.com',
+    '.adobeconnect.com',
+    '.aeroadmin.com',
+    '.alpemix.com',
+    '.ammyy.com',
+    '.analytics.insight.rapid7.com',
+    '.anydesk.com',
+    '.anyplace-control.com',
+    '.anysupport.net',
+    '.anyviewer.com',
+    '.aomeisoftware.com',
+    '.api.jumpcloud.com',
+    '.api.netreo.com',
+    '.api.splashtop.com',
+    '.api.splashtop.eu',
+    '.assist.jumpcloud.com',
+    '.auvik.com',
+    '.aweray.net',
+    '.baramundi.com',
+    '.barracudamsp.com',
+    '.basecamp.com',
+    '.beamyourscreen.com',
+    '.beanywhere.com',
+    '.beinsync.com',
+    '.beinsync.net',
+    '.beyondtrustcloud.com',
+    '.bluetrait.io',
+    '.bomgarcloud.com',
+    '.cc.centrastage.net',
+    '.cdn.getgo.com',
+    '.cell-1.domotz.com',
+    '.centuriontech.com',
+    '.cloud.tanium.com',
+    '.cloudbackup.management',
+    '.cloudberrylab.com',
+    '.cmdm.comodo.com',
+    '.connect.backdrop.cloud',
+    '.connectwise.com',
+    '.content.rview.com',
+    '.crossloop.com',
+    '.dameware.com',
+    '.deskday.ai',
+    '.deskroll.com',
+    '.desktop.qq.com',
+    '.desktopstreaming.com',
+    '.devtunnels.ms',
+    '.distantdesktop.com',
+    '.dms.zoho.com',
+    '.dms.zoho.com.eu',
+    '.domotz.co',
+    '.domotz.com',
+    '.donkz.nl',
+    '.downloads.io',
+    '.duetdisplay.com',
+    '.dwservice.net',
+    '.ehorus.com',
+    '.electric.ai',
+    '.emcosoftware.com',
+    '.encapto.com',
+    '.endpoint.ingress.rapid7.com',
+    '.ericom.com',
+    '.ezhelp.co.kr',
+    '.fastsupport.com',
+    '.fastviewer.com',
+    '.fixme.it',
+    '.fleetdeck.io',
+    '.fortra.com',
+    '.gatherplace.com',
+    '.gatherplace.net',
+    '.getalphacontrol.com',
+    '.getgo.com',
+    '.getscreen.me',
+    '.goto.com',
+    '.gotoassist.at',
+    '.gotoassist.com',
+    '.gotoassist.me',
+    '.gotohttp.com',
+    '.gotomypc.com',
+    '.goverlan.com',
+    '.heartbeatrm.com',
+    '.helpme.net',
+    '.helpu.co.kr',
+    '.hoptodesk.com',
+    '.hostedrmm.com',
+    '.idrive.com',
+    '.immy.bot',
+    '.imperosoftware.com',
+    '.instanthousecall.com',
+    '.instanthousecall.net',
+    '.intelliadmin.com',
+    '.internetid.ru',
+    '.iperius-rs.com',
+    '.iperius.com',
+    '.iperiusremote.com',
+    '.islonline.com',
+    '.islonline.net',
+    '.itagent.com',
+    '.itsm-us1.comodo.com',
+    '.itsupport247.net',
+    '.ivanti.com',
+    '.ivanticloud.com',
+    '.jumpdesktop.com',
+    '.jumpto.me',
+    '.kabuto.io',
+    '.kabutoservices.com',
+    '.kace.com',
+    '.kaseya.com',
+    '.kaseya.net',
+    '.khelpdesk.com.br',
+    '.kickidler.com',
+    '.level.io',
+    '.litemanager.com',
+    '.litemanager.ru',
+    '.logicnow.com',
+    '.logmein-gateway.com',
+    '.logmein.com',
+    '.logmein.eu',
+    '.logmeininc.com',
+    '.logmeinrescue.com',
+    '.logmeinrescue.eu',
+    '.lunixar.com',
+    '.managedsupport.kaseya.net',
+    '.manageengine.com',
+    '.mdmsupport.comodo.com',
+    '.mdt.qq.com',
+    '.meshcentral.com',
+    '.mikogo.com',
+    '.mikogo4.com',
+    '.miradore.com',
+    '.mremoteng.org',
+    '.msp360.com',
+    '.mspbackups.com',
+    '.my.auvik.com',
+    '.mygreenpc.com',
+    '.mymeetinggoogle.com',
+    '.n-able.com',
+    '.naverisk.com',
+    '.nchuser.com',
+    '.net.anydesk.com',
+    '.netbird.io',
+    '.netop.com',
+    '.netreo.com',
+    '.netsupportmanager.com',
+    '.ngrok.com',
+    '.ninja-backup.com',
+    '.ninjaone.com',
+    '.ninjarmm.com',
+    '.ninjarmm.net',
+    '.nomachine.com',
+    '.ntrsupport.com',
+    '.nvaccess.org',
+    '.ocsinventory-ng.org',
+    '.opti-tune.com',
+    '.optitune.us',
+    '.panorama9.com',
+    '.parallels.com',
+    '.parsec.app',
+    '.parsec.gg',
+    '.pcvisit.de',
+    '.pilixo.com',
+    '.pulseway.com',
+    '.r2.cloudflarestorage.com',
+    '.radmin.com',
+    '.real-time-collaboration.com',
+    '.rel.tunnels.api.visualstudio.com',
+    '.relay.splashtop.com',
+    '.remote.it',
+    '.remote.management',
+    '.remotecall.com',
+    '.remotedesktop-pa.googleapis.com',
+    '.remotedesktop.com',
+    '.remotedesktop.google.com',
+    '.remotepass.com',
+    '.remotepc.com',
+    '.remoteutilities.com',
+    '.repairshopr.com',
+    '.rmansys.ru',
+    '.rmm.datto.com',
+    '.rmmservice.ca',
+    '.rmmservice.com.au',
+    '.rmmservice.eu',
+    '.royalapps.com',
+    '.rport.io',
+    '.rudesktop.ru',
+    '.runsmart.io',
+    '.rustdesk.com',
+    '.rview.com',
+    '.screenconnect.com',
+    '.screenmeet.com',
+    '.scrn.mt',
+    '.search.namequery.com',
+    '.senso.cloud',
+    '.servably.com',
+    '.server-eye.de',
+    '.server.absolute.com',
+    '.set.me',
+    '.setme.net',
+    '.showmypc.com',
+    '.signalserver.xyz',
+    '.simple-help.com',
+    '.site24x7.cn',
+    '.site24x7.com',
+    '.site24x7.eu',
+    '.site24x7.in',
+    '.site24x7.net.au',
+    '.skyfex.com',
+    '.sophos.com',
+    '.sophosupd.com',
+    '.sophosupd.net',
+    '.sorillus.com',
+    '.soti.net',
+    '.splashtop.com',
+    '.spyanywhere.com',
+    '.spytech-web.com',
+    '.startsupport.com',
+    '.superops.ai',
+    '.superopsalpha.com',
+    '.superopsbeta.com',
+    '.support.services.microsoft.com',
+    '.supremocontrol.com',
+    '.swi-tc.com',
+    '.syncroapi.com',
+    '.syncromsp.com',
+    '.system-monitor.com',
+    '.systemmonitor.co.uk',
+    '.systemmonitor.eu.com',
+    '.systemmonitor.us',
+    '.tailscale.com',
+    '.tailscale.io',
+    '.teamviewer.com',
+    '.techinline.net',
+    '.teknopars.com',
+    '.tele-desk.com',
+    '.tightvnc.com',
+    '.tmate.io',
+    '.todesk.com',
+    '.todesktop.com',
+    '.ultraviewer.net',
+    '.ultravnc.com',
+    '.weezo.me',
+    '.weezo.net',
+    '.xeox.com',
+    '.zabbix.com',
+    '.zerotier.com',
+    '.zoho.com',
+    '.zoho.com.au',
+    '.zoho.com.cn',
+    '.zoho.eu',
+    '.zoho.in',
+    '.zohoassist.com',
+    '.zohoassist.com.cn',
+    '.zohoassist.jp'
+)
+
+$Tag = 'RMMBlockTest'
+
+function Test-IsAdmin {
+    $current = [Security.Principal.WindowsIdentity]::GetCurrent()
+    $principal = New-Object Security.Principal.WindowsPrincipal($current)
+    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
+}
+
+if (-not (Test-IsAdmin)) { throw "Run this script in an elevated PowerShell session." }
+
+if ($Remove) {
+    $existing = Get-DnsClientNrptRule | Where-Object { $_.Comment -eq $Tag -or $_.DisplayName -like "RMM block:*" }
+    foreach ($rule in $existing) {
+        try {
+            Remove-DnsClientNrptRule -Name $rule.Name -Force -ErrorAction Stop
+            Write-Host "Removed NRPT rule: $($rule.Name) [$($rule.Namespace -join ",")]" -ForegroundColor Yellow
+        } catch {
+            Write-Warning "Failed to remove NRPT rule $($rule.Name): $_"
+        }
+    }
+    return
+}
+
+$existingNs = @{}
+Get-DnsClientNrptRule | ForEach-Object {
+    foreach ($ns in $_.Namespace) { $existingNs[$ns.ToLower()] = $_.Name }
+}
+
+foreach ($ns in $Namespaces) {
+    if ($existingNs.ContainsKey($ns.ToLower())) {
+        Write-Host "Skipping existing namespace: $ns" -ForegroundColor DarkYellow
+        continue
+    }
+    try {
+        Add-DnsClientNrptRule -Namespace $ns -NameServers "127.0.0.1" -Comment $Tag -DisplayName "RMM block: $ns" -ErrorAction Stop | Out-Null
+        Write-Host "Added NRPT block rule for $ns" -ForegroundColor Green
+    } catch {
+        Write-Warning "Failed to add NRPT rule for ${ns}: $_"
+    }
+}
+
+Write-Host "Done. Review with: Get-DnsClientNrptRule | Where-Object Comment -eq "$Tag"" -ForegroundColor Cyan