Hi all - I wanted to create exceptions for an RMM tooling alert using SHA256 hashes. The issue that I'm facing is that if we have an RMM tool deployed (e.g. TeamViewer/AnyDesk/etc.) there are different versions of it out there due to a lack of endpoint updating. I've been collecting hashes to use as an exception, and it's getting to be a lot of hashes for the same program. Is there any other field from the logs that I may be able to use to create more of a blanket-coverage exception?
Can you provide an example payload (without sensitive information) to review?
Sure, here's the info that I'm looking at to create exceptions (hashes truncated):

```json
{
  "description": "TeamViewer Remote Control Application Installer",
  "product_name": "TeamViewer Installer",
  "author": "TeamViewer",
  "created": "2024-08-20T13:31:56.589Z",
  "last_modified": "2023-09-08T16:39:50.754Z",
  "size": 1164280,
  "hashes": {
    "md5": "85b337f66d43b0858e8XXXXXX",
    "sha256": "d452eab49dd003df76437cfc216e89d0814e6XXXXXXX",
    "sha1": "f8a405844173fb67d693e0de775XXXXXX"
  }
}
```
Would using the key/value product_name ICONTAINS "TeamViewer" suffice?
Just to be sure, if this is in nested JSON it might need to be source_json.product_name.
Or would that be considered too broad for your purposes?
David
It seems a little too broad for implementing an exception. The risk is that a malicious program can always be renamed.
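To make the trade-off in the two replies above concrete, here is an added example (not code from the original thread or from any product) that evaluates both candidate exceptions, a SHA256 allowlist and product_name ICONTAINS "TeamViewer" resolved from either the top level or a nested source_json object, against three constructed events. The event labels, the field-path helper, and the "renamed-unknown" event whose metadata merely copies the TeamViewer strings are assumptions made for illustration; ICONTAINS is implemented as a case-insensitive substring match.

```python
import hashlib
import json

# Constructed sample events (not real telemetry). The first two mirror the
# payload shape posted in the thread; the third is a hypothetical binary
# whose version metadata was renamed to look like TeamViewer.
SAMPLE_EVENTS = [
    {
        "label": "teamviewer-v1",
        "product_name": "TeamViewer Installer",
        "author": "TeamViewer",
        "hashes": {"sha256": hashlib.sha256(b"teamviewer build 1").hexdigest()},
    },
    {
        "label": "teamviewer-v2-nested",
        # Same fields nested under source_json, as David suggests may occur.
        "source_json": {
            "product_name": "TeamViewer Installer",
            "author": "TeamViewer",
            "hashes": {"sha256": hashlib.sha256(b"teamviewer build 2").hexdigest()},
        },
    },
    {
        "label": "renamed-unknown",
        # Metadata copied from TeamViewer; the file itself is something else.
        "product_name": "teamviewer installer",
        "author": "Unknown",
        "hashes": {"sha256": hashlib.sha256(b"something else entirely").hexdigest()},
    },
]

# Hashes collected for versions actually reviewed (here: only build 1).
ALLOWED_SHA256 = {hashlib.sha256(b"teamviewer build 1").hexdigest()}


def get_field(event, path):
    """Resolve a dotted path such as 'source_json.product_name'; None if absent."""
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def first_field(event, *paths):
    """Return the first non-None value found among several candidate paths."""
    for path in paths:
        value = get_field(event, path)
        if value is not None:
            return value
    return None


def icontains(value, needle):
    """Case-insensitive substring test, i.e. the ICONTAINS operator from the thread."""
    return isinstance(value, str) and needle.lower() in value.lower()


def hash_exception(event, allowed):
    """Narrow exception: suppress only if the SHA256 is on the reviewed allowlist."""
    sha = first_field(event, "hashes.sha256", "source_json.hashes.sha256")
    return sha in allowed


def name_exception(event, needle="TeamViewer"):
    """Broad exception: product_name ICONTAINS needle, top-level or under source_json."""
    name = first_field(event, "product_name", "source_json.product_name")
    return icontains(name, needle)


def evaluate(events, allowed):
    """Map each event label to (suppressed_by_hash, suppressed_by_name)."""
    return {e["label"]: (hash_exception(e, allowed), name_exception(e)) for e in events}


if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_EVENTS, ALLOWED_SHA256), indent=2))
```

Running it shows the two failure modes side by side: the hash allowlist misses the unreviewed build 2 (the maintenance burden from the first post), while the name rule suppresses every event including the renamed one (the risk named in the last reply), because product_name is attacker-controlled metadata rather than a property of the file.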