Hi.
We are leveraging the RMM detection rule however how can I run a search in Log Search for all RMM tools ran in my enviornment?
I am trying to use the Rule Logic but it’s not working:
from(
** event_type**
** IN [**
** “process_start_event”,**
** “local_service_installed”**
** ]**
)
where(
** SUBQUERY(“Remote Management Tools”)**
)
That is because SUBQUERY is not a supported feature of log search, essentially a subquery is a method we use to have dynamic lists of data, that update or a regular basis via our backend.
If you ask support we could provide a snapshot of the current subquery, however it would come with the caveat that this is subject to change and we cannot expose the subquery contents directly to end users currently.
David
Will that feature “subquery” eventually be available to customers for their own use cases in the near future?
Not in the near future no
David
Is the RMM list constantly updated? Also, if I wanted a list of RMM tools being monitored do I have to open a support case?
It wouldn’t be updated as frequently as some other SUBQUERIES, but we can’t guarantee or share the frequency of the updates currently.
Yes you would open a support case for that.
David
Thanks
Hi,
But how we (customers) are supposed to triage hundreds of Investigations and make the appropriate tuning/exceptions !? Currently we lack the dashboards, the log search and etc for such rules (SUBQUERIES), which in the end nullifies their usefulness.
PY
Hi Presian.
We have the RMM rule enabled. We simply White Listed all of our approved RMM tools and we get alerted on the ones we did not approve. We then have the End User Services group work with the user to uninstall the unapproved RMM tool. We also have settings in place with some of our security stack which allows us to BlackList (Block) the execution of the RMM tool. Hope this helps.
@presian_yankulov we can provide the list of entries within the SUBQUERY if you request it via a support ticket, I cannot share it here publicly
David
If I cannot use the SUBQUERY, how do I figure out how to make the exception? I don’t know how to make an exception. Please help. For example, bomgar.exe.
To create exceptions:
where(
process.name,
process.exe_file.orig_filename,
process.exe_path,
process.exe_file.product_name,
process.exe_file.author,
process.exe_file.signing_chain.*.subject,
service_name
ICONTAINS-ANY [
//insert match strings here, with qoutes and separated by a comma
]
)
For the match strings, please refer to the table below the following example I will show you for Bomgar:
where(
process.name,
process.exe_file.orig_filename,
process.exe_path,
process.exe_file.product_name,
process.exe_file.author,
process.exe_file.signing_chain.*.subject,
service_name
ICONTAINS-ANY [
“Bomgar”, “beyondtrust”
]
)
Rest of the tools that we have a list for:
| Application Name | Match Strings from “Process Name”, “Service Name”, “Exe File Path”, “Product and Version Info”, “Signer” |
|---|---|
| Access Remote PC | “Access Remote PC”, “rpcgrab.exe”, “rpcsetup.exe” |
| Action1 | “Action1”, “Action1 Corporation” |
| Addigy (MacOS, iOS) | “Addigy”, “go-agent”, “auditor”, “collector”, “lan-cache”, “mdmclient”, “launchd” |
| Aero Admin | “AeroAdmin”, “Aero Admin” |
| AliWangWang Remote Control | “AliWangWang”, “alitask.exe”, |
| Alpemix | “Alpemix”, “AlpemixWEB”, “Teknopars Bilisim”, “TEKNOPARS BİLİŞİM” |
| Ammyy Admin | “AA_v3.exe”, “Ammyy Admin”, “Ammyy” |
| AnyDesk | “AnyDesk”, “philandro software gmbh” |
| AnyPlace | “apc_host.exe”, “Anyplace Control”, “APC-Host” |
| AnyViewer | “AnyViewer”, “AOMEI International Network Limited” |
| Atera | “Atera”, “Atera Networks” |
| Auvik | “Auvik” |
| AweSun | “AweSun”, “AweRay”, “AweRay Limited” |
| Barracuda RMM | “Barracuda”, “BarracudaRMM”, “Level Platforms”, “LPI Level Platforms” |
| Basecamp | “Basecamp”," 37signals" |
| BeAnywhere | “BeAnywhere”, “basupsrvc”, “basuptshelper” |
| BlueTrait.io | “BlueTrait” |
| Bomgar , BeyondTrust | “Bomgar”, “beyondtrust” |
| Centurion | “ctiserv.exe” |
| Chrome Remote Desktop | “Chrome Remote Desktop”, “remote_assistance_host”, “remote_security_key”, “remoting_desktop”, “remoting_host”, “remoting_native_messaging_host”, “remoting_start_host” |
| Citrix Receiver | “Citrix Receiver” |
| Cloudflare Tunnel | “cloudflared.exe” |
| CrossLoop | “CrossLoop” |
| CrossTec Remote Control | “CrossTec” |
| Cruz RMM | “Cruz”, “Dorado Software” |
| DameWare | “Dameware”, “dntus”, “dwmirror”, “dwmrcs”, “dwvkbd”, “dwrcs”, “dwrcst”, “SolarWinds Remote Support Applet” |
| Datto / CentraStage | “Datto”, “Datto Inc”, “CentraStage” |
| DeskDay | “DeskDay” |
| DesktopNow | “NCH Software”, “DesktopNow”, “Desktop Now” |
| DistantDesktop | “Gorodokuplya”, “DistantDesktop” |
| Domotz | “Domotz” |
| DWService | “dwagentonfly”,“dwagsvc.exe”,“\dwagent.exe” |
| EchoWare | “EchoWare” |
| eHorus / Pandora Remote Control | “eHorus”, “Artica ST” |
| Electric AI | “ElectricAI”, “Electric AI” |
| Emco Remote Console | “Emco Software”, “remoteconsole.exe” |
| Encapto | “Encapto” |
| Ericom | “Ericom”, “accessserver.exe” |
| Eset Remote Administrator | “era.exe”, “eratool.exe” |
| ezHelp | “ezhelpclient.exe”, “ezhelpclientmanager.exe” |
| FastViewer | “fastclient.exe”, “fastmaster.exe” |
| FixMe.it | “fixmeitclient.exe” |
| FleetDeck | “FleetDeck”,“fleetdm” |
| GatherPlace-desktop sharing | “gp3.exe”, “gp4.exe”, “gp5.exe” |
| Meraki Systems Manager | “m_agent_service.exe”, “PCC Agent”, “Meraki” |
| GetScreen | “GetScreen”, “Point B Ltd” |
| GotoHTTP | “gotoHttp”, “Hefei Pingbo” |
| Goverlan | “Goverlan” |
| Guacamole | “guacd.exe” |
| HelpBeam | “helpbeam” |
| HelpWire | “helpwire” |
| I’m In Touch | “iit.exe”, “intouch.exe” |
| ISL Online | “ISLOnline”, “Xlab d.o.o”, “ISL Online” |
| Iperius Remote | “Iperius”, “Enter Srl”, “Enter S.R.L.” |
| Itarian / Comodo | “Itarian”, “itsmagent.exe” |
| JumpCloud | “JumpCloud” |
| Jump Desktop | “jumpclient.exe”,“jumpdesktop.exe”,“jumpservice.exe” |
| Kaseya | “kaseya” |
| LANDesk | “landeskagentbootstrap.exe”,“ldinv32.exe”,“ldsensors.exe” |
| Laplink Everywhere / Laplink Gold | “laplink.exe”, “laplinkeverywhere.exe”, “llrcservice.exe”, “serverproxyservice.exe” |
| Level | “Level Sofware” |
| LiteManager | “LiteManager”, “Yakhnovets Denis Aleksandrovich” |
| LogMeIn, GoToMyPC, Hamachi, GoToAssis, GoToResolve | “GoToMyPC”, “Hamachi”, “LogMeIn”, “g2comm”, “g2pre”, “g2tray”, “g2svc”, “join.me”, “callingcard”, “LMIGuardianSVC”, “LMITechConsole”, “LMI_Rescue”, “ramaint”, “gotoassist”,“gotoresolve” |
| MeshCentral | “MeshCentral” |
| Mikogo / BeamYourScreen | “mikogo”, “BeamYourScreen” |
| mRemoteNG | “mRemoteNG” |
| MSP360 / CloudBerry | “MSPBytes”, “Trichilia Consultants”, “CloudBerry” |
| N-Able / N-Sight / N-Central / LogicNow | “N-Able”, “LogicNow”, “N-Sight”, “N-Central” |
| Naverisk | “Naverisk”, “NavMK1”, “NavMK1 Limited” |
| NetSupport | “Netsupport”, “NetSupport LTD”, “nsclient32ui”, “nsmexec”, “nspowershell”, “nstoast” |
| Ninja RMM | “NinjaRMM” |
| NoMachine | “NoMachine”, “nxclient”, “nxnode”, “nxserver”, “nxnode.bin”, “nginxservice”, “nxfs”, “nxd.exe” |
| OpenVPN | “openvpn”, “ovpn-server” |
| OptiTune | “OptiTune”, “Bravura Software LLC” |
| PAExec (Power Admin) | “paexec”, “Power Admin LLC”, “PAExec Application”, “Power Admin LLC” |
| Panorama9 | “Panorama9” |
| pcAnywhere | “pcanywhere”, “awhost32”, “awhprobe” |
| parsec.app | “parsec”, “parsec Cloud” |
| PcVisit | “pcvisit”, “pcvisit software ag”, “pcvisit.de” |
| PDQ | "PDQ.com ", “PDQConnectAgent”, “pdq-connect-agent” |
| ProxyPro | “ProxyPro”, “Proxy host”, “Proxy Networks”, “phsession”, “phsvc”, “phtray” |
| PulseWay | “PulseWay”, “MMSoft Design” |
| PSExec | “psexec”, “psexesvc” |
| Quick Assist (Microsoft) | “quickassist”, “Quick Assist” |
| RAdmin | “r_server.exe”, “rserver3.exe”, ”Famatech” |
| Remote Desktop Plus | “remotedesktopplus”, “Remote Desktop Plus”, “donkz.nl” |
| RemotePC Suite | “RemotePCSuite”, “IDrive, Inc.” |
| RemoteUtilities | “RemoteUtilities”, “Remote Utilities” |
| RustDesk | “RustDesk” |
| ScreenConnect / ConnectWise | “ScreenConnect”, “ConnectWise”, “ScreenConnect.ClientService”, “ScreenConnect.WindowsClient”, “ScreenConnect Software” |
| ScreenMeet | “ScreenMeet”, “Projector.is”, “Projector Inc” |
| ServerEye | “ServerEye”, “mer IT Solutions GmbH” |
| ShowMyPC | “ShowMyPC” |
| SimpleHelp | “SimpleService”, |
| SplashTop | “Splashtop”, “srserver”, “srservice”, “ssuservice”, “ssuservice” |
| SSH Server (on MacOS) | “sshd” |
| Sunlogin | “Sunlogin” |
| Supremo | “Supremo.app”, “supremo.exe”, “supremo”, “Nanosystems” |
| SyncroMSP | “Servably”, “Syncro.”, “SyncroLive” |
| Syspectr | “O&O Software GmbH”, “Syspectr” |
| Tactical RMM | “tacticalrmm”, “AmidaWare”, “Tactical Techs” |
| TeamViewer | “TeamViewer_Service”, “tv_w32”, “tv_x64”, “TeamViewer” |
| TechInline | “TechInline” |
| Teramind | “Teramind”, “tsvchst”, “Teramind Inc.” |
| TigerVNC | “TigerVNC” |
| TSPlus | “TSplus”, “Remote Access World”, “JWTS” |
| UltraViewer | “UltraViewer”, “DUC FABULOUS CO” |
| VNC | “\uvnc”, “\realvnc”, “\tightvnc”, “\ultravnc”, “vncagent”, “vncserver”, “vncservice”, “winvnc”, “tvnserver”, “rport” |
| WinEXE | “winexecsvc” |
| XMReality | “xmreality” |
| Xeox | “xeox”, “hs2n Informationstechnologie” |
| XPC Proxy | “xpcproxy” |
| Zoho Assist (ManageEngine) | “Zoho”, “Zoho Assist”, “ZohoAssist” |
Hopefully the example LEQL will copy and paste ok into the box. Once you click convert to LEQL each line of the example I shared will be on it’s own numbered line