IDR Query for Vulnerable mRemoteNG?

Is there a way to query where mRemoteNG version < 1.76 is installed in IDR?

Hi Hayden,

This sounds more like a use case for our Insight VM product.

Could one create an IDR query at least to make a dashboard for most usage by users?

Hey Hayden - if we know the filepath for mRemoteNG, we should be able to find use of this tool in Endpoint Agent—Process Start/Stop logs. Typically in those logs there is a FileVersion field as well, which could work to narrow down which version returns in your query result. Note - these results would show the use of this tool vs. just having the tool installed.

Within InsightVM you could try this search:

SELECT
da.sites AS "Site_Name",
da.ip_address AS "IP_Address",
da.mac_address AS "MAC_Address",
da.host_name AS "DNS_Hostname",
ds.vendor AS "Vendor",
ds.name AS "Software_Name",
ds.family AS "Software_Family",
ds.version AS "Software_Version",
ds.software_class AS "Software_Class"
FROM dim_asset_software das
JOIN dim_software ds USING(software_id)
JOIN dim_asset da ON da.asset_id = das.asset_id
WHERE ds.software_class like '%' AND ds.name like '%mRemoteNG%'
ORDER BY ds.name ASC

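Added example, not part of the original thread and not Rapid7 code: the InsightVM query above returns every mRemoteNG install, so this script narrows a CSV export of it to versions below 1.76, comparing version components numerically (a plain string comparison would rank 1.9 above 1.76). It assumes the export keeps the query's column aliases; the sample rows are constructed.

```python
import csv
import io
import re

FIXED = (1, 76)  # threshold from the question: mRemoteNG version < 1.76


def parse_version(text):
    """Return the leading dotted-numeric part as a tuple of ints, or None."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def triage(csv_text, name="mremoteng", fixed=FIXED):
    """Split export rows into (vulnerable, unknown) lists of (host, ip, version)."""
    vulnerable, unknown = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if name not in row["Software_Name"].lower():
            continue
        entry = (row["DNS_Hostname"], row["IP_Address"], row["Software_Version"])
        ver = parse_version(row["Software_Version"])
        if ver is None:
            unknown.append(entry)      # no usable version: review by hand
        elif ver < fixed:              # tuple comparison, component by component
            vulnerable.append(entry)
    return vulnerable, unknown


# Constructed sample export using the column aliases from the query above.
SAMPLE = """\
IP_Address,DNS_Hostname,Software_Name,Software_Version
10.0.0.11,ws-01,mRemoteNG,1.75.7012.16814
10.0.0.12,ws-02,mRemoteNG,1.76.20.24615
10.0.0.13,ws-03,mRemoteNG,1.9
10.0.0.14,ws-04,mRemoteNG,
10.0.0.15,ws-05,mRemoteNG,1.77.1
10.0.0.16,ws-06,PuTTY,0.70
"""

if __name__ == "__main__":
    vulnerable, unknown = triage(SAMPLE)
    for host, ip, version in vulnerable:
        print(f"below 1.76: {host} ({ip}) version {version}")
    for host, ip, _ in unknown:
        print(f"no version recorded: {host} ({ip})")
```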

I'd like to do the same for Remote Desktop Connection Manager too.

Within InsightIDR - something along these lines should help:

where(metadata.ProductName=/mRemoteNG/i)groupby(metadata.ProductName)calculate(count)


bingo! thanks!

found one

where(metadata.ProductName=/Remote Desktop Connection Manager/i)groupby(user)