Using LogMeIn Rescue Generates an Investigation

I use LogMeIn Rescue to support remote PCs. Last week, Sophos EDR has started generating an Investigation after each use. Has anyone else seen this of have any insignt?

Initial Detection: WIN-MITRE-Behavioral-TA0005-T1562.009

Risk 6

Category: Classifier

MITRE ATT&CK: Defense Evasion

Added TAGs
[edited by: Gladys at 3:35 PM (GMT -7) on 24 Mar 2023]

Top Replies

Karl_Ackerman over 2 years ago +4 verified

Hi, I am the PM for XDR: It looks like the XDR behavior detection is accurately triggering the detection and creating the investigation. To address these and other 'noise' where a suspect activity is…

0 Ed Gonzalez over 2 years ago

I would also like to know how to suppress this.

It seems that the reason for this is due to Rescue implementing registry keys so that it works in Safe Mode with Networking.

Description of the Mitre Detection: Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Tecnimex srl over 2 years ago

Same behavior for us, on a single workstation.

Any suggestion for further investigation ?

AC
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 FormerMember over 2 years ago

I have forwarded this thread to the PM who runs that product.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
+2 FormerMember over 2 years ago

I have confirmed with the PM that this is expected behavior. Also, he advises that they are working on suppression rules for later this year.
Cancel
Vote Up +2 Vote Down

Sign in to reply

Verify Answer

Reject Answer

Cancel
+2 Karl_Ackerman over 2 years ago

Hi, I am the PM for XDR:

It looks like the XDR behavior detection is accurately triggering the detection and creating the investigation.

To address these and other 'noise' where a suspect activity is being performed for legitimate reasons we will be adding custom suppression rules so that the admin can triage the detection and set a rule to suppress notification for the specific activity going forward.

I expect that customer defined suppression of detections will be available in the product this summer/fall.
Cancel
Vote Up +4 Vote Down

Sign in to reply

Verify Answer

Reject Answer

Cancel
0 Matt Schmitt over 2 years ago in reply to Karl_Ackerman

Thank you very much for the update!
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 JeroenD over 1 year ago in reply to Karl_Ackerman

Karl_Ackerman

I found this dated thread on my search for a means to suppress some of the investigations that are started upon detection of our remote management tools (SCCM in combination with PsExec to start a command shell) which, despite having excluded PsExec on our management PC's, always triggers an investigation.

A separate ruleset to suppress them would be a great feature. Do you (or anyone who is reading this) know if this feature is still in the making?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Karl_Ackerman over 1 year ago in reply to JeroenD

This work was deferred when we started work on adding additional sources for security alerts for the Managed Detection and Response product. Now that that work is complete this is back on the roadmap and expected late this calendar year. I am currently the product manager for Network Detection and Response, and will forward this to the PM for the XDR features. Stephen McKay. stephen.mckay@sophos.com
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Cancel