Using LogMeIn Rescue Generates an Investigation

I use LogMeIn Rescue to support remote PCs. Last week, Sophos EDR started generating an Investigation after each use. Has anyone else seen this or have any insight?

Initial Detection: WIN-MITRE-Behavioral-TA0005-T1562.009

Risk 6

Category: Classifier

MITRE ATT&CK: Defense Evasion



Added TAGs
[edited by: Gladys at 3:35 PM (GMT -7) on 24 Mar 2023]
  • Hi, I am the PM for XDR:   

    It looks like the XDR behavior detection is accurately triggering the detection and creating the investigation. 

    To address these and other 'noise', where a suspect activity is being performed for legitimate reasons, we will be adding custom suppression rules so that the admin can triage the detection and set a rule to suppress notification for the specific activity going forward.

    I expect that customer-defined suppression of detections will be available in the product this summer/fall.

  •  

    I found this dated thread on my search for a means to suppress some of the investigations that are started upon detection of our remote management tools (SCCM in combination with PsExec to start a command shell) which, despite having excluded PsExec on our management PCs, always triggers an investigation.

    A separate ruleset to suppress them would be a great feature. Do you (or anyone who is reading this) know if this feature is still in the making?
