Using LogMeIn Rescue Generates an Investigation

I use LogMeIn Rescue to support remote PCs. Last week, Sophos EDR started generating an Investigation after each use. Has anyone else seen this or have any insight?

Initial Detection: WIN-MITRE-Behavioral-TA0005-T1562.009

Risk 6

Category: Classifier

MITRE ATT&CK: Defense Evasion

[edited by: Gladys at 3:35 PM (GMT -7) on 24 Mar 2023]

Top Replies

  • Hi, I am the PM for XDR:   

    It looks like the XDR behavior detection is accurately triggering the detection and creating the investigation. 

    To address these and other 'noise' cases where a suspect activity is being performed for legitimate reasons, we will be adding custom suppression rules so that the admin can triage the detection and set a rule to suppress notification for the specific activity going forward.

    I expect that customer defined suppression of detections will be available in the product this summer/fall.

  • I would also like to know how to suppress this.   

    It seems that the reason for this is due to Rescue implementing registry keys so that it works in Safe Mode with Networking.   

    Description of the Mitre Detection: 
    Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.

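For anyone triaging one of these T1562.009 investigations, here is an added PowerShell helper (not from this thread, Sophos or LogMeIn) that lists what is registered to start under SafeBoot\Minimal and SafeBoot\Network, resolves each service's binary path so you can see whether it belongs to Rescue, and flags entries absent from a baseline JSON file you export once from a clean host. The baseline file format and function names are assumptions for this example.

```powershell
# Added triage helper (not from the thread, Sophos or LogMeIn).
# Enumerates services/drivers registered for Safe Mode and Safe Mode with
# Networking, resolves their ImagePath, and reports entries not in a baseline.
$SafeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-SafeBootEntries {
    param([ValidateSet('Minimal', 'Network')][string]$Profile)
    Get-ChildItem -Path (Join-Path $SafeBootRoot $Profile) | ForEach-Object {
        $name = $_.PSChildName
        # The (default) value is 'Service' or 'Driver'; GUID-named keys are device classes
        $kind = (Get-ItemProperty -Path $_.PSPath).'(default)'
        $image = $null
        if ($kind -eq 'Service') {
            $svc = Get-ItemProperty -Path (Join-Path $ServicesRoot $name) -ErrorAction SilentlyContinue
            $image = $svc.ImagePath
        }
        [pscustomobject]@{ Profile = $Profile; Name = $name; Kind = $kind; ImagePath = $image }
    }
}

function Export-SafeBootBaseline {
    # Run once on a known-good host; writes {"Minimal":[...],"Network":[...]} (assumed format)
    param([string]$Path)
    $snapshot = @{}
    foreach ($profile in 'Minimal', 'Network') {
        $snapshot[$profile] = @(Get-SafeBootEntries -Profile $profile | Select-Object -ExpandProperty Name)
    }
    $snapshot | ConvertTo-Json | Set-Content -Path $Path
}

function Compare-SafeBootBaseline {
    # Returns SafeBoot entries whose names are not in the baseline file
    param([string]$BaselinePath)
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    foreach ($profile in 'Minimal', 'Network') {
        $known = @($baseline.$profile)
        Get-SafeBootEntries -Profile $profile | Where-Object { $known -notcontains $_.Name }
    }
}

# Usage (assumed file name):
#   Export-SafeBootBaseline -Path .\safeboot-baseline.json      # on a clean host
#   Compare-SafeBootBaseline -BaselinePath .\safeboot-baseline.json | Format-Table
```

Run the comparison on the host that raised the investigation; an unexpected entry whose ImagePath points at the Rescue installation explains the detection, while one pointing anywhere else deserves a closer look before any suppression rule is written.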