Add common ToDesk FP exclusion

mgreen27 · Mar 6, 2025 · 3eaee41 · 3eaee41
1 parent d4d04c4
commit 3eaee41
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/vql/LolRMM.yaml b/vql/LolRMM.yaml
@@ -2,7 +2,7 @@ name: Windows.Detection.LolRMM
 author: Matt Green - @mgreen27
 description: |
   This artifact hunts for Remote Monitoring and Management (RMM) tools using the 
-  LolRMM project.
+  LolRMM project. The goal is to detect installed or running instances.
   
   Detectraptor generates a Regex csv that is pulled locally to the Velociraptor 
   server via the tools management capability.
@@ -65,6 +65,7 @@ sources:
                         ( Name AND DisplayName =~ Name )
                         OR ( PathRegex AND InstallLocation =~ PathRegex )
                 },workers=20)
+      WHERE NOT ( Name = 'ToDesk' AND Event.DisplayName =~ '^Autodesk' )
                 
   - name: Processes
     query: |
@@ -144,4 +145,4 @@ sources:
                 -- Try to filter by individual event to ensure we dont filter out TPs masquerading
                 AND NOT Event.DisplayName = 'Rapid7 Insight Agent' 
                 AND NOT ( Event.Authenticode.SubjectName = "C=US, ST=Massachusetts, L=Boston, O=Rapid7 LLC, CN=Rapid7 LLC" AND Event.Authenticode.Trusted = "trusted" ) 
-                AND NOT Event.DNSName =~ '''\.rapid7\.com$'''
+                AND NOT Event.DNSName =~ '''\.rapid7\.com$'''