10 changes: 7 additions & 3 deletions lookups/remote_access_software.csv
@@ -1,4 +1,4 @@
description,remote_domain,remote_utility,remote_utility_fileinfo,remote_appid,isutility,category,comment_reference,last_update
Contributor
This lookup is used by other analytics. Why not rename the field in your search instead?

Author
The original query had a rename (left it in here commented out), but it never matched any processes on macOS hosts:

earliest=-24h index=nvm process_name=* AND dst_name!=*.cisco.com 
| stats values(dst_name) as Destination by logged_in_user_name, process_name 
| join process_name 
    [| inputlookup remote_access_software_combined
        ```| rename remote_utility as process_name``` 
    | where isnotnull(process_name) 
    | table process_name, category, comment_reference, description, remote_appid, remote_domain ]

@nasbench nasbench Jun 18, 2025
Here is a working example from the repo renaming the field to process for use

[| inputlookup remote_access_software where isutility=TRUE
| rename remote_utility AS Processes.process_name
| fields Processes.process_name]
AND Processes.dest!="unknown"
AND Processes.user!="unknown"
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name(Processes)`
| lookup remote_access_software remote_utility AS process_name OUTPUT isutility description AS signature comment_reference AS desc category

I'm no expert on SPL but I think this might be an issue in your search.

But imo the solution is not renaming the lookup to fit (only) your needs.

description,remote_domain,process_name,remote_utility_fileinfo,remote_appid,isutility,category,comment_reference,last_update
Absolute (Computrace),*search.namequery.com,rpcnet.exe,Absolute Software*,absolute-manage,TRUE,RMM,https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com,6/18/2024
Absolute (Computrace),*server.absolute.com,ctes.exe,Absolute Persistence*,,TRUE,RMM,https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com,6/18/2024
Absolute (Computrace),,ctespersitence.exe,CTES*,,TRUE,RMM,https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com,6/18/2024
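Review bot: Renaming the header column `remote_utility` to `process_name` is a breaking schema change for every search that already consumes this lookup by the old name (the example quoted above does `lookup remote_access_software remote_utility AS process_name OUTPUT ...`, and the `WILDCARD(remote_utility)` entry in the YAML descriptor has to change with it); the rename belongs in the consuming search, as the contributor suggests, unless every dependent analytic is updated in the same PR. The failure described for the author's query also looks unrelated to the column name: as pasted, the `| rename remote_utility as process_name` line is wrapped in triple backticks, which SPL treats as a comment, so the subsearch never produces a `process_name` field and `| where isnotnull(process_name)` drops every row before the join; that subsearch also reads `remote_access_software_combined`, not the `remote_access_software` lookup changed here.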
@@ -602,5 +602,9 @@ Microsoft SCCM Remote Control,,cmrcservice.exe,Configuration Manager Remote Cont
Microsoft SCCM Remote Control,,cmrcviewer.exe,ConfigMgr Remote Control Viewer,,TRUE,RMM,https://learn.microsoft.com/en-us/mem/configmgr/core/clients/manage/remote-control/introduction-to-remote-control,1/29/2025
NexThink,*.data.us.nexthink.cloud,nxtsvc.exe,Nexthink Collector*,,TRUE,RMM,https://docs.nexthink.com/platform/getting-started/planning-your-installation/techical-requirements/connectivity-requirements,1/24/2025
NexThink,*.data.eu.nexthink.cloud,nxtcod.exe,Nexthink Coordinator*,,TRUE,RMM,https://docs.nexthink.com/platform/getting-started/planning-your-installation/techical-requirements/connectivity-requirements,1/24/2025
NexThink,*.data.pac.nexthink.cloud,nxtcoordinator.exe,,,TRUE,RMM,https://docs.nexthink.com/platform/getting-started/planning-your-installation/techical-requirements/connectivity-requirements,1/24/2025
NexThink,*.data.meta.nexthink.cloud,nxtupdater.exe,,,TRUE,RMM,https://docs.nexthink.com/platform/getting-started/planning-your-installation/techical-requirements/connectivity-requirements,1/24/2025
Apple Remote Desktop,user_managed,ARDAgent,,Apple Remote Desktop,TRUE,RMM,https://support.apple.com/guide/remote-desktop/install-and-set-up-remote-desktop-apdf49e03a4/mac,2/24/2024
Jump Desktop Connect for macOS,*.jumpdesktop.com,JumpConnect,Jump Desktop Client Executable,Lets you configure your computer for remote access for free,TRUE,RMM,https://support.jumpdesktop.com/hc/en-us/articles/360042490351-Administrators-Guide-For-Jump-Desktop-Connect/,5/8/2025
Chrome Remote Desktop,*remotedesktop.google.com,remoting_agent_process_broker,Chrome Remote Desktop,chrome-remote-desktop,TRUE,RMM,https://remotedesktop.google.com/?pli=1,5/14/2025
Chrome Remote Desktop,*remotedesktop-pa.googleapis.com,remoting_me2me_host_service,Chrome Remote Desktop,chrome-remote-desktop,TRUE,RMM,https://remotedesktop.google.com/?pli=1,5/14/2025
AnyDesk,*net.anydesk.com,AnyDesk,AnyDesk.app,AnyDesk,TRUE,RMM,https://support.anydesk.com/knowledge/firewall,5/14/2025
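Review bot: Two of the added rows put non-matching values in matched columns. The Apple Remote Desktop row has `user_managed` in `remote_domain`, which is a `WILDCARD(remote_domain)` match field, so it can never match a real destination and reads as a placeholder; leave the cell empty as the rows without a domain already do (the cmrcviewer.exe row in this hunk, for example). The Jump Desktop Connect row carries the sentence `Lets you configure your computer for remote access for free` in `remote_appid`, where the neighbouring rows hold an application identifier such as `chrome-remote-desktop`; move that text out of the appid column or drop it. The Apple row's `last_update` of 2/24/2024 is also a year behind the other rows added here.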

4 changes: 2 additions & 2 deletions lookups/remote_access_software.yml
@@ -1,12 +1,12 @@
name: remote_access_software
date: 2025-04-04
date: 2025-06-17
version: 4
id: f3b92ff9-667c-481f-b29d-458e10d48508
author: Splunk Threat Research Team
lookup_type: csv
description: A list of Remote Access Software
match_type:
- WILDCARD(remote_utility)
- WILDCARD(process_name)
- WILDCARD(remote_domain)
- WILDCARD(remote_utility_fileinfo)
min_matches: 1
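Review bot: `version: 4` is left unchanged while `date` moves to 2025-06-17 and the match field changes from `WILDCARD(remote_utility)` to `WILDCARD(process_name)`; a renamed match column changes what consumers have to pass to the lookup, so bump the version alongside the date so detections can tell which schema they were written against.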
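The two hunks above have to stay in step: the CSV header names the columns, and the YAML `match_type` list names which of them are wildcard-matched, so a rename in one without the other silently breaks the lookup. The following Python script is an added example, not code from this PR or from the security_content project. It checks a lookup CSV against its `match_type` list (missing match columns, ragged rows) and emulates a Splunk `| lookup ... OUTPUT` call with `WILDCARD` semantics so the effect of the renamed column can be exercised offline. The sample rows are constructed, shortened copies of lines in the diff; the assumptions that an empty lookup cell never matches a populated event field and that matching is case-sensitive by default (Splunk's `case_sensitive_match` default for CSV lookups) are marked in the code.

```python
import csv
import io
import re

# Constructed sample: the header from the PR's renamed CSV plus four rows modelled
# on lines in the diff (URLs shortened; not the full lookup file).
LOOKUP_CSV = """\
description,remote_domain,process_name,remote_utility_fileinfo,remote_appid,isutility,category,comment_reference,last_update
Absolute (Computrace),*search.namequery.com,rpcnet.exe,Absolute Software*,absolute-manage,TRUE,RMM,https://community.absolute.com/,6/18/2024
Apple Remote Desktop,user_managed,ARDAgent,,Apple Remote Desktop,TRUE,RMM,https://support.apple.com/,2/24/2024
Chrome Remote Desktop,*remotedesktop.google.com,remoting_me2me_host_service,Chrome Remote Desktop,chrome-remote-desktop,TRUE,RMM,https://remotedesktop.google.com/,5/14/2025
AnyDesk,*net.anydesk.com,AnyDesk,AnyDesk.app,AnyDesk,TRUE,RMM,https://support.anydesk.com/knowledge/firewall,5/14/2025
"""

# match_type entries as written in the PR's updated remote_access_software.yml
MATCH_TYPE = ["WILDCARD(process_name)", "WILDCARD(remote_domain)", "WILDCARD(remote_utility_fileinfo)"]


def wildcard_fields(match_type):
    """Return the column names declared as WILDCARD(<field>) in a match_type list."""
    fields = []
    for entry in match_type:
        m = re.fullmatch(r"WILDCARD\((\w+)\)", entry.strip())
        if m:
            fields.append(m.group(1))
    return fields


def load_lookup(text):
    """Parse the CSV text into a list of dict rows keyed by the header."""
    return list(csv.DictReader(io.StringIO(text)))


def validate_lookup(text, match_type):
    """Check that the CSV and its YAML descriptor agree; return a list of problems."""
    problems = []
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    for field in wildcard_fields(match_type):
        if field not in header:
            problems.append(f"match_type names '{field}' but the CSV header has no such column")
    for lineno, row in enumerate(reader, start=2):
        if not row:
            continue  # blank line
        if len(row) != len(header):
            problems.append(f"line {lineno}: {len(row)} columns, header has {len(header)}")
    return problems


def _wildcard_to_regex(pattern):
    """Splunk WILDCARD semantics: only '*' is special, everything else is literal."""
    return ".*".join(re.escape(part) for part in pattern.split("*"))


def lookup(rows, match_type, case_sensitive=True, **event):
    """Emulate `| lookup <name> <col> AS <event_field> OUTPUT ...`: return the first
    row whose given columns all match the event values, or None."""
    wild = set(wildcard_fields(match_type))
    flags = 0 if case_sensitive else re.IGNORECASE
    for row in rows:
        matched = True
        for field, value in event.items():
            cell = row.get(field, "")
            if cell == "":
                matched = False  # assumption: an empty lookup cell never matches
                break
            if field in wild:
                if not re.fullmatch(_wildcard_to_regex(cell), value, flags):
                    matched = False
                    break
            elif (cell != value) if case_sensitive else (cell.lower() != value.lower()):
                matched = False
                break
        if matched:
            return row
    return None


ROWS = load_lookup(LOOKUP_CSV)

if __name__ == "__main__":
    # The pre-PR descriptor still named remote_utility; against the renamed CSV that is a drift error.
    print(validate_lookup(LOOKUP_CSV, ["WILDCARD(remote_utility)"]))
    print(validate_lookup(LOOKUP_CSV, MATCH_TYPE))
    print(lookup(ROWS, MATCH_TYPE, remote_domain="relay-7.net.anydesk.com")["description"])
```

Running the validator with the old `WILDCARD(remote_utility)` descriptor against the renamed CSV reports the missing column, which is exactly the inconsistency this PR's two hunks must avoid; the `lookup` emulation shows that a macOS process name such as `ARDAgent` only resolves through the `process_name` column, and that the `remote_domain` wildcard `*net.anydesk.com` matches any host under that suffix.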