search

magicsword-io / LOLRMM

LotL RMM
https://lolrmm.io
Apache License 2.0
40 stars 12 forks source link

[RMM Update]: AnyDesk event log artifacts missing event ID 4697 from Security events log #26

Closed Koifman closed 1 week ago

Koifman commented 1 week ago

RMM Tool Name

AnyDesk

Type of Update

Forensic Artifact

Update Details

Hi team! Thank you so much for this project, it is already of great use to me and for everyone else I believe.

I wanted to bring to your attention: https://lolrmm.io/tools/anydesk#event-log-artifacts

In here, we see only the "service installed" log from the system log file, but it seems like the 4697 event ID from the security log file is not present. I have tested installing Anydesk and it does indeed generate that event ID: image

I hope I'm not wasting your time with this, and it is actually something that can be added. Thank you in advance, Daniel.

References

Image attached in the ticket

nasbench commented 1 week ago

Thanks for opening the issue @Koifman

Just FYI everytime a service install an 7045 EID will occur as well as a 4697 if the policy is enabled. In some RMMs we were explicit in mentioning, and in others not. I will get this fixed but as a general rule one of them is enough.

Its like saying Sysmon EID 1 or Security 4688.

Thanks.