This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Webinar May 14th: Gemini's generative AI within Google SecOps
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps
Log in to ask a question

GoToMeeting in GCTI Remote Access Tools List

Posted on 10-08-2024 04:52 AM
MohamedA
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Does anyone have any idea why GoToMeeting hashes are present in this list? It's not a remote access tool, of course you could go into a meeting with a threat actor where he asks that you share your screen and give control, still that does not make it a remote access tool.

Any idea?

0 1 108
Topic Labels
0 Likes
1 REPLY 1

Posted on --/--/---- --:-- AM
jstoner
Staff
Reply posted on --/--/---- --:-- AM

The intent of that list is to drive awareness of tools that can and are abused for remote access. This tool unfortunately has been used for that purpose. Here is a recent example of the meetings app being used to load Remco.

https://www.gdatasoftware.com/blog/2024/05/37906-gotomeeting-loads-remcos

The intent is to provide a broad list of hashes that potentially could be utilized for Remote Access. There is a sample rule in the blogs and on our GitHub that demonstrates this, but with the caveat that tuning is needed because some of the hashes in that list are executables with legit purposes, but can be abused and may need to be allow listed for the environment they are operating in.

 

0 Likes
Top Solution Authors
View all