Chelopher

Members
  • Content Count

    4
  • Joined

  • Last visited

Profile Information

  • Location
    Costa Rica
  1. Hi Marcos, I was wondering the same: how did you relate hash 0eac99e0dd18eeba2b4609955086a1dc8fb913431b4303e76bc793bd62244b20 to this Adrozek MS detection?
  2. Good evening @itman, thanks for sharing that information. The reason why we want to use the ESET Inspector is because, more than just blocking psexec, we want our support teams to use only a customized version we have of this tool. Having said that, we're planning to have a rule that will compare the hashes and trigger a detection if the psexec used is other than the one we have whitelisted. Thinking beyond this particular PsTools requirement, I'd like to understand how the pure <actions> feature works, since we have in mind to take advantage of it in our environment.
  3. Hi Miroslav, thanks for your quick response, really appreciate it. This is what we've been trying to do: the following rule is meant to detect when psexec.exe (which is part of PsTools) is fired up on a particular machine: <?xml version="1.0" encoding="utf-8"?> <rule> <description> <os>Windows</os> <category>SOC-Customized</category> <explanation>This rule is triggered psexec is started. </explanation> <name>Not CISD autho
  4. Hi there, I'm trying to understand how the <action> </action> feature works. According to the official rule implementation manual, you can use several actions that will be triggered along with your rule: "actions—allow to block an executable immediately after rule triggering. Action names are: · TriggerDetection—if no actions specified in the actions tag field, this action is executed by default, and the detection is triggered in EEI. If other actions are specified, and the user still wants to trigger detection, this action has to be added · MarkAsScript—marks an