
JamesR88

Members
  • Posts
    11
  • Joined
  • Last visited

About JamesR88

  • Rank
    Newbie

Profile Information

  • Location
    Israel


  1. Hi guys, I noticed the Time Date property in the pdf manual, but I couldn't find any examples of its use in the ESET rules. I wanted to edit / create an exclusion for Rule F0900 based on the working hours, 08 - 17 for example.
  2. Like so:

     <definition>
       <process>
         <operator type="OR">
           <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90" />
           <!-- Defining process name is not needed as the rule F1108a will only trigger for netsh. Including it is redundant -->
           <!--<condition component="FileItem" property="FileName" condition="is" value="netsh.exe" />-->
           <condition component="FileItem" property="Path" condition="is" value="%SYSTEM%\" />
           <condition component="ProcessInfo" property="CommandLine" condition="is" value="interface tcp show global" />
           <condition component="ProcessInfo" property="CommandLine" condition="is" value="advfirewall show global" />
           <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows" />
           <condition component="ProcessInfo" property="ProcessOwner" condition="is" value="nt authority\system" />
         </operator>
       </process>
       <ancestor distance="2">
         <operator type="AND">
           <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90" />
           <condition component="FileItem" property="FileName" condition="is" value="msexchangehmworker.exe" />
           <condition component="FileItem" property="Path" condition="is" value="%PROGRAMFILES%\microsoft\exchange server\v15\bin\" />
           <condition component="ProcessInfo" property="ProcessOwner" condition="is" value="nt authority\system" />
         </operator>
       </ancestor>
     </definition>
  3. Thanks, it's working super well! It doesn't, however, when I change the parentprocess tag to <ancestor>? That is: msexchangehmworker.exe > cmd.exe > netsh.exe
  4. Hi guys, So I've got Rule F1108a triggering for a bunch of different reasons. The process tree looks like this: msexchangerelated.exe > netsh.exe. The event is "ProcessCreated" and the triggering process of the alert is netsh.exe. I have tried a bunch of different exclusions to exclude those, but couldn't get any to work. Since the distance between them is always 1, I have tried this:

     <definition>
       <ancestor distance="1">
         <operator type="AND">
           <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
           <condition component="FileItem" property="FileName" condition="is" value="msexchangerelated.exe"/>
           <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows"/>
         </operator>
       </ancestor>
       <process>
         <operator type="AND">
           <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
           <condition component="FileItem" property="FileName" condition="is" value="netsh.exe"/>
           <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows"/>
         </operator>
       </process>
     </definition>

     Didn't match any of the alerts. I have also tried adding the "CreateProcess" operation at the end without netsh.exe:

     <operations>
       <operation type="CreateProcess" />
     </operations>

     Didn't match anything either. I double checked and I don't have any typos inside the exclusions and still can't match any of the alerts?
  5. Sorry, I'd rather not give specific program names, but the tree (for most of the alerts) looks like this: svchost.exe (Grandparent) > program.exe (parent) > schtasks.exe > conhost.exe. Thing is, the CommandLine of schtasks is different each time. The program uses it to run different checks on several computers. These are the arguments that are always in the CommandLine: /RU SYSTEM /SC ONCE /ST HH:MM /RL HIGHEST /TR FullPath of program.exe
  6. Yes, I did take a look at the Rule bodies to find out how to create the best exclusions. They, together with the guide, have proven very useful thus far.
  7. Hi guys, Can I please get your help regarding a Scheduled Task exclusion? I'm getting quite a lot of alerts from Rule F0109 about Scheduling script task. This is the syntax I came up with, but it didn't match any of the alerts yet:

     <definition>
       <process>
         <operator type="AND">
           <operator type="or">
             <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="schtasks" />
             <condition component="Module" property="OriginalFileName" condition="is" value="schtasks.exe" />
           </operator>
           <operator type="or">
             <condition component="ProcessInfo" property="CommandLine" condition="starts" value="/CREATE " />
             <condition component="ProcessInfo" property="CommandLine" condition="contains" value=" /create " />
             <condition component="ProcessInfo" property="CommandLine" condition="starts" value="-create " />
             <condition component="ProcessInfo" property="CommandLine" condition="contains" value=" -create " />
             <condition component="ProcessInfo" property="CommandLine" condition="contains" value="program.exe" />
           </operator>
           <condition component="ProcessInfo" property="ProcessOwner" condition="is" value="username" />
         </operator>
       </process>
     </definition>

     There is a specific program that always appears in the CommandLine, usually in the middle of the cmdline, but I can't match any of the alerts with this. The triggering event is "ProcessCreated". My program starts the schtasks.exe to run some checks.
  8. Hi @thae, thanks for replying. I eventually did it like so:

     <operations>
       <operation type="UserLogin">
         <operator type="AND">
           <condition component="DoneByUser" property="Sid" condition="is" value="SYSTEM SID HERE" />
         </operator>
       </operation>
     </operations>
  9. If anyone experiences the same problem, you can solve it with the UserLogin operation and "DonebyUser" condition component. Good luck.
  10. Hi there, I'm getting many False Positives from Rule F1002 about "Potential Pass the Hash". The main trigger seems to be Event UserLogin of nt auth/system, plus some other users related to system services. I wrote some Advanced exclusions successfully, but I'm at a loss with this one. What's wrong with it?

     <definition>
       <operations>
         <operation type="UserLogin">
           <condition component="UserLogonData" property="LogonType" condition="is" value="0" />
         </operation>
       </operations>
       <operator type="OR">
         <condition component="Enterprise" property="ComputerGroupHierarchy" condition="contains" value="value" />
       </operator>
     </definition>

     Any help would be appreciated.