JamesR88
Hi guys, I noticed the Time Date property in the pdf manual, but I couldn't find any examples of its use in the ESET rules. I wanted to edit / create an exclusion for Rule F0900 based on the working hours, 08 - 17 for example.
Exclusions on F1108a
JamesR88 replied to JamesR88's topic in ESET Inspect On-prem (Detection and Response)
<definition>
  <process>
    <operator type="OR">
      <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90" />
      <!-- Defining process name is not needed as the rule F1108a will only trigger for netsh. Including it is redundant -->
      <!--<condition component="FileItem" property="FileName" condition="is" value="netsh.exe" />-->
      <condition component="FileItem" property="Path" condition="is" value="%SYSTEM%\" />
      <condition component="ProcessInfo" property="CommandLine" condition="is" value="interface tcp show global" />
      <condition component="ProcessInfo" property="CommandLine" condition="is" value="advfirewall show global" />
      <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows" />
      <condition component="ProcessInfo" property="ProcessOwner" condition="is" value="nt authority\system" />
    </operator>
  </process>
  <ancestor distance="2">
    <operator type="AND">
      <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90" />
      <condition component="FileItem" property="FileName" condition="is" value="msexchangehmworker.exe" />
      <condition component="FileItem" property="Path" condition="is" value="%PROGRAMFILES%\microsoft\exchange server\v15\bin\" />
      <condition component="ProcessInfo" property="ProcessOwner" condition="is" value="nt authority\system" />
    </operator>
  </ancestor>
</definition>
^ Like so.
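Added example, not from the thread or from ESET: a small Python model of how a `<process>` plus `<ancestor distance="2">` definition is evaluated against the msexchangehmworker.exe > cmd.exe > netsh.exe chain, so an exclusion can be sanity-checked before it is deployed. The matching semantics (case-insensitive string compares, numeric greaterOrEqual, chain[0] being the triggering process and chain[n] its n-th ancestor) are my assumptions about the engine, not ESET Inspect's documented behaviour.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thread's working exclusion reduced to the conditions
# that matter for the msexchangehmworker.exe > cmd.exe > netsh.exe tree.
EXCLUSION = """<definition>
  <process>
    <operator type="AND">
      <condition component="FileItem" property="FileName" condition="is" value="netsh.exe"/>
      <condition component="ProcessInfo" property="CommandLine" condition="contains" value="show global"/>
      <condition component="ProcessInfo" property="ProcessOwner" condition="is" value="nt authority\\system"/>
    </operator>
  </process>
  <ancestor distance="2">
    <operator type="AND">
      <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
      <condition component="FileItem" property="FileName" condition="is" value="msexchangehmworker.exe"/>
    </operator>
  </ancestor>
</definition>"""

def proc(name, cmdline, owner="nt authority\\system", sig=90):
    """One process as a flat 'Component.Property' -> value map (constructed data)."""
    return {"FileItem.FileName": name, "ProcessInfo.CommandLine": cmdline,
            "ProcessInfo.ProcessOwner": owner, "Module.SignatureType": sig}

def eval_condition(cond, process):
    actual = str(process.get(f"{cond.get('component')}.{cond.get('property')}", ""))
    value, kind = cond.get("value"), cond.get("condition")
    if kind == "greaterOrEqual":               # assumed numeric comparison
        return int(actual or 0) >= int(value)
    actual, value = actual.lower(), value.lower()  # assumed case-insensitive text match
    return {"is": actual == value, "contains": value in actual,
            "starts": actual.startswith(value)}[kind]

def eval_node(node, process):
    """Recursively evaluate an <operator> (AND/OR, any case) or a <condition>."""
    if node.tag == "condition":
        return eval_condition(node, process)
    results = [eval_node(child, process) for child in node]
    return all(results) if node.get("type").upper() == "AND" else any(results)

def matches(xml_text, chain):
    """chain[0] is the triggering process, chain[n] its n-th ancestor (assumption)."""
    for part in ET.fromstring(xml_text):
        distance = 0 if part.tag == "process" else int(part.get("distance"))
        if distance >= len(chain):                 # no ancestor at that distance: no match
            return False
        if not all(eval_node(n, chain[distance]) for n in part):
            return False
    return True
```

With this model the exclusion matches only when msexchangehmworker.exe is exactly two hops above netsh.exe; a direct msexchangehmworker.exe > netsh.exe chain does not match, which is the difference the thread observed between the parent and ancestor forms.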
Exclusions on F1108a
JamesR88 replied to JamesR88's topic in ESET Inspect On-prem (Detection and Response)
Thanks, it's working super well! It doesn't, however, when I change the parentprocess tag to <ancestor>? That is: msexchangehmworker.exe > cmd.exe > netsh.exe
Hi guys, So I've got Rule F1108a triggering for a bunch of different reasons. The process tree looks like this: msexchangerelated.exe > netsh.exe. The event is "ProcessCreated" and the triggering process of the alert is netsh.exe. I have tried a bunch of different exclusions to exclude those, but couldn't get any to work. Since the distance between them is always 1, I have tried this:
<definition>
  <ancestor distance="1">
    <operator type="AND">
      <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
      <condition component="FileItem" property="FileName" condition="is" value="msexchangerelated.exe"/>
      <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows"/>
    </operator>
  </ancestor>
  <process>
    <operator type="AND">
      <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
      <condition component="FileItem" property="FileName" condition="is" value="netsh.exe"/>
      <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows"/>
    </operator>
  </process>
</definition>
Didn't match any of the alerts. I have also tried adding the "CreateProcess" operation at the end without netsh.exe:
<operations>
  <operation type="CreateProcess" />
</operations>
Didn't match anything either. I double-checked and I don't have any typos inside the exclusions and still can't match any of the alerts?
Scheduled tasks exclusion
JamesR88 replied to JamesR88's topic in ESET Inspect On-prem (Detection and Response)
This could work. I'll try this soon. Thank you!
Scheduled tasks exclusion
JamesR88 replied to JamesR88's topic in ESET Inspect On-prem (Detection and Response)
Sorry, I'd rather not give specific program names, but the tree (for most of the alerts) looks like this: svchost.exe (Grandparent) > program.exe (parent) > schtasks.exe > conhost.exe. Thing is, the CommandLine of schtasks is different each time. The program uses it to run different checks on several computers. These are the arguments that are always in the CommandLine: /RU SYSTEM /SC ONCE /ST HH:MM /RL HIGHEST /TR FullPath of program.exe
Scheduled tasks exclusion
JamesR88 replied to JamesR88's topic in ESET Inspect On-prem (Detection and Response)
Yes, I did take a look at the Rule bodies to find out how to create the best exclusions. It, together with the guide, has proven very useful thus far.
Hi guys, Can I please get your help regarding a Scheduled Task exclusion? I'm getting quite a lot of alerts from Rule F0109 about Scheduling script task. This is the syntax I came up with, but it didn't match any of the alerts yet:
<definition>
  <process>
    <operator type="AND">
      <operator type="or">
        <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="schtasks" />
        <condition component="Module" property="OriginalFileName" condition="is" value="schtasks.exe" />
      </operator>
      <operator type="or">
        <condition component="ProcessInfo" property="CommandLine" condition="starts" value="/CREATE " />
        <condition component="ProcessInfo" property="CommandLine" condition="contains" value=" /create " />
        <condition component="ProcessInfo" property="CommandLine" condition="starts" value="-create " />
        <condition component="ProcessInfo" property="CommandLine" condition="contains" value=" -create " />
        <condition component="ProcessInfo" property="CommandLine" condition="contains" value="program.exe" />
      </operator>
      <condition component="ProcessInfo" property="ProcessOwner" condition="is" value="username" />
    </operator>
  </process>
</definition>
There is a specific program that always appears in the CommandLine, usually in the middle of the cmdline, but I can't match any of the alerts with this. The triggering event is "ProcessCreated". My program starts schtasks.exe to run some checks.
What's wrong with my exclusion?
JamesR88 replied to JamesR88's topic in ESET Inspect On-prem (Detection and Response)
Hi @thae, thanks for replying. I eventually did it like so:
<operations>
  <operation type="UserLogin">
    <operator type="AND">
      <condition component="DoneByUser" property="Sid" condition="is" value="SYSTEM SID HERE" />
    </operator>
  </operation>
</operations>
What's wrong with my exclusion?
JamesR88 replied to JamesR88's topic in ESET Inspect On-prem (Detection and Response)
If anyone experiences the same problem, you can solve it with the UserLogin operation and "DoneByUser" condition component. Good luck.
Hi there, I'm getting many False Positives from Rule F1002 about "Potential Pass the Hash". The main trigger seems to be Event UserLogin of nt auth/system, plus some other users related to system services. I wrote some Advanced exclusions successfully, but I'm at a loss with this one. What's wrong with it?
<definition>
  <operations>
    <operation type="UserLogin">
      <condition component="UserLogonData" property="LogonType" condition="is" value="0" />
    </operation>
  </operations>
  <operator type="OR">
    <condition component="Enterprise" property="ComputerGroupHierarchy" condition="contains" value="value" />
  </operator>
</definition>
Any help would be appreciated.