
JamesR88

Members
  • Posts: 11
Kudos

  1. Upvote
    JamesR88 gave kudos to JamesR in Exclusions on F1108a   
    As rule F1108a is only looking for execution of netsh processes, there is no need to specify the "FileName" item in your exclusions.
    I will assume you are seeing something similar or identical to the following (screen is from my test environment):
    [screenshot of the F1108a detection not reproduced here]
    The exclusion I would recommend:
```xml
<definition>
  <process>
    <operator type="AND">
      <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90" />
      <!-- Defining the process name is not needed, as rule F1108a will only trigger for netsh. Including it is redundant -->
      <!--<condition component="FileItem" property="FileName" condition="is" value="netsh.exe" />-->
      <condition component="FileItem" property="Path" condition="is" value="%SYSTEM%\" />
      <condition component="ProcessInfo" property="CommandLine" condition="is" value="interface tcp show global" />
      <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows" />
      <condition component="ProcessInfo" property="ProcessOwner" condition="is" value="nt authority\system" />
    </operator>
  </process>
  <parentprocess>
    <operator type="AND">
      <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90" />
      <condition component="FileItem" property="FileName" condition="is" value="msexchangehmworker.exe" />
      <condition component="FileItem" property="Path" condition="is" value="%PROGRAMFILES%\microsoft\exchange server\v15\bin\" />
      <!-- This OR operator is to list each possible command line you are seeing. Customize this to meet your needs -->
      <operator type="or">
        <!-- I only had 5 of these -pipe: commands out of thousands of triggered detections -->
        <operator type="and">
          <condition component="ProcessInfo" property="CommandLine" condition="starts" value="-pipe:" />
          <condition component="ProcessInfo" property="CommandLine" condition="ends" value=" -workerListening" />
        </operator>
        <!-- This was the bulk of my detections, where no command line was present... but these were also processes which were older than my retention and may not be needed for your environment -->
        <condition component="ProcessInfo" property="CommandLine" condition="isempty" />
      </operator>
      <condition component="Module" property="SignerName" condition="is" value="Microsoft Corporation" />
      <condition component="ProcessInfo" property="ProcessOwner" condition="is" value="nt authority\system" />
    </operator>
  </parentprocess>
</definition>
```
    As you can see, I am being a bit strict on this exclusion by clearly defining the behavior I want to exclude. This is because this is an Exchange server and likely has some portion of itself exposed to the internet (email flowing from the internet, OWA, etc.). With the amount of Exchange exploits and zero days found in the past few years (ProxyShell, ProxyLogon, ProxyNotLogon, etc.), I would rather be very clear in what I am excluding on an Exchange server.
    If you have problems making this exclusion work, try commenting out or removing the "SignatureType" and "SignerName" items. If your exclusion only works after that, let us know which EI Server and EI Connector versions you are using.
  2. Upvote
    JamesR88 gave kudos to TomasP in EEI Detection Rules Update Announcement: Log4j Critical Vulnerability   
    Hello everyone,
    The recently discovered Log4j remote code execution vulnerability has affected organizations, ESET customers and their IT teams around the globe and as cybersecurity professionals we need to ensure their safety.
    Our Research & Threat Analysis team has responded rapidly and done a great job of creating a package of 4 rules for detection of Log4j exploitation and more general Java runtime exploitation.
    We advise importing these rules (the import procedure is done very simply from the Admin -> Detection Rules -> Import section of EEI, as described here).
    These rules will also be included in the upcoming hotfix for EEI 1.6, but we are making them available to you:
      • Possible Log4Shell (CVE-2021-44228) exploitation [D0532a]
      • Possible Log4Shell (CVE-2021-44228) exploitation [D0532b]
      • Potential Java Runtime exploitation [E0461]
      • Java Runtime executing suspicious script/command interpreter [E0462]
    The first two rules are designed to detect the exploit itself, so the false positive count should be absolutely minimal. However, these rules use an experimental feature of EEI which is not currently fully supported, so the detection may not work in 100% of cases. E.g. when there is a detection already reported on the network layer, the rule in EEI will not be triggered (but in this case you should have a detection from at least one source and protection is in place). Because of the way the feature is implemented, it is more reliable when executed as a re-run task for a retrospective threat hunt.
    The last two rules are focused on more general types of cases, i.e. general exploitation of the Java Runtime, not only by CVE-2021-44228. That means that those rules may generate occasional false positives in cases where some legitimate Java application executes system components in a way that may indicate an attacker's activity. We have tested these rules not to have an excessive number of false positives, but in case you observe an unusual amount of FPs in your environments, please report them back to us.
    The rule pack itself can be found here.
    Thank you.
  3. Upvote
    JamesR88 gave kudos to JamesR in Scheduled tasks exclusion   
    For this detection, we need a bit more info to assist in building/recommending an exclusion. Can you provide the following info?
      • Name of executable which is parent to schtasks:
      • Command line which goes with the parent of schtasks:
      • Command line of schtasks process you are starting:
  4. Upvote
    JamesR88 gave kudos to Marcos in Scheduled tasks exclusion   
    Did you clone the default rule F0109 and modify it? Asking since mine looks different from yours:
```xml
<definition>
  <process>
    <operator type="and">
      <operator type="or">
        <condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="schtasks" />
        <condition component="Module" property="OriginalFileName" condition="is" value="schtasks.exe" />
      </operator>
      <operator type="or">
        <condition component="ProcessInfo" property="CommandLine" condition="contains" value="/create" />
        <condition component="ProcessInfo" property="CommandLine" condition="contains" value="-create" />
      </operator>
      <operator type="or">
        <condition component="ProcessInfo" property="CommandLine" condition="contains" value="wscript" />
        <condition component="ProcessInfo" property="CommandLine" condition="contains" value="cscript" />
        <condition component="ProcessInfo" property="CommandLine" condition="contains" value="mshta" />
        <condition component="ProcessInfo" property="CommandLine" condition="contains" value="cmd" />
        <condition component="ProcessInfo" property="CommandLine" condition="contains" value="powershell" />
        <condition component="ProcessInfo" property="CommandLine" condition="contains" value="jscript" />
        <condition component="ProcessInfo" property="CommandLine" condition="contains" value="vbscript" />
        <condition component="ProcessInfo" property="CommandLine" condition="contains" value=".vbs" />
        <condition component="ProcessInfo" property="CommandLine" condition="contains" value=".js" />
        <condition component="ProcessInfo" property="CommandLine" condition="contains" value=".ps1" />
        <condition component="ProcessInfo" property="CommandLine" condition="contains" value=".bat" />
      </operator>
    </operator>
  </process>
</definition>
```
  5. Upvote
    JamesR88 gave kudos to JamesR in Scheduled tasks exclusion   
    I think that will be enough info.
    I have 2 possibilities for you. Both use a parent/child relationship. You will see I put a comment in both, as you do not need to specify schtasks in the <process> section of the exclusion. Since the rule will only trigger on schtasks.exe, it's not needed to include in the exclusion. But my exclusions do ensure your schtasks.exe is being run from expected locations.
    If all schtasks commands have a single unique item between every execution:
```xml
<definition>
  <process>
    <operator type="AND">
      <!-- Not needed, as the rule is already confirming it must be this file name
      <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="schtasks"/> -->
      <condition component="FileItem" property="Path" condition="is" value="%SYSTEM%\"/>
      <condition component="ProcessInfo" property="CommandLine" condition="contains" value="/RU SYSTEM /SC ONCE /ST HH:MM /RL HIGHEST /TR FullPath of program.exe"/>
    </operator>
  </process>
  <parentprocess>
    <operator type="AND">
      <condition component="FileItem" property="FileName" condition="is" value="program.exe"/>
      <condition component="FileItem" property="Path" condition="is" value="%SYSTEM%\"/>
      <condition component="ProcessInfo" property="CommandLine" condition="contains" value="-some /parent commandline"/>
    </operator>
  </parentprocess>
</definition>
```
    If each execution of your schtasks could have more than one possible command line, let's say you have 3 different unique parts to a command line:
```xml
<definition>
  <process>
    <operator type="AND">
      <!-- Not needed, as the rule is already confirming it must be this file name
      <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="schtasks"/> -->
      <condition component="FileItem" property="Path" condition="is" value="%SYSTEM%\"/>
      <operator type="or">
        <condition component="ProcessInfo" property="CommandLine" condition="contains" value=" /RL HIGHEST "/>
        <condition component="ProcessInfo" property="CommandLine" condition="contains" value="/RU SYSTEM /SC ONCE "/>
        <condition component="ProcessInfo" property="CommandLine" condition="contains" value="/RU SYSTEM /ST HH:MM /TR FullPath of program.exe"/>
      </operator>
    </operator>
  </process>
  <parentprocess>
    <operator type="AND">
      <condition component="FileItem" property="FileName" condition="is" value="program.exe"/>
      <condition component="FileItem" property="Path" condition="is" value="%SYSTEM%\"/>
      <condition component="ProcessInfo" property="CommandLine" condition="contains" value="-some /parent commandline"/>
    </operator>
  </parentprocess>
</definition>
```
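    The rule and exclusion definitions quoted in the two schtasks posts above share one evaluation model: an AND/OR operator tree over conditions, with a <parentprocess> section that must match too. The following Python evaluator is an added example (not ESET's code and not posted by anyone in this thread) that mimics that model so a rule or exclusion can be dry-run against a constructed event before it is imported. It assumes string comparisons are case-insensitive and compares %SYSTEM%-style placeholders literally (the real product expands them); backup-agent.exe, its path and its --schedule-nightly switch are hypothetical placeholders, and the sample events are constructed, not captured from a host.

```python
"""Toy evaluator for EEI-style <definition> XML (rules and exclusions).

Added example, not ESET's code. Models only <process>/<parentprocess>
AND/OR trees with the condition operators seen in this thread (is, contains,
starts, ends, isempty, greaterOrEqual). Assumptions: matches are
case-insensitive; %SYSTEM%-style placeholders are compared literally.
"""
import xml.etree.ElementTree as ET

# Trimmed copy of the schtasks rule shape quoted above (two interpreter keywords kept).
RULE_SCHTASKS = r"""
<definition>
  <process>
    <operator type="and">
      <operator type="or">
        <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="schtasks"/>
        <condition component="Module" property="OriginalFileName" condition="is" value="schtasks.exe"/>
      </operator>
      <operator type="or">
        <condition component="ProcessInfo" property="CommandLine" condition="contains" value="/create"/>
        <condition component="ProcessInfo" property="CommandLine" condition="contains" value="-create"/>
      </operator>
      <operator type="or">
        <condition component="ProcessInfo" property="CommandLine" condition="contains" value="powershell"/>
        <condition component="ProcessInfo" property="CommandLine" condition="contains" value="cmd"/>
      </operator>
    </operator>
  </process>
</definition>
"""

# Hypothetical parent/child exclusion in the style recommended in the thread.
# backup-agent.exe, its path and its switch are constructed placeholders.
EXCLUSION = r"""
<definition>
  <process>
    <operator type="AND">
      <condition component="FileItem" property="Path" condition="is" value="%SYSTEM%\"/>
      <condition component="ProcessInfo" property="CommandLine" condition="contains" value="/RU SYSTEM /SC ONCE /ST 12:00 /RL HIGHEST"/>
    </operator>
  </process>
  <parentprocess>
    <operator type="AND">
      <condition component="FileItem" property="FileName" condition="is" value="backup-agent.exe"/>
      <condition component="FileItem" property="Path" condition="is" value="%PROGRAMFILES%\contoso\"/>
      <condition component="ProcessInfo" property="CommandLine" condition="contains" value="--schedule-nightly"/>
    </operator>
  </parentprocess>
</definition>
"""


def process_event(file_name, path, cmdline, owner="nt authority\\system",
                  signature_type=90, signer="Microsoft Windows"):
    """Flatten one process record into {(component, property): value}."""
    return {
        ("FileItem", "FileName"): file_name,
        ("FileItem", "FileNameWithoutExtension"): file_name.rsplit(".", 1)[0],
        ("FileItem", "Path"): path,
        ("Module", "OriginalFileName"): file_name,
        ("Module", "SignatureType"): signature_type,
        ("Module", "SignerName"): signer,
        ("ProcessInfo", "CommandLine"): cmdline,
        ("ProcessInfo", "ProcessOwner"): owner,
    }


def _condition(node, event):
    actual = event.get((node.get("component"), node.get("property")))
    op, value = node.get("condition"), node.get("value")
    if op == "isempty":
        return not actual
    if actual is None:
        return False
    if op == "greaterOrEqual":
        return float(actual) >= float(value)
    a, v = str(actual).lower(), value.lower()  # assumption: case-insensitive
    return {"is": a == v, "contains": v in a,
            "starts": a.startswith(v), "ends": a.endswith(v)}[op]


def _operator(node, event):
    results = [(_operator if child.tag == "operator" else _condition)(child, event)
               for child in node if child.tag in ("operator", "condition")]
    return all(results) if node.get("type").lower() == "and" else any(results)


def matches(definition_xml, process, parent=None):
    """True when every section present in the definition matches its event."""
    root = ET.fromstring(definition_xml)
    for section, event in (("process", process), ("parentprocess", parent)):
        elem = root.find(section)
        if elem is None:
            continue
        if event is None or not _operator(elem.find("operator"), event):
            return False
    return True


# Constructed sample events (not taken from any real host).
CHILD = process_event("schtasks.exe", "%SYSTEM%\\",
                      'schtasks /create /RU SYSTEM /SC ONCE /ST 12:00 /RL HIGHEST '
                      '/TR "powershell -File C:\\tools\\run.ps1"')
BENIGN = process_event("schtasks.exe", "%SYSTEM%\\", "schtasks /query /tn NightlyBackup")
PARENT_OK = process_event("backup-agent.exe", "%PROGRAMFILES%\\contoso\\",
                          "backup-agent.exe --schedule-nightly", signer="Contoso Ltd")
PARENT_ODD = process_event("backup-agent.exe", "C:\\Users\\Public\\",
                           "backup-agent.exe --schedule-nightly", signer="Contoso Ltd")

if __name__ == "__main__":
    print("rule fires on CHILD  :", matches(RULE_SCHTASKS, CHILD))         # True
    print("rule fires on BENIGN :", matches(RULE_SCHTASKS, BENIGN))        # False
    print("excluded, good parent:", matches(EXCLUSION, CHILD, PARENT_OK))  # True
    print("excluded, odd parent :", matches(EXCLUSION, CHILD, PARENT_ODD)) # False
```

    The last two calls are the point of the parent/child style: the same schtasks command line is excluded only when its parent is the expected binary in the expected path, so a copy of the parent dropped into a user-writable directory still produces a detection.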
  6. Upvote
    JamesR88 received kudos from thae in What's wrong with my exclusion?   
    Hi @thae, thanks for replying. I eventually did it like so:
```xml
<definition>
  <!-- <definition> root added here; it is the root used by the other exclusions in this thread -->
  <operations>
    <operation type="UserLogin">
      <operator type="AND">
        <condition component="DoneByUser" property="Sid" condition="is" value="SYSTEM SID HERE" />
      </operator>
    </operation>
  </operations>
</definition>
```
  7. Upvote
    JamesR88 gave kudos to thae in What's wrong with my exclusion?   
```xml
<definition>
  <process>
    <operator type="AND">
      <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
      <condition component="FileItem" property="FileName" condition="is" value="lsass.exe"/>
      <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows Publisher"/>
    </operator>
  </process>
  <operations>
    <operation type="UserLogin">
      <operator type="AND">
        <condition component="UserLogonData" property="LogonType" condition="is" value="0" />
        <condition component="Enterprise" property="ComputerGroupHierarchy" condition="contains" value="value" />
      </operator>
    </operation>
  </operations>
</definition>
```
    How about this rule?
    I'm not sure if you can set exclusion without specifying a process and I'm not sure if your rule would even work.
    Just from reading your rule I'd say it would exclude every logon type 0 event or if the device it happened on is in a specific OU/Group.
    You can also change the last AND to OR in my example if you don't want both conditions to be met.