ILoveESET, posted April 13, 2020

Hello, I was trying to create a rule which detects registry changes made by PowerShell that was spawned from Excel. Below is my rule set. It passed the syntax check. The activity was reproduced by creating the registry key HKCU:\Software\myEEIEx on endpoints with the EEI agent installed. Detecting the registry key change worked, but when adding the logic for detecting process changes, it doesn't seem to trigger...

<definition>
    <Process>
        <operator type="OR">
            <Condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="powershell" />
            <Condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="cscript" />
            <Condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="wscript" />
            <Condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="cmd" />
        </operator>
    </Process>
    <operations>
        <operation type="RegSetValue">
            <operator type="OR">
                <condition component="RegistryItem" condition="starts" property="Key" value="HKCU:\Software\myEEIEx" />
            </operator>
        </operation>
    </operations>
</definition>
MilanBA (ESET Staff), posted April 14, 2020

Hello, try to remove the colon (:) character from the HKCU path. Regards.
ILoveESET (author), posted April 14, 2020

> 2 hours ago, MilanBA said: Hello, try to remove the colon (:) character from the HKCU path. Regards.

Ah ha! That worked, thank you very much.
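The root cause above is that `HKCU:\...` is PowerShell's drive-style notation, while the rule engine matched only the plain hive name `HKCU\...`. As an added example (not part of the thread and not ESET's own tooling), the following Python script parses an EEI-style rule, flags every RegistryItem `Key` condition written with a drive-style colon, and rewrites it to the plain form; the rule text is a constructed copy of the one posted, and the set of hive abbreviations in the pattern is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the rule posted in the thread, still carrying the "HKCU:" colon.
RULE_XML = """<definition>
  <Process>
    <operator type="OR">
      <Condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="powershell" />
    </operator>
  </Process>
  <operations>
    <operation type="RegSetValue">
      <operator type="OR">
        <condition component="RegistryItem" condition="starts" property="Key" value="HKCU:\\Software\\myEEIEx" />
      </operator>
    </operation>
  </operations>
</definition>"""

# Drive-style hive prefixes ("HKCU:\") that PowerShell users tend to write; the hive list is an assumption.
DRIVE_PREFIX = re.compile(r"^(HKLM|HKCU|HKCR|HKU|HKCC):\\", re.IGNORECASE)


def _registry_key_conditions(root):
    """Yield every <Condition>/<condition> element that tests a RegistryItem Key, whatever its tag casing."""
    for elem in root.iter():
        if elem.tag.lower() != "condition":
            continue
        if elem.get("component") == "RegistryItem" and elem.get("property") == "Key":
            yield elem


def find_drive_style_keys(rule_xml):
    """Return the list of Key values that use the PowerShell drive-style colon and so will never match."""
    root = ET.fromstring(rule_xml)
    return [c.get("value", "") for c in _registry_key_conditions(root) if DRIVE_PREFIX.match(c.get("value", ""))]


def normalize_rule(rule_xml):
    """Rewrite drive-style Key values to the plain hive form (HKCU:\\ -> HKCU\\) and return the new XML text."""
    root = ET.fromstring(rule_xml)
    for cond in _registry_key_conditions(root):
        fixed = DRIVE_PREFIX.sub(lambda m: m.group(1).upper() + "\\", cond.get("value", ""))
        cond.set("value", fixed)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for bad in find_drive_style_keys(RULE_XML):
        print("drive-style key will not match:", bad)
    print(normalize_rule(RULE_XML))
```

Run the checker over a rule before importing it; a non-empty result from `find_drive_style_keys` means the registry condition would silently never fire, exactly the symptom reported above.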