
Issue with detections on Windows Terminal Server


Recommended Posts

I'm assuming that due to the nature of terminal services, pretty much everything is getting flagged as 'Injection into system process'

Is there a recommended method for handling these excessive alerts without actually defeating the purpose of EDR?


  • ESET Staff

I am going to assume that you are seeing injections into the "mstsc.exe" process (visible in the "Trigger Event" of the detection).  If this is not correct, then please disregard the following


There are 3 rules for "Injection into system process" (EDIT: Only apply exclusion to the rules causing incorrect detections):

  • Injection into system process [F0413a][C]
  • Injection into system process [F0413b][C]
  • Injection into system process [F0413c][C]

All are looking for injection into process located in:

  • Windows\System32\ = %System%
  • Windows\SysWOW64\ = %WinDir%\SysWOW64

Armed with knowing this is only happening on your terminal services servers, I would build an exclusion that will only apply to your terminal servers.  The exclusion would look something like this:


<definition>
    <process>
        <!-- List of servers goes here.  If only a single server, remove the operator tags from this process section -->
        <operator type="OR">
            <condition component="Enterprise" property="ComputerName" condition="is" value="TermSvr001"/>
            <condition component="Enterprise" property="ComputerName" condition="is" value="TermSvr002"/>
        </operator>
    </process>
    <operations>
        <operation type="CodeInjection">
            <!-- Describe the possible mstsc.exe processes which are being injected into.  Remove or add any different types of components you desire. Keep in mind that this exclusion will not exclude any mstsc.exe processes from "%WINDIR%\WinSxS\..." locations -->
            <operator type="and">
                <operator type="or">
                    <condition component="FileItem" property="FullPath" condition="is" value="%SYSTEM%\mstsc.exe"/>
                    <condition component="FileItem" property="FullPath" condition="is" value="%WINDIR%\SysWOW64\mstsc.exe"/>
                </operator>
                <!-- Only a validly signed Microsoft Windows binary at that path qualifies; the signer name must match exactly, with no leading or trailing whitespace -->
                <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
                <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows"/>
            </operator>
        </operation>
    </operations>
</definition>


Edited by JamesR
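Before committing an exclusion like the one above, it is worth confirming on the affected server which copies of the target binary actually exist under %SYSTEM% and %WINDIR%\SysWOW64 and who signed them, because a FullPath or SignerName condition that matches nothing makes the exclusion silently ineffective. The following PowerShell is an added example, not part of JamesR's post or of ESET's documentation. It assumes that the signer ESET shows in a detection corresponds to the CN of the Authenticode leaf certificate on the file, and it defaults to the two binaries named in this thread (mstsc.exe and tssdis.exe).

```powershell
# Added example: not from the original post or from ESET.
# Lists each candidate target binary under %SYSTEM% and %WINDIR%\SysWOW64,
# with its Authenticode status and signer CN, so the FullPath / SignerName
# conditions of an advanced exclusion can be checked against the real files.
# Run from 64-bit PowerShell: a 32-bit host is redirected to SysWOW64 for both roots.
# Windows 10 / PowerShell 5.1 or later resolves catalog-signed system files;
# on older hosts catalog-signed files show as NotSigned even when they are fine.

param(
    # Binaries named in the thread; add whatever your detections list as the target.
    [string[]] $Binary = @('mstsc.exe', 'tssdis.exe')
)

$roots = @(
    (Join-Path $env:SystemRoot 'System32'),   # %SYSTEM%
    (Join-Path $env:SystemRoot 'SysWOW64')    # %WINDIR%\SysWOW64
)

foreach ($name in $Binary) {
    foreach ($root in $roots) {
        $path = Join-Path $root $name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            # Normal for a component that only ships in one bitness; that
            # FullPath condition will simply never match on this host.
            [pscustomobject]@{ Path = $path; Status = 'MISSING'; SignerCN = '' }
            continue
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        # Assumption: the signer ESET shows in the detection is the leaf certificate's CN.
        $cn = if ($sig.SignerCertificate) {
            ($sig.SignerCertificate.Subject -split ',\s*' |
                Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
        } else { '<none>' }
        [pscustomobject]@{ Path = $path; Status = $sig.Status; SignerCN = $cn }
    }
}
```

Compare the SignerCN column with the signer shown in the detection details and with the value in the SignerName condition. If a target turns out to be signed by a different Microsoft signer than "Microsoft Windows", or to be missing from one of the two roots, adjust the corresponding condition rather than widening the exclusion.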

@JamesR Thanks for the detailed response. The triggering process is actually tssdis.exe (ApcQueue), so I'll adjust accordingly.

I'm sure that will do the trick, but will report back, regardless.

Thanks again.


@JamesR I have a similar issue where Injection into system process [F0413b][C] generates a lot of detections for mstsc.exe from multiple processes. The most common one is chrome.exe. Endpoints are user PCs and I was not able to isolate this to a few endpoints. Almost all the endpoints in my environment trigger this.


  • ESET Staff

@isuruSam  You would simply need to alter the advanced exclusion to meet your needs.  This means you would have the following options on which to base your exclusion.


You may want to exclude all processes which are of higher global reputation, which means only less reputable applications will trigger when injecting into MSTSC.exe:

<definition>
    <process>
        <!-- Only exclude if the executable has a good global reputation (LiveGrid Rep) and has been seen globally on 100 or more computers -->
        <!-- You may need to change these numbers based on what you are seeing in your own environment -->
        <operator type="AND">
            <condition component="LiveGrid" property="Reputation" condition="greaterOrEqual" value="8"/>
            <condition component="LiveGrid" property="Popularity" condition="greaterOrEqual" value="100"/>
        </operator>
    </process>
    <operations>
        <operation type="CodeInjection">
            <!-- Describe the possible mstsc.exe processes which are being injected into.  Remove or add any different types of components you desire. Keep in mind that this exclusion will not exclude any mstsc.exe processes from "%WINDIR%\WinSxS\..." locations -->
            <operator type="and">
                <operator type="or">
                    <condition component="FileItem" property="FullPath" condition="is" value="%SYSTEM%\mstsc.exe"/>
                    <condition component="FileItem" property="FullPath" condition="is" value="%WINDIR%\SysWOW64\mstsc.exe"/>
                </operator>
                <!-- Only a validly signed Microsoft Windows binary at that path qualifies; the signer name must match exactly, with no leading or trailing whitespace -->
                <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
                <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows"/>
            </operator>
        </operation>
    </operations>
</definition>


If too many different processes are causing this to trigger, on the vast majority of computers, then you may want to exclude any process injecting into mstsc.exe.  This means that if something malicious does inject into mstsc.exe, you will not see it, but if mstsc.exe starts doing other actions that are dangerous, you will still see those:

<definition>
    <!-- No <process> section: any injecting process is excluded, so only the target side is constrained -->
    <operations>
        <operation type="CodeInjection">
            <!-- Describe the possible mstsc.exe processes which are being injected into.  Remove or add any different types of components you desire. Keep in mind that this exclusion will not exclude any mstsc.exe processes from "%WINDIR%\WinSxS\..." locations -->
            <operator type="and">
                <operator type="or">
                    <condition component="FileItem" property="FullPath" condition="is" value="%SYSTEM%\mstsc.exe"/>
                    <condition component="FileItem" property="FullPath" condition="is" value="%WINDIR%\SysWOW64\mstsc.exe"/>
                </operator>
                <!-- Only a validly signed Microsoft Windows binary at that path qualifies; the signer name must match exactly, with no leading or trailing whitespace -->
                <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
                <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows"/>
            </operator>
        </operation>
    </operations>
</definition>

In the end, the final decision on how to exclude is yours.  Feel free to use these examples as a base for building your own exclusion.  Hopefully this helps you out.

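The three exclusion shapes in the reply above (per computer, gated on process reputation, or target-only) are chosen on the basis of how many computers and how many injecting processes each noisy rule/target pair involves. The following PowerShell is an added example, not part of the original post or of ESET's tooling: it groups a detections export by rule and target, counts distinct hosts and injecting processes per group, and prints which shape fits under assumed thresholds. The detection rows are constructed sample data, and the column names (Computer, Process, Target, Rule) are an assumption about the export format, so map them to the columns of your own export before using this for real.

```powershell
# Added example: not from the original post or from ESET.
# Groups "Injection into system process" detections by rule and target and
# counts distinct computers and injecting processes per group, to show which
# of the three exclusion shapes discussed above fits each group.
# The rows below are constructed sample data with assumed column names.

$sample = @()
1..8 | ForEach-Object {
    # Many workstations, one injecting process: the isuruSam scenario
    $sample += [pscustomobject]@{
        Computer = 'PC-{0:D4}' -f $_
        Process  = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
        Target   = 'C:\Windows\System32\mstsc.exe'
        Rule     = 'Injection into system process [F0413b][C]'
    }
}
3..4 | ForEach-Object {
    $sample += [pscustomobject]@{
        Computer = 'PC-{0:D4}' -f $_
        Process  = 'C:\Program Files\Mozilla Firefox\firefox.exe'
        Target   = 'C:\Windows\System32\mstsc.exe'
        Rule     = 'Injection into system process [F0413b][C]'
    }
}
'TermSvr001', 'TermSvr002' | ForEach-Object {
    # Two terminal servers only: the original poster's scenario
    $sample += [pscustomobject]@{
        Computer = $_
        Process  = 'C:\Windows\System32\tssdis.exe'
        Target   = 'C:\Windows\System32\svchost.exe'   # constructed target, not taken from the thread
        Rule     = 'Injection into system process [F0413a][C]'
    }
}

# Thresholds are a judgement call for your fleet; these are assumed values.
$maxHostsForPerComputer = 3
$maxProcsForPerProcess  = 3

$sample | Group-Object Rule, Target | ForEach-Object {
    $hosts = @($_.Group.Computer | Sort-Object -Unique)
    $procs = @($_.Group.Process  | Sort-Object -Unique)
    $shape = if ($hosts.Count -le $maxHostsForPerComputer) {
        'per-computer: Enterprise/ComputerName conditions, one per host'
    } elseif ($procs.Count -le $maxProcsForPerProcess) {
        'per-process: name the injecting processes, or gate on LiveGrid reputation'
    } else {
        'target-only: no process condition; accept losing sight of injection into this target'
    }
    [pscustomobject]@{
        Rule       = $_.Group[0].Rule
        Target     = $_.Group[0].Target
        Detections = $_.Count
        Hosts      = $hosts.Count
        Processes  = $procs.Count
        Suggested  = $shape
    }
} | Format-List
```

With the sample data the tssdis.exe group resolves to a per-computer exclusion (two hosts) and the mstsc.exe group to a per-process or reputation-gated one (eight hosts, two processes); the target-only shape is reported only when both counts exceed the thresholds, which keeps it the last resort, as the reply above recommends.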
