j-gray (37), posted August 16, 2022:

I'm assuming that due to the nature of terminal services, pretty much everything is getting flagged as 'Injection into system process'. Is there a recommended method for handling these excessive alerts without actually defeating the purpose of EDR?
JamesR (ESET Staff, 58), posted August 16, 2022 (edited):

I am going to assume that you are seeing injections into the "mstsc.exe" process (visible in the "Trigger Event" of the detection). If this is not correct, then please disregard the following.

There are 3 rules for "Injection into system process" (EDIT: only apply the exclusion to the rules causing incorrect detections):

  Injection into system process [F0413a][C]
  Injection into system process [F0413b][C]
  Injection into system process [F0413c][C]

All are looking for injection into processes located in:

  Windows\System32\ = %System%
  Windows\SysWOW64\ = %WinDir%\SysWOW64

Armed with knowing this is only happening on your terminal services servers, I would build an exclusion that will only apply to your terminal servers. The exclusion would look something like this:

  <definition>
    <process>
      <!-- List of servers goes here. If only a single server, remove the operator tags from this process section -->
      <operator type="OR">
        <condition component="Enterprise" property="ComputerName" condition="is" value="TermSvr001"/>
        <condition component="Enterprise" property="ComputerName" condition="is" value="TermSvr002"/>
      </operator>
    </process>
    <operations>
      <operation type="CodeInjection">
        <!-- Describe the possible mstsc.exe processes which are being injected into. Remove or add any different types of components you desire.
             Keep in mind that this exclusion will not exclude any mstsc.exe processes from "%WINDIR%\WinSxS\..." locations -->
        <operator type="and">
          <operator type="or">
            <condition component="FileItem" property="FullPath" condition="is" value="%SYSTEM%\mstsc.exe"/>
            <condition component="FileItem" property="FullPath" condition="is" value="%WINDIR%\SysWOW64\mstsc.exe"/>
          </operator>
          <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
          <condition component="Module" property="SignerName" condition="is" value=" Microsoft Windows"/>
        </operator>
      </operation>
    </operations>
  </definition>
j-gray (37, author), posted August 16, 2022:

@JamesR Thanks for the detailed response. The triggering process is actually tssdis.exe (ApcQueue), so I'll adjust accordingly. I'm sure that will do the trick, but will report back, regardless. Thanks again.
IsuruSam (0), posted August 17, 2022:

@JamesR I have a similar issue where Injection into system process [F0413b][C] generates a lot of detections for mstsc.exe from multiple processes. The most common one is chrome.exe. Endpoints are user PCs and I was not able to isolate this to a few endpoints. Almost all the endpoints in my environment trigger this.
JamesR (ESET Staff, 58), posted August 17, 2022:

@isuruSam You would simply need to alter the advanced exclusion to meet your needs. This means you would have the following options to base your exclusion off of.

You may want to exclude all processes which are of higher global reputation, which means only less reputable applications will trigger when injecting into MSTSC.exe:

  <definition>
    <process>
      <!-- Only exclude if the executable has a good global reputation (LiveGrid Rep) and has been seen globally on 100 or more computers -->
      <!-- You may need to change these numbers based on what you are seeing in your own environment -->
      <operator type="AND">
        <condition component="LiveGrid" property="Reputation" condition="greaterOrEqual" value="8"/>
        <condition component="LiveGrid" property="Popularity" condition="greaterOrEqual" value="100"/>
      </operator>
    </process>
    <operations>
      <operation type="CodeInjection">
        <!-- Describe the possible mstsc.exe processes which are being injected into. Remove or add any different types of components you desire.
             Keep in mind that this exclusion will not exclude any mstsc.exe processes from "%WINDIR%\WinSxS\..." locations -->
        <operator type="and">
          <operator type="or">
            <condition component="FileItem" property="FullPath" condition="is" value="%SYSTEM%\mstsc.exe"/>
            <condition component="FileItem" property="FullPath" condition="is" value="%WINDIR%\SysWOW64\mstsc.exe"/>
          </operator>
          <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
          <condition component="Module" property="SignerName" condition="is" value=" Microsoft Windows"/>
        </operator>
      </operation>
    </operations>
  </definition>

If too many different processes are causing this to trigger, on the vast majority of computers, then you may want to exclude any process injecting into mstsc.exe. This means if something malicious does inject into mstsc.exe, you will not see it, but if MSTSC.exe starts doing other actions that are dangerous, you will still see those:

  <definition>
    <operations>
      <operation type="CodeInjection">
        <!-- Describe the possible mstsc.exe processes which are being injected into. Remove or add any different types of components you desire.
             Keep in mind that this exclusion will not exclude any mstsc.exe processes from "%WINDIR%\WinSxS\..." locations -->
        <operator type="and">
          <operator type="or">
            <condition component="FileItem" property="FullPath" condition="is" value="%SYSTEM%\mstsc.exe"/>
            <condition component="FileItem" property="FullPath" condition="is" value="%WINDIR%\SysWOW64\mstsc.exe"/>
          </operator>
          <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
          <condition component="Module" property="SignerName" condition="is" value=" Microsoft Windows"/>
        </operator>
      </operation>
    </operations>
  </definition>

In the end, the final decision on how to exclude is yours to decide. Feel free to use these examples as a base for building your own exclusion. Hopefully this helps you out.
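As an added example (not from the thread or from ESET), the following Python evaluator applies the <definition> structure JamesR uses in both replies (an optional <process> scope, nested AND/OR <operator> elements, `is` and `greaterOrEqual` conditions) to constructed detection events, so you can see what a server-scoped exclusion suppresses and what still alerts. The flat "<component>.<property>" event keys and the %SYSTEM%/%WINDIR% expansion are assumptions for illustration, not ESET Inspect's actual evaluation semantics.

```python
import xml.etree.ElementTree as ET

def norm(value: str) -> str:
    """Trim, lower-case and expand %SYSTEM% / %WINDIR% (assumed expansion) so paths compare equal."""
    value = value.strip().lower()
    return value.replace("%system%", r"c:\windows\system32").replace("%windir%", r"c:\windows")

def eval_condition(cond: ET.Element, event: dict) -> bool:
    actual = event.get(f"{cond.get('component')}.{cond.get('property')}")
    if actual is None:  # attribute absent from the event: the condition cannot match
        return False
    if cond.get("condition") == "is":
        return norm(str(actual)) == norm(cond.get("value"))
    if cond.get("condition") == "greaterOrEqual":
        return float(actual) >= float(cond.get("value"))
    raise ValueError(f"unsupported condition {cond.get('condition')!r}")

def eval_node(node: ET.Element, event: dict) -> bool:
    """<operator type="AND|OR"> folds its children; anything else is a leaf <condition>."""
    if node.tag == "operator":
        combine = all if node.get("type", "AND").upper() == "AND" else any
        return combine(eval_node(child, event) for child in node)
    return eval_condition(node, event)

def is_excluded(definition_xml: str, event: dict) -> bool:
    """Excluded when <process> (if present) and the <operation> of the event's type both hold."""
    root = ET.fromstring(definition_xml)
    process = root.find("process")  # no <process> section => any injecting process qualifies
    if process is not None and not all(eval_node(c, event) for c in process):
        return False
    return any(op.get("type") == event.get("operation") and all(eval_node(c, event) for c in op)
               for op in root.findall("operations/operation"))

# JamesR's terminal-server exclusion, reduced to a single server (no <operator> in <process>).
TERMSVR_RULE = """<definition>
<process><condition component="Enterprise" property="ComputerName" condition="is" value="TermSvr001"/></process>
<operations><operation type="CodeInjection"><operator type="and">
  <operator type="or">
    <condition component="FileItem" property="FullPath" condition="is" value="%SYSTEM%\\mstsc.exe"/>
    <condition component="FileItem" property="FullPath" condition="is" value="%WINDIR%\\SysWOW64\\mstsc.exe"/>
  </operator>
  <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
  <condition component="Module" property="SignerName" condition="is" value=" Microsoft Windows"/>
</operator></operation></operations></definition>"""
# Constructed detection events, not real telemetry; keys are "<component>.<property>".
BASE = {"operation": "CodeInjection", "FileItem.FullPath": r"C:\Windows\System32\mstsc.exe",
        "Module.SignatureType": 90, "Module.SignerName": "Microsoft Windows"}
ON_TERMSVR = {**BASE, "Enterprise.ComputerName": "TermSvr001"}  # suppressed by the rule
ON_WORKSTATION = {**BASE, "Enterprise.ComputerName": "PC-042"}  # still alerts: outside the scope
```

Dropping the <process> section from the rule string (as in JamesR's last variant) makes `is_excluded` return True for the workstation event as well, which is exactly the visibility trade-off he describes.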
IsuruSam (0), posted August 18, 2022:

Thanks @JamesR I will evaluate both of your suggestions and select the best for our environment.