EEI custom exclusion rule: using OR between two different items

Hello everyone,

My question should be a little trivial, but I didn't obtain the expected results when trying to use an "OR" condition between two different items (process and parent process).


Here is the context:

- We are dealing with a custom administration script which is detected by ESET Inspector. No issue on that point, we just want to exclude it.
- The script can be launched in 2 different ways: PowerShell from a .ps1 file or cmd from a .bat file.

And here is my attempt to build a custom exclusion rule:

<definition>
    <operator operator="OR">
        <process>
            <operator type="AND">
                <condition component="FileItem" property="FileName" condition="is" value="powershell.exe" />
                <condition component="ProcessInfo" property="CommandLine" condition="contains" value="MyScript.ps1" />
            </operator>
        </process>
        <parentprocess>
            <operator type="AND">
                <condition component="FileItem" property="FileName" condition="is" value="cmd.exe" />
                <condition component="ProcessInfo" property="CommandLine" condition="contains" value="MyScript.bat" />
            </operator>
        </parentprocess>
    </operator>
</definition>


Thank you for your help!


Hi,

I only just started with ESET Inspect, so don't take my input too seriously.

I think you have the structure wrong.

With your rule it would allow either the process powershell.exe coming from your .ps1 or a parent process cmd.exe coming from your .bat file.

I guess only the powershell.exe wouldn't generate any more events with your rule, but the cmd one might get ignored, because you specify it as a parent process.

Here's my correction, see if that one helps:

<definition>
    <process>
        <operator operator="OR">
            <operator type="AND">
                <condition component="FileItem" property="FileName" condition="is" value="powershell.exe" />
                <condition component="ProcessInfo" property="CommandLine" condition="contains" value="MyScript.ps1" />
            </operator>
            <operator type="AND">
                <condition component="FileItem" property="FileName" condition="is" value="cmd.exe" />
                <condition component="ProcessInfo" property="CommandLine" condition="contains" value="MyScript.bat" />
            </operator>
        </operator>
    </process>
</definition> 

Here it would exclude processes from cmd and its script name or powershell and its script name.

Be sure that not everyone can write to these files, otherwise they could be used by malicious persons. Maybe include a hash for these files and the company name.


  • Administrators

I guess changing
<operator operator="OR">
to
<operator operator="AND">
would do the trick since the parent of powershell.exe must be cmd.exe, at least that seems to me what you wanted to achieve.


  • ESET Staff

From @Artemis AWAD's description, I made an exclusion (which matches @thae's exclusion). I added some notes to mine to help explain the flow of logic. If this does not work, we will need the following info:

  • Which Rule or Rules are being triggered by these commands? Sometimes you need to add an <operations> section, which is a bit more advanced to create.
  • An example of the Triggering Event
    • Open the details of a detection, and scroll down to the "Triggering Process" section. Provide this as a screenshot and blur out any sensitive data.
  • Notes or Screenshot of Parent to Child relationship
    • If the parent to PowerShell or CMD is always the same, it could be used to make the exclusion more specific.


<definition>
    <process><!-- Single 'OR' Statement which contains a list of processes -->
        <operator type="OR">
            <operator type="AND"><!-- PowerShell Process which can run your PS1 script -->
                <condition component="FileItem" property="FileName" condition="is" value="powershell.exe" />
                <condition component="ProcessInfo" property="CommandLine" condition="contains" value="MyScript.ps1" />
            </operator>
            <operator type="AND"><!-- CMD Process which can run your BAT script -->
                <condition component="FileItem" property="FileName" condition="is" value="cmd.exe" />
                <condition component="ProcessInfo" property="CommandLine" condition="contains" value="MyScript.bat" />
            </operator>
        </operator>
    </process>
</definition>


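To make the difference between the two structures concrete, here is a small Python evaluator added to this page (not ESET Inspect's engine, and not code from anyone in the thread) that walks the rule XML and applies it to constructed process records; the record shape, the explorer.exe parent and the whoami.exe child process are assumptions. It shows the original rule matching the .ps1 launch and the children of the .bat, but not the cmd.exe process itself, while the corrected rule matches both launches.

```python
# Toy evaluator for the exclusion-rule subset used in this thread (constructed example,
# not ESET Inspect's engine): <operator type="AND|OR">, <process>, <parentprocess>,
# and <condition ... condition="is|contains">.
import xml.etree.ElementTree as ET

def make_event(file_name, command_line, parent=None):
    # A constructed process record in the shape the conditions look up.
    return {"FileItem": {"FileName": file_name}, "ProcessInfo": {"CommandLine": command_line}, "parent": parent}

def eval_condition(cond, event):
    actual = event[cond.get("component")][cond.get("property")].lower()
    expected = cond.get("value").lower()
    return actual == expected if cond.get("condition") == "is" else expected in actual

def eval_node(node, event):
    if node.tag == "condition":
        return eval_condition(node, event)
    if node.tag == "operator":
        # accept type="..." (staff reply) as well as operator="..." (original post)
        kind = (node.get("type") or node.get("operator")).upper()
        results = [eval_node(child, event) for child in node]
        return all(results) if kind == "AND" else any(results)
    if node.tag == "process":
        return all(eval_node(child, event) for child in node)
    if node.tag == "parentprocess":
        # evaluated against the *parent* record, so it matches children of cmd.exe
        parent = event["parent"]
        return parent is not None and all(eval_node(child, parent) for child in node)
    raise ValueError(f"unsupported element <{node.tag}>")

def rule_matches(rule_xml, event):
    return all(eval_node(child, event) for child in ET.fromstring(rule_xml))

PS = ('<operator type="AND"><condition component="FileItem" property="FileName" condition="is" value="powershell.exe"/>'
      '<condition component="ProcessInfo" property="CommandLine" condition="contains" value="MyScript.ps1"/></operator>')
CMD = ('<operator type="AND"><condition component="FileItem" property="FileName" condition="is" value="cmd.exe"/>'
       '<condition component="ProcessInfo" property="CommandLine" condition="contains" value="MyScript.bat"/></operator>')
# The original post: OR between a <process> block and a <parentprocess> block
OP_RULE = f'<definition><operator operator="OR"><process>{PS}</process><parentprocess>{CMD}</parentprocess></operator></definition>'
# The correction from thae / ESET staff: one <process> block, OR over the two AND groups
FIXED_RULE = f'<definition><process><operator type="OR">{PS}{CMD}</operator></process></definition>'

EXPLORER = make_event("explorer.exe", "explorer.exe")  # constructed parent for both launches
PS_EVENT = make_event("powershell.exe", r"powershell.exe -File C:\admin\MyScript.ps1", EXPLORER)
BAT_EVENT = make_event("cmd.exe", r"cmd.exe /c C:\admin\MyScript.bat", EXPLORER)
CHILD_EVENT = make_event("whoami.exe", "whoami.exe", BAT_EVENT)  # constructed child spawned by the .bat

if __name__ == "__main__":
    for name, ev in [("ps1", PS_EVENT), ("bat", BAT_EVENT), ("bat child", CHILD_EVENT)]:
        print(f"{name:10} original={rule_matches(OP_RULE, ev)!s:5} corrected={rule_matches(FIXED_RULE, ev)}")
```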
