JamesR88, Posted March 14

Hi guys,

Can I please get your help regarding a Scheduled Task exclusion? I'm getting quite a lot of alerts from Rule F0109 about Scheduling script task. This is the syntax I came up with, but it didn't match any of the alerts yet:

    <definition>
      <process>
        <operator type="AND">
          <operator type="or">
            <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="schtasks" />
            <condition component="Module" property="OriginalFileName" condition="is" value="schtasks.exe" />
          </operator>
          <operator type="or">
            <condition component="ProcessInfo" property="CommandLine" condition="starts" value="/CREATE " />
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value=" /create " />
            <condition component="ProcessInfo" property="CommandLine" condition="starts" value="-create " />
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value=" -create " />
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="program.exe" />
          </operator>
          <condition component="ProcessInfo" property="ProcessOwner" condition="is" value="username" />
        </operator>
      </process>
    </definition>

There is a specific program that always appears in the CommandLine, usually in the middle of the cmdline, but I can't match any of the alerts with this. The triggering event is "ProcessCreated". My program starts the schtasks.exe to run some checks.
Marcos (Administrators), Posted March 14

Did you clone the default rule F0109 and modify it? Asking since mine looks different from yours:

    <definition>
      <process>
        <operator type="and">
          <operator type="or">
            <condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="schtasks" />
            <condition component="Module" property="OriginalFileName" condition="is" value="schtasks.exe" />
          </operator>
          <operator type="or">
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="/create" />
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="-create" />
          </operator>
          <operator type="or">
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="wscript" />
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="cscript" />
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="mshta" />
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="cmd" />
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="powershell" />
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="jscript" />
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="vbscript" />
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value=".vbs" />
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value=".js" />
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value=".ps1" />
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value=".bat" />
          </operator>
        </operator>
      </process>
    </definition>
JamesR88 (Author), Posted March 14

> 1 hour ago, Marcos said:
> Did you clone the default rule F0109 and modify it? Asking since mine looks different from yours: *snip*

Yes, I did take a look at the Rule bodies to find out how to create the best exclusions. It, together with the guide, has proven very useful thus far.
JamesR (ESET Staff), Posted March 14

For this detection, we need a bit more info to assist in building/recommending an exclusion. Can you provide the following info?

- Name of executable which is parent to schtasks:
- Command line which goes with the parent of schtasks:
- Command line of schtasks process you are starting:
JamesR88 (Author), Posted March 14

> 5 minutes ago, JamesR said:
> For this detection, we need a bit more info to assist in building/recommending an exclusion. Can you provide the following info?
> - Name of executable which is parent to schtasks:
> - Command line which goes with the parent of schtasks:
> - Command line of schtasks process you are starting:

Sorry, I'd rather not give specific program names, but the tree (for most of the alerts) looks like this:

    svchost.exe (Grandparent) > program.exe (parent) > schtasks.exe > conhost.exe

Thing is, the CommandLine of schtasks is different each time. The program uses it to run different checks on several computers. These are the arguments that are always in the CommandLine:

    /RU SYSTEM /SC ONCE /ST HH:MM /RL HIGHEST /TR FullPath of program.exe
JamesR (ESET Staff), Posted March 14 (Solution)

I think that will be enough info. I have 2 possibilities for you. Both use a parent-child relationship. You will see I put a comment in both, as you do not need to specify schtasks in the <process> section of the exclusion. Since the rule will only trigger on schtasks.exe, it's not needed to include in the exclusion. But my exclusions do ensure your schtasks.exe is being run from expected locations.

If all schtasks commands have a single unique item between every execution:

    <definition>
      <process>
        <operator type="AND">
          <!-- Not needed as rule is already confirming it must be this file name
          <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="schtasks"/> -->
          <condition component="FileItem" property="Path" condition="is" value="%SYSTEM%\"/>
          <condition component="ProcessInfo" property="CommandLine" condition="contains" value="/RU SYSTEM /SC ONCE /ST HH:MM /RL HIGHEST /TR FullPath of program.exe"/>
        </operator>
      </process>
      <parentprocess>
        <operator type="AND">
          <condition component="FileItem" property="FileName" condition="is" value="program.exe"/>
          <condition component="FileItem" property="Path" condition="is" value="%SYSTEM%\"/>
          <condition component="ProcessInfo" property="CommandLine" condition="contains" value="-some /parent commandline"/>
        </operator>
      </parentprocess>
    </definition>

If each execution of your schtasks could have more than one possible command line. Let's say you have 3 different unique parts to a command line:

    <definition>
      <process>
        <operator type="AND">
          <!-- Not needed as rule is already confirming it must be this file name
          <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="schtasks"/> -->
          <condition component="FileItem" property="Path" condition="is" value="%SYSTEM%\"/>
          <operator type="or">
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value=" /RL HIGHEST "/>
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="/RU SYSTEM /SC ONCE "/>
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="/RU SYSTEM /ST HH:MM /TR FullPath of program.exe"/>
          </operator>
        </operator>
      </process>
      <parentprocess>
        <operator type="AND">
          <condition component="FileItem" property="FileName" condition="is" value="program.exe"/>
          <condition component="FileItem" property="Path" condition="is" value="%SYSTEM%\"/>
          <condition component="ProcessInfo" property="CommandLine" condition="contains" value="-some /parent commandline"/>
        </operator>
      </parentprocess>
    </definition>
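To see how the parent-child exclusion above behaves, here is a small evaluator for this exclusion XML shape run over constructed process events; it is an added illustration, not ESET's code, and the matching semantics (case-insensitive "is", "contains" and "starts", and a <parentprocess> section that fails when no parent is known) are my assumptions, not documented product behaviour.

```python
# Added illustration, not ESET's code: a minimal evaluator for the exclusion XML
# format used in this thread, run over constructed process events. The matching
# semantics (case-insensitive is/contains/starts) are an assumption.
import xml.etree.ElementTree as ET

def _matches(node, event):
    """Evaluate one <operator> or <condition> element against an event dict."""
    if node.tag == "operator":
        combine = all if node.get("type", "and").lower() == "and" else any
        return combine(_matches(child, event) for child in node)
    key = f"{node.get('component')}.{node.get('property')}"  # e.g. ProcessInfo.CommandLine
    actual, want = event.get(key, "").lower(), node.get("value", "").lower()
    return {"is": actual == want, "contains": want in actual,
            "starts": actual.startswith(want)}[node.get("condition")]

def exclusion_matches(xml_text, process, parent=None):
    """True only when the <process> and (if present) <parentprocess> sections both match."""
    for section in ET.fromstring(xml_text):  # XML comments are dropped by the parser
        event = process if section.tag == "process" else parent
        if event is None or not all(_matches(c, event) for c in section):
            return False
    return True

# Constructed exclusion in the shape of the solution post (placeholders kept).
EXCLUSION = r"""<definition>
 <process><operator type="AND">
  <condition component="FileItem" property="Path" condition="is" value="%SYSTEM%\"/>
  <condition component="ProcessInfo" property="CommandLine" condition="contains" value="/RU SYSTEM /SC ONCE "/>
 </operator></process>
 <parentprocess><operator type="AND">
  <condition component="FileItem" property="FileName" condition="is" value="program.exe"/>
  <condition component="FileItem" property="Path" condition="is" value="%SYSTEM%\"/>
 </operator></parentprocess>
</definition>"""

# Constructed events: the expected tree program.exe > schtasks.exe, plus variants that must NOT be excluded.
PARENT = {"FileItem.FileName": "program.exe", "FileItem.Path": "%SYSTEM%\\"}
GOOD = {"FileItem.Path": "%SYSTEM%\\",
        "ProcessInfo.CommandLine": r'schtasks.exe /Create /RU SYSTEM /SC ONCE /ST 09:30 /RL HIGHEST /TR "C:\Windows\System32\program.exe"'}
WRONG_DIR = dict(GOOD, **{"FileItem.Path": "C:\\Users\\Public\\"})  # schtasks copied outside %SYSTEM%
OTHER_PARENT = {"FileItem.FileName": "other.exe", "FileItem.Path": "%SYSTEM%\\"}

def demo():
    return (exclusion_matches(EXCLUSION, GOOD, PARENT),        # True: expected parent and path
            exclusion_matches(EXCLUSION, WRONG_DIR, PARENT),   # False: unexpected schtasks location
            exclusion_matches(EXCLUSION, GOOD, OTHER_PARENT),  # False: different parent process
            exclusion_matches(EXCLUSION, GOOD))                # False: parent section needs a parent
```

Only the first event is suppressed; the other three still reach the F0109 rule, which is the point of tying the exclusion to the parent and to the %SYSTEM% path rather than to the command line alone.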
JamesR88 (Author), Posted March 14

This could work. I'll try this soon. Thank you!