Jump to content

Scheduled tasks exclusion

JamesR88
 Share

Recommended Posts

JamesR88

JamesR88 1

Posted
Posted

Hi guys,

Can I please get your help regarding a Scheduled Task exclusion? I'm quite a lot of alerts from Rule F0109 about Scheduling script task. This is the syntax I came up with, but it didn't match any of the alerts yet: 

<definition>
    <process>
        <operator type="AND">
            <operator type="or">
                <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="schtasks" />
                <condition component="Module" property="OriginalFileName" condition="is" value="schtasks.exe" />
            </operator>
            <operator type="or">
                <condition component="ProcessInfo" property="CommandLine" condition="starts" value="/CREATE " />
                <condition component="ProcessInfo" property="CommandLine" condition="contains" value=" /create " />
                <condition component="ProcessInfo" property="CommandLine" condition="starts" value="-create " />
                <condition component="ProcessInfo" property="CommandLine" condition="contains" value=" -create " />
                <condition component="ProcessInfo" property="CommandLine" condition="contains" value="program.exe" />
            </operator>
            <condition component="ProcessInfo" property="ProcessOwner" condition="is" value="username" />
        </operator>
    </process>
</definition>

There is a specific program that always appears in the CommandLine, usually in the middle of the cmdline, but I can't match any of the alerts with this. The triggering event is "ProcessCreated". My program starts the schtasks.exe to run some checks.

Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 4,609

Posted
  • Administrators
Posted

Did you clone the default rule F0109 and modified it? Asking since mine looks differently than yours: 

    <definition>
        <process>
            <operator type="and">
                <operator type="or">
                    <condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="schtasks" />
                    <condition component="Module" property="OriginalFileName" condition="is" value="schtasks.exe" />
                </operator>
                <operator type="or">
                    <condition component="ProcessInfo" property="CommandLine" condition="contains" value="/create" />
                    <condition component="ProcessInfo" property="CommandLine" condition="contains" value="-create" />
                </operator>
                <operator type="or">
                    <condition component="ProcessInfo" property="CommandLine" condition="contains" value="wscript" />
                    <condition component="ProcessInfo" property="CommandLine" condition="contains" value="cscript" />
                    <condition component="ProcessInfo" property="CommandLine" condition="contains" value="mshta" />
                    <condition component="ProcessInfo" property="CommandLine" condition="contains" value="cmd" />
                    <condition component="ProcessInfo" property="CommandLine" condition="contains" value="powershell" />
                    <condition component="ProcessInfo" property="CommandLine" condition="contains" value="jscript" />
                    <condition component="ProcessInfo" property="CommandLine" condition="contains" value="vbscript" />
                    <condition component="ProcessInfo" property="CommandLine" condition="contains" value=".vbs" />
                    <condition component="ProcessInfo" property="CommandLine" condition="contains" value=".js" />
                    <condition component="ProcessInfo" property="CommandLine" condition="contains" value=".ps1" />
                    <condition component="ProcessInfo" property="CommandLine" condition="contains" value=".bat" />
                </operator>
            </operator>
        </process>
    </definition>

 

Link to comment
Share on other sites
  • Marcos changed the title to Scheduled tasks exclusion
JamesR88

JamesR88 1

Posted
  • Author
Posted
1 hour ago, Marcos said:

Did you clone the default rule F0109 and modified it? Asking since mine looks differently then yours: 

*snip*

 

Yes, I did take a look at the Rule bodies to find out how to create the best exclusions. It, together with the guide have proven very useful thus far.

Link to comment
Share on other sites
  • ESET Staff
JamesR

JamesR 48

Posted
  • ESET Staff
Posted

For this detection, we need a bit more info to assist in building/recommending an exclusion.  Can you provide the following info?

  • Name of executable which is parent to schtasks: 
  • Command line which goes with the parent of schtasks: 
  • Command line of schtasks process you are starting: 

 

Link to comment
Share on other sites
JamesR88

JamesR88 1

Posted
  • Author
Posted
5 minutes ago, JamesR said:

For this detection, we need a bit more info to assist in building/recommending an exclusion.  Can you provide the following info?

  • Name of executable which is parent to schtasks: 
  • Command line which goes with the parent of schtasks: 
  • Command line of schtasks process you are starting: 

 

Sorry, I'd rather not give specific program names but the tree (for most of the alerts) look like this:

svchost.exe (Grandparent) > program.exe (parent) > schtasks.exe > conhost.exe

Thing is, the CommandLine of schtasks is different each time. The program uses it to run different checks on several computers.

These are the arguments that are always in the CommandLine:

/RU SYSTEM /SC ONCE /ST HH:MM /RL HIGHEST /TR FullPath of program.exe

Link to comment
Share on other sites
  • ESET Staff
JamesR

JamesR 48

Posted
  • ESET Staff
Posted

I think that will be enough info.

I have 2 possibilities for you.  Both use a parent child relationship.  You will see I put a comment in both as you do not need to specify schtasks in the <process> section of the exclusion.  Since the rule will only trigger on schtasks.exe, its not needed to include in the exclusion.  But my exclusions do ensure your schtasks.exe is being run from expected locations.

If all schtasks commands have a single unique item between every execution 

<definition>
    <process>
        <operator type="AND">
            <!-- Not needed as rule is already confriming it must be this file name<condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="schtasks"/>-->
            <condition component="FileItem" property="Path" condition="is" value="%SYSTEM%\"/>
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="/RU SYSTEM /SC ONCE /ST HH:MM /RL HIGHEST /TR FullPath of program.exe"/>
        </operator>
    </process>
    <parentprocess>
        <operator type="AND">
            <condition component="FileItem" property="FileName" condition="is" value="program.exe"/>
            <condition component="FileItem" property="Path" condition="is" value="%SYSTEM%\"/>
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="-some /parent commandline"/>
        </operator>
    </parentprocess>
</definition>

 

If each execution of your schtasks could have more than one possible command line.  Lets say you have 3 different unique parts to a command line. 

<definition>
    <process>
        <operator type="AND">
            <!-- Not needed as rule is already confriming it must be this file name<condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="schtasks"/>-->
            <condition component="FileItem" property="Path" condition="is" value="%SYSTEM%\"/>
            <operator type="or">
                <condition component="ProcessInfo" property="CommandLine" condition="contains" value=" /RL HIGHEST "/>
                <condition component="ProcessInfo" property="CommandLine" condition="contains" value="/RU SYSTEM /SC ONCE "/>
                <condition component="ProcessInfo" property="CommandLine" condition="contains" value="/RU SYSTEM  /ST HH:MM /TR FullPath of program.exe"/>
            </operator>
        </operator>
    </process>
    <parentprocess>
        <operator type="AND">
            <condition component="FileItem" property="FileName" condition="is" value="program.exe"/>
            <condition component="FileItem" property="Path" condition="is" value="%SYSTEM%\"/>
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="-some /parent commandline"/>
        </operator>
    </parentprocess>
</definition>

 

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...