JamesR88 1 Posted March 18, 2023
Hi guys, so I've got Rule F1108a triggering for a bunch of different reasons. The process tree looks like this:
msexchangerelated.exe > netsh.exe
The event is "ProcessCreated" and the triggering process of the alert is netsh.exe. I have tried a bunch of different exclusions to exclude those, but couldn't get any to work. Since the distance between them is always 1, I have tried this:
<definition>
  <ancestor distance="1">
    <operator type="AND">
      <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
      <condition component="FileItem" property="FileName" condition="is" value="msexchangerelated.exe"/>
      <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows"/>
    </operator>
  </ancestor>
  <process>
    <operator type="AND">
      <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
      <condition component="FileItem" property="FileName" condition="is" value="netsh.exe"/>
      <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows"/>
    </operator>
  </process>
</definition>
Didn't match any of the alerts. I have also tried adding the "CreateProcess" operation at the end without netsh.exe:
<operations>
  <operation type="CreateProcess" />
</operations>
Didn't match anything either. I double-checked and I don't have any typos inside the exclusions, and still can't match any of the alerts?
ESET Staff JamesR 58 Posted March 18, 2023
As rule F1108a is only looking for execution of netsh processes, there is no need to specify the "FileName" item in your exclusions. I will assume you are seeing something similar or identical to the following (screen is from my test environment):
The exclusion I would recommend:
<definition>
  <process>
    <operator type="AND">
      <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90" />
      <!-- Defining process name is not needed as the rule F1108a will only trigger for netsh. Including it is redundant -->
      <!--<condition component="FileItem" property="FileName" condition="is" value="netsh.exe" />-->
      <condition component="FileItem" property="Path" condition="is" value="%SYSTEM%\" />
      <condition component="ProcessInfo" property="CommandLine" condition="is" value="interface tcp show global" />
      <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows" />
      <condition component="ProcessInfo" property="ProcessOwner" condition="is" value="nt authority\system" />
    </operator>
  </process>
  <parentprocess>
    <operator type="AND">
      <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90" />
      <condition component="FileItem" property="FileName" condition="is" value="msexchangehmworker.exe" />
      <condition component="FileItem" property="Path" condition="is" value="%PROGRAMFILES%\microsoft\exchange server\v15\bin\" />
      <!-- This OR operator is to list each possible command line you are seeing. Customize this to meet your needs -->
      <operator type="or">
        <!-- I only had 5 of these -pipe: commands out of thousands of triggered detections -->
        <operator type="and">
          <condition component="ProcessInfo" property="CommandLine" condition="starts" value="-pipe:" />
          <condition component="ProcessInfo" property="CommandLine" condition="ends" value=" -workerListening" />
        </operator>
        <!-- This was the bulk of my detections where no command line was present...but these were also processes which were older than my retention and may not be needed for your environment -->
        <condition component="ProcessInfo" property="CommandLine" condition="isempty" />
      </operator>
      <condition component="Module" property="SignerName" condition="is" value="Microsoft Corporation" />
      <condition component="ProcessInfo" property="ProcessOwner" condition="is" value="nt authority\system" />
    </operator>
  </parentprocess>
</definition>
As you can see, I am being a bit strict on this exclusion by clearly defining the behavior I want to exclude. This is because this is an Exchange server and likely has some portion of itself exposed to the internet (email flowing from the internet, OWA, etc...). With the amount of Exchange exploits and zero days found in the past few years (ProxyShell, ProxyLogon, ProxyNotLogon, etc...), I would rather be very clear in what I am excluding on an Exchange server.
If you have problems making this exclusion work, try commenting out or removing the "SignatureType" and "SignerName" items. If your exclusion only works after that, let us know which EI Server and EI Connector versions you are using.
JamesR88 1 (Author) Posted March 19, 2023
Thanks, it's working super well! It doesn't, however, when I change the parentprocess tag to <ancestor>? That is:
msexchangehmworker.exe > cmd.exe > netsh.exe
JamesR88 1 (Author) Posted March 19, 2023
<definition>
  <process>
    <!-- Top-level AND: every condition must hold. The two accepted command lines are alternatives inside a nested OR (a top-level OR would exclude any Microsoft-signed or SYSTEM-owned netsh regardless of command line) -->
    <operator type="AND">
      <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90" />
      <!-- Defining process name is not needed as the rule F1108a will only trigger for netsh. Including it is redundant -->
      <!--<condition component="FileItem" property="FileName" condition="is" value="netsh.exe" />-->
      <condition component="FileItem" property="Path" condition="is" value="%SYSTEM%\" />
      <operator type="OR">
        <condition component="ProcessInfo" property="CommandLine" condition="is" value="interface tcp show global" />
        <condition component="ProcessInfo" property="CommandLine" condition="is" value="advfirewall show global" />
      </operator>
      <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows" />
      <condition component="ProcessInfo" property="ProcessOwner" condition="is" value="nt authority\system" />
    </operator>
  </process>
  <ancestor distance="2">
    <operator type="AND">
      <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90" />
      <condition component="FileItem" property="FileName" condition="is" value="msexchangehmworker.exe" />
      <condition component="FileItem" property="Path" condition="is" value="%PROGRAMFILES%\microsoft\exchange server\v15\bin\" />
      <condition component="ProcessInfo" property="ProcessOwner" condition="is" value="nt authority\system" />
    </operator>
  </ancestor>
</definition>
^ Like so.
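An added example, not from this thread or from ESET: a small Python evaluator that applies exclusion definitions in the shape discussed above to constructed process chains, showing why a parentprocess section stops matching once cmd.exe sits between msexchangehmworker.exe and netsh.exe (an ancestor distance="2" section is needed there), and why a top-level OR in the process section would exclude any Microsoft-signed netsh regardless of its command line. The section semantics (parentprocess = direct parent, ancestor distance="N" = exactly N levels up, case-insensitive string matches) are assumptions of this toy, not ESET Inspect's documented behaviour.

```python
import xml.etree.ElementTree as ET

def proc(name, path, cmd, signer, sigtype, owner):
    # One process record, keyed like the <condition component=... property=...> pairs
    return {"FileItem": {"FileName": name, "Path": path},
            "ProcessInfo": {"CommandLine": cmd, "ProcessOwner": owner},
            "Module": {"SignerName": signer, "SignatureType": sigtype}}
def condition_ok(cond, p):  # assumption: string matches are case-insensitive
    actual = str(p[cond.get("component")][cond.get("property")]).lower()
    op, want = cond.get("condition"), cond.get("value", "").lower()
    if op == "greaterOrEqual":
        return int(actual) >= int(want)
    return {"isempty": actual == "", "is": actual == want,
            "starts": actual.startswith(want), "ends": actual.endswith(want)}[op]
def node_ok(node, p):  # an <operator type="AND|OR"> tree or a single <condition>
    if node.tag == "condition":
        return condition_ok(node, p)
    results = [node_ok(child, p) for child in node]
    return all(results) if node.get("type").lower() == "and" else any(results)

def excludes(definition_xml, chain):
    # chain[0] is the triggering process, chain[1] its parent, chain[2] the grandparent...
    for sect in ET.fromstring(definition_xml):
        # assumption: <ancestor distance="N"> means exactly N levels above the triggering process
        idx = {"process": 0, "parentprocess": 1, "ancestor": sect.get("distance")}.get(sect.tag)
        if idx is None:
            continue  # e.g. <operations>: not modelled here
        if int(idx) >= len(chain) or not all(node_ok(n, chain[int(idx)]) for n in sect):
            return False
    return True
# Constructed sample processes modelled on the thread's two process trees
SYSTEM = "nt authority\\system"
NETSH = proc("netsh.exe", "%SYSTEM%\\", "interface tcp show global", "Microsoft Windows", 90, SYSTEM)
OTHER_NETSH = proc("netsh.exe", "%SYSTEM%\\", "interface portproxy show all", "Microsoft Windows", 90, SYSTEM)
CMD = proc("cmd.exe", "%SYSTEM%\\", "/c netsh interface tcp show global", "Microsoft Windows", 90, SYSTEM)
HMWORKER = proc("msexchangehmworker.exe", "%PROGRAMFILES%\\microsoft\\exchange server\\v15\\bin\\", "", "Microsoft Corporation", 90, SYSTEM)
TEMPLATE = """<definition><process><operator type="{op}">
<condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
<condition component="ProcessInfo" property="CommandLine" condition="is" value="interface tcp show global"/>
<condition component="Module" property="SignerName" condition="is" value="Microsoft Windows"/>
</operator></process><{sect}><operator type="AND">
<condition component="FileItem" property="FileName" condition="is" value="msexchangehmworker.exe"/>
<condition component="ProcessInfo" property="ProcessOwner" condition="is" value="nt authority\\system"/>
</operator></{end}></definition>"""
def parent_exclusion(op="AND"):  # staff reply's shape: netsh directly under msexchangehmworker
    return TEMPLATE.format(op=op, sect="parentprocess", end="parentprocess")
def ancestor_exclusion(distance):  # follow-up's shape: msexchangehmworker > cmd > netsh
    return TEMPLATE.format(op="AND", sect='ancestor distance="%d"' % distance, end="ancestor")
```

With a top-level OR, OTHER_NETSH (a different netsh command line) is excluded too, which is exactly the over-broad exclusion the staff reply warns against on an Exchange server.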