
Posted

Hi guys,

So I've got Rule F1108a triggering for a bunch of different reasons. The process tree looks like this: msexchangerelated.exe > netsh.exe

The event is "ProcessCreated" and the triggering process of the alert is netsh.exe. I have tried a bunch of different exclusions to exclude those, but couldn't get any to work. Since the distance between them is always 1, I have tried this:

<definition>
    <ancestor distance="1">
        <operator type="AND">
            <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
            <condition component="FileItem" property="FileName" condition="is" value="msexchangerelated.exe"/>
            <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows"/>
        </operator>
    </ancestor>
    <process>
        <operator type="AND">
            <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
            <condition component="FileItem" property="FileName" condition="is" value="netsh.exe"/>
            <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows"/>
        </operator>
    </process>
</definition>

Didn't match any of the alerts.

I have also tried adding the "CreateProcess" operation at the end without netsh.exe:

<operations>
  <operation type="CreateProcess" />
</operations>

Didn't match anything either. I double checked and I don't have any typos inside the exclusions and still can't match any of the alerts?

ESET Staff
Posted

As rule F1108a is only looking for execution of netsh processes, there is no need to specify the "FileName" item in your exclusions.

I will assume you are seeing something similar or identical to the following (screen is from my test environment):

[image: screenshot of the triggered F1108a detection from the test environment]

The exclusion I would recommend:

<definition>
    <process>
        <operator type="AND">
            <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90" />
            <!-- Defining process name is not needed as the rule F1108a will only trigger for netsh.  Including it is redundant -->
            <!--<condition component="FileItem" property="FileName" condition="is" value="netsh.exe" />-->
            <condition component="FileItem" property="Path" condition="is" value="%SYSTEM%\" />
            <condition component="ProcessInfo" property="CommandLine" condition="is" value="interface tcp show global" />
            <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows" />
            <condition component="ProcessInfo" property="ProcessOwner" condition="is" value="nt authority\system" />
        </operator>
    </process>
    <parentprocess>
        <operator type="AND">
            <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90" />
            <condition component="FileItem" property="FileName" condition="is" value="msexchangehmworker.exe" />
            <condition component="FileItem" property="Path" condition="is" value="%PROGRAMFILES%\microsoft\exchange server\v15\bin\" />
            <!-- This OR operator is to list each possible command line you are seeing.  Customize this to meet your needs-->
            <operator type="or">
                <!-- I only had 5 of these -pipe: commands out of thousands of triggered detections -->
                <operator type="and">
                    <condition component="ProcessInfo" property="CommandLine" condition="starts" value="-pipe:" />
                    <condition component="ProcessInfo" property="CommandLine" condition="ends" value=" -workerListening" />
                </operator>
                <!-- This was the bulk of my detections where no command line was present...but these were also processes which were older than my retention and may not be needed for your environment -->
                <condition component="ProcessInfo" property="CommandLine" condition="isempty" />
            </operator>
            <condition component="Module" property="SignerName" condition="is" value="Microsoft Corporation" />
            <condition component="ProcessInfo" property="ProcessOwner" condition="is" value="nt authority\system" />
        </operator>
    </parentprocess>
</definition>

As you can see, I am being a bit strict on this exclusion by clearly defining the behavior I want to exclude.  This is because this is an exchange server and likely has some portion of itself, exposed to the internet (Email flowing from the internet, OWA, etc...).  With the amount of Exchange exploits and zero days found in the past few years (ProxyShell, ProxyLogon, ProxyNotLogon, etc...), I would rather be very clear in what I am excluding on an exchange server.

If you have problems making this exclusion work, try commenting out or removing the "SignatureType" and "SignerName" items.  If your exclusion only works after that, let us know which EI Server and EI Connector versions you are using.

Posted

Thanks, it's working super well!

It doesn't, however, when I change the parentprocess tag to <ancestor>?

That is: msexchangehmworker.exe > cmd.exe > netsh.exe

Posted

<definition>
    <process>
        <operator type="AND">
            <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90" />
            <!-- Defining process name is not needed as the rule F1108a will only trigger for netsh.  Including it is redundant -->
            <!--<condition component="FileItem" property="FileName" condition="is" value="netsh.exe" />-->
            <condition component="FileItem" property="Path" condition="is" value="%SYSTEM%\" />
            <!-- Two "is" conditions on the same CommandLine can never both be true, so they are grouped under OR and the surrounding operator stays AND -->
            <operator type="OR">
                <condition component="ProcessInfo" property="CommandLine" condition="is" value="interface tcp show global" />
                <condition component="ProcessInfo" property="CommandLine" condition="is" value="advfirewall show global" />
            </operator>
            <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows" />
            <condition component="ProcessInfo" property="ProcessOwner" condition="is" value="nt authority\system" />
        </operator>
    </process>
    <ancestor distance="2">
        <operator type="AND">
            <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90" />
            <condition component="FileItem" property="FileName" condition="is" value="msexchangehmworker.exe" />
            <condition component="FileItem" property="Path" condition="is" value="%PROGRAMFILES%\microsoft\exchange server\v15\bin\" />
            <condition component="ProcessInfo" property="ProcessOwner" condition="is" value="nt authority\system" />
        </operator>
    </ancestor>
</definition>

^ Like so.
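To make the matching behaviour of these exclusion definitions concrete, here is a small evaluator written for this thread (it is not ESET code and does not reproduce ESET Inspect's real engine). It parses the same XML shape used above (`<process>`, `<parentprocess>`, `<ancestor distance="N">`, nested AND/OR operators, and the is/starts/ends/isempty/greaterOrEqual conditions) and runs it against a constructed process tree. The assumptions are labelled in the code: matching is case-insensitive, `<parentprocess>` is treated as `<ancestor distance="1">`, and the `%SYSTEM%`/`%PROGRAMFILES%` placeholders expand to the usual Windows paths. It shows why the staff's `<parentprocess>` exclusion covers `msexchangehmworker.exe > netsh.exe` but not `msexchangehmworker.exe > cmd.exe > netsh.exe`, why `distance="2"` covers the second chain but no longer the first, and why two `is` conditions on the same CommandLine can never both hold under an AND.

```python
"""Toy evaluator for the exclusion XML shape used in this thread (illustration only)."""
import xml.etree.ElementTree as ET

# Assumption: EI placeholders expand to these paths (compared case-insensitively).
PLACEHOLDERS = {"%SYSTEM%": "c:\\windows\\system32", "%PROGRAMFILES%": "c:\\program files"}


def expand(value):
    for key, path in PLACEHOLDERS.items():
        value = value.replace(key, path)
    return value


def proc(name, path, cmdline, signer="Microsoft Windows", sigtype=90, parent=None):
    """Constructed process record holding the properties the conditions refer to."""
    return {"FileName": name, "Path": path, "CommandLine": cmdline, "SignerName": signer,
            "SignatureType": sigtype, "ProcessOwner": "nt authority\\system", "parent": parent}


def eval_condition(cond, p):
    value, how = p[cond.get("property")], cond.get("condition")
    want = expand(cond.get("value") or "").lower()
    if how == "is":
        return str(value).lower() == want
    if how == "starts":
        return str(value).lower().startswith(want)
    if how == "ends":
        return str(value).lower().endswith(want)
    if how == "isempty":
        return value in (None, "")
    if how == "greaterOrEqual":
        return int(value) >= int(want)
    raise ValueError(f"unsupported condition {how!r}")


def eval_node(node, p):
    """AND requires every child to match; OR requires at least one. Comments are dropped by ET."""
    if node.tag == "condition":
        return eval_condition(node, p)
    results = [eval_node(child, p) for child in node]
    return all(results) if node.get("type", "").upper() == "AND" else any(results)


def nth_ancestor(p, n):
    for _ in range(n):
        p = p["parent"] if p else None
    return p


def matches(definition_xml, triggering_process):
    """Every block in <definition> must match its target process; a missing ancestor never matches."""
    for block in ET.fromstring(definition_xml):
        if block.tag == "process":
            target = triggering_process
        elif block.tag == "parentprocess":          # assumption: same as ancestor distance="1"
            target = nth_ancestor(triggering_process, 1)
        elif block.tag == "ancestor":
            target = nth_ancestor(triggering_process, int(block.get("distance")))
        else:
            continue                                # <operations> etc. are not modelled here
        if target is None or not eval_node(block.find("operator"), target):
            return False
    return True


PROCESS_BLOCK = r"""
    <process><operator type="AND">
        <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90" />
        <condition component="FileItem" property="Path" condition="is" value="%SYSTEM%\" />
        <operator type="OR">
            <condition component="ProcessInfo" property="CommandLine" condition="is" value="interface tcp show global" />
            <condition component="ProcessInfo" property="CommandLine" condition="is" value="advfirewall show global" />
        </operator>
        <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows" />
        <condition component="ProcessInfo" property="ProcessOwner" condition="is" value="nt authority\system" />
    </operator></process>"""


def exchange_block(tag, attrs=""):
    """The parent/ancestor block from the thread, with the tag left as a parameter."""
    return rf"""
    <{tag}{attrs}><operator type="AND">
        <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90" />
        <condition component="FileItem" property="FileName" condition="is" value="msexchangehmworker.exe" />
        <condition component="FileItem" property="Path" condition="is" value="%PROGRAMFILES%\microsoft\exchange server\v15\bin\" />
        <condition component="ProcessInfo" property="CommandLine" condition="isempty" />
        <condition component="Module" property="SignerName" condition="is" value="Microsoft Corporation" />
    </operator></{tag}>"""


PARENT_RULE = "<definition>" + PROCESS_BLOCK + exchange_block("parentprocess") + "</definition>"
ANCESTOR_RULE = "<definition>" + PROCESS_BLOCK + exchange_block("ancestor", ' distance="2"') + "</definition>"
# Same rule, but both CommandLine "is" conditions under AND: impossible to satisfy.
IMPOSSIBLE_AND_RULE = PARENT_RULE.replace('<operator type="OR">', '<operator type="AND">')

# Constructed process tree: exchange worker -> netsh, and exchange worker -> cmd -> netsh.
exchange = proc("msexchangehmworker.exe", "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\",
                "", signer="Microsoft Corporation")
netsh_direct = proc("netsh.exe", "C:\\Windows\\System32\\", "interface tcp show global", parent=exchange)
cmd = proc("cmd.exe", "C:\\Windows\\System32\\", "/c netsh advfirewall show global", parent=exchange)
netsh_via_cmd = proc("netsh.exe", "C:\\Windows\\System32\\", "advfirewall show global", parent=cmd)

if __name__ == "__main__":
    print("parentprocess rule, direct chain:  ", matches(PARENT_RULE, netsh_direct))        # True
    print("parentprocess rule, via cmd.exe:   ", matches(PARENT_RULE, netsh_via_cmd))       # False
    print("ancestor distance=2, via cmd.exe:  ", matches(ANCESTOR_RULE, netsh_via_cmd))     # True
    print("ancestor distance=2, direct chain: ", matches(ANCESTOR_RULE, netsh_direct))      # False
    print("two CommandLine 'is' under AND:    ", matches(IMPOSSIBLE_AND_RULE, netsh_direct))  # False
```

The practical takeaway is that a distance-based block is exact rather than "up to": a `distance="2"` block does not cover the one-level chain, so the two chains in this thread need two separate exclusions (or, if the engine supports it, both blocks in one definition only if it treats them as alternatives, which this toy does not assume). Keeping the outer operator as AND and grouping alternative command lines under an inner OR preserves the strictness the staff reply argues for on an Exchange server.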
