Jump to content

IIS Backdoor Exclusion

jakebutterfield
 Share

Recommended Posts

jakebutterfield

jakebutterfield 0

Posted
Posted

I am struggling to create a exclusion for our web server applications,

We are getting a whole bunch of false positives for IIS Backdoor, I was hoping I could just *.* the pipe and inetpub but still not getting hit,

Just hoping I can wipe out the false positives to any alerts we are getting on inspect so we only see things that need investigating,
9Lguwq8.png

Link to comment
Share on other sites
  • ESET Staff
JamesR

JamesR 52

Posted
  • ESET Staff
Posted

I believe you are building an exclusion for rule "Generic IIS backdoor activity - child process [F0403]" (the ID at the end of the rule name is the most important identifier of the rule.

 

Your exclusion will need to be an Advanced Exclusion and will need to be built to describe the child process to w3wp.exe

image.png

 

Here is how to start building the Advanced Exclusion.

  1. Begin creating your exclusion as usual.
  2. When you get to the criteria you showed in your screenshot, use the "Advanced Editor" button on the top right of the screen.
  3. Build XML similar to the following examples and your exclusion should work.

 

Example 1 - excluding single process with single command line 

<definition>
    <operations>
        <operation type="CreateProcess">
            <operator type="AND">
                <condition component="FileItem" condition="is" property="FileName" value="NameOfProcessSeen.exe" />
                <condition component="FileItem" property="Path" condition="starts" value="C:\path\to\expected\file\"/>
                <!-- change the condition from "is" to "starts/ends/contains" as needed -->
                <condition component="ProcessInfo" property="CommandLine" condition="is" value="/some command /line parameters"/>
                <condition component="Module" condition="is" property="SignatureType" value="Trusted" />
                <condition component="Module" property="SignerName" condition="is" value="Im a signature"/>
            </operator>
        </operation>
    </operations>
</definition>

 

Example 2 - excluding single process with multiple possible command lines 

<definition>
    <operations>
        <operation type="CreateProcess">
            <operator type="AND">
                <condition component="FileItem" condition="is" property="FileName" value="NameOfProcessSeen.exe" />
                <condition component="FileItem" property="Path" condition="starts" value="C:\path\to\expected\file\"/>
                <operator type="or">
                    <!-- change the condition from "is" to "starts/ends/contains" as needed -->
                    <condition component="ProcessInfo" property="CommandLine" condition="is" value="/some command /line parameters"/>
                    <condition component="ProcessInfo" property="CommandLine" condition="is" value="/other possibleCommand /line parameters /as needed"/>
                </operator>
                <condition component="Module" condition="is" property="SignatureType" value="Trusted" />
                <condition component="Module" property="SignerName" condition="is" value="Im a signature"/>
            </operator>
        </operation>
    </operations>
</definition>

 

Example 3 - Excluding multiple proccesses 

<definition>
    <operations>
        <operation type="CreateProcess">
            <operator type="or">
                <operator type="AND"> <!-- First process to describe -->
                    <condition component="FileItem" condition="is" property="FileName" value="NameOfProcessSeen.exe" />
                    <condition component="FileItem" property="Path" condition="starts" value="C:\path\to\expected\file\"/>
                    <condition component="ProcessInfo" property="CommandLine" condition="is" value="/some command /line parameters"/>
                    <condition component="Module" condition="is" property="SignatureType" value="Trusted" />
                    <condition component="Module" property="SignerName" condition="is" value="Im a signature"/>
                </operator>
                <operator type="AND"> <!-- Next process to describe -->
                    <condition component="FileItem" condition="is" property="FileName" value="SecondProcess.exe" />
                    <condition component="FileItem" property="Path" condition="starts" value="C:\DifferentPath\to\expected\SecondFile\"/>
                    <operator type="or">
                        <!-- change the condition from "is" to "starts/ends/contains" as needed -->
                        <condition component="ProcessInfo" property="CommandLine" condition="is" value="/more command line items"/>
                        <condition component="ProcessInfo" property="CommandLine" condition="is" value="/other possibleCommand /line parameters /as needed"/>
                    </operator>
                    <condition component="Module" condition="is" property="SignatureType" value="Trusted" />
                    <condition component="Module" property="SignerName" condition="is" value="Im a DIFFERENT signature"/>
                </operator>
            </operator>
        </operation>
    </operations>
</definition>

 

Link to comment
Share on other sites
jakebutterfield

jakebutterfield 0

Posted
  • Author
Posted

Hi James how would be best to format this into being recognisable as process info for detection

For example

-ap "Helpdesk-XYZ" -v "v4.0" -l "webengine4.dll" -a \\.\pipe\*.* -h "C:\inetpub\temp\*.*" -w "" -m 0 -t 20 -ta 0

I have tried "Helpdesk-XYZ" / "WebEngine4.dll" / c:\inetpub\temp\*.* 
or <condition component="ProcessInfo" property="CommandLine" condition="contains" value="Helpdesk-CustSupport"  "webengine4.dll" "\\.\pipe\*.*"  "C:\inetpub\temp\*.*" />

Neither seem to work 😐  
 

 

Link to comment
Share on other sites
  • ESET Staff
JamesR

JamesR 52

Posted
  • ESET Staff
Posted

Appologies for the delay, I didn't see a notification in my inbox (#PEBKAC)

Should be something like this: 

<definition>
    <operations>
        <operation type="CreateProcess">
            <operator type="AND">
                <condition component="FileItem" condition="is" property="FileName" value="NameOfProcessSeen.exe" />
                <condition component="FileItem" property="Path" condition="starts" value="C:\path\to\expected\file\"/>
                <!-- change the condition from "is" to "starts/ends/contains" as needed -->
                <condition component="ProcessInfo" property="CommandLine" condition="is" value="&quot;Helpdesk-XYZ&quot; -v &quot;v4.0&quot; -l &quot;webengine4.dll&quot; -a \\.\pipe\*.* -h &quot;C:\inetpub\temp\*.*&quot;"/>
            </operator>
        </operation>
    </operations>
</definition>

As you can see, all " became &quot;
There are many other characters that sometimes need to be converted to their HTML Entity equivalent.  The ones I most commonly run into are:

  • & = &amp;
  • " = &quot;
  • < = &lt;
  • > = &gt;


If needed, you can use cyberchef's "To HTML Entity" to change a lot of characters into their HTML equivalent ( https://gchq.github.io/CyberChef/#recipe=To_HTML_Entity(false,'Named entities') )

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...