jakebutterfield, posted August 10, 2023:

I am struggling to create an exclusion for our web server applications. We are getting a whole bunch of false positives for IIS Backdoor. I was hoping I could just *.* the pipe and inetpub, but it is still not getting hit. I am just hoping I can wipe out the false positives for any alerts we are getting on Inspect, so we only see things that need investigating.
JamesR (ESET Staff), posted August 10, 2023:

I believe you are building an exclusion for rule "Generic IIS backdoor activity - child process [F0403]" (the ID at the end of the rule name is the most important identifier of the rule). Your exclusion will need to be an Advanced Exclusion and will need to be built to describe the child process of w3wp.exe.

Here is how to start building the Advanced Exclusion. Begin creating your exclusion as usual. When you get to the criteria you showed in your screenshot, use the "Advanced Editor" button on the top right of the screen. Build XML similar to the following examples and your exclusion should work.

Example 1 - excluding a single process with a single command line

  <definition>
    <operations>
      <operation type="CreateProcess">
        <operator type="AND">
          <condition component="FileItem" condition="is" property="FileName" value="NameOfProcessSeen.exe" />
          <condition component="FileItem" property="Path" condition="starts" value="C:\path\to\expected\file\"/>
          <!-- change the condition from "is" to "starts/ends/contains" as needed -->
          <condition component="ProcessInfo" property="CommandLine" condition="is" value="/some command /line parameters"/>
          <condition component="Module" condition="is" property="SignatureType" value="Trusted" />
          <condition component="Module" property="SignerName" condition="is" value="Im a signature"/>
        </operator>
      </operation>
    </operations>
  </definition>

Example 2 - excluding a single process with multiple possible command lines

  <definition>
    <operations>
      <operation type="CreateProcess">
        <operator type="AND">
          <condition component="FileItem" condition="is" property="FileName" value="NameOfProcessSeen.exe" />
          <condition component="FileItem" property="Path" condition="starts" value="C:\path\to\expected\file\"/>
          <operator type="or">
            <!-- change the condition from "is" to "starts/ends/contains" as needed -->
            <condition component="ProcessInfo" property="CommandLine" condition="is" value="/some command /line parameters"/>
            <condition component="ProcessInfo" property="CommandLine" condition="is" value="/other possibleCommand /line parameters /as needed"/>
          </operator>
          <condition component="Module" condition="is" property="SignatureType" value="Trusted" />
          <condition component="Module" property="SignerName" condition="is" value="Im a signature"/>
        </operator>
      </operation>
    </operations>
  </definition>

Example 3 - excluding multiple processes

  <definition>
    <operations>
      <operation type="CreateProcess">
        <operator type="or">
          <operator type="AND">
            <!-- First process to describe -->
            <condition component="FileItem" condition="is" property="FileName" value="NameOfProcessSeen.exe" />
            <condition component="FileItem" property="Path" condition="starts" value="C:\path\to\expected\file\"/>
            <condition component="ProcessInfo" property="CommandLine" condition="is" value="/some command /line parameters"/>
            <condition component="Module" condition="is" property="SignatureType" value="Trusted" />
            <condition component="Module" property="SignerName" condition="is" value="Im a signature"/>
          </operator>
          <operator type="AND">
            <!-- Next process to describe -->
            <condition component="FileItem" condition="is" property="FileName" value="SecondProcess.exe" />
            <condition component="FileItem" property="Path" condition="starts" value="C:\DifferentPath\to\expected\SecondFile\"/>
            <operator type="or">
              <!-- change the condition from "is" to "starts/ends/contains" as needed -->
              <condition component="ProcessInfo" property="CommandLine" condition="is" value="/more command line items"/>
              <condition component="ProcessInfo" property="CommandLine" condition="is" value="/other possibleCommand /line parameters /as needed"/>
            </operator>
            <condition component="Module" condition="is" property="SignatureType" value="Trusted" />
            <condition component="Module" property="SignerName" condition="is" value="Im a DIFFERENT signature"/>
          </operator>
        </operator>
      </operation>
    </operations>
  </definition>
jakebutterfield, posted August 11, 2023:

Hi @JamesR, that's really useful! I will give that a go, reply to this thread and let you know how I get on.
jakebutterfield, posted August 11, 2023:

Hi James, how would it be best to format this so it is recognisable as process info for the detection? For example:

  -ap "Helpdesk-XYZ" -v "v4.0" -l "webengine4.dll" -a \\.\pipe\*.* -h "C:\inetpub\temp\*.*" -w "" -m 0 -t 20 -ta 0

I have tried "Helpdesk-XYZ" / "WebEngine4.dll" / c:\inetpub\temp\*.* or

  <condition component="ProcessInfo" property="CommandLine" condition="contains" value="Helpdesk-CustSupport" "webengine4.dll" "\\.\pipe\*.*" "C:\inetpub\temp\*.*" />

Neither seem to work 😐
JamesR (ESET Staff), posted August 17, 2023:

Apologies for the delay, I didn't see a notification in my inbox (#PEBKAC). It should be something like this:

  <definition>
    <operations>
      <operation type="CreateProcess">
        <operator type="AND">
          <condition component="FileItem" condition="is" property="FileName" value="NameOfProcessSeen.exe" />
          <condition component="FileItem" property="Path" condition="starts" value="C:\path\to\expected\file\"/>
          <!-- change the condition from "is" to "starts/ends/contains" as needed -->
          <condition component="ProcessInfo" property="CommandLine" condition="is" value="&quot;Helpdesk-XYZ&quot; -v &quot;v4.0&quot; -l &quot;webengine4.dll&quot; -a \\.\pipe\*.* -h &quot;C:\inetpub\temp\*.*&quot;"/>
        </operator>
      </operation>
    </operations>
  </definition>

As you can see, all " became &quot;. There are many other characters that sometimes need to be converted to their HTML entity equivalent. The ones I most commonly run into are:

  & = &amp;
  " = &quot;
  < = &lt;
  > = &gt;

If needed, you can use CyberChef's "To HTML Entity" operation to change a lot of characters into their HTML equivalent ( https://gchq.github.io/CyberChef/#recipe=To_HTML_Entity(false,'Named entities') )
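An added example, not from the thread or from ESET: a small Python script that builds the same <definition> structure shown in the examples above (one process, OR-ed command lines, OR-ed processes), entity-escapes every attribute value with xml.sax.saxutils.escape, and then uses xml.etree.ElementTree to confirm that the result is well-formed and that the command line reads back exactly as typed. Element and attribute names follow the thread's examples only; the script does not validate against ESET Inspect's own schema. The command line is the one posted above; the second process, the paths and the signer name are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Command line as posted in the thread; everything else below is a constructed sample.
SAMPLE_COMMAND_LINE = (r'-ap "Helpdesk-XYZ" -v "v4.0" -l "webengine4.dll" '
                       r'-a \\.\pipe\*.* -h "C:\inetpub\temp\*.*" -w "" -m 0 -t 20 -ta 0')

SAMPLE_PROCESSES = [
    {   # one process, one command line (the shape of Example 1 above)
        "file_name": "NameOfProcessSeen.exe",
        "path_prefix": "C:\\path\\to\\expected\\file\\",
        "command_lines": [SAMPLE_COMMAND_LINE],
        "signer": None,
    },
    {   # second process with two possible command lines (Example 2/3 shape);
        # the signer name is constructed and contains '&' to show that it is escaped too
        "file_name": "SecondProcess.exe",
        "path_prefix": "C:\\DifferentPath\\to\\expected\\SecondFile\\",
        "command_lines": ["/some command /line parameters",
                          "/other possibleCommand /line parameters /as needed"],
        "signer": "Contoso & Sons Ltd",
    },
]


def xml_attr(value: str) -> str:
    """Replace &, <, > and " with entities so the value can sit in a double-quoted attribute."""
    return escape(value, {'"': "&quot;"})


def condition(component: str, prop: str, cond: str, value: str) -> str:
    """One <condition/> element with its value attribute escaped."""
    return (f'<condition component="{component}" property="{prop}" '
            f'condition="{cond}" value="{xml_attr(value)}"/>')


def unescaped_condition(value: str) -> str:
    """The shape of the first attempt in the thread: raw quotes inside the attribute."""
    return (f'<condition component="ProcessInfo" property="CommandLine" '
            f'condition="is" value="{value}"/>')


def process_block(file_name, path_prefix, command_lines, signer=None):
    """AND group describing one process; several command lines become an OR group."""
    lines = [condition("FileItem", "FileName", "is", file_name),
             condition("FileItem", "Path", "starts", path_prefix)]
    cmd = [condition("ProcessInfo", "CommandLine", "is", c) for c in command_lines]
    if len(cmd) == 1:
        lines += cmd
    elif cmd:
        lines += ['<operator type="or">', *cmd, "</operator>"]
    if signer is not None:
        lines += [condition("Module", "SignatureType", "is", "Trusted"),
                  condition("Module", "SignerName", "is", signer)]
    return ['<operator type="AND">', *lines, "</operator>"]


def build_definition(processes) -> str:
    """Whole <definition>; several processes are OR-ed together as in Example 3."""
    blocks = [process_block(**p) for p in processes]
    if len(blocks) == 1:
        body = blocks[0]
    else:
        body = ['<operator type="or">', *[line for b in blocks for line in b], "</operator>"]
    return "\n".join(["<definition>", "<operations>", '<operation type="CreateProcess">',
                      *body, "</operation>", "</operations>", "</definition>"])


def is_well_formed(xml_text: str) -> bool:
    """True when an XML parser accepts the text, False on a ParseError."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def parsed_values(xml_text: str, prop: str):
    """Attribute values for a given property, as a parser (and so the engine) reads them."""
    root = ET.fromstring(xml_text)
    return [c.get("value") for c in root.iter("condition") if c.get("property") == prop]


if __name__ == "__main__":
    print(build_definition(SAMPLE_PROCESSES))
    print("escaped definition parses:", is_well_formed(build_definition(SAMPLE_PROCESSES)))
    print("raw quotes parse:", is_well_formed(unescaped_condition(SAMPLE_COMMAND_LINE)))
```

Running it prints the generated definition, then True for the escaped version and False for the raw-quote version, which is exactly the difference between the attempt that did not work and the corrected exclusion above: the parser stops at the first unescaped " inside the value attribute. Pasting the printed XML into the Advanced Editor still leaves the rule-specific fields (file name, path prefix, signer) to be filled in from the actual detection.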
jakebutterfield, posted August 21, 2023:

Hi James, thanks a bunch for that. I will give it a go.