Ufoto (14) Posted August 17, 2023

Hello, I've been struggling with this one for quite a while now and I would really appreciate it if someone can point me in the right direction. We are getting a lot of false positives by this rule and Connectwise:

Since all other items are too generic, I want to configure an exclusion based on the process creation, since this is the ConnectWise software which is supposed to be involved in such activities. I configured the following exception hoping that it will cover this exact behavior; however, today I logged in and I still see a ton of the same alerts and the exclusion sits at 0 hit count:

    <definition>
      <operations>
        <operation type="CreateProcess">
          <operator type="and">
            <condition component="FileItem" property="FullPath" condition="starts" value="%WINDIR%\ltsvc\ltsvc.exe" />
          </operator>
        </operation>
      </operations>
    </definition>

Any idea why this exclusion is not working? Thank you in advance!
j91321 (ESET Staff) Posted August 18, 2023 [Solution]

I think you are a bit confused by the Event being ProcessCreated %WINDIR\ltsvc\ltsvc.exe%. If I understand it right, the B1004 is connected to the bcdedit.exe process. The process tree should look something like this:

    wininit.exe
    |-------> services.exe
              |-------> %WINDIR%\ltsvc\ltsvc.exe
                        |-------> %SYSTEM%\bcdedit.exe
                                  +-------> Setting a dangerous boot configuration [B1004]

What your exclusion is trying to do is exclude behavior when bcdedit.exe would spawn ltsvc.exe, but it's the other way around: ltsvc.exe spawns bcdedit.exe. You need to use parentprocess like this:

    <definition>
      <parentprocess>
        <operator type="AND">
          <condition component="Module" condition="is" property="OriginalFileName" value="LTSVC.exe"/>
          <condition component="Module" condition="is" property="SignerName" value="Connectwise, LLC"/>
          <condition component="FileItem" condition="starts" property="FullPath" value="%WINDIR%\ltsvc\"/>
        </operator>
      </parentprocess>
    </definition>
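To make the direction mistake concrete, here is a small added evaluator (illustration only, not ESET's rule engine and not code from either poster) that parses both exclusion definitions from this thread and checks them against a constructed event modelled on the process tree above. The matching semantics are assumptions taken from the reply: a CreateProcess operation is evaluated against processes the triggering process created, while parentprocess is evaluated against the process that spawned it. The `SignerName` and `FullPath` values for bcdedit.exe and the "lookalike" event are made up for the demo.

```python
"""Toy evaluator for exclusion XML in the ESET Inspect style.

Added illustration for the thread above; it is NOT ESET's engine.  It models only
the point made in the reply: <operations>/<operation type="CreateProcess"> looks at
processes *created by* the triggering process, while <parentprocess> looks at the
process that *spawned* it.  Everything else (event layout, case handling) is an
assumption made for this demo.
"""
import xml.etree.ElementTree as ET

# The two definitions posted in the thread, verbatim.
ORIGINAL_EXCLUSION = r"""
<definition>
  <operations>
    <operation type="CreateProcess">
      <operator type="and">
        <condition component="FileItem" property="FullPath" condition="starts" value="%WINDIR%\ltsvc\ltsvc.exe" />
      </operator>
    </operation>
  </operations>
</definition>
"""

FIXED_EXCLUSION = r"""
<definition>
  <parentprocess>
    <operator type="AND">
      <condition component="Module" condition="is" property="OriginalFileName" value="LTSVC.exe"/>
      <condition component="Module" condition="is" property="SignerName" value="Connectwise, LLC"/>
      <condition component="FileItem" condition="starts" property="FullPath" value="%WINDIR%\ltsvc\"/>
    </operator>
  </parentprocess>
</definition>
"""

# Constructed event, following the tree in the reply:
#   services.exe -> %WINDIR%\ltsvc\ltsvc.exe -> %SYSTEM%\bcdedit.exe (raises B1004)
# Property values other than the ones quoted in the thread are invented.
LTSVC = {"OriginalFileName": "LTSVC.exe", "SignerName": "Connectwise, LLC",
         "FullPath": r"%WINDIR%\ltsvc\ltsvc.exe"}
BCDEDIT = {"OriginalFileName": "bcdedit.exe", "SignerName": "Microsoft Windows",
           "FullPath": r"%SYSTEM%\bcdedit.exe"}
EVENT = {"process": BCDEDIT, "parent": LTSVC, "created": []}  # bcdedit.exe spawned nothing

# Constructed lookalike: same file name, but unsigned and running from another folder.
LOOKALIKE_PARENT = {"OriginalFileName": "LTSVC.exe", "SignerName": "",
                    "FullPath": r"C:\Users\Public\ltsvc\ltsvc.exe"}
LOOKALIKE_EVENT = {"process": BCDEDIT, "parent": LOOKALIKE_PARENT, "created": []}


def condition_matches(cond, proc):
    """Evaluate one <condition> against a process record (case-insensitive)."""
    actual = proc.get(cond.get("property"), "").lower()
    expected = cond.get("value", "").lower()
    op = cond.get("condition")
    if op == "is":
        return actual == expected
    if op == "starts":
        return actual.startswith(expected)
    raise ValueError(f"unsupported condition type: {op!r}")


def operator_matches(operator, proc):
    """Combine the child <condition> results with the operator's type (and/or)."""
    results = [condition_matches(c, proc) for c in operator.findall("condition")]
    kind = operator.get("type", "and").lower()
    return all(results) if kind == "and" else any(results)


def exclusion_matches(xml_text, event):
    """Return True when every block of the definition is satisfied by the event."""
    root = ET.fromstring(xml_text)
    # <parentprocess>: conditions are checked against the process that spawned the trigger.
    for block in root.findall("parentprocess"):
        if not all(operator_matches(op, event["parent"]) for op in block.findall("operator")):
            return False
    # <operations>/<operation type="CreateProcess">: conditions are checked against
    # processes the triggering process itself created (assumed semantics).
    for oper in root.findall("operations/operation"):
        if oper.get("type") != "CreateProcess":
            continue
        if not any(all(operator_matches(op, child) for op in oper.findall("operator"))
                   for child in event["created"]):
            return False
    return True


if __name__ == "__main__":
    print("original exclusion hits:", exclusion_matches(ORIGINAL_EXCLUSION, EVENT))   # False
    print("fixed exclusion hits:   ", exclusion_matches(FIXED_EXCLUSION, EVENT))      # True
    print("fixed vs lookalike:     ", exclusion_matches(FIXED_EXCLUSION, LOOKALIKE_EVENT))  # False
```

Under this model the original definition never matches because bcdedit.exe, the process that raised B1004, created no child at all, so there is nothing for the CreateProcess conditions to compare against; that is the 0 hit count. The parentprocess version matches, and the third check shows why the signer and path conditions are worth keeping alongside the file name: a copy of ltsvc.exe that is unsigned or runs from a different folder falls outside the exclusion.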
Ufoto (14) Posted August 22, 2023 (Author)

Hello,

Oh I see, so this is actually the parent process. Yes, indeed in this case the exclusion can even be created using the exclusion builder UI. It still blows my mind how the 'Event' section is not an option in the exclusion builder UI. Sometimes it is the only way to create a viable exclusion, such as IPs or URLs listed there which are not found anywhere else in the event, thus making us work with the advanced exclusion builder syntax, which is not very well documented.

Best Regards,