Ufoto
Posted August 17

Hello,

I've been struggling with this one for quite a while now and I would really appreciate it if someone could point me in the right direction. We are getting a lot of false positives from this rule and ConnectWise:

Since all other items are too generic, I want to configure an exclusion based on the process creation, since this is the ConnectWise software which is supposed to be involved in such activities. I configured the following exception, hoping that it will cover this exact behavior; however, today I logged in and I still see a ton of the same alerts, and the exclusion sits at 0 hit count:

    <definition>
      <operations>
        <operation type="CreateProcess">
          <operator type="and">
            <condition component="FileItem" property="FullPath" condition="starts" value="%WINDIR%\ltsvc\ltsvc.exe" />
          </operator>
        </operation>
      </operations>
    </definition>

Any idea why this exclusion is not working? Thank you in advance!
j91321
Posted August 18 (marked as solution)

I think you are a bit confused by the Event being ProcessCreated %WINDIR\ltsvc\ltsvc.exe%. If I understand it right, the B1004 is connected to the bcdedit.exe process. The process tree should look something like this:

    wininit.exe
    |-------> services.exe
      |-------> %WINDIR%\ltsvc\ltsvc.exe
        |-------> %SYSTEM%\bcdedit.exe
          +-------> Setting a dangerous boot configuration [B1004]

What your exclusion is trying to do is exclude the behavior when bcdedit.exe would spawn ltsvc.exe, but it's the other way around: ltsvc.exe spawns bcdedit.exe. You need to use parentprocess like this:

    <definition>
      <parentprocess>
        <operator type="AND">
          <condition component="Module" condition="is" property="OriginalFileName" value="LTSVC.exe"/>
          <condition component="Module" condition="is" property="SignerName" value="Connectwise, LLC"/>
          <condition component="FileItem" condition="starts" property="FullPath" value="%WINDIR%\ltsvc\"/>
        </operator>
      </parentprocess>
    </definition>
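As an added illustration of why the first definition scores zero hits while the second matches (this is not code from the thread or from the product vendor): a small Python simulator that evaluates both exclusion definitions against a constructed CreateProcess event built from the process tree in the answer. It assumes the semantics the answer describes, namely that conditions under <operations> are tested on the created process, conditions under <parentprocess> on its parent, and that sections within one definition are ANDed; the variable table and the event fields are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed variable table (lowercased); the product expands these itself.
ENV = {"%windir%": r"c:\windows", "%system%": r"c:\windows\system32"}
# The question's exclusion: <operations> conditions are checked on the created process.
CHILD_EXCLUSION = r"""<definition><operations><operation type="CreateProcess">
<operator type="and"><condition component="FileItem" property="FullPath"
condition="starts" value="%WINDIR%\ltsvc\ltsvc.exe"/></operator>
</operation></operations></definition>"""
# The answer's exclusion: <parentprocess> conditions are checked on the parent.
PARENT_EXCLUSION = r"""<definition><parentprocess><operator type="AND">
<condition component="Module" condition="is" property="OriginalFileName" value="LTSVC.exe"/>
<condition component="Module" condition="is" property="SignerName" value="Connectwise, LLC"/>
<condition component="FileItem" condition="starts" property="FullPath" value="%WINDIR%\ltsvc\"/>
</operator></parentprocess></definition>"""
# Constructed event following the process tree in the answer: ltsvc.exe spawns bcdedit.exe.
EVENT = {
    "type": "CreateProcess",
    "parent": {("Module", "OriginalFileName"): "LTSVC.exe",
               ("Module", "SignerName"): "Connectwise, LLC",
               ("FileItem", "FullPath"): r"C:\Windows\ltsvc\ltsvc.exe"},
    "child": {("Module", "OriginalFileName"): "bcdedit.exe",
              ("FileItem", "FullPath"): r"C:\Windows\System32\bcdedit.exe"},
}

def check(cond, proc):
    """Evaluate one <condition> against a process record; comparisons are case-insensitive."""
    actual = proc.get((cond.get("component"), cond.get("property")), "").lower()
    expected = cond.get("value").lower()
    for var, path in ENV.items():
        expected = expected.replace(var, path)
    ops = {"is": actual == expected, "starts": actual.startswith(expected)}
    return ops[cond.get("condition")]  # KeyError for condition types not modelled here

def check_operator(operator, proc):
    results = [check(c, proc) for c in operator.findall("condition")]
    return all(results) if operator.get("type").lower() == "and" else any(results)

def matches(definition_xml, event):
    """True when every section present in the definition matches (sections are ANDed)."""
    root = ET.fromstring(definition_xml)
    results = []
    parent = root.find("parentprocess/operator")
    if parent is not None:
        results.append(check_operator(parent, event["parent"]))
    for op in root.findall("operations/operation"):
        if op.get("type") == event["type"]:
            results.append(check_operator(op.find("operator"), event["child"]))
    return bool(results) and all(results)
```

Swapping the parent and child records in the event makes the question's exclusion match and the answer's fail, which is exactly the reversed process tree the original definition was describing.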
Ufoto (author)
Posted August 22

Hello,

Oh I see, so this is actually the parent process. Yes, indeed in this case the exclusion can even be created using the exclusion builder UI. It still blows my mind how the 'Event' section is not an option in the exclusion builder UI. Sometimes it is the only way to create a viable exclusion, such as IPs or URLs listed there which are not found anywhere else in the event, thus making us work with the advanced exclusion builder syntax, which is not very well documented.

Best Regards,