tsale / EDR-Telemetry

This project aims to compare and evaluate the telemetry of various EDR products.

ESET Inspect Scheduled Task and Service Activity #68

Closed j91321 closed 2 weeks ago

j91321 commented 3 weeks ago

ESET Inspect Scheduled Task Creation and Service Creation

Description

Please provide the below information so we can validate before merging:

  1. Does the proposed EDR feature align with our definition of telemetry? (definition here)
  2. Could you please provide documentation to support the telemetry you are proposing? (If it is held privately, please reach out to me or @inodee)
  3. If no documentation is available for all the categories you are proposing, could you provide screenshots or sanitized logs?

1: Yes
2: No, the documentation has not been updated yet
3: Yes

Type of change

Please delete options that are not relevant.

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration.

service_installed

schtasks_process_raw_events

Test Configuration:

Checklist:

tsale commented 2 weeks ago

Hello @j91321 and thank you very much for this PR! Could you please try to create a new service using the PowerShell commands below? The commands will be using the .NET API to create the service/scheduled task.

I want to check if ESET is linking with the process sc.exe to carry out the installation of a new service and scheduling of task operations. I see that you are investigating process execution events. I understand that the report indicates that a new service was installed, but if they are only relying on process execution using those specific binaries, this PR will not meet the criteria. This is because they may be relying on command-line arguments and, by extension, process creation events on the system without looking into ETW calls or system calls to monitor new service/scheduled task creation events.

The PowerShell Commands to Run: (The example commands below are taken directly from the Microsoft documentation.)

  1. New-Service -Name "TestService" -BinaryPathName 'C:\WINDOWS\System32\svchost.exe -k netsvcs'
  2. # The task needs an action before New-ScheduledTask can reference $action
    $action = New-ScheduledTaskAction -Execute 'PowerShell.exe'
    $trigger = New-ScheduledTaskTrigger -AtLogon
    $principal = "Contoso\Administrator"
    $settings = New-ScheduledTaskSettingsSet
    $task = New-ScheduledTask -Action $action -Principal $principal -Trigger $trigger -Settings $settings
    Register-ScheduledTask T1 -InputObject $task

Please let us know of your findings and attach screenshots if necessary.
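The validation tsale asks for above can be made repeatable by pairing the two API-based creation commands with the OS's own record of them, so the EDR output is compared against ground truth rather than against the command line alone. The script below is an added example, not code from the PR or the EDR-Telemetry project; it assumes an elevated PowerShell session, that the Task Scheduler Operational log is enabled, and it picks `PowerShell.exe` as the task action because the thread's snippet leaves `$action` undefined.

```powershell
# Added example (not from the PR or the project). Run as Administrator.
# Creates the service and task from the thread through the SCM and Task Scheduler
# APIs (no sc.exe / schtasks.exe process), then reads the OS events that record
# them, so the EDR's service_installed / scheduled-task events can be checked
# against ground truth. Cleans up afterwards without spawning sc.exe.
$svcName  = 'TestService'                       # name used in the thread
$taskName = 'T1'                                # name used in the thread
$start    = Get-Date

# 1. Service creation via the service control API (same command line as the thread)
New-Service -Name $svcName -BinaryPathName 'C:\WINDOWS\System32\svchost.exe -k netsvcs' | Out-Null

# 2. Scheduled task creation via the Task Scheduler CIM provider (runs under wmiprvse.exe)
$action   = New-ScheduledTaskAction -Execute 'PowerShell.exe'   # assumed action; thread omits it
$trigger  = New-ScheduledTaskTrigger -AtLogon
$settings = New-ScheduledTaskSettingsSet
$task     = New-ScheduledTask -Action $action -Trigger $trigger -Settings $settings
Register-ScheduledTask -TaskName $taskName -InputObject $task | Out-Null

Start-Sleep -Seconds 2   # let the event logs flush

# Ground truth for the service: Service Control Manager writes System event 7045
# ("A service was installed in the system") for every new service, however it was created.
$svcEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $start } `
    -ErrorAction SilentlyContinue | Where-Object { $_.Message -match [regex]::Escape($svcName) }

# Ground truth for the task: the Task Scheduler Operational log writes event 106
# ("Task registered") when a task is registered through any interface.
$taskEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106; StartTime = $start } `
    -ErrorAction SilentlyContinue | Where-Object { $_.Message -match [regex]::Escape($taskName) }

# Expect 1 and 1; compare these with what the EDR console shows for the same window.
[pscustomobject]@{
    ServiceInstalled_7045 = @($svcEvents).Count
    TaskRegistered_106    = @($taskEvents).Count
} | Format-List

# Cleanup. Deleting the service through CIM avoids an sc.exe process that could
# itself show up in the EDR's process telemetry and muddy the comparison.
Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
Get-CimInstance Win32_Service -Filter "Name='$svcName'" | Invoke-CimMethod -MethodName Delete | Out-Null
```

If the Task Scheduler Operational log is disabled, event 106 will be absent even though the task exists; Security event 4698 is an alternative when object-access auditing for the task scheduler is enabled.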

j91321 commented 2 weeks ago

Hi @tsale no problem at all.

Here is the output for the Service creation: [image]

And here is the output for the Scheduled Task: [image]

I don't think the Service one really proves what you are trying to prove. In theory this could also be based on seeing the New-Service cmdlet in AMSI. With Register-ScheduledTask it's better, since that works through CIM and you can see that it's attached to the wmiprvse.exe process.

However, I can confirm that ESET Inspect does utilize ETW for both events. Disclaimer, I work for ESET on Inspect.

FYI, we also have a Service Started event, but I don't see that as a category; something you might consider adding in the future if it's worth it.

tsale commented 2 weeks ago

Awesome, thanks for that @j91321! I'll go ahead and merge this PR.

Indeed, service started/stopped would be good to have. Same with scheduled tasks. We might end up adding it and slowly start updating each vendor with it.