Closed j91321 closed 2 weeks ago
Hello @j91321 and thank you very much for this PR! Could you please try to create a new service using the PowerShell commands below? The commands will be using the .NET API to create the service/scheduled task.
I want to check if ESET is linking with the process sc.exe to carry out the installation of a new service and scheduling of task operations. I see that you are investigating process execution events. I understand that the report indicates that a new service was installed, but if they are only relying on process execution using those specific binaries, this PR will not meet the criteria. This is because they may be relying on command-line arguments and, by extension, process creation events on the system without looking into ETW calls or system calls to monitor new service/scheduled task creation events.
The PowerShell commands to run (the example commands below are taken directly from the Microsoft documentation):
# Service creation through the ServiceController/.NET path, not sc.exe
New-Service -Name "TestService" -BinaryPathName 'C:\WINDOWS\System32\svchost.exe -k netsvcs'
# Scheduled task creation through the CIM-based ScheduledTasks cmdlets, not schtasks.exe
$action = New-ScheduledTaskAction -Execute 'PowerShell.exe'
$trigger = New-ScheduledTaskTrigger -AtLogon
$principal = New-ScheduledTaskPrincipal -UserId "Contoso\Administrator"
$settings = New-ScheduledTaskSettingsSet
$task = New-ScheduledTask -Action $action -Principal $principal -Trigger $trigger -Settings $settings
Register-ScheduledTask T1 -InputObject $task
Please let us know your findings and attach screenshots if necessary.
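As an added example (not code from this PR, from ESET, or from the Microsoft documentation), the following PowerShell harness runs the same kind of check in a repeatable way: it creates a service and a scheduled task through the cmdlets only (so no sc.exe or schtasks.exe process ever appears), then confirms the artifacts in the OS's own ETW-backed logs so the sensor's events can be compared against ground truth, and finally cleans up. The names are constructed for the test; it assumes an elevated session on a lab host and that the "Audit Other Object Access Events" subcategory is enabled for event 4698.

```powershell
# Added telemetry-validation harness (constructed names; run elevated on a lab host).
# No sc.exe / schtasks.exe is spawned, so a sensor that only keys on those
# command lines will miss both creations while the ETW-backed logs still record them.
$svcName  = "TelemetryProbeSvc"
$taskName = "TelemetryProbeTask"
$start    = Get-Date

# 1. Service creation via the .NET ServiceController path (System log 7045).
New-Service -Name $svcName -BinaryPathName 'C:\Windows\System32\svchost.exe -k netsvcs' `
            -StartupType Manual | Out-Null

# 2. Scheduled task creation via CIM; the registration surfaces under wmiprvse.exe.
$action    = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument '-NoProfile -Command exit'
$trigger   = New-ScheduledTaskTrigger -AtLogon
$principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME"
$settings  = New-ScheduledTaskSettingsSet
$task      = New-ScheduledTask -Action $action -Principal $principal -Trigger $trigger -Settings $settings
Register-ScheduledTask -TaskName $taskName -InputObject $task | Out-Null

# 3. Ground truth: 7045 = "A service was installed", 4698 = "A scheduled task was created"
#    (4698 needs the Audit Other Object Access Events subcategory enabled).
$svcEvt  = Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045; StartTime=$start} `
               -ErrorAction SilentlyContinue |
           Where-Object { $_.Message -match [regex]::Escape($svcName) }
$taskEvt = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698; StartTime=$start} `
               -ErrorAction SilentlyContinue |
           Where-Object { $_.Message -match [regex]::Escape($taskName) }

# 4. Cleanup, again without sc.exe so the test window stays free of that process.
Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
Get-CimInstance Win32_Service -Filter "Name='$svcName'" |
    Invoke-CimMethod -MethodName Delete | Out-Null

# Compare these two flags with what the EDR console shows for the same window.
[pscustomobject]@{
    ServiceInstalled_7045 = [bool]$svcEvt
    TaskCreated_4698      = [bool]$taskEvt
}
```

If both flags are true but the EDR shows no Service Creation or Scheduled Task Creation event for the window, the sensor is most likely keying on process/command-line telemetry rather than the ETW or API-level events.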
Hi @tsale no problem at all.
Here is the output for the Service creation:
And here is output for the Scheduled Task
I don't think the Service one really proves what you are trying to prove. In theory this could also be based on seeing the New-Service cmdlet in AMSI. With Register-ScheduledTask it's better, since that works through CIM and you can see that it's attached to the wmiprvse.exe process.
However, I can confirm that ESET Inspect does utilize ETW for both events. Disclaimer, I work for ESET on Inspect.
FYI we also have Service Started event, but I don't see that as a category, something you might consider adding in the future if it's worth it.
Awesome, thanks for that @j91321! I'll go ahead and merge this PR.
Indeed, service start/stopped would be good to have. Same with scheduled tasks. We might end up adding it and start updating each vendor with it slowly.
ESET Inspect Scheduled Task Creation and Service Creation
Description
Please provide the below information so we can validate before merging:
1: Yes
2: No, the documentation has not been updated yet
3: Yes