Forum Discussion

djolenole's avatar
djolenole
Brass Contributor
Jul 01, 2024

Attack surface reduction - check trigger if possible

Hello,

I configured ASR rules and now reviewing exceptions.

Is it possible to find out what triggers "sc.exe" or "conhost.exe" without checking event viewer on the specific machine? Or we can just exclude paths that we actually see as exceptions and that's it?

That way we could define the exception more precisely instead of putting "sc.exe" or "conhost.exe" as exception.

Here are 2 paths blocked by the same rule:

C:\Windows\System32\conhost.exe

Block process creations originating from PSExec and WMI commands

C:\Windows\System32\sc.exe

Block process creations originating from PSExec and WMI commands

Thank you!

    • djolenole's avatar
      djolenole
      Brass Contributor
      Thanks, this query provides enough information:

      DeviceEvents
      | where ActionType startswith 'Asr'
      | extend ParsedFields=parse_json(AdditionalFields)
      | project DeviceName,ActionType,FolderPath,ProcessCommandLine,InitiatingProcessFileName,InitiatingProcessFolderPath,InitiatingProcessCommandLine,
      InitiatingProcessVersionInfoProductName,RuleID=tostring(ParsedFields.RuleId),InitiatingProcessVersionInfoFileDescription,
      InitiatingProcessParentFileName,InitiatingProcessVersionInfoInternalFileName

Resources