Forum Discussion

djolenole
Iron Contributor
Jul 01, 2024

Attack surface reduction - check trigger if possible

Hello,

I configured ASR rules and am now reviewing exceptions.

Is it possible to find out what triggers "sc.exe" or "conhost.exe" without checking Event Viewer on the specific machine? Or can we just exclude the paths that we actually see as exceptions and that's it?

That way we could define the exception more precisely instead of putting "sc.exe" or "conhost.exe" as an exception.

Here are 2 paths blocked by the same rule:

C:\Windows\System32\conhost.exe
    Block process creations originating from PSExec and WMI commands

C:\Windows\System32\sc.exe
    Block process creations originating from PSExec and WMI commands

Thank you!

2 Replies

  • rahuljindal
    Bronze Contributor
    Have you considered device events in Defender using advanced hunting queries?
    • djolenole
      Iron Contributor
      Thanks, this query provides enough information:

      // ASR hits are recorded in DeviceEvents with an ActionType starting with "Asr";
      // the rule GUID is carried inside the AdditionalFields JSON.
      DeviceEvents
      | where ActionType startswith 'Asr'
      | extend ParsedFields = parse_json(AdditionalFields)
      | project DeviceName, ActionType, FolderPath, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine,
          InitiatingProcessVersionInfoProductName,
          RuleID = tostring(ParsedFields.RuleId),
          InitiatingProcessVersionInfoFileDescription,
          InitiatingProcessParentFileName,
          InitiatingProcessVersionInfoInternalFileName
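As an added example (not part of the original thread), the Advanced hunting query below narrows the approach from the replies to the single rule in the question and groups the hits by the initiating process, its parent and the blocked child. That grouping is what you need to decide whether an exclusion can be scoped to the launching process instead of to sc.exe or conhost.exe in general. The rule GUID is the documented ID for "Block process creations originating from PSExec and WMI commands"; the 30-day window, the child-name filter and the RuleId field name (taken from the query posted above) are assumptions to adjust for your tenant.

```kql
// Added example, not from the thread: which parents launch the children
// that the PSExec/WMI rule blocks, and how often.
let PsexecWmiRule = "d1e49aac-8f56-4280-b9ba-993a6d77406c";   // documented rule GUID
let Children = dynamic(["sc.exe", "conhost.exe"]);            // assumption: the two names from the question
DeviceEvents
| where Timestamp > ago(30d)                                   // assumption: look-back window
| where ActionType startswith "Asr"
| extend ParsedFields = parse_json(AdditionalFields)
| extend RuleId = tostring(ParsedFields.RuleId)                // field name as used in the posted query
| where RuleId =~ PsexecWmiRule
| where FileName in~ (Children)
| summarize
    Hits = count(),
    Devices = dcount(DeviceId),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    SampleChildCommandLine = take_any(ProcessCommandLine),
    SampleParentCommandLine = take_any(InitiatingProcessCommandLine)
    by ActionType,                                             // keeps block-mode and audit-mode hits apart
       FolderPath, FileName,                                   // the blocked child
       InitiatingProcessFolderPath, InitiatingProcessFileName, // what launched it
       InitiatingProcessParentFileName,                        // and its parent
       InitiatingProcessVersionInfoProductName
| order by Hits desc
```

Rows with many hits across many devices and a recognisable InitiatingProcessVersionInfoProductName are the candidates for a scoped exclusion; a handful of hits from an unexpected parent (an Office process, a script host, something in a user-writable path) is exactly the behaviour the rule exists to stop and should be investigated rather than excluded.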
