Forum Discussion
AsrPsexecWmiChildProcess and Nessus
Hi guys,
We’d like to implement some of the Attack Surface Reduction rules within our Windows estate, but we’re coming up against an issue: the way the Nessus agent operates triggers the "Block process creations originating from PSExec and WMI commands" rule.
When we do an impact assessment for this, we’re seeing that the Nessus agent seems to fit the above criteria:
We can only put in exclusions on certificate or file hash (using Indicators), or the filename or path using an ASR policy.
Given the parent process is WmiPrvSE.exe and sits in the correct Windows dir this isn't feasible as it defeats the purpose of the ruleset.
Given that WMI abuse is a documented MITRE ATT&CK technique (https://attack.mitre.org/techniques/T1047/), that Microsoft recommends this rule in their ASR FAQ (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-faq?view=o365-worldwide#what-are-the-rules-microsoft-recommends-enabling-), and that Tenable is a huge security vendor – I can’t imagine we’re the only ones experiencing (or who have experienced) this issue.
Have I missed something _really_ obvious or is this one of those scenarios where the business requirement means the rule stays disabled, and we use a mitigation through Sentinel/MDE rulesets to detect and respond?
Thanks in advance!
JStoreEmbers (Copper Contributor):

@sirkillnotalot We've run into this as well. You either block and break Nessus, or audit and allow the activity to occur. We've decided to leave that particular ASR rule in audit mode and alert any time it fires unless the user is our Nessus service account.
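The audit-and-alert approach described in the reply, written as an added Advanced Hunting / Sentinel query over the MDE DeviceEvents table (this is an example added here, not code from the thread or from Tenable/Microsoft). It assumes the DeviceEvents column semantics for ASR events (initiating process = the parent that triggered the rule) and uses a placeholder service account name, "svc-nessus", that you would replace with your own.

```kql
// Added example, not from the original thread.
// Surfaces every audit (or block) hit of the ASR rule
// "Block process creations originating from PSExec and WMI commands"
// except the expected Nessus agent activity, so it can feed an alert rule.
// Assumption: "svc-nessus" is a placeholder for the real Nessus service account.
let NessusServiceAccount = "svc-nessus";
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ("AsrPsexecWmiChildProcessAudited", "AsrPsexecWmiChildProcessBlocked")
// Expected baseline: a child spawned by WmiPrvSE.exe under the Nessus service account.
// Tying the exception to the parent as well as the account keeps it narrower
// than excluding the account outright.
| extend IsExpectedNessus = InitiatingProcessFileName =~ "WmiPrvSE.exe"
    and InitiatingProcessAccountName =~ NessusServiceAccount
| where not(IsExpectedNessus)
| project Timestamp, DeviceName, ActionType, InitiatingProcessAccountName,
    InitiatingProcessFileName, FileName, FolderPath, ProcessCommandLine
| order by Timestamp desc
```

Run it first without the `where not(IsExpectedNessus)` line to confirm the Nessus hits really do carry the expected parent and account before wiring the query into a scheduled alert.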