Sunshine-boy

Hi Umbra, thanks for the answer.
Do you mean that it can alert for WMI commands? WMI has complicated commands like:
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
or
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
or
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
I asked ESET to add this feature and they did, but I can't whitelist or blacklist the command! I can only allow or block the operation.

AtlBo

@Umbra...yes in SUA, but it isn't a problem on another PC I have running Windows 7 in SUA.

Hey @Sunshine-boy. You mean command lines? It seems to monitor everything from all of the script engines. Is WMI the GUI components like Device Manager and all that? Seems Windows picks up on the command lines for the Windows GUI things like Control Panel applets etc...

AtlBo

@Sunshine-boy...try it for the logging. That's a huge thing with ERP, since it monitors literally everything that runs. Watch out, though, because the logs will pile up in the C:\ProgramData folder. I had over a gig before I realized they don't turn over. I use a script to keep the folder to 60 days.

The logging will really help you trace down activity. It's helped me many times...
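
The retention script the post above mentions is not shared in the thread. The following is an added example, not AtlBo's script and not part of ERP, of how a practitioner would keep a non-rotating log folder to the last 60 days. The folder path in the usage lines is a placeholder assumption; the page never names ERP's actual log location beyond "C:\ProgramData", so look it up before running this.

```powershell
<#
  Added example, not from the thread and not ERP's own code: keep a log folder
  that never rotates down to the last N days. Assumed (not stated on the page):
  the placeholder folder path used below, and that the logs are plain files whose
  LastWriteTime is when they were last appended to.
#>
function Remove-OldLogs {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $LogDir,
        [int]    $RetentionDays = 60,
        [string] $Filter = '*.log',
        [string] $ArchiveDir          # optional: move old logs here instead of deleting
    )

    if (-not (Test-Path -LiteralPath $LogDir -PathType Container)) {
        throw "Log folder not found: $LogDir"
    }

    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    $old = @(Get-ChildItem -LiteralPath $LogDir -File -Recurse -Filter $Filter |
             Where-Object { $_.LastWriteTime -lt $cutoff })

    $handled = 0; $bytes = 0
    foreach ($f in $old) {
        # ShouldProcess honours -WhatIf / -Confirm, so a dry run only lists files.
        $action = if ($ArchiveDir) { "Move to $ArchiveDir" } else { 'Delete' }
        if ($PSCmdlet.ShouldProcess($f.FullName, "$action (last write $($f.LastWriteTime))")) {
            if ($ArchiveDir) {
                # Keeping old logs somewhere searchable matters if you ever have to
                # trace activity back further than the retention window.
                New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null
                Move-Item -LiteralPath $f.FullName -Destination $ArchiveDir -Force
            } else {
                Remove-Item -LiteralPath $f.FullName -Force
            }
            $handled++; $bytes += $f.Length
        }
    }

    [pscustomobject]@{
        Folder       = $LogDir
        Cutoff       = $cutoff
        FilesMatched = $old.Count
        FilesHandled = $handled
        MBHandled    = [math]::Round($bytes / 1MB, 2)
    }
}

# Placeholder path (assumption): replace with ERP's real log folder under C:\ProgramData.
# Dry run first, then the real run; -ArchiveDir keeps the files instead of deleting them.
Remove-OldLogs -LogDir 'C:\ProgramData\ERP\Logs' -RetentionDays 60 -WhatIf
# Remove-OldLogs -LogDir 'C:\ProgramData\ERP\Logs' -RetentionDays 60 -ArchiveDir 'D:\ERP-archive'
```

Run it from a scheduled task so the folder is trimmed without remembering to do it; the -WhatIf line shows what would be removed without touching anything, and the returned object gives the count and size so you can see how fast the logs grow.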
 

Deleted member 178

> @Umbra...yes in SUA, but it isn't a problem on another PC I have running Windows 7 in SUA.

ERP v3 is not fully compatible with SUA on Win10; I reported this issue years ago, and it is one of the main fixes in ERP v4.

AtlBo

> Seems good.
> Can you please try https://www.nirsoft.net/utils/simple_wmi_view.html and see if ERP can alert for these commands? If yes then I will use it, because this WMI is a RAT inside Windows :D Microsoft built a RAT xd. No security tools care about WMI. Dangerous! Also, you can't disable it because it breaks Windows.

It alerts the executable behind this activity. You will need to set ERP up a certain way for it to monitor Windows, but it will do this with proper settings.

Here are some examples:
  1. "C:\Windows\system32\rundll32.exe" /d C:\Windows\system32\shell32.dll,Control_RunDLL SYSDM.CPL
  2. C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader"
  3. rundll32 C:\Windows\system32\inetcpl.cpl,*
  4. "C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL PowerCfg.cpl *
  5. "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL C:\Windows\system32\wuaucpl.cpl
  6. "C:\Windows\system32\regsvr32.exe" /s /n /i:U C:\Windows\system32\shell32.dll
  7. "C:\Windows\system32\rundll32.exe" C:\Windows\system32\mscories.dll,*
  8. "C:\Windows\system32\mmc.exe" "C:\Windows\system32\services.msc"
These are some that I have whitelisted because I knew what was using the command line. I think most of what you are talking about will show up as a command line.

If you want help to set up ERP 3.1 let me know. It's not simple, and it takes some time. I think I can create some settings you could use for starters though and then save them and send them to you if you wish.
 

Deleted member 178

> Hi Umbra, thanks for the answer.
> Do you mean that it can alert for WMI commands? WMI has complicated commands like:
> C:\Windows\system32\ApplicationFrameHost.exe -Embedding
> or
> C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
> or
> "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
> I asked ESET to add this feature and they did, but I can't whitelist or blacklist the command! I can only allow or block the operation.

If my memory is good, in v3 any exe put on the vulnerable list will always generate a prompt.

AMD1

Hi,

Can anyone advise the changes I need to make to the wildcard setting below (lowest) so that it does not repeatedly pop up? It does not appear to work as I have done it.

Notification:
C:\WINDOWS\system32\cmd.exe /d /c "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 18.0.0\plugins-setup.exe" chrome-extension://mchjnmdbdlkdbfliogedbnpnanfjnolk/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.df76d62a4f7aa2e3 > \\.\pipe\chrome.nativeMessaging.out.df76d62a4f7aa2e3

Wildcard configuration:
C:\WINDOWS\system32\cmd.exe /d /c "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 18.0.0\plugins-setup.exe" chrome-extension://mchjnmdbdlkdbfliogedbnpnanfjnolk/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.* > \\.\pipe\chrome.nativeMessaging.out.*

I have simply replaced the random characters, but it does not appear to be right?

I have the V3 Beta version running with all processes whitelisted in the folders C:\Windows, Program Files and Program Files (x86). I do not have "allow all processes from programs folder" selected in settings.

Thanks
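
Both the exact command-line entries AtlBo listed earlier and the wildcard rule in the question above are full-command-line whitelist entries. The following is an added example, not code from the thread and not ERP's code, of a matcher that treats '*' as "any run of characters" and everything else as literal, run over constructed sample command lines. It goes a step beyond the question by also showing what happens to a whitelisted rundll32 line that legitimately ends in '*'. That ERP's wildcard entries use these semantics is an assumption; the thread does not document how ERP compares command lines.

```powershell
<#
  Added example, not from the thread and not ERP's code: a whitelist matcher for
  full command lines in which '*' matches any run of characters and every other
  character is literal. That ERP's wildcard entries behave this way is an
  assumption; use this to check the shape of a rule, not as a statement about ERP.
#>
function ConvertTo-RuleRegex {
    param([Parameter(Mandatory)][string]$Rule)
    # Escape each literal segment so backslashes, dots, braces and parentheses in
    # Windows paths are not read as regex metacharacters; only '*' stays special.
    $parts = $Rule.Split('*') | ForEach-Object { [regex]::Escape($_) }
    return '^' + ($parts -join '.*') + '$'
}

function Test-CommandLineAllowed {
    param(
        [Parameter(Mandatory)][string]   $CommandLine,
        [Parameter(Mandatory)][string[]] $Whitelist
    )
    foreach ($rule in $Whitelist) {
        # -match is case-insensitive, so C:\WINDOWS and C:\Windows compare equal.
        if ($CommandLine -match (ConvertTo-RuleRegex $rule)) { return $rule }
    }
    return $null
}

# Whitelist: three of the exact entries posted earlier in the thread plus the
# wildcard rule from the question above. The inetcpl.cpl entry ends in a literal
# '*' that rundll32 receives as an argument; under these semantics it is a wildcard.
$whitelist = @(
    '"C:\Windows\system32\rundll32.exe" /d C:\Windows\system32\shell32.dll,Control_RunDLL SYSDM.CPL'
    'C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader"'
    'rundll32 C:\Windows\system32\inetcpl.cpl,*'
    'C:\WINDOWS\system32\cmd.exe /d /c "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 18.0.0\plugins-setup.exe" chrome-extension://mchjnmdbdlkdbfliogedbnpnanfjnolk/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.* > \\.\pipe\chrome.nativeMessaging.out.*'
)

# Constructed sample command lines (not taken from an ERP log): the posted
# notification, the same launch with a different pipe id, a whitelisted schtasks
# call, a schtasks call that is not whitelisted, and a rundll32 call that the
# inetcpl.cpl entry lets through because of its trailing '*'.
$samples = @(
    'C:\WINDOWS\system32\cmd.exe /d /c "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 18.0.0\plugins-setup.exe" chrome-extension://mchjnmdbdlkdbfliogedbnpnanfjnolk/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.df76d62a4f7aa2e3 > \\.\pipe\chrome.nativeMessaging.out.df76d62a4f7aa2e3'
    'C:\WINDOWS\system32\cmd.exe /d /c "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 18.0.0\plugins-setup.exe" chrome-extension://mchjnmdbdlkdbfliogedbnpnanfjnolk/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.0123456789abcdef > \\.\pipe\chrome.nativeMessaging.out.0123456789abcdef'
    'C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader"'
    'C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan"'
    'rundll32 C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess 255'
)

foreach ($cl in $samples) {
    $hit = Test-CommandLineAllowed -CommandLine $cl -Whitelist $whitelist
    if ($hit) { "ALLOW  $cl`n       by rule: $hit" } else { "ALERT  $cl" }
}
```

As a plain glob, the rule from the question matches both the original notification and the same launch with a fresh pipe id, so if ERP still prompts, the difference is in how ERP itself compares the two strings (case, quoting, or the redirection characters), which this thread does not settle. The inetcpl.cpl entry shows the other edge: a rundll32 command line that genuinely ends in '*' becomes a wildcard rule under these semantics, so an entry copied straight from a notification can allow more than the one command it was meant to.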