
Detections

ESET Inspect On-Prem includes a rule-based detection engine for Indicators of Attack.

Rules identify suspicious or malicious behavior and trigger detections with a defined severity. The Detections section displays each triggered detection, identifying its location (Computer) and the executable and specific process that triggered it. Each detection carries the severity defined in the rule and can be assigned a priority (later available as a filter). Detections are also shown 1:1 in the ESET PROTECT On-Prem Detections section under the ESET Inspect log type. When a detection is resolved in either ESET Inspect On-Prem or ESET PROTECT On-Prem, it is resolved in both systems.

The Detections view allows advanced grouping and filtering by any column. You can save filter sets by user preference. You can explore each detection's details and find further information, including the next steps. Select the executable's Details, Processes and Rules from the Detections view to continue your investigation. The detection detail layout is similar to ESET PROTECT On-Prem.


Important

When a high number of detections occur, the rule is temporarily muted on the triggering computer for 24 hours; this is reported as a notification in the Notifications tab.

Preview panel

Click a detection to display the preview panel. Here, you will find important information about the selected detection. Some items are interactive.

Filtering, Tags and Table options

Use the filters at the top of the screen to refine the displayed items. Tags are useful when searching for a specific computer, detection, incident, executable or script. Click the gear icon to open the table options and manage the main table.

Detection types

Click the detection type to display comprehensive details.

Firewall

Shows detections triggered by ESET Endpoint Security, for example, when a Firewall rule was triggered.

HIPS

Shows detections triggered by ESET Endpoint Security when HIPS protection detects an intrusion.

Filtered Websites

Shows detections triggered by ESET Endpoint Security if the website is on a blacklist (PUA, Internal or anti-phishing).

Antivirus

Shows detections triggered by ESET Endpoint Security after a scan or real-time detection.

Rule

Filters triggered detections based on rules.

Blocked Executables

Shows detections triggered by matching the Blocked hashes listed in the More section.

Detection Groups

Ungrouped

Displays each detection separately when you first open the Detections tab. This is the default view.

Types

Groups detections by type, whether the trigger was a rule or a blocked file based on a hash.

Computers

Groups by computers where detections occurred.

Rules

Groups by rules that raised detections.

Processes

Groups by processes that raised detections.

Executables

Groups by executables that raised detections.

Priority (filter icons)

Shows items with a specific priority. There are four types: No priority and Priority I–III. All icons are deactivated by default, and items with all priorities are displayed. Click the priority icon to activate the filter and show items with the selected priority.

Severity

Shows the detection's severity: Threat, Warning or Information.

Suspicious Network Detection

A silent firewall detection is an event from an endpoint that does not trigger an alert. ESET Inspect On-Prem shows these events as Suspicious Network Detection.

In the list below you can find silent firewall detections that will not trigger in ESET PROTECT On-Prem, and therefore cannot be excluded:

Detection name | MITRE ATT&CK® | Note
Win32/RiskWare.Meterpreter.N | | TLS1.2 (Win10) Cobalt Strike beacons
WinPE/Agent.DNSoHTTP | | Designed for, but not limited to, Brute Ratel beacons. Includes access to doh.opendns.com and cloudflare-dns.com only
SMB/Hacktool.DCenum | | DC enumeration via DCERPC (Brute Ratel)
SMB/Hacktool.SCquery | | Remote SC manager QueryServiceConfigW (Brute Ratel)
LDAP/Hacktool.GetGPO | | Group policy evaluation (Brute Ratel)
SMB/Hacktool.ServicePathModify | | Service path alteration via remote SC manager (Brute Ratel)
LDAP/Hacktool.GetDCGroups | | Enumerate DC groups (Brute Ratel)
HTTP/ArchiveUpload | | RAR & ZIP upload to a public IP
TCP/ArchiveUpload | | RAR upload to a public IP
TLS/Pastebin | | TLS access to pastebin.com by processes other than browsers (by process name), except virtual machines
TLS/4shared | | TLS access to upload.4shared.com or api.4shared.com by processes other than browsers (by process name), except virtual machines
SMB/RiskWare.Impacket.Encrypted | S0357 | Incoming SMB traffic with Python Impacket flavour
SMB/Impacket.Server | T1557.001, S0357 | SMB traffic to a server with Python Impacket flavour
Win32/RiskWare.Meterpreter.AX | | Sliver C2 via the WireGuard protocol
DCERPC/DCShadow | T1207 | Active Directory rogue Domain Controller (Mimikatz)
DCERPC/DCSync | T1003.006 | Active Directory OS credential dumping (Mimikatz)
SMB/Hacktool.lsadump | S0002, T1003.004 | Remote lsadump::backupkeys (Mimikatz)
SMB/NTLMAUTHtoSuspIP | S0174, T1040 | Possible SMB NTLM hash leak: authentication to a server whose fingerprint matches that of Responder (https://github.com/SpiderLabs/Responder)
SMB/LMHashDowngrade | S0174, T1557.001 | Server forcing an old SMB1 dialect; a known switch of Responder (https://github.com/SpiderLabs/Responder)
SMB/LMHashDowngrade.A | S0174 | Server instructed to connect to a third party with SMB2 using old NTLMv1 (https://github.com/3lp4tr0n/RemoteMonologue + Responder)
SMB/Hacktool.Netexec.Encrypted | S0488 | Any suspected SMB command from the NetExec tool (formerly CrackMapExec); uses Impacket
LDAP/Hacktool.Netexec.Generik | S0488 | Any suspected LDAP command from the NetExec tool (formerly CrackMapExec); not LDAPS
NFS/Hacktool.Netexec.Generik | S0488 | Any suspected NFS command from the NetExec tool (formerly CrackMapExec)
WINRM/Hacktool.Netexec.Generik | S0488 | Any suspected WINRM command from the NetExec tool (formerly CrackMapExec)
VNC/Hacktool.Netexec.Generik | S0488 | Any suspected VNC connection from the NetExec tool (formerly CrackMapExec)
MSSQL/Hacktool.Netexec.Generik | S0488 | Any suspected MSSQL command from the NetExec tool (formerly CrackMapExec)
SSH/Hacktool.Netexec.Generik | S0488 | Any suspected SSH connection from the NetExec tool (formerly CrackMapExec)
SMB/Agent.PSEXESVCtoAdminShare | | Write to an open admin share with the filename PSEXESVC.exe
SMB/Agent.SuspEXEtoAdminShare | | Write to an open admin share with a suspect .exe filename (from telemetry: DOC001.exe, IMG001.exe, VID001.exe)
RDP/RestrictedAdmin.Handshake | | Client sent an RDP handshake with the Restricted Admin flag
RDP/Riskware.OpenSSL.Client | | A remote client other than mstsc.exe is initiating an RDP connection, for example FreeRDP
SMB/lsadump.SAM | T1003.002 | Raw registry hive of HKLM\SAM (dumped by a tool such as reg.exe) read or written via SMB (Mimikatz)
SMB/lsadump.SECURITY | | Raw registry hive of HKLM\SECURITY (dumped by a tool such as reg.exe) read or written via SMB (Mimikatz)
SMB/lsadump.SYSTEM | T1003 | Raw registry hive of HKLM\SYSTEM (dumped by a tool such as reg.exe) read or written via SMB (Mimikatz)
DCERPC/StartService | T1021.003 | Generic remote start of a system service (the service name itself is encrypted on modern systems)
IPV6/SLAAC | | IPv6 Router Advertisement, detailed in the following article
SMB/Winreg.HKLM.dump | | HKLM accessed via SMB, potentially to dump or query keys (for example SAM, SYSTEM, SECURITY or any other sub-key)
LDAP/Hacktool.GetSPN | | Get the whole subtree of servicePrincipalName (Impacket GetUserSPNs)

Click a detection to take further action:

Computer Details

Go to the Computer details tab.

Toggle Group

Expand or contract the group; not available if ungrouped is selected.

Mark as Resolved

Mark the detection as Resolved.

Mark as not Resolved

Mark the detection as Unresolved.

Create Exclusion

Create an exclusion for the selected rules. You are redirected to the Create Rule Exclusion screen.

Edit Rule

Redirects you to the Edit Rule section if a rule raised the detection.

Edit User Actions

Opens the Edit User Actions window for the rule that raised the selected detection.

Priority

Mark the detection as No priority/Priority I/Priority II/Priority III.

Add Comment

Add a comment.

Open

Open Computer—Opens Computer details for the computer that triggered the detection.

Open Process—If a Rule triggers the detection, opens the Process details of the process that caused the detection.

Open Parent Process—If the detection has a parent process, opens the parent Process details.

Tags

Assign tags to a detection from the existing list, or create custom tags.

Audit log

Go to the Audit log tab.

Incident

- Create an incident report
- Add to a current incident
- Add to a recent incident (shows the last three incidents)
- Select an incident to add to

Filter

Show quick filters on the column where you activated the context menu (Show only this, Hide this).