Fix Further FPs Found In Testing #4564

nasbench · 2023-11-11T19:00:29Z

Summary of the Pull Request

This PR fixes more false positives found in testing and updates

Changelog

remove: Abusing Findstr for Defense Evasion - Deprecate in favour of 2 splitted rules. 587254ee-a24b-4335-b3cd-065c0f1f4baa and 04936b66-3915-43ad-a8e5-809eadfd1141
remove: Windows Update Client LOLBIN - Deprecate in favour of 52d097e2-063e-4c9c-8fbb-855c8948d135
fix: Remote Thread Creation By Uncommon Source Image - Enhance filters to avoid false positives
fix: Suspicious Shim Database Installation via Sdbinst.EXE - Add "null" and "empty" filters to account for cases where the CLI is null or empty
new: Insenstive Subfolder Search Via Findstr.EXE
new: Remote File Download Via Findstr.EXE
new: Windows Defender Exclusion Deleted
new: Windows Defender Exclusion List Modified
new: Windows Defender Exclusion Reigstry Key - Write Access Requested
update: Renamed Office Binary Execution - Add new binaries and filters to increase coverage and tune FPs
update: EVTX Created In Uncommon Location - Enhance filters to cover other drives other than "C:"
update: Findstr GPP Passwords - Add "find.exe" binary to increase coverage
update: Findstr Launching .lnk File - Add "find.exe" binary to increase coverage
update: LSASS Process Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Non-DLL Extension File Renamed With DLL Extension - Update title and logic
update: Permission Misconfiguration Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Potentially Suspicious Wuauclt Network Connection - Change the logic to use the "CommandLine" field in order to avoid false positives
update: Proxy Execution Via Wuauclt.EXE - Update title and enhance filters
update: Recon Command Output Piped To Findstr.EXE - Add "find.exe" binary to increase coverage
update: Security Tools Keyword Lookup Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Suspicious Appended Extension - Enhance list of extension
update: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE - Add "find.exe" binary to increase coverage
fix: Uncommon Userinit Child Process - Add the citrix process cmstart to the filtered processes and make it more strict to avoid abuse. Also enhances the other filters by removing the C: notation.
fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Add FP filter for chrome installer spawning rundll32 without arguments

Example Log Event

N/A

Fixed Issues

Fixes Typo in readme #4554 (Thanks @vj-codes)
Fixes FP With Rule c649a6c7-cd8c-4a78-9c04-000fc76df954 #4520 (Thanks @mezzofix)
Fixes Renamed Office Binary Execution: Add excelcnv.exe to filter #4566 (Thanks @rkmbaxed)
Fixes Uncommon Userinit Child Process: Add cmstart.exe to filter_optional_citrix #4569 (Thanks @rkmbaxed)
Fixes Bad Opsec Defaults Sacrificial Processes With Improper Arguments #4570 (Thanks @celalettin-turgut)

SigmaHQ Rule Creation Conventions

If your PR adds new rules, please consider following and applying these conventions

rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml

rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml

rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml

rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml

rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml

...windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml

rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml

rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml

@vj-codes

remove: Abusing Findstr for Defense Evasion - Deprecate in favour of 2 splitted rules. 587254ee-a24b-4335-b3cd-065c0f1f4baa and 04936b66-3915-43ad-a8e5-809eadfd1141 remove: Windows Update Client LOLBIN - Deprecate in favour of 52d097e2-063e-4c9c-8fbb-855c8948d135 fix: Remote Thread Creation By Uncommon Source Image - Enhance filters to avoid false positives fix: Suspicious Shim Database Installation via Sdbinst.EXE - Add "null" and "empty" filters to account for cases where the CLI is null or empty new: Insenstive Subfolder Search Via Findstr.EXE new: Remote File Download Via Findstr.EXE new: Windows Defender Exclusion Deleted new: Windows Defender Exclusion List Modified new: Windows Defender Exclusion Reigstry Key - Write Access Requested update: Renamed Office Binary Execution - Add new binaries and filters to increase coverage and tune FPs update: EVTX Created In Uncommon Location - Enhance filters to cover other drives other than "C:" update: Findstr GPP Passwords - Add "find.exe" binary to increase coverage update: Findstr Launching .lnk File - Add "find.exe" binary to increase coverage update: LSASS Process Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage update: Non-DLL Extension File Renamed With DLL Extension - Update title and logic update: Permission Misconfiguration Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage update: Potentially Suspicious Wuauclt Network Connection - Change the logic to use the "CommandLine" field in order to avoid false positives update: Proxy Execution Via Wuauclt.EXE - Update title and enhance filters update: Recon Command Output Piped To Findstr.EXE - Add "find.exe" binary to increase coverage update: Security Tools Keyword Lookup Via Findstr.EXE - Add "find.exe" binary to increase coverage update: Suspicious Appended Extension - Enhance list of extension update: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE - Add "find.exe" binary to increase coverage fix: Uncommon Userinit Child Process - Add the citrix process cmstart to the filtered processes and make it more strict to avoid abuse. Also enhances the other filters by removing the C: notation. fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Add FP filter for chrome installer spawning rundll32 without arguments --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> thanks: @vj-codes for SigmaHQ#4554 thanks: @mezzofix for SigmaHQ#4520 thanks: @rkmbaxed for SigmaHQ#4566 and SigmaHQ#4569 thanks: @celalettin-turgut for SigmaHQ#4570

This reverts commit b77a3fa.

This reverts commit 2967675.

…ing" This reverts commit dddd7cd.

@vj-codes

remove: Abusing Findstr for Defense Evasion - Deprecate in favour of 2 splitted rules. 587254ee-a24b-4335-b3cd-065c0f1f4baa and 04936b66-3915-43ad-a8e5-809eadfd1141 remove: Windows Update Client LOLBIN - Deprecate in favour of 52d097e2-063e-4c9c-8fbb-855c8948d135 fix: Remote Thread Creation By Uncommon Source Image - Enhance filters to avoid false positives fix: Suspicious Shim Database Installation via Sdbinst.EXE - Add "null" and "empty" filters to account for cases where the CLI is null or empty new: Insenstive Subfolder Search Via Findstr.EXE new: Remote File Download Via Findstr.EXE new: Windows Defender Exclusion Deleted new: Windows Defender Exclusion List Modified new: Windows Defender Exclusion Reigstry Key - Write Access Requested update: Renamed Office Binary Execution - Add new binaries and filters to increase coverage and tune FPs update: EVTX Created In Uncommon Location - Enhance filters to cover other drives other than "C:" update: Findstr GPP Passwords - Add "find.exe" binary to increase coverage update: Findstr Launching .lnk File - Add "find.exe" binary to increase coverage update: LSASS Process Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage update: Non-DLL Extension File Renamed With DLL Extension - Update title and logic update: Permission Misconfiguration Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage update: Potentially Suspicious Wuauclt Network Connection - Change the logic to use the "CommandLine" field in order to avoid false positives update: Proxy Execution Via Wuauclt.EXE - Update title and enhance filters update: Recon Command Output Piped To Findstr.EXE - Add "find.exe" binary to increase coverage update: Security Tools Keyword Lookup Via Findstr.EXE - Add "find.exe" binary to increase coverage update: Suspicious Appended Extension - Enhance list of extension update: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE - Add "find.exe" binary to increase coverage fix: Uncommon Userinit Child Process - Add the citrix process cmstart to the filtered processes and make it more strict to avoid abuse. Also enhances the other filters by removing the C: notation. fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Add FP filter for chrome installer spawning rundll32 without arguments --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> thanks: @vj-codes for #4554 thanks: @mezzofix for #4520 thanks: @rkmbaxed for #4566 and #4569 thanks: @celalettin-turgut for #4570

fix: fp found in testing

d2ba0ed

nasbench added the 2nd Review Needed PR need a second approval label Nov 11, 2023

nasbench requested a review from phantinuss November 11, 2023 19:00

github-actions bot added Rules Windows Pull request add/update windows related rules labels Nov 11, 2023

nasbench added 3 commits November 11, 2023 20:06

fix: typo and closes SigmaHQ#4554

5b8268d

fix: resolves SigmaHQ#4520

cf6a604

fix: even more fp fixes

f58cc75

nasbench mentioned this pull request Nov 11, 2023

FP With Rule c649a6c7-cd8c-4a78-9c04-000fc76df954 #4520

Closed

nasbench added 4 commits November 12, 2023 00:20

feat: update findstr rules and other tunings

b5fb5db

Update proc_creation_win_findstr_subfolder_search.yml

491829f

fix: quick fix of selections

cf51905

Update proc_creation_win_renamed_office_processes.yml

fdf66e0

This was referenced Nov 13, 2023

Renamed Office Binary Execution: Add excelcnv.exe to filter #4566

Closed

Typo in readme #4554

Closed

phantinuss reviewed Nov 14, 2023

View reviewed changes

phantinuss and others added 2 commits November 14, 2023 10:20

fix: wording

7139d97

fix: SigmaHQ#4569

8a8f022

nasbench mentioned this pull request Nov 14, 2023

Uncommon Userinit Child Process: Add cmstart.exe to filter_optional_citrix #4569

Closed

nasbench added 3 commits November 14, 2023 14:02

fix: SigmaHQ#4570

3a25b90

chore: add missing modified date and reduce level

28e60fc

Update proc_creation_win_susp_bad_opsec_sacrificial_processes.yml

f4f281e

nasbench mentioned this pull request Nov 14, 2023

Bad Opsec Defaults Sacrificial Processes With Improper Arguments #4570

Closed

nasbench requested a review from phantinuss November 14, 2023 13:07

Update proc_creation_win_userinit_uncommon_child_processes.yml

42394d7

phantinuss approved these changes Nov 15, 2023

View reviewed changes

nasbench removed the 2nd Review Needed PR need a second approval label Nov 15, 2023

nasbench merged commit b77a3fa into SigmaHQ:master Nov 15, 2023
11 checks passed

phantinuss added a commit that referenced this pull request Nov 15, 2023

Revert "Fix Further FPs Found In Testing (#4564)"

2967675

This reverts commit b77a3fa.

phantinuss added a commit that referenced this pull request Nov 15, 2023

Merge PR #4564 from @nasbench - Fix Further FPs Found In Testing

dddd7cd

This reverts commit 2967675.

phantinuss added a commit that referenced this pull request Nov 15, 2023

Revert "Merge PR #4564 from @nasbench - Fix Further FPs Found In Test…

8dbf7b9

…ing" This reverts commit dddd7cd.

nasbench deleted the fix-fp-testing-2 branch March 11, 2024 21:10

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix Further FPs Found In Testing #4564

Fix Further FPs Found In Testing #4564

nasbench commented Nov 11, 2023 •

edited

Loading

Fix Further FPs Found In Testing #4564

Fix Further FPs Found In Testing #4564

Conversation

nasbench commented Nov 11, 2023 • edited Loading

Summary of the Pull Request

Changelog

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

nasbench commented Nov 11, 2023 •

edited

Loading