Uncommon Userinit Child Process: Add cmstart.exe to filter_optional_citrix #4569
Labels
False-Positive
Issue reporting a false positive with one of the rules
Comments
nasbench
added a commit
to nasbench/sigma
that referenced
this issue
Nov 14, 2023
I did a bit more research and icast.exe has the same path as cmstart.exe in Citrix. I guess the following would fix it.
nasbench
added a commit
that referenced
this issue
Nov 15, 2023
remove: Abusing Findstr for Defense Evasion - Deprecate in favour of 2 split rules. 587254ee-a24b-4335-b3cd-065c0f1f4baa and 04936b66-3915-43ad-a8e5-809eadfd1141
remove: Windows Update Client LOLBIN - Deprecate in favour of 52d097e2-063e-4c9c-8fbb-855c8948d135
fix: Remote Thread Creation By Uncommon Source Image - Enhance filters to avoid false positives
fix: Suspicious Shim Database Installation via Sdbinst.EXE - Add "null" and "empty" filters to account for cases where the CLI is null or empty
new: Insensitive Subfolder Search Via Findstr.EXE
new: Remote File Download Via Findstr.EXE
new: Windows Defender Exclusion Deleted
new: Windows Defender Exclusion List Modified
new: Windows Defender Exclusion Registry Key - Write Access Requested
update: Renamed Office Binary Execution - Add new binaries and filters to increase coverage and tune FPs
update: EVTX Created In Uncommon Location - Enhance filters to cover drives other than "C:"
update: Findstr GPP Passwords - Add "find.exe" binary to increase coverage
update: Findstr Launching .lnk File - Add "find.exe" binary to increase coverage
update: LSASS Process Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Non-DLL Extension File Renamed With DLL Extension - Update title and logic
update: Permission Misconfiguration Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Potentially Suspicious Wuauclt Network Connection - Change the logic to use the "CommandLine" field in order to avoid false positives
update: Proxy Execution Via Wuauclt.EXE - Update title and enhance filters
update: Recon Command Output Piped To Findstr.EXE - Add "find.exe" binary to increase coverage
update: Security Tools Keyword Lookup Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Suspicious Appended Extension - Enhance list of extensions
update: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE - Add "find.exe" binary to increase coverage
fix: Uncommon Userinit Child Process - Add the Citrix process cmstart to the filtered processes and make it more strict to avoid abuse. Also enhances the other filters by removing the C: notation.
fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Add FP filter for Chrome installer spawning rundll32 without arguments
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
thanks: @vj-codes for #4554
thanks: @mezzofix for #4520
thanks: @rkmbaxed for #4566 and #4569
thanks: @celalettin-turgut for #4570
phantinuss
added a commit
to phantinuss/sigma
that referenced
this issue
Nov 15, 2023
phantinuss
added a commit
that referenced
this issue
Nov 15, 2023
Rule UUID
0a98a10c-685d-4ab0-bddc-b6bdd1d48458
Example EventLog
Image: C:\Program Files (x86)\Citrix\HDX\bin\cmstart.exe
Description: Citrix Client Manager Starting Utility
Product: Citrix XenApp & XenDesktop
Company: Citrix Systems, Inc.
OriginalFileName: CMStart.exe
CommandLine: cmstart.exe
ParentImage: C:\Windows\System32\userinit.exe
ParentCommandLine: C:\Windows\system32\userinit.exe
Description
Add cmstart.exe to filter_optional_citrix; it's a common Citrix executable file.
https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command
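As an added example (not code from the SigmaHQ rule or from this issue), the core logic of an "uncommon userinit child" detection and two possible shapes of filter_optional_citrix, written in Python so the effect of the filter on the event above can be checked offline. Field names follow Sigma's Windows process_creation log source; the filter values, the explorer.exe baseline filter, and the non-C: and user-directory events are constructed assumptions for the illustration, not the rule's actual text.

```python
"""Evaluate a minimal "userinit spawned an uncommon child" rule against
constructed events, comparing a loose and a strict Citrix filter.
Added example; filter values are assumptions, not the SigmaHQ rule text."""
from __future__ import annotations

# Constructed sample events. The first is modelled on the event log in the issue;
# the others are invented to exercise the filter.
EVENTS = [
    {
        "Image": r"C:\Program Files (x86)\Citrix\HDX\bin\cmstart.exe",
        "ParentImage": r"C:\Windows\System32\userinit.exe",
    },
    {
        # Constructed: same file name, but sitting in a user-writable directory.
        "Image": r"C:\Users\Public\cmstart.exe",
        "ParentImage": r"C:\Windows\System32\userinit.exe",
    },
    {
        # Constructed: the normal userinit child, covered by the baseline filter.
        "Image": r"C:\Windows\explorer.exe",
        "ParentImage": r"C:\Windows\System32\userinit.exe",
    },
    {
        # Constructed: Citrix installed on a drive other than C:.
        "Image": r"D:\Program Files (x86)\Citrix\HDX\bin\cmstart.exe",
        "ParentImage": r"C:\Windows\System32\userinit.exe",
    },
]


def _endswith(value: str, suffix: str) -> bool:
    # Sigma string modifiers match case-insensitively; mirror that here.
    return value.lower().endswith(suffix.lower())


def selection(ev: dict) -> bool:
    # The rule's selection: any child of userinit.exe.
    return _endswith(ev.get("ParentImage", ""), r"\userinit.exe")


def filter_main_explorer(ev: dict) -> bool:
    # Assumed baseline filter: explorer.exe is the expected child of userinit.
    return _endswith(ev.get("Image", ""), r"\explorer.exe")


def filter_citrix_loose(ev: dict) -> bool:
    # Loose variant: only the file name is checked, so any path named
    # cmstart.exe is silently excluded from the detection.
    return _endswith(ev.get("Image", ""), r"\cmstart.exe")


def filter_citrix_strict(ev: dict) -> bool:
    # Strict variant: the Citrix install path is required. The drive letter is
    # left out (the "removing the C: notation" change) so D:\ installs still match.
    return _endswith(ev.get("Image", ""), r"\Citrix\HDX\bin\cmstart.exe")


def rule_fires(ev: dict, citrix_filter) -> bool:
    # condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
    return selection(ev) and not filter_main_explorer(ev) and not citrix_filter(ev)


def evaluate(events: list[dict], citrix_filter) -> list[str]:
    """Return the Image of every event the rule would alert on."""
    return [ev["Image"] for ev in events if rule_fires(ev, citrix_filter)]


if __name__ == "__main__":
    print("loose filter alerts on :", evaluate(EVENTS, filter_citrix_loose))
    print("strict filter alerts on:", evaluate(EVENTS, filter_citrix_strict))
```

With the loose filter nothing alerts, including the copy under C:\Users\Public; with the strict filter the genuine Citrix event from the issue (and the D:\ install) is suppressed while the out-of-place copy still raises an alert, which is the "make it more strict to avoid abuse" point in the fix commit.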