Conversation

@nasbench (Contributor) commented Jun 16, 2025

This PR introduces a couple of updates and fixes:

  • Cobalt Strike Named Pipes - Added additional named pipes
  • Detect Renamed WinRAR - Fixed an issue in the logic, as reported in [BUG] Logical flaw in ESCU rule "Detect Renamed WinRAR" due to incorrect use of OR instead of AND in process #3550
  • Icacls Deny Command - Enhanced the logic by adding additional options
  • ICACLS Grant Command - Enhanced the logic by adding additional options
  • Modify ACL permission To Files Or Folder - Enhanced the logic by adding additional options
  • Suspicious Copy on System32 - Reworked the logic to avoid FPs and FNs. Namely, the previous logic did not take into account xcopy (and its sisters) starting from a full path (AKA containing System32 or SysWOW64). It also incorrectly split the CommandLine on a space character, which introduced inconsistency in the logic
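
The two failure modes described in the last bullet (a copy tool invoked by its full System32 path, and a command line split on a single space so that quoted paths fall apart) can be reproduced and avoided outside Splunk. The block below is an added example and is not the ESCU rule's SPL nor any code from the security_content project: the list of copy tools (`copy`, `xcopy`, `robocopy`), the detection condition (destination under System32/SysWOW64, source outside it), the helper names and every sample command line are assumptions constructed for illustration.

```python
import re

# Copy-like tools recognised by this example; the ESCU rule's own list is an
# assumption here and may differ ("xcopy and its sisters" in the PR text).
COPY_TOOLS = {"copy", "xcopy", "robocopy"}

# Protected destination directories, compared as path components rather than
# as a bare "system32" substring.
SYSTEM_DIRS = (r"\windows\system32", r"\windows\syswow64")

# One argument per match: either a double-quoted run or a run of non-whitespace.
_ARG_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_windows_args(cmdline: str) -> list[str]:
    """Tokenize a command line on whitespace while keeping double-quoted
    arguments (paths containing spaces) intact.  A plain split(" "), which is
    what the old logic amounted to, breaks such paths into fragments."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _ARG_RE.finditer(cmdline)]


def tool_name(token: str) -> str:
    """Reduce 'C:\\Windows\\System32\\xcopy.exe' or 'xcopy' to 'xcopy', so a
    tool launched by its full path is recognised like a bare invocation."""
    name = token.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def is_system_dir(path: str) -> bool:
    """True when the path is, or lies under, Windows\\System32 or
    Windows\\SysWOW64.  'D:\\backup\\System32' does not qualify."""
    normalized = path.replace("/", "\\").lower().rstrip("\\") + "\\"
    return any(d + "\\" in normalized for d in SYSTEM_DIRS)


def classify_copy(cmdline: str):
    """Return (tool, source, destination) for a copy-like command line, or
    None when no copy tool is invoked.  Wrappers such as 'cmd.exe /c' are
    skipped by scanning for the first copy-tool token; switches (/Y, /E, ...)
    are dropped before picking the two positional operands."""
    args = split_windows_args(cmdline)
    for i, tok in enumerate(args):
        if tool_name(tok) in COPY_TOOLS:
            operands = [a for a in args[i + 1:] if not a.startswith("/")]
            if len(operands) < 2:
                return None
            return tool_name(tok), operands[0], operands[1]
    return None


def is_suspicious_copy(cmdline: str) -> bool:
    """Detection condition used by this example (an assumption, not the ESCU
    rule's exact condition): a copy-like tool writing into System32/SysWOW64
    from a source outside those directories.  Only the operands are examined,
    so a tool launched from its own System32 path neither triggers nor masks
    the match."""
    parsed = classify_copy(cmdline)
    if parsed is None:
        return False
    _tool, src, dst = parsed
    return is_system_dir(dst) and not is_system_dir(src)


# Constructed sample command lines (not taken from any real telemetry).
SAMPLE_COMMANDLINES = {
    # Tool invoked by full System32 path: must still be parsed as xcopy.
    "fullpath_tool": r'C:\Windows\System32\xcopy.exe C:\Users\Public\evil.dll C:\Windows\System32\ /Y',
    # Quoted paths with spaces: split(" ") would shred these into five tokens.
    "quoted_paths": r'"C:\Program Files\Tool\xcopy.exe" "C:\Program Files\Tool\payload.dll" C:\Windows\SysWOW64\payload.dll',
    # Copy behind a cmd.exe wrapper.
    "cmd_wrapper": r'cmd.exe /c copy C:\Users\Public\evil.dll C:\Windows\System32\evil.dll',
    # Copy out of System32 (benign under this example's condition).
    "copy_out": r'copy C:\Windows\System32\drivers\etc\hosts C:\Users\Public\hosts.bak',
    # Destination merely contains the substring "System32".
    "lookalike_dir": r'robocopy C:\Windows\System32 D:\backup\System32 /E',
    # Not a copy tool at all.
    "not_a_copy": r'notepad.exe C:\Windows\System32\drivers\etc\hosts',
}


def evaluate_samples() -> dict[str, bool]:
    """Run the detection condition over every constructed sample."""
    return {name: is_suspicious_copy(cl) for name, cl in SAMPLE_COMMANDLINES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT' if hit else 'ok   '}  {name}: {SAMPLE_COMMANDLINES[name]}")
```

The point of the tokenizer is that the source and destination are only meaningful once arguments are intact; a single-space split also yields empty tokens on double spaces, so any positional check built on it shifts unpredictably from one command line to the next. Matching the protected directory as a path component rather than a substring keeps a copy into `D:\backup\System32` from firing.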

@nasbench nasbench added this to the v5.8.0 milestone Jun 16, 2025
@nasbench nasbench marked this pull request as ready for review June 17, 2025 09:15
@ljstella (Contributor) left a comment:

LGTM

@pyth0n1c pyth0n1c merged commit 799b276 into develop Jun 17, 2025
4 checks passed
@pyth0n1c pyth0n1c deleted the fixing-issues-5.8 branch June 17, 2025 17:58
Successfully merging this pull request may close these issues.

[BUG] Logical flaw in ESCU rule "Detect Renamed WinRAR" due to incorrect use of OR instead of AND in process
3 participants