Neo23x0 / signature-base

YARA signature and IOC database for my scanners and tools

Reporting false positive: Synology Drive Client #214

Open NikGnuel opened 2 years ago

NikGnuel commented 2 years ago

Reporting false positive: Synology Drive Client

Alert: MODULE: ProcessScan MESSAGE: Yara Rule MATCH: EXPL_LOG_CVE_2021_27065_Exchange_Forensic_Artefacts_Mar21_1 PID: 10680 NAME: cloud-drive-daemon.exe OWNER: Admin CMD: C:\Users\Admin\AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-daemon.exe C:/Users/Admin/AppData/Local/SynologyDrive/data/config/client.conf 50016 PATH: C:\Users\Admin\AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-daemon.exe

Alert: MODULE: ProcessScan MESSAGE: Yara Rule MATCH: LOG_Exchange_Forensic_Artefacts_CleanUp_Activity_Mar21_1 PID: 10680 NAME: cloud-drive-daemon.exe OWNER: Admin CMD: C:\Users\Admin\AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-daemon.exe C:/Users/Admin/AppData/Local/SynologyDrive/data/config/client.conf 50016 PATH: C:\Users\Admin\AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-daemon.exe

Alert: MODULE: ProcessScan MESSAGE: Yara Rule MATCH: WiltedTulip_ReflectiveLoader PID: 10680 NAME: cloud-drive-daemon.exe OWNER: Admin CMD: C:\Users\Admin\AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-daemon.exe C:/Users/Admin/AppData/Local/SynologyDrive/data/config/client.conf 50016 PATH: C:\Users\Admin\AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-daemon.exe

Alert: MODULE: ProcessScan MESSAGE: Yara Rule MATCH: PowerShell_ISESteroids_Obfuscation PID: 10680 NAME: cloud-drive-daemon.exe OWNER: Admin CMD: C:\Users\Admin\AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-daemon.exe C:/Users/Admin/AppData/Local/SynologyDrive/data/config/client.conf 50016 PATH: C:\Users\Admin\AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-daemon.exe

phantinuss commented 2 years ago

This is not the full alert message. Can you provide the full events including the match-strings?

Do the rules match reproducibly? The match is in-memory on the process. Maybe some clear-text IOCs are synced and the process had them in-memory at the time. Is that possible?

Neo23x0 commented 2 years ago

I'm pretty sure that the service somehow copied the contents of clear text YARA rules into its own memory (e.g. to sync the signature files of LOKI to the Synology drive).

If that's the case, it is expected behaviour.
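As an added triage example (not part of this issue thread or of the signature-base project), the script below parses the run-together ProcessScan alert text from the report into one record per process and applies the check the maintainers describe: several unrelated rule families matching in the memory of one process is the pattern to expect when a sync client holds clear-text signature files, so the match-strings should be reviewed before the hits are treated either as a detection or as a false positive. The three-family threshold is an assumption chosen for illustration; the sample text is constructed from the alert fields quoted in the report.

```python
import re

# Constructed sample rebuilt from the report: four rules, one process (PID 10680).
RULES = [
    "EXPL_LOG_CVE_2021_27065_Exchange_Forensic_Artefacts_Mar21_1",
    "LOG_Exchange_Forensic_Artefacts_CleanUp_Activity_Mar21_1",
    "WiltedTulip_ReflectiveLoader",
    "PowerShell_ISESteroids_Obfuscation",
]
_EXE = "C:\\Users\\Admin\\AppData\\Local\\SynologyDrive\\SynologyDrive.app\\bin\\cloud-drive-daemon.exe"
_PROC = (f"PID: 10680 NAME: cloud-drive-daemon.exe OWNER: Admin CMD: {_EXE} "
         "C:/Users/Admin/AppData/Local/SynologyDrive/data/config/client.conf 50016 "
         f"PATH: {_EXE}")
SAMPLE = " ".join(
    f"Alert: MODULE: ProcessScan MESSAGE: Yara Rule MATCH: {r} {_PROC}" for r in RULES
)

# Field order of a ProcessScan YARA event; CMD may contain spaces, so it is
# matched non-greedily up to the PATH field.
EVENT_RE = re.compile(
    r"MODULE: (?P<module>\S+) MESSAGE: Yara Rule MATCH: (?P<rule>\S+) "
    r"PID: (?P<pid>\d+) NAME: (?P<name>\S+) OWNER: (?P<owner>\S+) "
    r"CMD: (?P<cmd>.+?) PATH: (?P<path>\S+)"
)


def parse_alerts(text):
    """Split run-together scanner output on 'Alert:' and parse each event."""
    events = []
    for chunk in text.split("Alert:"):
        m = EVENT_RE.search(chunk.strip())
        if m:
            events.append(m.groupdict())
    return events


def group_by_pid(events):
    """One triage record per process: identity fields plus every rule that hit it."""
    procs = {}
    for e in events:
        rec = procs.setdefault(e["pid"], {"name": e["name"], "owner": e["owner"],
                                          "path": e["path"], "rules": []})
        rec["rules"].append(e["rule"])
    return procs


def needs_match_string_review(rec, threshold=3):
    """Heuristic (assumption): rule names from several unrelated families on one
    process suggest signature text in memory, so request the match-strings."""
    families = {r.split("_")[0] for r in rec["rules"]}
    return len(families) >= threshold


if __name__ == "__main__":
    for pid, rec in group_by_pid(parse_alerts(SAMPLE)).items():
        flag = "review match-strings" if needs_match_string_review(rec) else "ok"
        print(pid, rec["name"], len(rec["rules"]), "rules:", flag)
```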