Closed: nwf9 closed this 5 years ago
The first match isn't a false positive. It's a positive match on a relevant string in the process memory of the browser. https://github.com/Neo23x0/signature-base/blob/7c8745c59ed43cf60f1dd5bace2339f19824fc9c/yara/gen_p0wnshell.yar#L30
How often does this appear? On your system only?
The second match is some kind of error. I have no idea how a private rule can match on process memory.
https://github.com/Neo23x0/signature-base/blob/c2634bfa232693ed03f189091384c50a73878d75/yara/apt_hatman.yar#L38
How can it be relevant for the browser process? Do you recommend excluding those processes? Is the correct behavior of the private rule to analyze only the file present on disk?
> How can it be relevant for the browser process?
Attackers use browsers on compromised systems to download tools.
> Do you recommend excluding those processes?
If you know that the user of that system with matches in the browser memory is allowed to surf to hacktool web pages and download such tools, yes. I'd filter it where you analyse the logs. (grep -v ...)
> Is the correct behavior of the private rule to analyze only the file present on disk?

No. Private rules shouldn't show up at all. They are only used in combination with other rules. https://yara.readthedocs.io/en/v3.8.1/writingrules.html#private-rules
> How can it be relevant for the browser process?
Did you see false positives on machines of users that shouldn't visit hack tool sites?
Yes, if the user navigates to a malware domain list you trigger a lot of F/Ps 😁.
Not F/P
Hi Florian,
I have a lot of F/Ps with the two rules below:
YARA rule match on process memory SCORE: 75 NAME: chrome.exe DESC: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs PID: 10564 CMD: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1384,1381225692283285303,12548745127206151242,131072 --service-pipe-token=10935207763610381885 --lang=fr --disable-dinosaur-easter-egg --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=10935207763610381885 --renderer-client-id=124 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7552 /prefetch:1 RULE: Hacktool_Strings_p0wnedShell REFERENCE: https://github.com/Cn33liz/p0wnedShell
YARA rule match on process memory SCORE: 75 NAME: chrome.exe DESC: - PID: 11744 CMD: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1384,1381225692283285303,12548745127206151242,131072 --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=6827380407446322870 --mojo-platform-channel-handle=1400 --ignored=" --type=renderer " /prefetch:2 RULE: hatman_dividers
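As an added example (not code from this thread or from signature-base), here is the log-side filtering Florian suggests ("grep -v ..."), applied to constructed lines in the same format as the two reports above: an expected hacktool-string hit in browser memory is set aside for review rather than alerted, while a report naming the private rule hatman_dividers is flagged as a scanner error. The browser process list and the rule names are assumptions taken from this issue.

```python
import re

# Constructed sample in the format of the two reports in this issue (CMD values
# shortened). The third line is invented to show the same rule kept outside a browser.
SAMPLE_LOG = """\
YARA rule match on process memory SCORE: 75 NAME: chrome.exe DESC: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs PID: 10564 CMD: "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" --type=renderer --lang=fr /prefetch:1 RULE: Hacktool_Strings_p0wnedShell REFERENCE: https://github.com/Cn33liz/p0wnedShell
YARA rule match on process memory SCORE: 75 NAME: chrome.exe DESC: - PID: 11744 CMD: "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" --type=gpu-process /prefetch:2 RULE: hatman_dividers
YARA rule match on process memory SCORE: 75 NAME: powershell.exe DESC: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs PID: 4242 CMD: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" RULE: Hacktool_Strings_p0wnedShell REFERENCE: https://github.com/Cn33liz/p0wnedShell
"""

LINE_RE = re.compile(
    r"^YARA rule match on process memory SCORE: (?P<score>\d+) NAME: (?P<name>\S+) "
    r"DESC: (?P<desc>.*?) PID: (?P<pid>\d+) CMD: (?P<cmd>.*?) RULE: (?P<rule>\S+)"
    r"(?: REFERENCE: (?P<ref>\S+))?$"
)

# Assumed triage policy derived from the thread: browser-memory hits on hacktool
# strings are expected where users may download such tools, so they are dropped
# at log-analysis time (the grep -v approach) rather than by weakening the rule;
# a report naming a private rule is a scanner error, because private rules only
# serve as building blocks for other rules and should never be reported alone.
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe"}  # assumption
TOLERATED_IN_BROWSER = {"Hacktool_Strings_p0wnedShell"}          # from the issue
PRIVATE_RULES = {"hatman_dividers"}  # private in signature-base, per the issue's link

def parse_line(line):
    """Parse one report line into a dict, or return None if it is not a match line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["score"], rec["pid"] = int(rec["score"]), int(rec["pid"])
    return rec

def triage(log):
    """Bucket report lines into alerts, expected browser hits, and scanner errors."""
    buckets = {"alert": [], "filtered": [], "scanner_error": []}
    for raw in log.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # not a process-memory match line
        if rec["rule"] in PRIVATE_RULES:
            buckets["scanner_error"].append(rec)  # the hatman_dividers case
        elif rec["name"].lower() in BROWSER_PROCESSES and rec["rule"] in TOLERATED_IN_BROWSER:
            buckets["filtered"].append(rec)  # user fetched a hacktool; review, don't alert
        else:
            buckets["alert"].append(rec)
    return buckets
```

Calling `triage(SAMPLE_LOG)` puts PID 4242 under "alert", PID 10564 under "filtered", and PID 11744 under "scanner_error".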