thomaspatzke
commented
6 years ago Thanks for reporting, fixed it!
Closed chrispraesidio closed 6 years ago
thomaspatzke
commented
6 years ago Thanks for reporting, fixed it!
https://github.com/Neo23x0/sigma/blob/5e3211928f3e841ac5ee47eb02609681a3afd4c8/rules/apt/apt_turla_commands.yml#L40
This seems to me like it should be
Or am i misunderstanding the intention of this rule?
It seems like that second detection intends to look for a match for netCommand1 that occurs within 1m of matches for netCommand2 and netCommand3. I.e. these queries are intended to match 3 distinct events occurring in close temporal proximity. Is that correct?
If so, I suspect current rule likely has excessive false positives, as all matches for netCommand1 would be 'near' themselves (perhaps this would require 3 events matching netCommand1 in a minute? not sure how everyone's aggregation systems work).