Closed nekopep closed 11 months ago
As a general rule, Emerging Threat rules are not meant for everyday use. They're basically DFIR/hunting rules that are meant to look for the specific threat you're investigating or suspecting. In this case, the MS report described one of the hunting opportunities as rundll running the beacon and then executing cmd /c from it (hence selection_3).
Regardless, I'll look more into it and see if we can add something to that selection.
Can you please provide the parent command line that triggered this event? That would be much appreciated.
Parent command line: rundll32.exe C:\WINDOWS\Installer\MSI409C.tmp,zzzzInvokeManagedCustomActionOutOfProc SfxCA_548552968 3 ServiceActions!ServiceActions.CustomActions.StopServiceAndWait
Grandparent command line: C:\Windows\System32\MsiExec.exe -Embedding 5B7846E2E8F78E798794E09F9F353864 E Global\MSI0000
@nasbench: "As a general rule Emerging threat rules are not meant for everyday use. They're basically DFIR/Hunting rules that are meant to look for the specific threat you're investigating or suspecting."
Ha, ok, thank you. I'm learning here, thank you for the tips.
This should be fixed in https://github.com/nasbench/sigma/commit/e9ffe92e80bb007b1e7b96ddb8888967f1a1b3ff :) Thanks for reporting.
Rule UUID
9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f
Example EventLog
Process name: cmd.exe (pid=12440)
Image name: C:\Windows\System32\cmd.exe
Command line: C:\WINDOWS\system32\cmd.exe /C sc stop
Execution: Detected
Username: [NT AUTHORITY\SYSTEM]
Current directory: C:\WINDOWS\Installer\MSI32DD.tmp-\
User SID: S-1-5-18
Process create time: 2023-09-11 19:00:26Z
Size: 323584 (316.00 KiB)
MD5: 5a6be4d2519515241d0c133a26cf62c0
SHA1: 13e9bb7e85ff9b08c26a440412e5cd5d296c4d35
SHA256: 423e0e810a69aaceba0e5670e58aff898cf0ebffab99ccb46ebb3464c3d2facb
IMPHASH: D73E39DAB3C8B57AA408073D01254964
PE timestamp: 2042-10-27 22:42:57Z
Signed: Catalog
Signer name: Microsoft Windows
Root CA name: Microsoft Root Certificate Authority 2010
Company name: Microsoft Corporation
File description: Windows Command Processor
File version: 10.0.22621.1635 (WinBuild.160101.0800)
Internal name: cmd
Legal copyright: © Microsoft Corporation. All rights reserved.
Original filename: Cmd.Exe
Product name: Microsoft® Windows® Operating System
Product version: 10.0.22621.1635
Description
Hello, I think it is a sufficiently generic false positive; basically the rule gets triggered by Selection_3:
And in my case, during what I suspect is an installation (not verified yet), a service is stopped. So we could probably whitelist cmd.exe /C sc stop.
This is one of my first reports, so do not hesitate to tell me if these cases are too specific. It is just the first time I have seen this rule triggered, so I suspect a service stop is sufficiently generally harmless to whitelist.
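To make the tuning question in this thread concrete, the following is an added Python example (written for this page, not the Sigma rule text and not the fix commit linked above). It models selection_3 as nasbench describes it (a rundll32 parent spawning cmd /c) and contrasts two ways of suppressing the reported event: a parent-based filter keyed on the Windows Installer managed custom-action host seen in the parent command line, and the child-command-line whitelist the reporter proposed. Field names follow the Sysmon/Sigma process_creation convention (Image, CommandLine, ParentImage, ParentCommandLine); the ParentImage of the reported event and the exact form of both filters are assumptions, since the issue gives neither.

```python
"""Toy evaluator for the rundll32 -> cmd /c logic this issue is about.

Added example: not the Sigma rule itself and not the fix commit linked in the
thread. Field names follow the Sysmon/Sigma process_creation convention.
Both tuning filters are assumptions made here for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    Image: str
    CommandLine: str
    ParentImage: str
    ParentCommandLine: str


def selection_3(ev: ProcessEvent) -> bool:
    """Mirror of the selection the thread describes: rundll32 parent, cmd /c child."""
    return (
        ev.ParentImage.lower().endswith("\\rundll32.exe")
        and ev.Image.lower().endswith("\\cmd.exe")
        and re.search(r"\s/c\b", ev.CommandLine, re.IGNORECASE) is not None
    )


# Assumed parent-based tuning: rundll32 hosting a Windows Installer managed
# custom action (C:\Windows\Installer\MSI<hex>.tmp loaded through the
# zzzzInvokeManagedCustomActionOutOfProc export, as in the reported event).
_MSI_CUSTOM_ACTION = re.compile(
    r"\\Installer\\MSI[0-9A-F]+\.tmp,zzzzInvokeManagedCustomActionOutOfProc",
    re.IGNORECASE,
)


def filter_msi_custom_action(ev: ProcessEvent) -> bool:
    """True when the parent is the MSI custom-action host (assumed filter)."""
    return _MSI_CUSTOM_ACTION.search(ev.ParentCommandLine) is not None


def filter_sc_stop_child(ev: ProcessEvent) -> bool:
    """The child-command-line whitelist the reporter proposed (assumed form)."""
    return re.search(r"/c\s+sc\s+stop\b", ev.CommandLine, re.IGNORECASE) is not None


def evaluate(ev: ProcessEvent, filters=(filter_msi_custom_action,)) -> str:
    """Return 'no_match', 'filtered' or 'alert' for one event."""
    if not selection_3(ev):
        return "no_match"
    if any(f(ev) for f in filters):
        return "filtered"
    return "alert"


# Constructed samples. REPORTED reuses the command lines quoted in the issue;
# its ParentImage is assumed because the report does not include it.
REPORTED = ProcessEvent(
    Image=r"C:\Windows\System32\cmd.exe",
    CommandLine=r"C:\WINDOWS\system32\cmd.exe /C sc stop",
    ParentImage=r"C:\Windows\System32\rundll32.exe",
    ParentCommandLine=(
        r"rundll32.exe C:\WINDOWS\Installer\MSI409C.tmp,"
        r"zzzzInvokeManagedCustomActionOutOfProc SfxCA_548552968 3 "
        r"ServiceActions!ServiceActions.CustomActions.StopServiceAndWait"
    ),
)
# Constructed: rundll32 loading a DLL from a user-writable path, then cmd /c.
UNEXPLAINED = ProcessEvent(
    Image=r"C:\Windows\System32\cmd.exe",
    CommandLine=r"cmd.exe /c sc stop SomeService",
    ParentImage=r"C:\Windows\System32\rundll32.exe",
    ParentCommandLine=r"rundll32.exe C:\Users\Public\update.dll,Run",
)
# Constructed: cmd /c from explorer, never in scope for selection_3.
UNRELATED = ProcessEvent(
    Image=r"C:\Windows\System32\cmd.exe",
    CommandLine=r"cmd.exe /c dir",
    ParentImage=r"C:\Windows\explorer.exe",
    ParentCommandLine=r"C:\Windows\explorer.exe",
)


def run_all() -> dict:
    """Evaluate each sample under both tunings, keyed by sample name."""
    samples = (("reported", REPORTED), ("unexplained", UNEXPLAINED), ("unrelated", UNRELATED))
    return {
        name: {
            "parent_filter": evaluate(ev),
            "child_filter": evaluate(ev, (filter_sc_stop_child,)),
        }
        for name, ev in samples
    }


if __name__ == "__main__":
    for name, verdicts in run_all().items():
        print(f"{name:12s} {verdicts}")
```

Both filters suppress the reported MSI event, but only the parent-based one keeps alerting on the constructed case where rundll32 loads a DLL from a user-writable directory and then runs the same sc stop command; a whitelist keyed on the child command line alone removes that case too, which is the trade-off nasbench's reply about adjusting the selection rather than the child command points at.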