SigmaHQ / sigma

Main Sigma Rule Repository

9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f false positive with cmd.exe /C sc stop #4437

Closed nekopep closed 11 months ago

nekopep commented 11 months ago

Rule UUID

9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f

Example EventLog

Process name: cmd.exe (pid=12440)
Image name: C:\Windows\System32\cmd.exe
Command-line: C:\WINDOWS\system32\cmd.exe /C sc stop
Execution: Detected
Username: [NT AUTHORITY\SYSTEM]
Current directory: C:\WINDOWS\Installer\MSI32DD.tmp-\
User SID: S-1-5-18
Process Create Time: 2023-09-11 19:00:26Z
Size: 323584 (316.00 KiB)
MD5: 5a6be4d2519515241d0c133a26cf62c0
SHA1: 13e9bb7e85ff9b08c26a440412e5cd5d296c4d35
SHA256: 423e0e810a69aaceba0e5670e58aff898cf0ebffab99ccb46ebb3464c3d2facb
IMPHASH: D73E39DAB3C8B57AA408073D01254964
PE timestamp: 2042-10-27 22:42:57Z
Signed: Catalog
Signer name: Microsoft Windows
Root CA name: Microsoft Root Certificate Authority 2010
Company name: Microsoft Corporation
File Description: Windows Command Processor
File version: 10.0.22621.1635 (WinBuild.160101.0800)
Internal name: cmd
Legal copyright: © Microsoft Corporation. All rights reserved.
Original filename: Cmd.Exe
Product name: Microsoft® Windows® Operating System
Product version: 10.0.22621.1635

Description

Hello, I think it is a sufficiently generic false positive; basically the rule gets triggered by selection_3:

selection_3:
        ParentImage|endswith: '\rundll32.exe'
        ParentCommandLine|contains: 'C:\Windows'
        CommandLine|contains: 'cmd.exe /C '

And in my case, during what I suspect is an installation (not verified yet), a service is stopped. So we could probably whitelist cmd.exe /C sc stop.

This is one of my first reports, so do not hesitate to tell me if these cases are too specific. It is just the first time I see this rule triggered, so I suspect a service stop is sufficiently generally harmless to whitelist it.

nasbench commented 11 months ago

As a general rule, Emerging Threat rules are not meant for everyday use. They're basically DFIR/hunting rules that are meant to look for the specific threat you're investigating or suspecting. In this case, as the MS report describes, one of the hunting opportunities is rundll running the beacon and then executing cmd /c from it (hence selection_3).

Regardless, I'll look more into it and see if we can add something to that selection.

Can you please provide the parent command line that triggered this event? That would be much appreciated.

nekopep commented 11 months ago

Parent command-line rundll32.exe C:\WINDOWS\Installer\MSI409C.tmp,zzzzInvokeManagedCustomActionOutOfProc SfxCA_548552968 3 ServiceActions!ServiceActions.CustomActions.StopServiceAndWait

Grandparent command-line C:\Windows\System32\MsiExec.exe -Embedding 5B7846E2E8F78E798794E09F9F353864 E Global\MSI0000 chain

nekopep commented 11 months ago

@nasbench : "As a general rule Emerging threat rules are not meant for everyday use. They're basically DFIR/Hunting rules that are meant to look for the specific threat you're investigating or suspecting."

Ah ok, thank you. I'm learning here, thank you for the tips.

nasbench commented 11 months ago

This should be fixed in https://github.com/nasbench/sigma/commit/e9ffe92e80bb007b1e7b96ddb8888967f1a1b3ff :) Thanks for reporting.
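The following is an added example illustrating the discussion in this issue (the selection_3 logic quoted by nekopep and the tuning nasbench refers to); it is not Sigma's own code, and it does not reproduce the change in the linked commit. It implements a minimal, case-insensitive evaluator for the `contains` and `endswith` modifiers used in selection_3, runs it over two constructed process-creation events (one rebuilt from the command lines posted in this issue, one a constructed suspicious parent/child pair), and shows how a hypothetical exclusion on the MSI custom-action parent command line suppresses the installer case while leaving the suspicious case flagged. The `ParentImage` path for the MSI event and the exclusion filter itself are assumptions, not values from the page.

```python
"""Minimal Sigma-style matcher for the selection_3 / filter logic in this issue.

Added example, not SigmaHQ code. Sigma string matching is case-insensitive by
default, so all comparisons are done on lower-cased values.
"""
from typing import Dict, List

# selection_3 exactly as quoted in the issue report.
SELECTION_3: Dict[str, str] = {
    "ParentImage|endswith": "\\rundll32.exe",
    "ParentCommandLine|contains": "C:\\Windows",
    "CommandLine|contains": "cmd.exe /C ",
}

# Hypothetical tuning filter (an assumption for this example, not the fix in
# the referenced commit): MSI custom actions are hosted by rundll32 loading
# C:\Windows\Installer\MSI<hex>.tmp and can legitimately spawn "cmd.exe /C sc stop".
FILTER_MSI_CUSTOM_ACTION: Dict[str, str] = {
    "ParentCommandLine|contains": "\\Windows\\Installer\\MSI",
}

# Constructed events. The first one is rebuilt from the command lines posted in
# this issue (ParentImage path assumed); the second is a constructed pair that
# should still match after tuning.
EVENTS: List[Dict[str, str]] = [
    {
        "name": "msi-installer",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"C:\WINDOWS\system32\cmd.exe /C sc stop",
        "ParentImage": r"C:\Windows\System32\rundll32.exe",  # assumed path
        "ParentCommandLine": (
            r"rundll32.exe C:\WINDOWS\Installer\MSI409C.tmp,"
            r"zzzzInvokeManagedCustomActionOutOfProc SfxCA_548552968 3 "
            r"ServiceActions!ServiceActions.CustomActions.StopServiceAndWait"
        ),
    },
    {
        "name": "constructed-suspicious",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /C whoami",
        "ParentImage": r"C:\Windows\System32\rundll32.exe",
        "ParentCommandLine": r"rundll32.exe C:\Windows\Temp\update.dll,Start",
    },
]


def _field_matches(event: Dict[str, str], key: str, pattern: str) -> bool:
    """Evaluate one 'Field|modifier: pattern' entry against an event."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    pattern = pattern.lower()
    if modifier == "contains":
        return pattern in value
    if modifier == "endswith":
        return value.endswith(pattern)
    if modifier == "startswith":
        return value.startswith(pattern)
    if modifier == "":
        return value == pattern
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event: Dict[str, str], selection: Dict[str, str]) -> bool:
    """All entries of a Sigma selection map are ANDed together."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


def rule_fires(event: Dict[str, str]) -> bool:
    """Equivalent of the Sigma condition: selection_3 and not filter_msi."""
    return selection_matches(event, SELECTION_3) and not selection_matches(
        event, FILTER_MSI_CUSTOM_ACTION
    )


def evaluate(events: List[Dict[str, str]] = EVENTS) -> Dict[str, Dict[str, bool]]:
    """Return, per event, whether selection_3 matched and whether the tuned rule fires."""
    return {
        e["name"]: {
            "selection_3": selection_matches(e, SELECTION_3),
            "fires_after_filter": rule_fires(e),
        }
        for e in events
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name}: {result}")
```

Both events satisfy selection_3 on their own, which is exactly the false positive reported here; only the constructed suspicious event survives the exclusion. When tuning a hunting rule like this one, keep the exclusion as narrow as the legitimate parent allows (here the MSI custom-action host in `C:\Windows\Installer`) rather than whitelisting `sc stop` globally, since stopping services is also a common pre-encryption step that the original rule is meant to surface.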