SigmaHQ / sigma

Main Sigma Rule Repository

False positive: File Download From Browser Process Via Inline Link #4620

Closed ptvoinfo closed 11 months ago

ptvoinfo commented 11 months ago

Rule UUID

94771a71-ba41-4b6e-a757-b531372eaab6

Example EventLog

File Download From Browser Process Via Inline Link
Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.
Sigma Integrated Rule Set (GitHub) - Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)

TerminalSessionId:1
ProcessGuid:{C784477D-5DC3-6554-5006-000000004A00}
ProcessId:3496
Product:Google Chrome
Description:Google Chrome
Company:Google LLC
ParentProcessGuid:{C784477D-5D77-6554-4C06-000000004A00}
User:DESKTOP-B0T93D6\george
Hashes:MD5=B147FBDBD44374F73A763531C8D1093D,SHA256=9142FF96C6066950BA5B1253DE97080341902E1F9621E6084AE6197F8D8E2FB8,IMPHASH=891D2BAFA4260189E94CAC8FB19F369A
OriginalFileName:chrome.exe
ParentImage:C:\Users\george\AppData\Local\Temp\is-5NB11.tmp\pbxlogger3_3ELTGY.tmp
FileVersion:92.0.4515.131
ParentProcessId:7216
CurrentDirectory:C:\Windows\system32\
CommandLine:"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-features=OptimizationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints --start-maximized --load-extension=C:\Windows\crx --single-argument https://www.aggsoft.com/support/thank-you.htm?product=Advanced PBX Data Logger&version=3.7.3.1115&id=20231114215601&id2=3ELTGY
EventID:1
LogonGuid:C784477D-37F0-6536-8CCF-030000000000
LogonId:249740
Image:C:\Program Files\Google\Chrome\Application\chrome.exe
IntegrityLevel:High
ParentCommandLine:"C:\Users\george\AppData\Local\Temp\is-5NB11.tmp\pbxlogger3_3ELTGY.tmp" /SL5="$20448,42949145,109568,C:\Users\george\Desktop\pbxlogger3_3ELTGY.exe"
UtcTime:1700027843
RuleName:-

Description

It looks like it detects the ".exe" extension name in "chrome.exe".

github-actions[bot] commented 11 months ago

Welcome @ptvoinfo :wave:

It looks like this is your first issue on the Sigma rules repository!

The following repository accepts issues related to false positives or 'rule ideas'.

If you're reporting an issue related to the pySigma library please consider submitting it here

If you're reporting an issue related to the deprecated sigmac library please consider submitting it here

Thanks for taking the time to open this issue, and welcome to the Sigma community! :smiley:

nasbench commented 11 months ago

Hey @ptvoinfo, thanks for reporting this. It seems you were using an older version of the rule. The rule has been fixed to use endswith to avoid cases like the one you reported.

Check out the latest version of the rule here: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml

ptvoinfo commented 11 months ago

@nasbench No, it is the latest version of this rule on VirusTotal.com. Here is another example:

TerminalSessionId:1
ProcessGuid:{C784477D-725F-6554-3706-000000003B00}
ProcessId:8124
Product:Google Chrome
Description:Google Chrome
Company:Google LLC
ParentProcessGuid:{C784477D-722A-6554-3306-000000003B00}
User:DESKTOP-B0T93D6\george
Hashes:MD5=CEDC492FA7879BD5073A255E3B36E373,SHA256=4AB07CEA0D5543F3A955EC1EDDE511BF1C0D770748FDB84A8C5750A122808EED,IMPHASH=891D2BAFA4260189E94CAC8FB19F369A
OriginalFileName:chrome.exe
ParentImage:C:\Users\george\AppData\Local\Temp\is-47NGM.tmp\nmealogger3_2PKO0i.tmp
FileVersion:92.0.4515.159
ParentProcessId:8088
CurrentDirectory:C:\Windows\system32\
CommandLine:"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-features=OptimizationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints --start-maximized --load-extension=C:\Windows\crx --single-argument https://www.aggsoft.com/support/thank-you.htm?product=Advanced NMEA Data Logger&id=20231114232424&version=3.5.8.1115&id2=2PKO0i
EventID:1
LogonGuid:C784477D-1B29-6539-11D7-030000000000
LogonId:251665
Image:C:\Program Files\Google\Chrome\Application\chrome.exe
IntegrityLevel:High
ParentCommandLine:"C:\Users\george\AppData\Local\Temp\is-47NGM.tmp\nmealogger3_2PKO0i.tmp" /SL5="$1043E,14888167,109568,C:\Users\george\Desktop\nmealogger3_2PKO0i.exe"
UtcTime:1700033119
RuleName:-

Rule info:

title: File Download From Browser Process Via Inline URL
id: 94771a71-ba41-4b6e-a757-b531372eaab6
status: test
description: Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.
references:
    - https://twitter.com/mrd0x/status/1478116126005641220
    - https://lolbas-project.github.io/lolbas/Binaries/Msedge/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022/01/11
modified: 2023/11/09
tags:
....
nasbench commented 11 months ago

Can you send the link of the VT match?

ptvoinfo commented 11 months ago

@nasbench Sure https://www.virustotal.com/gui/file/99bfe94e0e73ddcf3b6b383b3da86778667eab5907db83772c83543a1f9812dd/detection/f-99bfe94e0e73ddcf3b6b383b3da86778667eab5907db83772c83543a1f9812dd-1701982351

nasbench commented 11 months ago

After some testing, the issue seems to stem from VT and not the rule. Even if you execute the command locally, you won't be able to generate the event, as the command line doesn't end with any of the extensions used by the rule.

I uploaded another version of the binary just to trigger a fresh rescan, and you can see the rule doesn't match even though the command is there: https://www.virustotal.com/gui/file/c289bca0aa3b456cf156890b4052b0302702974c21a9c5796bb5ebb7f9b11012/detection

It seems that VT keeps old matches but updates the rules. So the rule technically matches in the older version :)

Thanks for reporting.
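A toy model of the contains-versus-endswith change nasbench describes, added here as an illustration and not code from the SigmaHQ rule or repository. The extension and browser lists are assumed for the demonstration (the real rule's lists are not on this page), and the second event is constructed with a placeholder host; the first reuses the reporter's benign Chrome launch.

```python
# Toy model of the two Sigma string modifiers at the heart of this issue.
# Assumed: INTERESTING_EXTENSIONS and BROWSER_IMAGES are illustrative lists,
# NOT the real rule's values. Sigma string matching is case-insensitive, so
# every comparison below is done on lower-cased fields.

INTERESTING_EXTENSIONS = (".exe", ".dll", ".msi", ".zip", ".iso")   # assumed list
BROWSER_IMAGES = ("\\chrome.exe", "\\msedge.exe", "\\firefox.exe")  # assumed list


def browser_process(event: dict) -> bool:
    """Image|endswith on a handful of browser binaries."""
    return event["Image"].lower().endswith(BROWSER_IMAGES)


def old_rule_matches(event: dict) -> bool:
    """Pre-fix semantics (CommandLine|contains): fires on the browser's own
    path "...\\chrome.exe", which is exactly the false positive reported."""
    cmd = event["CommandLine"].lower()
    return browser_process(event) and any(ext in cmd for ext in INTERESTING_EXTENSIONS)


def fixed_rule_matches(event: dict) -> bool:
    """Post-fix semantics (CommandLine|endswith): only a command line that
    ends in an interesting extension, i.e. a trailing file URL, counts."""
    cmd = event["CommandLine"].lower()
    return browser_process(event) and cmd.endswith(INTERESTING_EXTENSIONS)


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Sample 1: the reporter's benign post-install "thank you" page launch (from the issue).
BENIGN_EVENT = {
    "Image": CHROME,
    "CommandLine": f'"{CHROME}" --start-maximized --single-argument '
                   "https://www.aggsoft.com/support/thank-you.htm?product=Advanced PBX Data Logger&version=3.7.3.1115",
}

# Sample 2: constructed event of the kind the rule is meant to catch (placeholder host).
DOWNLOAD_EVENT = {
    "Image": CHROME,
    "CommandLine": f'"{CHROME}" https://placeholder.example/installer.exe',
}


def evaluate(event: dict) -> dict:
    """Return how the old and the fixed rule logic each judge one event."""
    return {"old": old_rule_matches(event), "fixed": fixed_rule_matches(event)}


if __name__ == "__main__":
    for name, ev in (("benign", BENIGN_EVENT), ("download", DOWNLOAD_EVENT)):
        print(name, evaluate(ev))
```

The endswith form trades a little recall for precision: a file URL followed by a query string no longer ends with the extension, so it is not matched either.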