Closed nasbench closed 5 months ago
Hi, I hope you can help me.
I'm using Security Onion, and the rule "Renamed ZOHO Dctask64 Execution" is generating about 100.000 alerts/hour.
It affects all Windows devices with the elastic-endpoint software.
Is this the expected behavior?
Should I be worried, or are they false positives?
Should I deactivate it because it has "status: test"?
Can I do something to help improve the alert behavior?
Thanks!
Hi @Carlos-mb, it is not expected behavior. Last time I discussed this with Josh from Sec Onion, he said it was probably related to a windash bug in Sec Onion. Can you please open an issue and give me some redacted example logs so that I can troubleshoot this more accurately.
Cheers.
Wow!
I really appreciate your fast response and your offer to help me.
I'll open an issue and give you all the information you need.
Summary of the Pull Request
This PR updates lolbin rules (updating filenames, metadata info, and logic where necessary).
Changelog
- update: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE - Update logic to add additional variation of the extensions
- update: Arbitrary File Download Via ConfigSecurityPolicy.EXE - Update description
- update: C# IL Code Compilation Via Ilasm.EXE - Add flags to increase accuracy of the rule instead of it focusing on "any" execution
- update: COM Object Execution via Xwizard.EXE - Update logic
- update: JScript Compiler Execution - Update metadata
- update: ManageEngine Endpoint Central Dctask64.EXE Potential Abuse - Update logic to account for flags and increase accuracy
- update: Potential Application Whitelisting Bypass via Dnx.EXE - Update description
- update: Potential Arbitrary Command Execution Via FTP.EXE - Use "windash" modifier and update description
- update: Potential Arbitrary File Download Via Cmdl32.EXE - Remove unnecessary spaces to account for flags being at the end
- update: Renamed ZOHO Dctask64 Execution - Add additional imphash values
- update: Windows Kernel Debugger Execution - Reduce level to "medium"
- update: Xwizard.EXE Execution From Non-Default Location - Update description
Example Log Event
N/A
Fixed Issues
N/A
SigmaHQ Rule Creation Conventions
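The thread above mentions two detection mechanics without showing them: the "Renamed ZOHO Dctask64 Execution" rule keys on Imphash values while excluding the binary's real file name, and the changelog switches a flag check to the `windash` modifier (the same modifier the suspected Security Onion bug concerns). The following is an added example, not code from SigmaHQ, Security Onion, or anyone in the thread. It is a simplified Python evaluator for both rule shapes, run over constructed process-creation events. The Imphash values, the dctask64 command-line flags `-c`/`-p`, and the inclusion of en/em dash variants in the windash expansion are all assumptions, not taken from the real rules.

```python
"""Added example: simplified Sigma-style matcher for a 'renamed binary' rule
(Imphash match, Image name mismatch) and a flag rule using the windash modifier.
Not the SigmaHQ rules themselves; all hashes, flags and paths are constructed."""
import itertools
from dataclasses import dataclass

# Sigma's windash modifier lets a "-flag" pattern also match "/flag". Newer
# pySigma releases additionally accept Unicode dashes; including the en and em
# dash here is an assumption about the current implementation.
DASHES = ("-", "/", "\u2013", "\u2014")


def windash_variants(pattern: str) -> set[str]:
    """Expand every '-' in `pattern` into all dash spellings (cartesian product)."""
    positions = [i for i, ch in enumerate(pattern) if ch == "-"]
    if not positions:
        return {pattern}
    out = set()
    for combo in itertools.product(DASHES, repeat=len(positions)):
        chars = list(pattern)
        for pos, dash in zip(positions, combo):
            chars[pos] = dash
        out.add("".join(chars))
    return out


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    command_line: str
    imphash: str        # import hash as logged by Sysmon / the EDR


# CONSTRUCTED placeholder hashes; the real rule carries its own list.
KNOWN_DCTASK64_IMPHASHES = {"placeholder_imphash_1", "placeholder_imphash_2"}
DCTASK64_NAME = "\\dctask64.exe"


def renamed_dctask64(ev: ProcEvent) -> bool:
    """Renamed-binary logic: the import hash says dctask64, the file name does not."""
    return (ev.imphash.lower() in KNOWN_DCTASK64_IMPHASHES
            and not ev.image.lower().endswith(DCTASK64_NAME))


def dctask64_flag_abuse(ev: ProcEvent, flags=(" -c ", " -p ")) -> bool:
    """Flag logic: genuine dctask64.exe whose command line carries every flag,
    in any dash spelling (this is what 'windash|contains' buys you).
    The flags are hypothetical placeholders."""
    if not ev.image.lower().endswith(DCTASK64_NAME):
        return False
    cl = ev.command_line.lower()
    return all(any(v.lower() in cl for v in windash_variants(f)) for f in flags)


RULES = {
    "Renamed ZOHO Dctask64 Execution": renamed_dctask64,
    "ManageEngine Endpoint Central Dctask64.EXE Potential Abuse": dctask64_flag_abuse,
}


def evaluate(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Return (event index, rule title) for every rule that fires."""
    hits = []
    for idx, ev in enumerate(events):
        for title, check in RULES.items():
            if check(ev):
                hits.append((idx, title))
    return hits


# Constructed sample telemetry: one benign agent run, one renamed copy,
# one unrelated process, one genuine dctask64 using slash-style flags.
SAMPLE_EVENTS = [
    ProcEvent("C:\\Program Files (x86)\\ManageEngine\\agent\\dctask64.exe",
              "dctask64.exe -c cmd.exe -p 1234", "placeholder_imphash_1"),
    ProcEvent("C:\\Users\\Public\\svc.exe",
              "svc.exe", "placeholder_imphash_1"),
    ProcEvent("C:\\Windows\\System32\\notepad.exe",
              "notepad.exe", "unrelated_imphash"),
    ProcEvent("C:\\Program Files (x86)\\ManageEngine\\agent\\dctask64.exe",
              "dctask64.exe /c cmd.exe /p 1234", "placeholder_imphash_2"),
]

if __name__ == "__main__":
    for idx, title in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {title}")
```

Event 1 is the only one that should trigger the renamed rule, and the legitimately named binary never does, which is the behaviour a healthy deployment shows; if a renamed-binary rule fires on every endpoint for every process, the field the rule keys on (here Imphash) or the modifier handling in the pipeline is the first thing to check, as the thread's reply suggests.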