False Detections with Invoke-Obfuscation and Null Bytes

[KDot227]

Rule UUID

f3a98ce4-6164-4dd4-867c-4d83de7eca51

Example EventLog

I found this off virus total lol

Description

Script Block is

ScriptBlockText|re: '\w+`(\w+|-|.)`[\w+|\s]'

False code detected is:

$aes_key = "KDOT-ON-TOP`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0`0"

Similar code it's meant to detect:

        # Examples:
        #   IN`V`o`Ke-eXp`ResSIOn (Ne`W-ob`ject Net.WebClient).DownloadString
        #   &('In'+'voke-Expressi'+'o'+'n') (.('New-Ob'+'jec'+'t') Net.WebClient).DownloadString
        #   &("{2}{3}{0}{4}{1}"-f 'e','Expression','I','nvok','-') (&("{0}{1}{2}"-f'N','ew-O','bject') Net.WebClient).DownloadString
        #   ${e`Nv:pATh}

It's looking for obfuscating text but mistaking null bytes as obfuscated text.

[github-actions[bot]]

Welcome @KDot227 :wave:

It looks like this is your first issue on the Sigma rules repository!

The following repository accepts issues related to false positives or 'rule ideas'.

If you're reporting an issue related to the pySigma library please consider submitting it here

If you're reporting an issue related to the deprecated sigmac library please consider submitting it here

Thanks for taking the time to open this issue, and welcome to the Sigma community! :smiley:

[nasbench]

Hey, thanks for reporting this. While the case you found is not malicious. The regex in question is looking for any simple back tick obfuscation in power shell logs. For example the following would match.

a`b`a

While its a very "weak" regex its still in the logic of the rule. I would try to look into this more to try and enhance it. In the worst case this would be transferred to the threat hunting folder to set FP appetite correctly.

Thanks