elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Rule Tuning] Adding Hidden File Attribute via Attrib #2579

Closed swiftbird07 closed 1 year ago

swiftbird07 commented 1 year ago

Link to rule

https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml

Description

There is a known false positive of IgfxCUIService.exe using attrib.exe.

See this similar Sigma rule:

```yaml
falsepositives:
  - IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)
```

So I would suggest tuning the rule similarly to what the Sigma rule already does:

```yaml
ParentImage|endswith: '\cmd.exe'
CommandLine: '+R +H +S +A \\\*.cui'
ParentCommandLine: 'C:\\WINDOWS\\system32\\\*.bat'
```

Example Data:

```
and not (process.parent.name: "cmd.exe"
  and process.command_line: "attrib  +R +H +S +A *.cui"
  and process.parent.command_line: "C:\\WINDOWS\\system32\\cmd.exe /c \"C:\\WINDOWS\\system32\\*.bat\"")
```

Hope you agree with me.

Greetings Martin
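An added example, not code from this issue or from the elastic/detection-rules repository: the rule's core condition (attrib.exe started with `+h`) combined with the exclusion proposed above, evaluated in Python over constructed ECS-style process events. It checks that the IgfxCUIService pattern is suppressed only when all three conditions (cmd.exe parent, the `*.cui` command line, the System32 `*.bat` parent command line) hold, so the same command line from another parent still fires. The case-insensitive glob matching, the flattened field names and the sample batch file name `example.bat` are assumptions for illustration, not the shipped rule's exact query semantics.

```python
"""Added example (not from elastic/detection-rules): the attrib +h rule plus the
IgfxCUIService exclusion from the issue, run over constructed sample events.
Matching semantics (case-insensitive glob) are an assumption for illustration."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class ProcessEvent:
    """Minimal ECS-like process start event, flattened (constructed for the example)."""
    name: str                  # process.name
    args: list                 # process.args
    command_line: str          # process.command_line
    parent_name: str           # process.parent.name
    parent_command_line: str   # process.parent.command_line


# Patterns taken from the issue; `*` is a wildcard.
EXCLUDED_COMMAND_LINE = "attrib  +R +H +S +A *.cui"
EXCLUDED_PARENT_COMMAND_LINE = r'C:\WINDOWS\system32\cmd.exe /c "C:\WINDOWS\system32\*.bat"'


def _like(value, pattern):
    """Case-insensitive glob comparison (assumed semantics of the rule's `:` operator)."""
    return fnmatchcase(value.lower(), pattern.lower())


def matches_base_rule(ev):
    """Core of the rule: attrib.exe started with a +h argument."""
    return ev.name.lower() == "attrib.exe" and any(a.lower() == "+h" for a in ev.args)


def is_igfx_cui_false_positive(ev):
    """Exclusion proposed in the issue: cmd.exe running a System32 .bat that hides *.cui files."""
    return (
        ev.parent_name.lower() == "cmd.exe"
        and _like(ev.command_line, EXCLUDED_COMMAND_LINE)
        and _like(ev.parent_command_line, EXCLUDED_PARENT_COMMAND_LINE)
    )


def should_alert(ev):
    """Tuned rule: base condition minus the known false positive."""
    return matches_base_rule(ev) and not is_igfx_cui_false_positive(ev)


def evaluate(events):
    """Return the events that would fire the tuned rule."""
    return [ev for ev in events if should_alert(ev)]


# Constructed sample events (not real telemetry); example.bat is an assumed name.
SAMPLE_EVENTS = [
    # 1. the known false positive: cmd.exe runs a System32 batch file for igfxCUIService
    ProcessEvent("attrib.exe", ["attrib", "+R", "+H", "+S", "+A", "*.cui"],
                 "attrib  +R +H +S +A *.cui", "cmd.exe",
                 r'C:\WINDOWS\system32\cmd.exe /c "C:\WINDOWS\system32\example.bat"'),
    # 2. attrib +h on a user-writable path from an interactive cmd.exe: must still alert
    ProcessEvent("attrib.exe", ["attrib", "+h", r"C:\Users\Public\tool.exe"],
                 r"attrib +h C:\Users\Public\tool.exe", "cmd.exe",
                 r'"C:\WINDOWS\system32\cmd.exe"'),
    # 3. same command line as the FP but a different parent: exclusion must not apply
    ProcessEvent("attrib.exe", ["attrib", "+R", "+H", "+S", "+A", "*.cui"],
                 "attrib  +R +H +S +A *.cui", "powershell.exe",
                 r'powershell.exe -c "attrib  +R +H +S +A *.cui"'),
    # 4. attrib without +h: outside the rule entirely
    ProcessEvent("attrib.exe", ["attrib", "-r", r"C:\temp\notes.txt"],
                 r"attrib -r C:\temp\notes.txt", "cmd.exe",
                 r'"C:\WINDOWS\system32\cmd.exe"'),
]


if __name__ == "__main__":
    for ev in evaluate(SAMPLE_EVENTS):
        print("ALERT:", ev.parent_name, "->", ev.command_line)
```

Running the script prints alerts for events 2 and 3 only: the exclusion is deliberately narrow, so a command line that merely resembles the igfx batch job but is launched by a different parent is still surfaced, which is the property to preserve when porting the tuning into the rule's query.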

w0rk3r commented 1 year ago

Hey @maof97, thanks for the contribution, I've pushed a PR to exclude this pattern

swiftbird07 commented 1 year ago

Thanks 😊

w0rk3r commented 1 year ago

Looking forward to your next ones ;)