Matrix found item potential error

[cyb3rxp]

Hi,

first of all, congrats for this work!

I'd like to report the following potential bug, while running Zircolite latest version with latest ruleset on a Sysmon EVTX file sample:

• in the Matrix tab of Zircolite Gui, I can see that there is a 'T1490-Inhibit System Recovery' TTP being found ('found' tag being displayed),
• when I select this TTP ID from the matrix, I only get filtered events (within the upper tab) that are related to: 'Amsi.DLL Load By Uncommon Process'. No other events related to T1490 are being shown.

Unless I'm mistaking, this does not seem to be consistent, between what the matrix shows and what the upper tab ('Sigma alerts') shows.

Many thanks and regards,

[wagga40]

Hi thanks for the issue.

Can you post it in the Zircolite repository instead of the rules repository ? 😅

If you have the sample and you can share it, it would help a lot.

[cyb3rxp]

Hi again, Done. Thx.