False positive for e3845023-ca9a-4024-b2b2-5422156d5527 and C:\WINDOWS\System32\poqexec.exe #4448

Closed
nekopep opened this issue Sep 18, 2023 · 1 comment · Fixed by #4427
Labels
False-Positive Issue reporting a false positive with one of the rules

Comments

nekopep commented Sep 18, 2023

Rule UUID

e3845023-ca9a-4024-b2b2-5422156d5527

Example EventLog

Process name poqexec.exe (pid=8796)
Image name C:\Windows\System32\poqexec.exe
Command-line C:\WINDOWS\System32\poqexec.exe /noreboot /transaction 65340 /display_progress \SystemRoot\WinSxS\pending.xml

Execution Detected
Username [NT AUTHORITY\SYSTEM]
Current directory C:\WINDOWS\system32
User SID S-1-5-18
Process Create Time 2023-09-18 16:27:15Z
Size 569344 (556.00 KiB)
MD5 51714023bc465f6e5964ae8f26d98fd4
SHA1 9976e99a8a860e85e62bed7f854cf2799052ea31
SHA256 ed6a49b10a0479995a989e582b75bfe83b4079740054f6be395ab8cdf6dc41f0
IMPHASH E2F919B2D48793840C2EB63490B6F095
PE timestamp 2062-08-08 18:41:10Z
Signed Catalog
Signer name Microsoft Windows
Root CA name Microsoft Root Certificate Authority 2010
Company name Microsoft Corporation
File Description Primitive Operations Queue Executor
File version 10.0.22621.2061 (WinBuild.160101.0800)
Internal name POQExec
Legal copyright © Microsoft Corporation. All rights reserved.
Original filename poqexec.exe
Product name Microsoft® Windows® Operating System
Product version 10.0.22621.2061

Description

target_filename
C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\en-GB\MSFT_PackageManagementSource.strings.psd1

C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\en-GB\MSFT_PackageManagementSource.schema.mfl

C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-GB\MSFT_PackageManagement.strings.psd1

C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-GB\MSFT_PackageManagement.schema.mfl

etc...

Looks like adding poqexec.exe to the exception list could be a good addition.

Quoted from a pseudo website:
Poqexec.exe is a legitimate Windows system file that is part of the Windows Update process. It stands for Post-OOBE Queue Execution and it is responsible for executing tasks that are queued after the Out-of-Box Experience (OOBE) phase of Windows installation. The OOBE phase is when you set up your user account, language, region, and other preferences for the first time. Poqexec.exe runs in the background and performs tasks such as installing drivers, updates, and other components that are required for the proper functioning of your system.
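
An added illustration, not code from the issue or from the Sigma project, of why such an exception should key on the full image path of the system binary rather than on the file name alone. The events and the selection logic are constructed for this example and assume a rule that selects file creations under a WindowsPowerShell\Modules path, as the reported target_filename values suggest.

```python
from typing import Callable, Dict, List

Event = Dict[str, str]

# Constructed Sysmon-style file-creation events (sample data, not taken from the issue).
EVENTS: List[Event] = [
    {   # the benign case reported above: a servicing run writing module string files
        "Image": r"C:\Windows\System32\poqexec.exe",
        "TargetFilename": r"C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-GB\MSFT_PackageManagement.strings.psd1",
    },
    {   # same binary name but an unexpected location: this should still alert
        "Image": r"C:\Users\alice\AppData\Local\Temp\poqexec.exe",
        "TargetFilename": r"C:\Program Files\WindowsPowerShell\Modules\Demo\Demo.psm1",
    },
    {   # unrelated file write: never selected by the rule
        "Image": r"C:\Windows\System32\notepad.exe",
        "TargetFilename": r"C:\Users\alice\Documents\notes.txt",
    },
]


def selection(event: Event) -> bool:
    """Assumed selection: any file created under a PowerShell Modules directory."""
    return "\\windowspowershell\\modules\\" in event["TargetFilename"].lower()


def filter_by_name(event: Event) -> bool:
    """Weak exclusion: matches on the image file name only, wherever it lives."""
    return event["Image"].lower().endswith("\\poqexec.exe")


def filter_by_path(event: Event) -> bool:
    """Stronger exclusion: requires the full path of the Windows system binary."""
    return event["Image"].lower() == r"c:\windows\system32\poqexec.exe"


def alerting_events(events: List[Event], exclusion: Callable[[Event], bool]) -> List[int]:
    """Return the indices of events that match the selection and are not excluded."""
    return [i for i, e in enumerate(events) if selection(e) and not exclusion(e)]


if __name__ == "__main__":
    print("no exclusion:  ", alerting_events(EVENTS, lambda e: False))   # [0, 1]
    print("name-based:    ", alerting_events(EVENTS, filter_by_name))    # []
    print("full-path-based", alerting_events(EVENTS, filter_by_path))    # [1]
```

The name-based exclusion silences the reported false positive but also the second event, whereas the full-path exclusion keeps only the genuine servicing activity out of the alerts.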

@nasbench (Member) commented:

Thanks for reporting @nekopep. We'll add this to the list.
