Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

a21bcd7e-38ec-49ad-b69a-9ea17e69509e has a lot false positive related to office and webbrowsers #4449

Closed
nekopep opened this issue Sep 18, 2023 · 1 comment · Fixed by #4427
Closed

a21bcd7e-38ec-49ad-b69a-9ea17e69509e has a lot false positive related to office and webbrowsers #4449

nekopep opened this issue Sep 18, 2023 · 1 comment · Fixed by #4427
Labels
False-Positive Issue reporting a false positive with one of the rules

Comments

@nekopep
Copy link

nekopep commented Sep 18, 2023

Rule UUID

a21bcd7e-38ec-49ad-b69a-9ea17e69509e

Example EventLog

Process name firefox.exe (pid=19216)
Image name C:\Program Files\Mozilla Firefox\firefox.exe
Command-line C:\Program Files\Mozilla Firefox\firefox.exe
Execution Detected
Username DOMAIN\xxxxxx
Current directory C:\Program Files\Mozilla Firefox
User SID
Process Create Time 2023/07/03 07:12:01.539
Size 680352 (664.41 KiB)
MD5 ec9d36bd5660da608b95acba56f37d67
SHA1 0894d9121f5698b7039143197e170a77d7204cb5
SHA256 ddf384b19dfd7410134580c97fdb3ff0095a2ab8d146448348a592d2dde00e61
IMPHASH 4429FB94219F6E5F4FE338C4C0EA218A
PE timestamp 2023-06-19 07:43:47Z
Signed Authenticode
Signer name Mozilla Corporation
Root CA name DigiCert Assured ID Root CA
Company name Mozilla Corporation
File Description Firefox
File version 114.0.2
Internal name Firefox
Legal copyright ©Firefox and Mozilla Developers; available under the MPL 2 license.
Original filename firefox.exe
Product name Firefox
Product version 114.0.2

Description

Just a feedback, in my case I need to disable this rule because I got a lot of false positive

DNS Resolution 
Requested domain name     **_ldap._tcp.default-first-site._sites.serv-ad**.
Query type SRV
Status name_not_found
Resolved IP addresses (empty)
Resolved text records (empty)

Requested domain name:
_ldap._tcp.srvad2019.
_ldap._tcp.default-first-site._sites.srvad2019.

Non-specific Command lines affected:

C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
C:\Program Files (x86)\Microsoft Office\Root\Office16\POWERPNT.EXE C:\Users\xxxxxx\Desktop\xxxxxxx.pptx /ou
C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE /n C:\xxxxxxx.docx /o
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=fr --service-sandbox-type=none --mojo-platform-channel-handle=4196 --field-trial-handle=1996,i,14070850443147090736,6564881447880100376,262144 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=fr --service-sandbox-type=none --mojo-platform-channel-handle=4336 --field-trial-handle=1916,i,5381155877489532163,10707663285075261516,262144 /prefetch:8

Perhaps we could add the office one and web browser to reduce the initial false positive so people using this rule will only get their specific applications?
Also I attached the ldap DNS request but I'm not expert and don't know if we could whitelist with these :)
@nekopep nekopep added the False-Positive Issue reporting a false positive with one of the rules label Sep 18, 2023
@nasbench nasbench mentioned this issue Sep 16, 2023
Merged
@nasbench
Copy link
Member

Thanks for reporting @nekopep

This rule was missing some important filters such as program files. I added them and reduced the level to low.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
False-Positive Issue reporting a false positive with one of the rules
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Multiple Fixes & Enhancements nasbench/sigma
2 participants
@nekopep @nasbench