proc_creation_win_susp_bad_opsec_sacrificial_processes Chrome Installer False Positives
AaronS97 opened this issue · comments
Rule UUID
a7c3d773-caef-227e-a7e7-c2f13c622329
Example EventLog
N/A
Description
It appears that issue #4571 was opened by @celalettin-turgut to report false positives for this rule originating from the Google Chrome installer process spawning a Rundll32.exe process with no command line arguments. When this fix was applied, it seems that the condition was incorrectly updated to include these false positives, rather than exclude them. The condition field says "1 of selection_* and not 1 of filter_main_* and 1 of filter_optional_*", when I believe it should be "1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*"
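To make the difference between the two condition strings concrete, here is a small added example (not code from the Sigma repository or from the rule itself) that evaluates both conditions over constructed Sysmon-style events. The selection and filter definitions are simplified stand-ins written for this illustration: the parent path for the Chrome installer, the field names and the main filter are assumptions, not the rule's actual contents. It shows that with `and 1 of filter_optional_*` the rule fires only on the Chrome-installer events the filter was meant to suppress, while with `and not 1 of filter_optional_*` those events are excluded and the unfiltered rundll32.exe-without-arguments case still alerts.

```python
from typing import Dict

Event = Dict[str, str]

# Constructed stand-ins for the rule's named selections and filters (assumed,
# simplified; not the real rule text). Keys use Sigma's "field|modifier" form.
DEFINITIONS: Dict[str, Dict[str, str]] = {
    # a "sacrificial" process: rundll32.exe started with no arguments
    "selection_rundll32": {
        "Image|endswith": "\\rundll32.exe",
        "CommandLine|endswith": "rundll32.exe",
    },
    # an assumed main filter, present only to show the groups are independent
    "filter_main_parent": {"ParentImage|endswith": "\\explorer.exe"},
    # the Chrome-installer false positive from #4571 (parent path is assumed)
    "filter_optional_chrome": {"ParentImage|contains": "chrome_installer"},
}


def _field_matches(spec: str, expected: str, event: Event) -> bool:
    """Evaluate one 'field|modifier: value' pair, case-insensitively."""
    field, _, modifier = spec.partition("|")
    value = event.get(field, "").lower()
    expected = expected.lower()
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "contains":
        return expected in value
    return value == expected


def matches(name: str, event: Event) -> bool:
    """A map-style selection matches when all of its field conditions hold."""
    return all(_field_matches(k, v, event) for k, v in DEFINITIONS[name].items())


def one_of(prefix: str, event: Event) -> bool:
    """Sigma's '1 of <prefix>*': any definition whose name starts with prefix matches."""
    return any(matches(n, event) for n in DEFINITIONS if n.startswith(prefix))


def condition_as_committed(event: Event) -> bool:
    """The condition quoted in the issue: ... and 1 of filter_optional_*"""
    return (
        one_of("selection_", event)
        and not one_of("filter_main_", event)
        and one_of("filter_optional_", event)
    )


def condition_as_proposed(event: Event) -> bool:
    """The proposed condition: ... and not 1 of filter_optional_*"""
    return (
        one_of("selection_", event)
        and not one_of("filter_main_", event)
        and not one_of("filter_optional_", event)
    )


# Constructed sample events (paths and values are made up for this example).
CHROME_INSTALL: Event = {
    "Image": "C:\\Windows\\System32\\rundll32.exe",
    "CommandLine": "rundll32.exe",
    "ParentImage": "C:\\Users\\user\\AppData\\Local\\Temp\\chrome_installer.exe",
}
SUSPICIOUS: Event = {
    "Image": "C:\\Windows\\System32\\rundll32.exe",
    "CommandLine": "rundll32.exe",
    "ParentImage": "C:\\Windows\\System32\\cmd.exe",
}
NORMAL_USE: Event = {
    "Image": "C:\\Windows\\System32\\rundll32.exe",
    "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
    "ParentImage": "C:\\Windows\\explorer.exe",
}


if __name__ == "__main__":
    for label, ev in [("chrome installer", CHROME_INSTALL),
                      ("rundll32 from cmd", SUSPICIOUS),
                      ("rundll32 with args", NORMAL_USE)]:
        print(f"{label:20} committed={condition_as_committed(ev)!s:5} "
              f"proposed={condition_as_proposed(ev)}")
```

Running it shows the committed condition alerting only on the Chrome-installer event and staying silent on the cmd.exe-spawned case, which is the inverse of the intended behaviour; the proposed condition gives the expected result for all three events.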
Welcome @AaronS97 👋
It looks like this is your first issue on the Sigma rules repository!
The following repository accepts issues related to false positives
or 'rule ideas'.
If you're reporting an issue related to the pySigma library please consider submitting it here
If you're reporting an issue related to the deprecated sigmac library please consider submitting it here
Thanks for taking the time to open this issue, and welcome to the Sigma community! 😃
Hey @AaronS97 thanks for pointing this out. Will get a fix for it :)