elastic / detection-rules

Home Page:https://www.elastic.co/guide/en/security/current/detection-engine-overview.html


[Rule Tuning] Startup or Run Key Registry Modification

psanz-estc opened this issue

Link to rule

https://www.elastic.co/guide/en/security/current/startup-or-run-key-registry-modification.html

Description

Rule "Startup or Run Key Registration Modification" leads to a lot of false positive alerts due to the registry.path (i.e. MS Office using different registry keys for different users).

One option would be to create exceptions based on some fields (such as process.name), but it is not clear whether we would be allowing rogue binaries to go unnoticed.

Example Data

In the capture below we can see registry.path and process.name

Registry.path changes from user to user, so each alert is different.
Creating exceptions based on process.name would open the door to non-legit binaries going under the radar.

[Screenshot attached: consultaelastic.png]

Hey @psanz-estc @ibotello, I've just pushed #3367 to solve the majority of the FPs that this rule is generating; let me know if you have any feedback on it ;)

And thanks for bringing this to our attention, we are doing a review on the entire ruleset as part of #3186, but do not hesitate to open a tuning issue in the repo if any rule is generating a considerable amount of FPs.

hi @w0rk3r, even after upgrading to version 8.11.7 (released on Jan 25th) we still see quite a lot of false positives for the Startup or Run Key Registration Modification rule

[Screenshot attached]

As you can see in the image above, at least in this case, it seems all related to msedge.exe (but it could be circumstantial).

Any chance this could be improved?
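The tuning concern raised in this thread (per-user registry.path values making every alert look unique, and process.name-only exceptions letting a renamed binary slip through) can be illustrated with a small triage sketch. The Python below is an added example, not code from this issue or from the detection-rules project, and it does not use Elastic's own exception mechanism: it normalizes the user SID out of registry.path and only suppresses an event when process.name, the normalized path, the executable location and the code signature all match. The event dicts are constructed samples using ECS-style flattened field names (registry.path, process.executable, process.code_signature.trusted, process.code_signature.subject_name); the Edge key name, install path and SIDs are made up for illustration.

```python
import fnmatch
import re
from dataclasses import dataclass

# Per-user hive paths differ only by the account SID, e.g.
# HKEY_USERS\S-1-5-21-...-1001\Software\...\Run\...; collapse the SID so one
# exception covers every user instead of one exception per alert.
SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+", re.IGNORECASE)


def normalize_registry_path(path: str) -> str:
    """Replace the user SID in a registry.path with a fixed token."""
    return SID_RE.sub("{SID}", path)


@dataclass(frozen=True)
class TuningException:
    """Hypothetical exception: suppress only when *all* conditions hold, so a
    binary merely named like a trusted process cannot hide behind the name."""
    process_name: str        # e.g. "msedge.exe"
    registry_path_glob: str  # glob over the normalized registry.path
    executable_globs: tuple  # expected install locations of the binary
    signer: str              # expected code-signing subject name

    def matches(self, event: dict) -> bool:
        if event["process.name"].lower() != self.process_name.lower():
            return False
        norm = normalize_registry_path(event["registry.path"]).lower()
        if not fnmatch.fnmatchcase(norm, self.registry_path_glob.lower()):
            return False
        exe = event["process.executable"].lower()
        if not any(fnmatch.fnmatchcase(exe, g.lower()) for g in self.executable_globs):
            return False
        return (event.get("process.code_signature.trusted") is True
                and event.get("process.code_signature.subject_name") == self.signer)


def triage(events, exceptions):
    """Return {event id: 'suppressed' | 'alert'} for each Run-key modification."""
    return {ev["id"]: "suppressed" if any(x.matches(ev) for x in exceptions) else "alert"
            for ev in events}


def triage_by_name_only(events, names):
    """The tempting but unsafe policy discussed in the issue: exclude on process.name alone."""
    return {ev["id"]: "suppressed" if ev["process.name"].lower() in names else "alert"
            for ev in events}


# Constructed exception for the Edge auto-launch key (key name and path assumed).
EXCEPTIONS = [
    TuningException(
        process_name="msedge.exe",
        registry_path_glob=r"HKEY_USERS\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_*",
        executable_globs=(r"C:\Program Files*\Microsoft\Edge\Application\msedge.exe",),
        signer="Microsoft Corporation",
    ),
]

_RUN = r"\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample events; SIDs, paths and key suffixes are made up.
SAMPLE_EVENTS = [
    {   # legitimate Edge auto-launch key written for user ...-1001
        "id": "e1",
        "process.name": "msedge.exe",
        "process.executable": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "process.code_signature.trusted": True,
        "process.code_signature.subject_name": "Microsoft Corporation",
        "registry.path": r"HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001" + _RUN + r"\MicrosoftEdgeAutoLaunch_9E1C",
    },
    {   # same key for a second user: different raw path, same normalized path
        "id": "e2",
        "process.name": "msedge.exe",
        "process.executable": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "process.code_signature.trusted": True,
        "process.code_signature.subject_name": "Microsoft Corporation",
        "registry.path": r"HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1002" + _RUN + r"\MicrosoftEdgeAutoLaunch_4B7A",
    },
    {   # unsigned binary that only shares the name, running from a temp folder
        "id": "e3",
        "process.name": "msedge.exe",
        "process.executable": r"C:\Users\alice\AppData\Local\Temp\msedge.exe",
        "process.code_signature.trusted": False,
        "registry.path": r"HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001" + _RUN + r"\MicrosoftEdgeAutoLaunch_0000",
    },
]

if __name__ == "__main__":
    print("multi-field exception:", triage(SAMPLE_EVENTS, EXCEPTIONS))
    print("name-only exception:  ", triage_by_name_only(SAMPLE_EVENTS, {"msedge.exe"}))
```

With the sample events, the multi-field policy suppresses e1 and e2 (the same key under two user SIDs) while still alerting on e3, whereas the name-only policy suppresses all three; that difference is the gap the issue author is worried about when exceptions are keyed on process.name alone.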