
FP filters #5167

Merged
merged 4 commits into from
Jan 30, 2025

Conversation

djlukic (Contributor) commented Jan 21, 2025

Summary of the Pull Request

Hi,

I am proposing changes for two rules with FP filters added.

Changelog

  • Failed Code Integrity Checks : 470ec5fa-7b4e-4071-b200-4c753100f49b
    • For some reason CS EDR fails on code integrity checks, generating thousands of events.
  • Renamed Powershell Under Powershell Channel : 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592
    • I found an example of an escaped backslash.

Example Log Event

```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="54849625-5478-4994-A5BA-3E3B0328C30D">
    </Provider>
    <EventID>5038</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12290</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2025-01-06T19:23:57.574661Z">
    </TimeCreated>
    <EventRecordID>11882997</EventRecordID>
    <Correlation>
    </Correlation>
    <Execution ProcessID="4" ThreadID="9784">
    </Execution>
    <Channel>Security</Channel>
    <Computer>redacted</Computer>
    <Security>
    </Security>
  </System>
  <EventData>
    <Data Name="param1">\Device\HarddiskVolume3\Windows\System32\ScriptControl64_18721.dll</Data>
  </EventData>
</Event>
```

```xml
<Event
    xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
        <Provider Name="PowerShell" />
        <EventID Qualifiers="0">600</EventID>
        <Version>0</Version>
        <Level>4</Level>
        <Task>6</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2024-12-31T15:17:03.3516142Z" />
        <EventRecordID>388931</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Windows PowerShell</Channel>
        <Computer>redacted</Computer>
        <Security />
    </System>
    <EventData>
        <Data>FileSystem</Data>
        <Data>Started</Data>
        <Data>ProviderName=FileSystem NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=5.1.19041.4648 HostId=7216c750-c80d-487b-b646-ca3c56ea96dd HostApplication=C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe Get-CimInstance -Class Win32_DiskDrive | Select-Object Caption, FirmwareRevision, Index, InterfaceType, MediaType, Model, PNPDeviceID, Status | ForEach-Object { $_.PSObject.Properties | ForEach-Object { '{0}:{1}' -f $_.Name, $_.Value } } EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=</Data>
    </EventData>
</Event>
```

github-actions bot added the labels Rules and Windows (pull request adds/updates Windows related rules) Jan 21, 2025

frack113 (Member)
Hi,
Here is some useful information

  • From the specification, informational rules are:
    Rule is intended for enrichment of events, e.g. by tagging them. No case or alerting should be triggered by such rules because it is expected that a huge amount of events will match these rules.

  • for 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592 the logsource is category: ps_classic_start.
    From the taxonomy the EventID should be 400
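To make the two false-positive mechanisms concrete, here is an added example that is not SigmaHQ rule code and not the contributor's or reviewer's own: it replays trimmed copies of the two events posted above through a toy version of each rule and its filter. The parse approach, the allow-list of legitimate PowerShell host paths (`POWERSHELL_HOSTS`), the `ScriptControl64_<digits>.dll` pattern used as the 5038 filter, and the function names are all assumptions for illustration; the logsource scope check follows the reviewer's note that `ps_classic_start` maps to EventID 400.

```python
"""Added example (not SigmaHQ code): replay the two PR events through toy
versions of the two rules and their FP filters. Rule logic, field handling,
the host allow-list and the DLL pattern are assumptions for illustration."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed samples, trimmed from the two events posted in the PR.
EVENT_5038 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>5038</EventID>
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="param1">\Device\HarddiskVolume3\Windows\System32\ScriptControl64_18721.dll</Data>
  </EventData>
</Event>"""

# Note the escaped backslashes in HostApplication, exactly as in the PR event.
EVENT_600 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="PowerShell"/>
    <EventID Qualifiers="0">600</EventID>
    <Channel>Windows PowerShell</Channel>
  </System>
  <EventData>
    <Data>FileSystem</Data>
    <Data>Started</Data>
    <Data>ProviderName=FileSystem NewProviderState=Started SequenceNumber=7 HostName=ConsoleHost HostVersion=5.1.19041.4648 HostApplication=C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe Get-CimInstance -Class Win32_DiskDrive EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Return (event_id, channel, [Data elements]) from one EVTX-style XML event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    channel = root.find("e:System/e:Channel", NS).text
    return event_id, channel, root.findall("e:EventData/e:Data", NS)


# Assumed allow-list of legitimate PowerShell hosts (single backslashes, lowercase).
POWERSHELL_HOSTS = (
    r"\windowspowershell\v1.0\powershell.exe",
    r"\windowspowershell\v1.0\powershell_ise.exe",
)


def host_application_exe(blob):
    """Pull the executable out of the classic-channel 'HostApplication=' field
    (first whitespace token; assumes an unquoted path, as in the PR event)."""
    m = re.search(r"HostApplication=(.*?) EngineVersion=", blob, re.S)
    tokens = m.group(1).split() if m else []
    return tokens[0] if tokens else ""


def in_ps_classic_start_scope(xml_text):
    """Logsource scope per the taxonomy note in the thread: ps_classic_start is EventID 400,
    so the EventID 600 sample is outside that logsource."""
    event_id, channel, _ = parse_event(xml_text)
    return channel == "Windows PowerShell" and event_id == 400


def renamed_powershell_alert(xml_text, normalize_escapes):
    r"""Toy 'Renamed PowerShell under PowerShell channel' check: alert when the
    host application is not a known PowerShell binary. Without unescaping,
    'C:\\WINDOWS\\...' never matches the allow-list and fires a false positive."""
    _, _, data = parse_event(xml_text)
    exe = host_application_exe(data[-1].text or "").lower()
    if normalize_escapes:
        exe = exe.replace("\\\\", "\\")  # collapse escaped backslashes to single ones
    return not exe.endswith(POWERSHELL_HOSTS)


# Assumed filter for the recurring EDR DLL seen in the 5038 events.
EDR_DLL_FILTER = re.compile(r"\\Windows\\System32\\ScriptControl64_\d+\.dll$", re.I)


def code_integrity_fp(xml_text):
    """FP filter for the 'Failed Code Integrity Checks' rule (EventID 5038):
    True when param1 is the recurring EDR DLL and the event should be dropped."""
    event_id, _, data = parse_event(xml_text)
    if event_id != 5038:
        return False
    param1 = next((d.text for d in data if d.get("Name") == "param1"), "") or ""
    return bool(EDR_DLL_FILTER.search(param1))


if __name__ == "__main__":
    print("5038 matches EDR DLL filter:", code_integrity_fp(EVENT_5038))
    print("600 in ps_classic_start scope (EventID 400):", in_ps_classic_start_scope(EVENT_600))
    print("renamed-PS alert on raw HostApplication:", renamed_powershell_alert(EVENT_600, False))
    print("renamed-PS alert after unescaping:", renamed_powershell_alert(EVENT_600, True))
```

The point of the two `renamed_powershell_alert` calls is that the same event alerts or not depending only on whether the escaped backslashes are collapsed before the path comparison; a rule that keys on a literal single-backslash path needs either a filter for the `\\`-escaped form or a normalization step in the backend. The 5038 filter is deliberately anchored on `\Windows\System32\` and the `ScriptControl64_` prefix so that an unrelated failed-integrity DLL in another directory still alerts.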

@nasbench nasbench requested a review from frack113 January 22, 2025 21:40
@nasbench nasbench added the "2nd Review Needed" label (PR needs a second approval) Jan 22, 2025
@frack113 frack113 removed the "2nd Review Needed" label (PR needs a second approval) Jan 23, 2025
@nasbench nasbench merged commit 92989a4 into SigmaHQ:master Jan 30, 2025
12 checks passed
@djlukic djlukic deleted the fp_fixes_jan25 branch January 30, 2025 20:33