Comments (6)
Welcome @ptvoinfo 👋
It looks like this is your first issue on the Sigma rules repository!
The following repository accepts issues related to false positives
or 'rule ideas'.
If you're reporting an issue related to the pySigma library please consider submitting it here
If you're reporting an issue related to the deprecated sigmac library please consider submitting it here
Thanks for taking the time to open this issue, and welcome to the Sigma community! 😃
Hey @ptvoinfo thanks for reporting this. It seems you were using an older version of the rule. The rule has been fixed to use endswith
to avoid cases like the one you reported.
Check out the latest version of the rule here https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml
@nasbench No, it is the latest version of this rule on VirusTotal.com. Here is another example:
TerminalSessionId:1
ProcessGuid:{C784477D-725F-6554-3706-000000003B00}
ProcessId:8124
Product:Google Chrome
Description:Google Chrome
Company:Google LLC
ParentProcessGuid:{C784477D-722A-6554-3306-000000003B00}
User:DESKTOP-B0T93D6\george
Hashes:MD5=CEDC492FA7879BD5073A255E3B36E373,SHA256=4AB07CEA0D5543F3A955EC1EDDE511BF1C0D770748FDB84A8C5750A122808EED,IMPHASH=891D2BAFA4260189E94CAC8FB19F369A
OriginalFileName:chrome.exe
ParentImage:C:\Users\george\AppData\Local\Temp\is-47NGM.tmp\nmealogger3_2PKO0i.tmp
FileVersion:92.0.4515.159
ParentProcessId:8088
CurrentDirectory:C:\Windows\system32\
CommandLine:"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-features=OptimizationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints --start-maximized --load-extension=C:\Windows\crx --single-argument https://www.aggsoft.com/support/thank-you.htm?product=Advanced NMEA Data Logger&id=20231114232424&version=3.5.8.1115&id2=2PKO0i
EventID:1
LogonGuid:C784477D-1B29-6539-11D7-030000000000
LogonId:251665
Image:C:\Program Files\Google\Chrome\Application\chrome.exe
IntegrityLevel:High
ParentCommandLine:"C:\Users\george\AppData\Local\Temp\is-47NGM.tmp\nmealogger3_2PKO0i.tmp" /SL5="$1043E,14888167,109568,C:\Users\george\Desktop\nmealogger3_2PKO0i.exe"
UtcTime:1700033119
RuleName:-
Rule info:
title: File Download From Browser Process Via Inline URL
id: 94771a71-ba41-4b6e-a757-b531372eaab6
status: test
description: Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.
references:
- https://twitter.com/mrd0x/status/1478116126005641220
- https://lolbas-project.github.io/lolbas/Binaries/Msedge/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022/01/11
modified: 2023/11/09
tags:
....
Can you send the link of the VT match?
@nasbench
Sure
https://www.virustotal.com/gui/file/99bfe94e0e73ddcf3b6b383b3da86778667eab5907db83772c83543a1f9812dd/detection/f-99bfe94e0e73ddcf3b6b383b3da86778667eab5907db83772c83543a1f9812dd-1701982351
After some testing the issue seems to stem from VT and not the rule. Even if you execute the command locally you won't be able to generate the event, as the command line doesn't end with any of the extensions used by the rule.
I uploaded another version of the binary just to trigger a fresh rescan and you can see the rule doesn't match even though the command is there https://www.virustotal.com/gui/file/c289bca0aa3b456cf156890b4052b0302702974c21a9c5796bb5ebb7f9b11012/detection
It seems that VT keeps old matches but updates the rules. So the rule technically matches in the older version :)
Thanks for reporting.
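To make the thread's point concrete, here is an added example (not code from the Sigma project) that evaluates a simplified version of the rule's selection over the event quoted above with two Sigma string modifiers: a `contains`-style extension check, which the thread implies the older revision used, and the `endswith` check the fixed rule uses. The extension list and browser list are constructed stand-ins, not the rule's real lists; the event fields are the ones from the report.

```python
"""Why 'contains' false-positives on the quoted Chrome launch but 'endswith' does not.

Added example; the extension and browser lists are constructed placeholders for
the rule's real lists (see the linked YAML). Event fields come from the issue."""
from typing import Callable, Dict, Iterable, List

# Fields copied from the Sysmon EventID 1 record quoted in the issue.
EVENT: Dict[str, str] = {
    "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    "CommandLine": (
        r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
        "--disable-features=OptimizationGuideModelDownloading,"
        "OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints "
        "--start-maximized --load-extension=C:\\Windows\\crx --single-argument "
        "https://www.aggsoft.com/support/thank-you.htm?product=Advanced NMEA Data "
        "Logger&id=20231114232424&version=3.5.8.1115&id2=2PKO0i"
    ),
}

# Assumption: small stand-ins for the rule's extension and browser lists.
INTERESTING_EXT: List[str] = [".exe", ".dll", ".ps1", ".zip", ".txt"]
BROWSERS: List[str] = ["\\chrome.exe", "\\msedge.exe"]


def _modifier(name: str) -> Callable[[str, str], bool]:
    """Minimal Sigma string modifiers; Sigma matching is case-insensitive."""
    ops = {
        "contains": lambda v, p: p.lower() in v.lower(),
        "endswith": lambda v, p: v.lower().endswith(p.lower()),
    }
    return ops[name]


def any_match(value: str, patterns: Iterable[str], modifier: str) -> bool:
    """A Sigma list value is an OR over its items."""
    op = _modifier(modifier)
    return any(op(value, p) for p in patterns)


def rule_matches(event: Dict[str, str], ext_modifier: str) -> bool:
    """Simplified selection: browser image AND a URL in the command line AND
    the extension check, evaluated with the given modifier."""
    return (
        any_match(event["Image"], BROWSERS, "endswith")
        and any_match(event["CommandLine"], ["http"], "contains")
        and any_match(event["CommandLine"], INTERESTING_EXT, ext_modifier)
    )


def explain(event: Dict[str, str]) -> Dict[str, bool]:
    """'contains' trips on the '.exe' of chrome.exe inside the command line;
    'endswith' looks only at the tail, which here is a query-string value."""
    return {"contains_check": rule_matches(event, "contains"),
            "endswith_check": rule_matches(event, "endswith")}
```

Running `explain(EVENT)` shows the `contains` variant matching solely because the browser's own path carries `.exe`, while the `endswith` variant correctly rejects the event.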