
Comments (6)

github-actions commented on June 11, 2024

Welcome @ptvoinfo 👋

It looks like this is your first issue on the Sigma rules repository!

The following repository accepts issues related to false positives or 'rule ideas'.

If you're reporting an issue related to the pySigma library please consider submitting it here

If you're reporting an issue related to the deprecated sigmac library please consider submitting it here

Thanks for taking the time to open this issue, and welcome to the Sigma community! 😃


nasbench commented on June 11, 2024

Hey @ptvoinfo thanks for reporting this. It seems you were using an older version of the rule. The rule has been fixed to use endswith to avoid cases like the one you reported.

Check out the latest version of the rule here https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml


ptvoinfo commented on June 11, 2024

@nasbench No, it is the latest version of this rule on VirusTotal.com. Here is another example:

TerminalSessionId:1
ProcessGuid:{C784477D-725F-6554-3706-000000003B00}
ProcessId:8124
Product:Google Chrome
Description:Google Chrome
Company:Google LLC
ParentProcessGuid:{C784477D-722A-6554-3306-000000003B00}
User:DESKTOP-B0T93D6\george
Hashes:MD5=CEDC492FA7879BD5073A255E3B36E373,SHA256=4AB07CEA0D5543F3A955EC1EDDE511BF1C0D770748FDB84A8C5750A122808EED,IMPHASH=891D2BAFA4260189E94CAC8FB19F369A
OriginalFileName:chrome.exe
ParentImage:C:\Users\george\AppData\Local\Temp\is-47NGM.tmp\nmealogger3_2PKO0i.tmp
FileVersion:92.0.4515.159
ParentProcessId:8088
CurrentDirectory:C:\Windows\system32\
CommandLine:"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-features=OptimizationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints --start-maximized --load-extension=C:\Windows\crx --single-argument https://www.aggsoft.com/support/thank-you.htm?product=Advanced NMEA Data Logger&id=20231114232424&version=3.5.8.1115&id2=2PKO0i
EventID:1
LogonGuid:C784477D-1B29-6539-11D7-030000000000
LogonId:251665
Image:C:\Program Files\Google\Chrome\Application\chrome.exe
IntegrityLevel:High
ParentCommandLine:"C:\Users\george\AppData\Local\Temp\is-47NGM.tmp\nmealogger3_2PKO0i.tmp" /SL5="$1043E,14888167,109568,C:\Users\george\Desktop\nmealogger3_2PKO0i.exe"
UtcTime:1700033119
RuleName:-

Rule info:

title: File Download From Browser Process Via Inline URL
id: 94771a71-ba41-4b6e-a757-b531372eaab6
status: test
description: Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.
references:
    - https://twitter.com/mrd0x/status/1478116126005641220
    - https://lolbas-project.github.io/lolbas/Binaries/Msedge/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022/01/11
modified: 2023/11/09
tags:
....


nasbench commented on June 11, 2024

Can you send the link of the VT match?


ptvoinfo commented on June 11, 2024

@nasbench
Sure
https://www.virustotal.com/gui/file/99bfe94e0e73ddcf3b6b383b3da86778667eab5907db83772c83543a1f9812dd/detection/f-99bfe94e0e73ddcf3b6b383b3da86778667eab5907db83772c83543a1f9812dd-1701982351


nasbench commented on June 11, 2024

After some testing the issue seems to stem from VT and not the rule. Even if you execute the command locally you won't be able to generate the event, as the command line doesn't end with any of the extensions used by the rule.

I uploaded another version of the binary just to trigger a fresh rescan and you can see the rule doesn't match even though the command is there https://www.virustotal.com/gui/file/c289bca0aa3b456cf156890b4052b0302702974c21a9c5796bb5ebb7f9b11012/detection

It seems that VT keeps old matches but updates the rules. So the rule technically matches in the older version :)

Thanks for reporting.

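To make the point of the thread concrete, here is an added example (it is not pySigma and not the rule's own code) that re-implements the Sigma `contains` and `endswith` string modifiers and runs them over the Sysmon event posted above. The `contains` check is assumed here as the looser alternative the thread implies was replaced; the thread itself only says the fix was to use `endswith`. The browser-image and extension lists are assumed, illustrative subsets; the authoritative lists are in the rule YAML linked earlier. The first event's fields are copied from the comment (trimmed to the fields the check needs), the second event is constructed to show a command line the rule is meant to catch.

```python
"""Added example: minimal re-implementation of the Sigma 'contains' and
'endswith' string modifiers, run over the Sysmon event from the thread.
Not pySigma and not the rule's own code; the lists below are assumed,
illustrative subsets of what the linked rule YAML contains."""

# Copied from the reported Sysmon event, trimmed to the fields the rule
# looks at (raw string so the Windows backslashes are kept literally).
REPORTED_EVENT = r"""
EventID:1
Image:C:\Program Files\Google\Chrome\Application\chrome.exe
OriginalFileName:chrome.exe
ParentImage:C:\Users\george\AppData\Local\Temp\is-47NGM.tmp\nmealogger3_2PKO0i.tmp
CommandLine:"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-features=OptimizationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints --start-maximized --load-extension=C:\Windows\crx --single-argument https://www.aggsoft.com/support/thank-you.htm?product=Advanced NMEA Data Logger&id=20231114232424&version=3.5.8.1115&id2=2PKO0i
"""

# Constructed event: a browser launch whose URL argument ends in .exe,
# i.e. the kind of command line the rule is meant to catch.
DOWNLOAD_EVENT = r"""
EventID:1
Image:C:\Program Files\Google\Chrome\Application\chrome.exe
CommandLine:"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-4000,-4000 https://example.test/update.exe
"""

# Assumed subsets; the authoritative lists live in the rule YAML.
BROWSER_IMAGES = [r"\brave.exe", r"\chrome.exe", r"\msedge.exe", r"\opera.exe", r"\vivaldi.exe"]
EXTENSIONS = [".7z", ".dll", ".exe", ".hta", ".ps1", ".vbs", ".zip"]


def parse_sysmon(text: str) -> dict:
    """Parse 'Key:Value' lines. Split on the first colon only, because
    CommandLine and Hashes values contain colons themselves."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def sigma_contains(value: str, patterns) -> bool:
    """Sigma 'contains' modifier: case-insensitive substring, any-of."""
    v = value.lower()
    return any(p.lower() in v for p in patterns)


def sigma_endswith(value: str, patterns) -> bool:
    """Sigma 'endswith' modifier: case-insensitive suffix, any-of."""
    v = value.lower()
    return any(v.endswith(p.lower()) for p in patterns)


def rule_matches(event: dict, cmdline_modifier) -> bool:
    """Image must be one of the browsers AND CommandLine must satisfy the
    chosen modifier against the extension list."""
    image_ok = sigma_endswith(event.get("Image", ""), BROWSER_IMAGES)
    cmdline_ok = cmdline_modifier(event.get("CommandLine", ""), EXTENSIONS)
    return image_ok and cmdline_ok


def evaluate(text: str) -> dict:
    """Evaluate one event under both modifiers so the difference is visible."""
    event = parse_sysmon(text)
    return {
        "contains": rule_matches(event, sigma_contains),
        "endswith": rule_matches(event, sigma_endswith),
    }


if __name__ == "__main__":
    # The reported event: 'contains' fires because the quoted image path
    # "...\chrome.exe" already contains ".exe"; 'endswith' does not, since
    # the command line ends with "id2=2PKO0i".
    print("reported:", evaluate(REPORTED_EVENT))
    # The constructed download: both modifiers fire.
    print("download:", evaluate(DOWNLOAD_EVENT))
```

The takeaway is the one nasbench states: with `endswith`, the reported command line cannot match because nothing in the extension list is its suffix, so a hit reported against the current rule text can only come from a stale evaluation. A substring check, by contrast, would fire on every Chrome launch simply because the image path ends in `chrome.exe`.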
