
Create proc_creation_win_wmic_system_info_discovery.yml #3960

Merged
merged 5 commits into from
Feb 7, 2023

Conversation

tropChaud
Contributor

No description provided.

@phantinuss
Collaborator

One could try to write the rule with specific commands used by specific malware variants. I am unsure about the FPs which might still occur there but it should be less than for a generic rule.

Video games wouldn't be my biggest concern as they already are the source of many FPs and normally there shouldn't be games on corporate machines. But right now some detection strings don't look suspicious, even for a medium level rule and I can see them used by just any legitimate software.

We could put the rule through our internal testing and see if something sticks but I suspect many more FPs in the wild. Recon can be hard to detect without FPs :/

@tropChaud
Contributor Author

Thanks. The variant observed so far seems to use only three of the commands (os get Caption, path win32_VideoController get name, cpu get name), executed in immediate succession (within ~1 second). Maybe the idea of a correlation-based rule makes the most sense? And if so we can wait for the new notation to be released.
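
The correlation idea floated in the comment above, written out as an added example that is not part of this pull request or of the SigmaHQ rule: a small Python check that groups WMIC process-creation events by host and parent process and alerts only when all three command lines named in the comment (os get Caption, path win32_VideoController get name, cpu get name) occur within the ~1 second window the comment describes. The event field names (ts, host, parent_pid, cmdline) and the sample events are constructed for illustration; a real Sigma correlation rule would key on whatever fields the backend exposes.

```python
"""Toy correlation check for the WMIC system-info discovery sequence.

Added example, not code from the SigmaHQ pull request. It assumes a
process-creation log with the fields 'ts' (epoch seconds), 'host',
'parent_pid' and 'cmdline'; the field names and the sample events below
are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Optional

# The three WMIC invocations named in the PR discussion, lowercased for matching.
DISCOVERY_COMMANDS = (
    "os get caption",
    "path win32_videocontroller get name",
    "cpu get name",
)
# The comment observed the three commands "within ~1 second" of each other.
WINDOW_SECONDS = 1.0


def matched_command(cmdline: str) -> Optional[str]:
    """Return the discovery command a wmic command line contains, or None."""
    low = " ".join(cmdline.lower().split())  # normalise case and whitespace
    if "wmic" not in low:
        return None
    for cmd in DISCOVERY_COMMANDS:
        if cmd in low:
            return cmd
    return None


def correlate(events: List[Dict]) -> List[Dict]:
    """Flag (host, parent_pid) groups in which all three discovery commands
    were seen within WINDOW_SECONDS of each other. One alert per group."""
    by_parent = defaultdict(list)
    for ev in events:
        cmd = matched_command(ev["cmdline"])
        if cmd:
            by_parent[(ev["host"], ev["parent_pid"])].append((ev["ts"], cmd))

    alerts = []
    for (host, ppid), hits in by_parent.items():
        hits.sort()  # time-ordered
        for i, (t0, _) in enumerate(hits):
            # every distinct command seen in the window starting at hit i
            in_window = {cmd for ts, cmd in hits[i:] if ts - t0 <= WINDOW_SECONDS}
            if in_window == set(DISCOVERY_COMMANDS):
                alerts.append({"host": host, "parent_pid": ppid, "start": t0})
                break
    return alerts


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    # ws01: the full sequence from one parent within 0.6 s -> should alert
    {"ts": 1675700000.0, "host": "ws01", "parent_pid": 4321, "cmdline": "wmic os get Caption"},
    {"ts": 1675700000.3, "host": "ws01", "parent_pid": 4321, "cmdline": "wmic path win32_VideoController get name"},
    {"ts": 1675700000.6, "host": "ws01", "parent_pid": 4321, "cmdline": "wmic cpu get name"},
    # ws02: a lone inventory query, the kind of thing a generic rule would flag
    {"ts": 1675700010.0, "host": "ws02", "parent_pid": 888, "cmdline": "wmic os get Caption"},
    # ws03: all three commands, but a minute apart each -> outside the window
    {"ts": 1675700100.0, "host": "ws03", "parent_pid": 77, "cmdline": "wmic cpu get name"},
    {"ts": 1675700160.0, "host": "ws03", "parent_pid": 77, "cmdline": "wmic os get Caption"},
    {"ts": 1675700220.0, "host": "ws03", "parent_pid": 77, "cmdline": "wmic path win32_VideoController get name"},
]


def run_sample() -> List[Dict]:
    """Run the correlation over the constructed sample; only ws01 should fire."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Keying on (host, parent_pid) is a stand-in for "the same actor"; it is what lets ws02's single inventory query and ws03's slow, spread-out queries pass while the tight sequence on ws01 fires, which is the false-positive reduction the comment is after.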

@frack113 frack113 added the Author Input Required changes that require information from the original author of the rules label Jan 27, 2023
@nasbench nasbench added the Work In Progress Some changes are needed label Jan 30, 2023
Co-authored-by: phantinuss <[email protected]>
@nasbench
Member

nasbench commented Feb 6, 2023

After thinking a bit about it, I would say we could test the rule in its current form and see the results. If too many FPs arise we simply reduce it to low or remove the CLIs generating a lot of FPs, and in the future we add a variation using correlations.

@nasbench nasbench removed Work In Progress Some changes are needed Author Input Required changes that require information from the original author of the rules labels Feb 6, 2023
@phantinuss
Collaborator

Agreed. As medium we can try.


4 participants