Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Rule Tuning] Startup or Run Key Registry Modification #3357

Closed
psanz-estc opened this issue Dec 29, 2023 · 3 comments · Fixed by #3367
Closed

[Rule Tuning] Startup or Run Key Registry Modification #3357

psanz-estc opened this issue Dec 29, 2023 · 3 comments · Fixed by #3367
Assignees
@w0rk3r
Labels
OS: Windows windows related rules Rule: Tuning tweaking or tuning an existing rule

Comments

@psanz-estc
Copy link

psanz-estc commented Dec 29, 2023
edited by shashank-elastic
Loading

Link to rule

https://www.elastic.co/guide/en/security/current/startup-or-run-key-registry-modification.html

Description

Rule "Startup or Run Key Registration Modification" leads to a lot of false positives alerts in the rule due to the registry.path(ie MS Office using different registry keys for different users).

One option would be to create exceptions based on some fields (such as process.name) but it is not clear if we would be allowing rogue binaries to go unnoticed./

Example Data

In the capture below we can see registry.path and process.name

Registry.path changes from user to user, so each alert is different
Creating exceptions based on process.name would open the door to non legit binaries going under the radar
@psanz-estc psanz-estc added the Rule: Tuning tweaking or tuning an existing rule label Dec 29, 2023
@w0rk3r w0rk3r self-assigned this Jan 2, 2024
@ibotello
Copy link

ibotello commented Jan 3, 2024

Example Data

consultaelastic png

@w0rk3r w0rk3r mentioned this issue Jan 3, 2024
Closed
@w0rk3r w0rk3r added the OS: Windows windows related rules label Jan 3, 2024
@w0rk3r w0rk3r mentioned this issue Jan 5, 2024
Merged
@w0rk3r
Copy link
Contributor

w0rk3r commented Jan 5, 2024
edited
Loading

Hey @psanz-estc @ibotello, I've just pushed #3367 to solve the majority of the FPs that this rule is generating, let me know if you have any feedback on it ;)

And thanks for bringing this to our attention, we are doing a review on the entire ruleset as part of #3186, but do not hesitate to open a tuning issue in the repo if any rule is generating a considerable amount of FPs.

@psanz-estc
Copy link
Author

hi @w0rk3r , even after upgrading to version 8.11.7 (released on Jan 25th) we still see quite a lot false positives for Startup or Run Key Registration Modification rule

image

As you can see in the image above, at least in this case, it seems it seems all related to msedge.exe (but could be circumstantial) .

Any chance this could be improved?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@w0rk3r w0rk3r

Labels
OS: Windows windows related rules Rule: Tuning tweaking or tuning an existing rule
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Rule Tuning] Startup or Run Key Registry Modification elastic/detection-rules
4 participants
@w0rk3r @psanz-estc @ibotello @terrancedejesus