
Rule incorrectly identifies our driver (Topaz Systems - www.topazsystems.com) as using Windows Credential Editor #5170

Open
m1keam opened this issue Jan 24, 2025 · 2 comments
Labels: Create Pull-Request (issues that should be provided as a pull request), False-Positive (issue reporting a false positive with one of the rules)

Comments


m1keam commented Jan 24, 2025

Rule UUID

7aa7009a-28b9-4344-8c1f-159489a390df

Example EventLog

```yaml
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        Hashes|contains: # Sysmon field hashes contains all types
            - IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f
            - IMPHASH=e96a73c7bf33a464c510ede582318bf2
    selection_2:
        CommandLine|endswith: '.exe -S'
        ParentImage|endswith: '\services.exe'
    filter:
        Image|endswith: '\clussvc.exe'
    condition: 1 of selection_* and not filter
falsepositives:
    - Another service that uses a single -s command line switch
```

Description

Our driver loads as "atwusb.exe -s". This tells it to load at system level to be able to access user context of current session for mapping the displays. It also supports other switches and can load in the user context. The driver is developed for us by Viewsonic. It makes NO USE of Windows Credential Editor. Have they posted a request?
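As an added example, not code from the Sigma project or from the reporter: a minimal evaluator for the rule logic quoted above, run over constructed process_creation events (paths and hash values are placeholders), to show that selection_2 alone, not the IMPHASH selection, is what fires on a service started with a lone `-s` switch. Sigma string modifiers match case-insensitively, so `'.exe -S'` also matches a lowercase `-s`.

```python
# Added example (not Sigma project code): evaluates the quoted rule fragment
# against constructed Sysmon-style process_creation events. Sigma string
# modifiers are case-insensitive, so '.exe -S' matches 'atwusb.exe -s'.
RULE = {
    "selection_1": {"Hashes|contains": [
        "IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f",
        "IMPHASH=e96a73c7bf33a464c510ede582318bf2"]},
    "selection_2": {"CommandLine|endswith": ".exe -S",
                    "ParentImage|endswith": "\\services.exe"},
    "filter": {"Image|endswith": "\\clussvc.exe"},
}

def _entry_matches(event, spec, values):
    """One 'Field|modifier' entry; a list of values is OR-ed."""
    field, modifier = spec.split("|")
    actual = str(event.get(field, "")).lower()
    for value in values if isinstance(values, list) else [values]:
        value = value.lower()
        if modifier == "contains" and value in actual:
            return True
        if modifier == "endswith" and actual.endswith(value):
            return True
    return False

def selection_matches(event, selection):
    """All entries of one selection map are AND-ed."""
    return all(_entry_matches(event, s, v) for s, v in selection.items())

def fired_selections(event):
    """Names of the selection_* blocks that match this event."""
    return [n for n, sel in RULE.items()
            if n.startswith("selection_") and selection_matches(event, sel)]

def rule_matches(event):
    """condition: 1 of selection_* and not filter"""
    return bool(fired_selections(event)) and not selection_matches(event, RULE["filter"])

# Constructed sample events (not real telemetry; paths/hashes are placeholders).
SERVICES = r"C:\Windows\System32\services.exe"
EVENTS = {
    "topaz": {"Image": r"C:\Placeholder\atwusb.exe", "CommandLine": "atwusb.exe -s",
              "ParentImage": SERVICES, "Hashes": "IMPHASH=PLACEHOLDER"},
    "clussvc": {"Image": r"C:\Windows\Cluster\clussvc.exe", "CommandLine": "clussvc.exe -s",
                "ParentImage": SERVICES, "Hashes": "IMPHASH=PLACEHOLDER"},
    "svchost": {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs",
                "ParentImage": SERVICES, "Hashes": "IMPHASH=PLACEHOLDER"},
}

for name, ev in EVENTS.items():
    print(name, fired_selections(ev), "alert" if rule_matches(ev) else "no alert")
```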

m1keam added the False-Positive label Jan 24, 2025

Contributor

Welcome @m1keam 👋

It looks like this is your first issue on the Sigma rules repository!

The following repository accepts issues related to false positives or 'rule ideas'.

If you're reporting an issue related to the pySigma library please consider submitting it here

If you're reporting an issue related to the deprecated sigmac library please consider submitting it here

Thanks for taking the time to open this issue, and welcome to the Sigma community! 😃

@m1keam m1keam changed the title Rule incorrectly identifies our driver as using Windows Credential Editor Rule incorrectly identifies our driver (Topaz Systems - www.topazsystems.com) as using Windows Credential Editor Feb 3, 2025
Member

nasbench commented Feb 3, 2025

Hey, that specific selection is prone to false positives indeed and cannot be classified as a critical indicator. I will get it fixed soon. Thanks for reporting.

nasbench added the Create Pull-Request label Feb 3, 2025