Merge branch 'master' into pr/2231

2021-11-11 18:09:23 +01:00
parent 8291aba4d3 81922af134
commit 4e2e75cd2f
108 changed files with 596 additions and 194 deletions
@@ -24,7 +24,7 @@ jobs:
    - name: Install dependencies
      run: |
        python -m pip install --upgrade pip
-        pip install pipenv
+        pip install pipenv==2021.5.29
        pipenv lock
        pipenv install --dev --deploy
    - name: Test Sigma Tools and Rules
@@ -14,7 +14,7 @@ tags:
 status: experimental
 date: 2021/08/23
 logsource:
-  product: Windows
+  product: windows
  category: file_event
 detection:
  #useful_information: Please add more file extensions and magic bytes to the logic of your choice. 
@@ -26,20 +26,20 @@ detection:
      - 'outlook.exe'
  selection2:
    FileName|endswith:
-    - ".exe"
-    - ".dll"
-    - ".ocx"
-    - ".com"
-    - ".ps1"
-    - ".vbs"
-    - ".sys"
-    - ".bat"
-    - ".scr"
-    - ".proj"
+      - ".exe"
+      - ".dll"
+      - ".ocx"
+      - ".com"
+      - ".ps1"
+      - ".vbs"
+      - ".sys"
+      - ".bat"
+      - ".scr"
+      - ".proj"
  selection3:
    FileMagicBytes|startswith:
-    - "4D5A"
+      - "4D5A"
  condition: selection1 and (selection2 or selection3)
 falsepositives:
- Unknown
+  - Unknown
 level: high
@@ -9,7 +9,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
    category: ThreatManagement
-    service: m365
+    product: m365
 detection:
    selection:
        eventSource: SecurityComplianceCenter
@@ -9,7 +9,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
    category: ThreatManagement
-    service: m365
+    product: m365
 detection:
    selection:
        eventSource: SecurityComplianceCenter
@@ -9,7 +9,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
    category: ThreatManagement
-    service: m365
+    product: m365
 detection:
    selection:
        eventSource: SecurityComplianceCenter
@@ -9,7 +9,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
    category: ThreatManagement
-    service: m365
+    product: m365
 detection:
    selection:
        eventSource: SecurityComplianceCenter
@@ -9,7 +9,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
    category: ThreatDetection
-    service: m365
+    product: m365
 detection:
    selection:
        eventSource: SecurityComplianceCenter
@@ -10,7 +10,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
    category: ThreatManagement
-    service: Office365
+    product: m365
 detection:
    selection:
        eventSource: SecurityComplianceCenter
@@ -9,7 +9,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
    category: ThreatManagement
-    service: m365
+    product: m365
 detection:
    selection:
        eventSource: SecurityComplianceCenter
@@ -9,7 +9,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
    category: ThreatManagement
-    service: Microsoft365
+    product: m365
 detection:
    selection:
        eventSource: SecurityComplianceCenter
@@ -9,7 +9,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
    category: ThreatManagement
-    service: m365
+    product: m365
 detection:
    selection:
        eventSource: SecurityComplianceCenter
@@ -9,7 +9,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
    category: ThreatManagement
-    service: m365
+    product: m365
 detection:
    selection:
        eventSource: SecurityComplianceCenter
@@ -9,7 +9,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
    category: ThreatManagement
-    service: Microsoft365
+    product: m365
 detection:
    selection:
        eventSource: SecurityComplianceCenter
@@ -9,7 +9,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
    category: ThreatManagement
-    service: Microsoft365
+    product: m365
 detection:
    selection:
        eventSource: SecurityComplianceCenter
@@ -11,11 +11,13 @@ references:
 logsource:
    category: dns
 detection:
-    selection:
+    selection1:
        query|startswith:
            - 'aaa.stage.' 
            - 'post.1'
-    condition: selection
+    selection2:
+        query|contains: '.stage.123456.'
+    condition: 1 of them
 falsepositives:
    - Unknown
 level: critical
@@ -4,17 +4,20 @@ status: experimental
 description: Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike
 author: Florian Roth
 date: 2021/05/06
+modified: 2021/11/02
 references:
  - https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/
 logsource:
  category: proxy
 detection:
-  selection:
+  selection1:
    c-useragent: 
-        - "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)"
-        - "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )"
-        - "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08"
-  condition: selection
+      - "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)"
+      - "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )"
+      - "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08"
+  selection2:
+    c-useragent|endswith: '; MANM; MANM)'
+  condition: 1 of them
 falsepositives:
  - Unknown
 level: critical
@@ -10,7 +10,7 @@ references:
    - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
 logsource:
    product: windows
-    service: Microsoft-ServiceBus-Client
+    service: microsoft-servicebus-client
 detection:
    selection:
        EventID:
@@ -3,7 +3,9 @@ id: fd0f5778-d3cb-4c9a-9695-66759d04702a
 related:
    - id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
      type: derived
-description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
+description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references"
+references: 
+    - https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
 status: experimental
 author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
 date: 2019/11/08
@@ -4,8 +4,9 @@ description: This method uses uncommon error codes on failed logons to determine
    restricted.
 author: Florian Roth
 date: 2017/02/19
-modified: 2020/08/23
+modified: 2021/10/29
 references:
+    - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
    - https://twitter.com/SBousseaden/status/1101431884540710913
 tags:
    - attack.persistence
@@ -28,7 +29,9 @@ detection:
            - '0xC0000413'  # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
            - '0xC000018C'  # The logon request failed because the trust relationship between the primary domain and the trusted domain failed
            - '0xC000015B'  # The user has not been granted the requested logon type (aka logon right) at this machine
-    condition: selection
+    filter:
+        SubjectUserSid: 'S-1-0-0'
+    condition: selection and not filter
 falsepositives:
    - User using a disabled account
 level: high
@@ -4,7 +4,7 @@ description: Detects process handle on LSASS process with certain access mask
 status: experimental
 author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)
 date: 2019/11/01
-modified: 2021/04/19
+modified: 2021/11/09
 references:
    - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
@@ -53,6 +53,9 @@ detection:
            - '\minionhost.exe'  # Cyberreason
            - '\VsTskMgr.exe'    # McAfee Enterprise
            - '\thor64.exe'      # THOR
+            - '\MicrosoftEdgeUpdate.exe'
+            - '\GamingServices.exe'
+            - '\svchost.exe'
        ProcessName|startswith:
            - C:\Windows\System32\
            - C:\Windows\SysWow64\
@@ -0,0 +1,30 @@
+title: Suspicious Cobalt Strike DNS Beaconing
+id: f356a9c4-effd-4608-bbf8-408afd5cd006
+status: experimental
+description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
+author: Florian Roth
+date: 2021/11/09
+references:
+    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
+    - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
+tags:
+    - attack.command_and_control
+    - attack.t1071 # an old one
+    - attack.t1071.004
+logsource:
+    product: windows
+    category: dns_query
+detection:
+    selection1:
+        QueryName|startswith:
+            - 'aaa.stage.' 
+            - 'post.1'
+    selection2:
+        QueryName|contains: '.stage.123456.'
+    condition: 1 of them
+fields:
+    - Image
+    - CommandLine
+falsepositives:
+    - Unknown
+level: critical
@@ -6,7 +6,7 @@ related:
 description: Detects well-known credential dumping tools execution via service execution events
 author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
 date: 2017/03/05
-modified: 2021/10/14
+modified: 2021/11/10
 references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 tags:
@@ -26,7 +26,7 @@ logsource:
    category: driver_load
 detection:
    selection:
-        ImagePath|contains:
+        ImageLoaded|contains:
            - 'fgexec'
            - 'dumpsvc'
            - 'cachedump'
@@ -1,4 +1,4 @@
-title: WMI Command Execution by Office Applications
+title: EDR WMI Command Execution by Office Applications
 id: 3ee1bba8-b9e2-4e35-bec5-7fb66b6b3815
 description: Initial execution of malicious document calls wmic Win32_Process::Create to execute the file with regsvr32
 references:
@@ -13,9 +13,10 @@ tags:
    - attack.defense_evasion
 status: experimental
 date: 2021/08/23
+modified: 2021/11/09
 logsource:
-  product: EndPoint Detection Logs
-  category: process_creation
+  product: windows
+  category: edr
 detection:
  #useful_information: Add more office applications to the rule logic of choice
  selection1:
@@ -0,0 +1,21 @@
+title: Mimikatz Kirbi File Creation
+id: 9e099d99-44c2-42b6-a6d8-54c3545cab29
+status: test
+description: Detects the creation of files that contain Kerberos tickets based on an extension used by the popular tool Mimikatz
+author: Florian Roth
+references:
+    - https://cobalt.io/blog/kerberoast-attack-techniques
+date: 2021/11/08
+tags:
+    - attack.credential_access
+    - attack.t1558
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        TargetFilename|endswith: '.kirbi'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: critical
@@ -13,29 +13,30 @@ tags:
    - attack.defense_evasion
 status: experimental
 date: 2021/08/23
+modified: 2021/11/10
 logsource:
-  product: Windows
-  category: file_event
+    product: windows
+    category: file_event
 detection:
-  #useful_information: Please add more file extensions to the logic of your choice. 
-  selection1:
-    Image|endswith:
-      - 'winword.exe'
-      - 'excel.exe'
-      - 'powerpnt.exe'
-  selection2:
-    TargetFileName|endswith:
-    - ".exe"
-    - ".dll"
-    - ".ocx"
-    - ".com"
-    - ".ps1"
-    - ".vbs"
-    - ".sys"
-    - ".bat"
-    - ".scr"
-    - ".proj"
-  condition: selection1 and selection2
+    #useful_information: Please add more file extensions to the logic of your choice. 
+    selection1:
+        Image|endswith:
+            - 'winword.exe'
+            - 'excel.exe'
+            - 'powerpnt.exe'
+    selection2:
+        TargetFilename|endswith:
+            - ".exe"
+            - ".dll"
+            - ".ocx"
+            - ".com"
+            - ".ps1"
+            - ".vbs"
+            - ".sys"
+            - ".bat"
+            - ".scr"
+            - ".proj"
+    condition: selection1 and selection2
 falsepositives:
- Unknown
+    - Unknown
 level: high
@@ -14,7 +14,7 @@ logsource:
    product: windows
 detection:
    selection:
-        ParentImage|endswith: '\msbuild.exe'
+        Image|endswith: '\msbuild.exe'
    filter:
        DestinationPort:
            - '80'
@@ -38,9 +38,11 @@ detection:
            - '\FSAssessment.exe'
            - '\MobaRTE.exe'
            - '\chrome.exe'
+            - '\System32\dns.exe'
            - '\thor.exe'
            - '\thor64.exe'
    condition: selection and not filter 
 falsepositives:
    - Other Remote Desktop RDP tools
+    - domain controller using dns.exe
 level: high
@@ -9,8 +9,8 @@ references:
    - https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
    - https://github.com/BloodHoundAD/SharpHound3/blob/master/SharpHound3/LdapBuilder.cs
 logsource:
-    category: ldap_query
    product: windows
+    service: ldap_debug
    definition: 'Requires Microsoft-Windows-LDAP-Client/Debug ETW logging'
 detection:
    generic_search:
@@ -5,7 +5,7 @@ related:
      type: derived
 description: Detects disabling Windows Defender threat protection
 date: 2020/07/28
-modified: 2021/09/21
+modified: 2021/11/09
 author: Ján Trenčanský, frack113
 references:
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
@@ -17,7 +17,7 @@ tags:
    - attack.t1562.001
 logsource:
    product: windows
-    category: system
+    service: system
 detection:
    selection3:
        EventID: 7036
@@ -3,7 +3,7 @@ id: 1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3
 description: Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.
 status: experimental
 date: 2021/10/08
-modified: 2021/10/08
+modified: 2021/11/07
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
    - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml
@@ -14,7 +14,7 @@ tags:
    - attack.t1005
 logsource:
    product: windows
-    service: pipe_connected
+    category: pipe_created
 detection:
    selection:
        PipeName: '\MICROSOFT##WID\tsql\query'
@@ -30,4 +30,4 @@ detection:
    condition: selection and not filter
 falsepositives:
    - Processes in the filter condition
-level: critical
+level: critical
@@ -14,7 +14,7 @@ tags:
 status: experimental
 date: 2021/08/23
 logsource:
-  product: Windows
+  product: windows
  category: process_creation
 detection:
  #useful_information: add more LOLBins to the rules logic of your choice.
@@ -14,7 +14,7 @@ tags:
 status: experimental
 date: 2021/08/23
 logsource:
-  product: Windows
+  product: windows
  category: process_creation
 detection:
  #useful_information: add more LOLBins to the rules logic of your choice.
@@ -13,6 +13,7 @@ tags:
    - attack.defense_evasion
 status: experimental
 date: 2021/08/23
+modified: 2021/11/10
 logsource:
  product: windows
  category: process_creation
@@ -24,11 +25,11 @@ detection:
    - OriginalFileName: 'wmic.exe'
    - Description: 'WMI Commandline Utility'
  selection2:
-     ParentPrcessName|endswith:
+    ParentImage|endswith:
      - winword.exe
      - excel.exe
      - powerpnt.exe
  condition: selection1 and selection2
 falsepositives:
- Unknown
+  - Unknown
 level: high
@@ -13,14 +13,15 @@ tags:
    - attack.defense_evasion
 status: experimental
 date: 2021/08/23
+modified: 2021/11/09
 logsource:
-  product: Windows
+  product: windows
  category: process_creation
 detection:
  #useful_information: add more LOLBins to the rules logic of your choice.
  selection1:
    - Image|endswith: '\wbem\WMIC.exe'
-    - ProcessCommandLine|contains: 'wmic '
+    - ParentCommandLine|contains: 'wmic '
    - OriginalFileName: 'wmic.exe'
    - Description: 'WMI Commandline Utility'
  selection2:
@@ -32,11 +33,11 @@ detection:
      - 'verclsid'
  selection3:
    ParentImage|endswith:
-    - winword.exe
-    - excel.exe
-    - powerpnt.exe
+      - winword.exe
+      - excel.exe
+      - powerpnt.exe
  selection4:
-    processCommandLine|contains|all: 
+    ParentCommandLine|contains|all: 
      - 'process'
      - 'create'
      - 'call'
@@ -13,13 +13,14 @@ tags:
    - attack.defense_evasion
 status: experimental
 date: 2021/08/23
+modified: 2021/11/09
 logsource:
-  product: Windows
+  product: windows
  category: process_creation
 detection:
  #useful_information: add more LOLBins to the rules logic of your choice.
  selection1:
-    ProcessCommandLine:
+    ParentCommandLine:
      - '*regsvr32*'
      - '*rundll32*'
      - '*msiexec*'
@@ -27,14 +28,14 @@ detection:
      - '*verclsid*'
  selection2:
    - Image|endswith: '\wbem\WMIC.exe'
-    - ProcessCommandLine|contains: 'wmic '
+    - ParentCommandLine|contains: 'wmic '
  selection3:
    ParentImage|endswith:
-    - winword.exe
-    - excel.exe
-    - powerpnt.exe
+      - winword.exe
+      - excel.exe
+      - powerpnt.exe
  selection4:
-    processCommandLine|contains|all: 
+    ParentCommandLine|contains|all: 
      - 'process'
      - 'create'
      - 'call' 
@@ -13,19 +13,20 @@ tags:
    - attack.defense_evasion
 status: experimental
 date: 2021/08/23
+modified: 2021/11/09
 logsource:
  product: windows
  category: process_creation
 detection:
 #useful_information: Add more office applications to the rule logic of choice
  selection1:
-  - Image|endswith: '\wbem\WMIC.exe'
-  - ProcessCommandLine|contains: 'wmic '
+    - Image|endswith: '\wbem\WMIC.exe'
+    - ParentCommandLine|contains: 'wmic '
  selection2:
-   ParentImage:
-    - winword.exe
-    - excel.exe
-    - powerpnt.exe
+    ParentImage:
+      - winword.exe
+      - excel.exe
+      - powerpnt.exe
  condition: selection1 and selection2
 falsepositives:
 - Unknown
@@ -0,0 +1,33 @@
+title: Suspicious ZipExec Execution
+id: 90dcf730-1b71-4ae7-9ffc-6fcf62bd0132
+status: experimental
+description: ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
+references:
+    - https://twitter.com/SBousseaden/status/1451237393017839616
+    - https://github.com/Tylous/ZipExec
+tags:
+    - attack.execution
+    - attack.defense_evasion
+    - attack.t1218
+    - attack.t1202
+author: frack113
+date: 2021/11/07
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    run:
+        CommandLine|contains|all:
+            - '/generic:Microsoft_Windows_Shell_ZipFolder:filename='
+            - '.zip'
+            - '/pass:'
+            - '/user:'
+    delete:
+        CommandLine|contains|all:
+            - '/delete'
+            - 'Microsoft_Windows_Shell_ZipFolder:filename='
+            - '.zip'
+    condition: run or delete
+falsepositives:
+    - unknown
+level: medium
@@ -6,7 +6,7 @@ references:
    - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
 author: Florian Roth, Max Altgelt
 date: 2021/07/14
-modified: 2021/08/10
+modified: 2021/11/11
 tags:
    - attack.execution
 logsource:
@@ -32,6 +32,7 @@ detection:
            - ' >'
            - 'Out-File'
            - 'ConvertTo-Json'
+            - '-WindowStyle hidden -Verb runAs'  # VSCode behaviour if file cannot be written as current user
    condition: selection and not filter
 falsepositives:
    - Administrative scripts
@@ -6,7 +6,7 @@ references:
    - https://dtm.uk/wuauclt/
 author: FPT.EagleEye Team
 date: 2020/10/17
-modified: 2021/05/12
+modified: 2021/11/09
 tags:
    - attack.command_and_control
    - attack.execution
@@ -17,7 +17,7 @@ logsource:
    category: process_creation
 detection:
    selection:
-        ProcessCommandLine|contains|all: 
+        CommandLine|contains|all: 
            - '/UpdateDeploymentProvider'
            - '/RunHandlerComServer'
        Image|endswith: 
@@ -6,7 +6,7 @@ references:
    - https://twitter.com/subTee/status/1216465628946563073
    - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26
 date: 2020/01/13
-modified: 2021/05/30
+modified: 2021/11/06
 author: Sreeman
 tags:
    - attack.defense_evasion
@@ -15,9 +15,9 @@ tags:
    - attack.t1574.002
    - attack.t1059  # an old one
    - attack.t1064  # an old one
-
 logsource:
    product: windows
+    category: process_creation
 detection:
    selection1:
        CommandLine|contains:
@@ -3,7 +3,7 @@ id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
 description: Detects wmiprvse spawning processes
 status: experimental
 date: 2019/08/15
-modified: 2021/08/26
+modified: 2021/11/10
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190810201010.html
@@ -20,20 +20,15 @@ detection:
        - LogonId: 
            - '0x3e7'  # LUID 999 for SYSTEM
            - 'null'   # too many false positives
-        - SubjectLogonId:
-            - '0x3e7'  # LUID 999 for SYSTEM
-            - 'null'   # too many false positives
        - User|startswith: 
            - 'NT AUTHORITY\SYSTEM'  # if we don't have LogonId data, fallback on username detection
            - 'AUTORITE NT\Sys' # French language settings
        - Image|endswith: 
            - '\WmiPrvSE.exe'
            - '\WerFault.exe'
-    filter_null1:  # some backends need the null value in a separate expression
+    filter_null:  # some backends need the null value in a separate expression
        LogonId: null
-    filter_null2:  # some backends need the null value in a separate expression
-        SubjectLogonId: null
-    condition: selection and not filter and not filter_null1 and not filter_null2
+    condition: selection and not filter and not filter_null
 falsepositives:
    - Unknown
 level: high
--- a/Show More
+++ b/Show More