fix: remove rule causing many FPs
This commit is contained in:
Florian Roth
@@ -1,22 +0,0 @@
|
||||
title: Base64 Encoded Command Line Param Indicator
|
||||
id: eee65975-bfb8-41e6-af33-18011ba24c99
|
||||
status: experimental
|
||||
description: Detects programs that use base64 encoded values provided via command line, which is often an indicator of obfuscation but could also be used for legitimate purposes (e.g. if certain special characters would mess with the command line interface, enccrypted keys etc.)
|
||||
author: Florian Roth
|
||||
date: 2022/04/05
|
||||
modified: 2022/04/08
|
||||
references:
|
||||
- https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/d
|
||||
logsource:
|
||||
product: windows
|
||||
category: process_creation
|
||||
detection:
|
||||
selection:
|
||||
- CommandLine|endswith: '=='
|
||||
- CommandLine|contains: '== -'
|
||||
filter:
|
||||
Image|endswith: '\VeeamAgent.exe'
|
||||
condition: selection and not 1 of filter*
|
||||
falsepositives:
|
||||
- Legitimate software that uses base64 encoded values in its command line
|
||||
level: medium
|
||||
Reference in New Issue
Block a user