From 0857670a0cd086f5d87e03799e335f4ec76c5d42 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 9 Apr 2022 19:25:46 +0200
Subject: [PATCH 1/2] fix: removed base64 encoded param
---
 ...creation_win_susp_base64_cmdline_param.yml | 19 -------------------
 1 file changed, 19 deletions(-)
 delete mode 100644 rules/windows/process_creation/proc_creation_win_susp_base64_cmdline_param.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_base64_cmdline_param.yml b/rules/windows/process_creation/proc_creation_win_susp_base64_cmdline_param.yml
deleted file mode 100644
index 69e6cf857..000000000
--- a/rules/windows/process_creation/proc_creation_win_susp_base64_cmdline_param.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-title: Base64 Encoded Command Line Param Indicator
-id: eee65975-bfb8-41e6-af33-18011ba24c99
-status: experimental
-description: Detects programs that use base64 encoded values provided via command line, which is often an indicator of obfuscation but could also be used for legitimate purposes (e.g. if certain special characters would mess with the command line interface, enccrypted keys etc.)
-author: Florian Roth
-date: 2022/04/05
-references:
- - https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/d
-logsource:
- product: windows
- category: process_creation
-detection:
- selection:
- - CommandLine|endswith: '=='
- - CommandLine|contains: '== -'
- condition: selection
-falsepositives:
- - Legitimate software that uses base64 encoded values in its command line
-level: medium
From 87d06a4f6d31b6ee4f601ebd9fc490d41e5a650e Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 9 Apr 2022 19:33:55 +0200
Subject: [PATCH 2/2] fix: remove rule causing many FPs
---
 ...creation_win_susp_base64_cmdline_param.yml | 22 ----------------------
 1 file changed, 22 deletions(-)
 delete mode 100644 rules/windows/process_creation/proc_creation_win_susp_base64_cmdline_param.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_base64_cmdline_param.yml b/rules/windows/process_creation/proc_creation_win_susp_base64_cmdline_param.yml
deleted file mode 100644
index f6e9e1c00..000000000
--- a/rules/windows/process_creation/proc_creation_win_susp_base64_cmdline_param.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-title: Base64 Encoded Command Line Param Indicator
-id: eee65975-bfb8-41e6-af33-18011ba24c99
-status: experimental
-description: Detects programs that use base64 encoded values provided via command line, which is often an indicator of obfuscation but could also be used for legitimate purposes (e.g. if certain special characters would mess with the command line interface, enccrypted keys etc.)
-author: Florian Roth
-date: 2022/04/05
-modified: 2022/04/08
-references:
- - https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/d
-logsource:
- product: windows
- category: process_creation
-detection:
- selection:
- - CommandLine|endswith: '=='
- - CommandLine|contains: '== -'
- filter:
- Image|endswith: '\VeeamAgent.exe'
- condition: selection and not 1 of filter*
-falsepositives:
- - Legitimate software that uses base64 encoded values in its command line
-level: medium