
Fixed more fps #5224

Open
wants to merge 11 commits into
base: master
Choose a base branch
from

Conversation

swachchhanda000
Contributor

@swachchhanda000 swachchhanda000 commented Mar 5, 2025

Summary of the Pull Request

This makes a small change to the Python Initiated Connection rule to reduce the false positives.

Changelog

fix: Python Initiated Connection: modified the image to remove the fp
fix: Potential Binary Or Script Dropper Via PowerShell: added filters to remove fp
fix: Potential WinAPI Calls Via CommandLine: added filters to remove fp
fix: Elevated System Shell Spawned From Uncommon Parent Location: Added new filter for parentimage with '-' value
fix: Windows Processes Suspicious Parent Directory: Added new filter for parentimage with '-' value
fix: Whoami.EXE Execution Anomaly: Added new filter for parentimage with '-' value
fix: Conhost Spawned By Uncommon Parent Process: Added filter for new type of svchost parentcommandline
update: Elevated System Shell Spawned: Added powershell_ise.exe

Example Log Event

  1. Python Initiated Connection
[Screenshot 2025-03-05 at 7 39 48 PM]

This rule causes an FP for me when you don't have Python accessible in your cmd env; it then redirects you to the Windows App Store portal to download Python.

  2. Potential Binary Or Script Dropper Via PowerShell
[Screenshot 2025-03-05 at 9 31 24 PM]
  3. Potential WinAPI Calls Via CommandLine
[Screenshot 2025-03-05 at 9 32 37 PM]
  4. Elevated System Shell Spawned From Uncommon Parent Location
[Screenshot 2025-03-06 at 11 21 18 AM]
  5. Conhost Spawned By Uncommon Parent Process
[Screenshot 2025-03-06 at 1 10 32 PM] [Screenshot 2025-03-06 at 1 10 46 PM]

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions
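The changelog above adds filters for a ParentImage value of '-' (the value Sysmon records when it cannot populate the parent process field). The following is an added example, not SigmaHQ rule text or tooling: a minimal evaluator for the Sigma rule shape `selection and not 1 of filter_*`, run over constructed Sysmon-style events, using a hypothetical rule whose field values are assumptions made for this demo. It also counts how many events each filter suppresses, which is the check to run before merging a filter like this, since an unresolved parent hides true positives just as well as false ones.

```python
# Added example (not SigmaHQ code): tiny evaluator for a rule with
# "condition: selection and not 1 of filter_*", as used by the PR's
# ParentImage '-' filters. Field values below are constructed for the demo.
RULE = {
    "selection": {"Image|endswith": ["\\cmd.exe", "\\powershell.exe"],
                  "User|contains": "SYSTEM"},
    "filter_known_parent": {"ParentImage|startswith": [
        "C:\\Windows\\System32\\", "C:\\Windows\\SystemTemp\\"]},
    # The filter shape added by the PR: parent could not be resolved.
    "filter_unknown_parent": {"ParentImage": "-"},
}

def field_matches(event, key, want):
    """Sigma-style case-insensitive match with endswith/startswith/contains."""
    field, _, mod = key.partition("|")
    value = str(event.get(field, "")).lower()
    for w in (want if isinstance(want, list) else [want]):
        w = str(w).lower()
        if mod == "endswith" and value.endswith(w): return True
        if mod == "startswith" and value.startswith(w): return True
        if mod == "contains" and w in value: return True
        if mod == "" and value == w: return True
    return False

def block_matches(event, block):
    return all(field_matches(event, k, v) for k, v in block.items())

def evaluate(event, rule=RULE):
    """Returns 'no_match', 'alert', or 'filtered:<name>' of the first filter hit."""
    if not block_matches(event, rule["selection"]):
        return "no_match"
    for name, block in rule.items():
        if name.startswith("filter_") and block_matches(event, block):
            return "filtered:" + name
    return "alert"

# Constructed Sysmon EventID 1-style records (not real telemetry).
EVENTS = [
    {"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "-", "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Users\\Public\\loader.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "-", "User": "NT AUTHORITY\\SYSTEM"},
]

def summarize(events=EVENTS):
    """Count outcomes so the suppression effect of each filter is visible."""
    counts = {}
    for e in events:
        r = evaluate(e)
        counts[r] = counts.get(r, 0) + 1
    return counts
```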

@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels Mar 5, 2025
@swachchhanda000 swachchhanda000 changed the title Fixed the image to reduce the fp Fixed more fps Mar 5, 2025
Member

@frack113 frack113 left a comment


LGTM
As C:\Windows\SystemTemp\ is protected by design, the filter should not open up opportunities for attackers to bypass the rule.

Labels
Ready to Merge Rules Windows Pull request add/update windows related rules