Modify proc_creation_win_ping_hex_ip.yml to look for hexadecimal strings using regex

Open vasquja opened this issue 9 months ago • 4 comments

Summary of the Pull Request

I found false positives in my org's environment when pinging by hostname where the string '0x' is included in the hostname. For example, this rule would identify the command 'ping c0xk2jhf79' when this is a hostname, not a hex IP address. Using a regex, we can look for strings starting with 0x and containing 8 characters after, representing an IPv4 address, thereby reducing false-positive detections.

Changelog

Example Log Event

AccountName: SYSTEM
AccountType: User
Category: Process Create (rule: ProcessCreate)
Channel: Microsoft-Windows-Sysmon/Operational
CommandLine: ping c0xk2jhf79
Company: Microsoft Corporation
CurrentDirectory: F:
Description: TCP/IP Ping Command
Domain: NT AUTHORITY
EventCreated: 2025-04-02 15:00:35 Eastern Daylight Time
EventID: 1
EventReceivedTime: 2025-04-02T15:00:37.461571-04:00

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

vasquja avatar Apr 02 '25 20:04 vasquja

This is filtering out rare cases we saw during testing where ping generated an error which contained a hex error code, causing a false positive detection.

vasquja avatar Jun 10 '25 02:06 vasquja

> This is filtering out rare cases we saw during testing where ping generated an error which contained a hex error code, causing a false positive detection.

Was the error "ping generated an error which contained a hex error code" in the command line? It would be nice if you could share the log, please.

swachchhanda000 avatar Jun 10 '25 02:06 swachchhanda000

From my POV this PR is good to merge, but I would also be interested in an example log of the ping command error, because the error would be shown in the command output, not in the command line for process creation, would it?

phantinuss avatar Jun 12 '25 10:06 phantinuss

> This is filtering out rare cases we saw during testing where ping generated an error which contained a hex error code, causing a false positive detection.

> Was the error "ping generated an error which contained a hex error code" in the command line? It would be nice if you could share the log, please.

It actually is in the CommandLine, but it looks like poor error handling from an internal tool we developed that spat the error out there with ping. I will share it for curiosity's sake, but it is probably not useful as a filter for the wider community.

AccountName: SYSTEM
AccountType: User
Category: Process Create (rule: ProcessCreate)
Channel: Microsoft-Windows-Sysmon/Operational
CommandLine: "C:\windows\system32\PING.EXE" ERROR: Call was canceled by the message filter. (Exception from HRESULT: 0x80010002 (RPC_E_CALL_CANCELED)) -t
Company: Microsoft Corporation
CurrentDirectory: C:\Program Files\***\IS Toolkit\
Description: TCP/IP Ping Command
Domain: NT AUTHORITY
EventCreated: 2025-06-03 20:21:30 Eastern Daylight Time
EventID: 1
EventReceivedTime: 2025-06-03T20:21:32.026727-04:00
EventTime: 1748996490881919
EventType: INFO
ExecutionProcessID: 5004
ExecutionThreadID: 5228
FileVersion: 10.0.19041.1 (WinBuild.160101.0800)
Hashes: SHA1=9C13C854A4EF98879D0CAB80EF679B4C4ECCF518,MD5=2F46799D79D22AC72C241EC0322B011D,SHA256=7AF50FA112932EA3284F7821B2EEA2B7582F558DBA897231BB82182003C29F8B,IMPHASH=8C3BE1286CDAD6AC1136D0BB6C83FF41
Hostname: ***
IMPHASH: 8C3BE1286CDAD6AC1136D0BB6C83FF41
Image: C:\Windows\System32\PING.EXE
IntegrityLevel: Medium
Level: Information
LevelValue: 4
LogonGuid: {69AEEF1C-39ED-683F-8819-4C0200000000}
LogonId: 0x24c1988
MD5: 2F46799D79D22AC72C241EC0322B011D
Message: Process Create
Opcode: Info
OpcodeValue: 0
OriginalFileName: ping.exe
ParentCommandLine: "C:\Program Files\***\IS Toolkit\IS Toolkit.exe"
ParentImage: C:\Program Files\***\IS Toolkit\IS Toolkit.exe
ParentProcessGuid: {69AEEF1C-3D1B-683F-9203-00000000A600}
ParentProcessId: 5840
ParentUser: ***
ProcessGuid: {69AEEF1C-918A-683F-D404-00000000A600}
ProcessId: 484
Product: Microsoft® Windows® Operating System
ProviderGuid: {5770385F-C22A-43E0-BF4C-06F5698FFBD9}
RuleName: -
SHA1: 9C13C854A4EF98879D0CAB80EF679B4C4ECCF518
SHA256: 7AF50FA112932EA3284F7821B2EEA2B7582F558DBA897231BB82182003C29F8B
Severity: INFO
SeverityValue: 2
SourceModuleName: Sysmon
SourceName: Microsoft-Windows-Sysmon
TaskValue: 1
TerminalSessionId: 1
User: ***
UserID: S-1-5-18
UtcTime: 2025-06-04T00:21:30.852000-04:00
Version: 5

vasquja avatar Jun 12 '25 14:06 vasquja
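As an added example (not code from this PR, and not SigmaHQ's rule file), the two detection approaches discussed in the thread run side by side: the plain `contains '0x'` check the PR summary says the rule used, and the proposed "0x followed by eight hex digits" regex. The command lines are constructed for illustration; two of them are quoted from the thread (the `ping c0xk2jhf79` hostname from the summary and the HRESULT error from the log above). The `is_hresult_error_text` exclusion is an assumption modelled on that log, not the filter the PR actually adds, and `hex_ipv4_to_dotted` is extra enrichment so an analyst sees which address a hex literal resolves to.

```python
import re
from ipaddress import IPv4Address

# Constructed sample Sysmon EventID 1 CommandLine values. Two are quoted from the
# thread above ('ping c0xk2jhf79' and the HRESULT error); the rest are made up here.
SAMPLES = {
    "hostname_with_0x": "ping c0xk2jhf79",
    "hex_ip_uppercase": "ping 0xC0A80001",
    "hex_ip_with_flags": "ping -n 1 -w 500 0x7f000001",
    "hresult_error": (
        '"C:\\windows\\system32\\PING.EXE" ERROR: Call was canceled by the message '
        "filter. (Exception from HRESULT: 0x80010002 (RPC_E_CALL_CANCELED)) -t"
    ),
    "dotted_quad": "ping 10.0.0.1",
}


def contains_0x(cmdline: str) -> bool:
    """Original logic as described in the PR summary: CommandLine|contains '0x'.
    Sigma string matching is case-insensitive, hence the lower()."""
    return "0x" in cmdline.lower()


# Logic proposed in the PR: '0x' followed by exactly eight hex digits, the width of a
# 32-bit IPv4 address. The look-arounds keep a '0x' sitting inside a longer hex run
# (for example a 64-bit value) from matching.
HEX_IPV4_RE = re.compile(r"(?<![0-9A-Fa-f])0x([0-9A-Fa-f]{8})(?![0-9A-Fa-f])")


def find_hex_ipv4(cmdline: str):
    """Return the first 0x-prefixed eight-hex-digit token, or None."""
    m = HEX_IPV4_RE.search(cmdline)
    return m.group(0) if m else None


def hex_ipv4_to_dotted(token: str) -> str:
    """Decode '0xC0A80001' -> '192.168.0.1' so the real target is visible in the alert."""
    return str(IPv4Address(int(token, 16)))


def is_hresult_error_text(cmdline: str) -> bool:
    """Hypothetical exclusion for the HRESULT case shown in the thread.
    Assumption for illustration only; this is NOT the filter the PR adds."""
    return "Exception from HRESULT:" in cmdline


def evaluate(cmdline: str) -> dict:
    """Run both checks and the hypothetical exclusion over one command line."""
    token = find_hex_ipv4(cmdline)
    return {
        "contains_0x": contains_0x(cmdline),
        "hex_ipv4": token,
        "decoded": hex_ipv4_to_dotted(token) if token else None,
        "hresult_noise": is_hresult_error_text(cmdline),
        "alert": token is not None and not is_hresult_error_text(cmdline),
    }


if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(f"{name:18} {evaluate(cmd)}")
```

Running it shows the point of the PR and of the follow-up filter: the hostname `c0xk2jhf79` trips the substring check but not the regex, while `0x80010002` in the HRESULT line still matches the regex, because every 32-bit HRESULT is exactly eight hex digits, which is why a separate exclusion was needed for that tool. One caveat on the exact-eight-digit width: it assumes the operator typed the full 32-bit value; a hex literal with leading zeros dropped (such as `0xA000001` for 10.0.0.1) would not match, so check whether the ping build in your environment accepts shorter hex forms before treating the width constraint as a hard boundary.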