NextronSystems/thor-lite

Warning and Alerts which might be false positive, worth discussing

Closed this issue · 3 comments

Hello,
great tool first of all.

I've collected some alerts and warnings (not 100% sure about systemd though) I've found on my machine which I consider false positives; they can be categorized as:

systemd (flagged as Exaramel malware)
suricata (CobaltStrike)
vscode (flagged as suspicious due to /bin/bash; I was accessing ssh via vscode when I was using thor)
thor-lite-linux-64 (autoflagged as suspicious)

Here is the full log:
https://pastebin.com/skCLuj99

Are they effectively false positives, which the tool might consider adding as such?

Regards,

Hi @maxdd ,

there's a problem with that signature, which triggers on your processes and files.
The problem is that the included string is very specific and shouldn't appear on systems that aren't compromised.

https://google.com/search?q=%22configtx.json%22&oq=%22configtx.json%22

I see from the matched strings that the user (maybe you yourself) at some point in the past searched for that very specific filename:

find -name configtx.json
find / -name configtx.json
sudo find / -name configtx.json

This IOC polluted your system and caused the many different matches.
If you believe that this is legit behaviour, simply exclude all matches with the rule "APT_MAL_Sandworm_Exaramel_Configuration_Name_Encrypted" from the output.

https://thor-manual.nextron-systems.com/en/latest/usage/configuration.html#false-positives

Which alert/warning did the search pollute exactly? Is there a way to clean it?

Which alert/warning did the search pollute exactly?

All of them have to do with Exaramel, except the Suricata rule, which is an obvious match on rules of a different tool. (accepted)

Simply filter out "Exaramel" as described in the docs.

Is there a way to clean it?

Unlikely.
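The two maintainer replies above recommend suppressing the Exaramel matches with a false-positive filter rather than trying to clean the IOC string out of the system. The following is an added example, not THOR's own code and not from this issue's log: it applies THOR-style false-positive filters (assumed here, per the manual, to be one regular expression per line, with `#` comments, each matched against the full log line) to a constructed set of THOR-like log lines, and shows why the filter should be the narrow rule name rather than a broad keyword. The log lines, the `EXAMPLE_*` rule names and the `load_filters` / `apply_filters` / `suppressed_rules` helpers are all constructed for this illustration.

```python
"""Apply THOR-style false-positive filters to log lines and audit what they hide.

Added illustration, not THOR's implementation. Assumption: a filter file in the
style of config/false_positive_filters.cfg holds one regex per line, '#' lines
are comments, and a log line matching any regex is suppressed from the output.
"""
import re
from typing import List, Tuple

# Constructed sample lines written in the spirit of THOR's text log; the
# EXAMPLE_* rule names are placeholders, not real signatures.
SAMPLE_LOG = [
    "Alert: Process match MODULE: ProcessCheck PID: 1 NAME: systemd "
    "REASON_1: YARA rule APT_MAL_Sandworm_Exaramel_Configuration_Name_Encrypted "
    "MATCHED: configtx.json",
    "Warning: Suspicious file MODULE: Filescan FILE: /home/user/.bash_history "
    "REASON_1: YARA rule APT_MAL_Sandworm_Exaramel_Configuration_Name_Encrypted "
    "MATCHED: sudo find / -name configtx.json",
    "Alert: File match MODULE: Filescan FILE: /etc/suricata/rules/malware.rules "
    "REASON_1: YARA rule EXAMPLE_CobaltStrike_Rule",
    "Warning: Suspicious process MODULE: ProcessCheck PID: 4242 NAME: code "
    "REASON_1: Shell parent /bin/bash",
    "Alert: File match MODULE: Filescan FILE: /var/www/html/upload.php "
    "REASON_1: YARA rule EXAMPLE_Webshell_Rule",
]

RULE_RE = re.compile(r"YARA rule (\S+)")


def load_filters(cfg_text: str) -> List["re.Pattern[str]"]:
    """Parse filter text: one regex per line, blank lines and '#' comments ignored."""
    patterns = []
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append(re.compile(line))
    return patterns


def apply_filters(lines: List[str], patterns) -> Tuple[List[str], List[str]]:
    """Split log lines into (kept, suppressed); a line matching any filter is suppressed."""
    kept, suppressed = [], []
    for line in lines:
        if any(p.search(line) for p in patterns):
            suppressed.append(line)
        else:
            kept.append(line)
    return kept, suppressed


def suppressed_rules(suppressed: List[str]) -> List[str]:
    """YARA rule names whose matches a filter set hid; review this before deploying a filter."""
    names = set()
    for line in suppressed:
        m = RULE_RE.search(line)
        if m:
            names.add(m.group(1))
    return sorted(names)


if __name__ == "__main__":
    # Narrow filter, as the maintainer suggests: only the Exaramel rule is hidden.
    narrow = load_filters("# from the issue discussion\nAPT_MAL_Sandworm_Exaramel_Configuration_Name_Encrypted\n")
    kept, dropped = apply_filters(SAMPLE_LOG, narrow)
    print("narrow filter hides rules:", suppressed_rules(dropped))
    print("remaining findings:", len(kept))

    # Over-broad filter: hides every Alert line, including the unrelated webshell hit.
    broad = load_filters("Alert:")
    _, dropped_broad = apply_filters(SAMPLE_LOG, broad)
    print("broad filter hides rules:", suppressed_rules(dropped_broad))
```

Run the script as-is to see the contrast: the rule-name filter removes only the two Exaramel matches (the polluted systemd process and the shell history line) and leaves the Suricata, vscode and placeholder webshell findings for review, while a keyword such as `Alert:` silently discards the unrelated alert too. Checking `suppressed_rules` on the suppressed set is the quick audit step before committing a filter to the configuration.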