CrowdStrike YAML rules create a false positive when the tool has been run twice.
capricewag opened this issue · 0 comments
Summary
To reproduce
Steps to reproduce the behavior:
- Run the CHIRP tool on a server.
- Look at the results; they should show zero results or matches.
- Run the CHIRP tool again.
- The CHIRP results now show a false positive based on the YAML rules.
Expected behavior
No detected results when using the tool multiple times
Any helpful log output or screenshots
Paste the results here:
    "CrowdStrike Sunspot": {
        "description": ""Identifies Sunspot backdoor dropper utilizing unique strings in key encryption material, mutexes, and logging."\n",
        "confidence": 10,
        "matches": [
            {
                "meta": "{'copyright': '(c) 2021 CrowdStrike Inc.', 'description': 'Detects mutex names in SUNSPOT', 'version': '202101081448', 'last_modified': '2021-01-08', 'actor': 'StellarParticle', 'malware_family': 'SUNSPOT'}",
                "namespace": "CrowdStrike Sunspot",
                "rule": "CrowdStrike_SUNSPOT_02",
                "strings": "[(1155, '$mutex_01', b'{12d61a41-4b74-7610-a4d8-3028d2f56395}'), (1227, '$mutex_02', b'{56331e4d-76a3-0390-a7ee-567adf5836b7}')]",
                "tags": "['artifact', 'stellarparticle', 'sunspot']",
                "file": "C:\$Recycle.Bin\S-1-5-21-1078081533-1897051121-xxxxxx-19038\xxxxx\crowdstrike_sunspot.yaml"
            },
            {
                "meta": "{'copyright': '(c) 2021 CrowdStrike Inc.', 'description': 'Detects mutex names in SUNSPOT', 'version': '202101081448', 'last_modified': '2021-01-08', 'actor': 'StellarParticle', 'malware_family': 'SUNSPOT'}",
                "namespace": "CrowdStrike Sunspot",
                "rule": "CrowdStrike_SUNSPOT_02",
                "strings": "[(514, '$mutex_01', b'{12d61a41-4b74-7610-a4d8-3028d2f56395}'), (578, '$mutex_02', b'{56331e4d-76a3-0390-a7ee-567adf5836b7}')]",
                "tags": "['artifact', 'stellarparticle', 'sunspot']",
                "file": "C:\Users\xxxxx\Desktop\Results\output\yara.json"
            }
        ]
    }
}
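The two hits above are the scanner detecting its own rule file and the report it wrote on the previous run, both of which contain the mutex strings verbatim. The post-filter below is an added example (not CHIRP's or CrowdStrike's code) showing one way to suppress such self-references: a match is dropped when the file is a rule or report artefact and its text names the rule that fired. File paths and contents are constructed; the heuristic assumes rule files and reports embed the rule identifier.

```python
"""Post-filter YARA-style results so a scanner does not re-detect its own
rule files or the JSON report from an earlier run. Added example; the match
layout mirrors the issue output, paths and file contents are constructed."""
import json
from pathlib import PureWindowsPath
from typing import Callable, Iterable

# File types the scanner itself reads (rules) or writes (reports). Assumption.
ARTIFACT_SUFFIXES = {".yaml", ".yml", ".yar", ".yara", ".json"}


def is_self_reference(match: dict, file_text: str) -> bool:
    """True when the hit is a rule definition or earlier report for the same
    rule: the matched file is an artefact type AND names the rule that fired."""
    path = PureWindowsPath(match["file"])
    if path.suffix.lower() not in ARTIFACT_SUFFIXES:
        return False
    return match["rule"] in file_text


def filter_self_references(matches: Iterable[dict],
                           read_text: Callable[[str], str]) -> list:
    """Keep only matches against files that are not the scanner's own artefacts.
    read_text is injected so the check can run against in-memory samples."""
    kept = []
    for m in matches:
        try:
            text = read_text(m["file"])
        except (OSError, KeyError):
            text = ""  # unreadable file: cannot prove self-reference, keep it
        if not is_self_reference(m, text):
            kept.append(m)
    return kept


# Constructed sample: two hits shaped like the issue's output plus one real hit.
SAMPLE_MATCHES = [
    {"rule": "CrowdStrike_SUNSPOT_02", "file": r"C:\tools\indicators\crowdstrike_sunspot.yaml"},
    {"rule": "CrowdStrike_SUNSPOT_02", "file": r"C:\Users\analyst\Desktop\Results\output\yara.json"},
    {"rule": "CrowdStrike_SUNSPOT_02", "file": r"C:\Windows\Temp\suspicious.dll"},
]
SAMPLE_FILES = {  # constructed stand-ins for the on-disk contents
    SAMPLE_MATCHES[0]["file"]: "rule CrowdStrike_SUNSPOT_02 { strings: $mutex_01 = \"{...}\" }",
    SAMPLE_MATCHES[1]["file"]: json.dumps({"rule": "CrowdStrike_SUNSPOT_02"}),
    SAMPLE_MATCHES[2]["file"]: "MZ...binary with the mutex string embedded...",
}


def demo() -> list:
    return filter_self_references(SAMPLE_MATCHES, lambda p: SAMPLE_FILES[p])


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))  # only the .dll hit survives
```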