splunk/security_content

[BUG] False positive in rule "Suspicious Copy on System32"

iso-rgomez opened this issue · 2 comments

Describe the bug

The rule "Suspicious Copy on System32" triggers when the executable performing the copy has "windows\system32" in the path. In this case, it's not system32 that's being copied to or from, it's being referenced in a full command line. Example:
"C:\WINDOWS\system32\xcopy.exe" [redacted] [redacted] /D /E /C /H /I /K /Y
Neither redacted entry has system32 in it.

Expected behavior

Look for a match anywhere other than the first part of the command line, where the executable and path to executable are.

App Version:

  • ESCU: 4.7.0
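The narrowing the report asks for, separating the executable's own path from the copy's source and destination arguments before matching on System32, as an added Python example; it is not part of the issue, nor the repository's SPL detection, and the sample command lines are constructed, not the redacted ones from the report.

```python
import re

# Match a Windows\System32 path segment, case-insensitively, with either separator.
SYSTEM32_RE = re.compile(r"windows[\\/]system32", re.IGNORECASE)


def split_command_line(cmdline: str) -> tuple:
    """Split a Windows command line into (executable, arguments).

    A quoted executable ("C:\\...\\xcopy.exe") ends at the closing quote;
    otherwise the executable is everything up to the first space.
    """
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:  # unterminated quote: treat the whole string as the exe
            return s[1:], ""
        return s[1:end], s[end + 1:].strip()
    head, _, tail = s.partition(" ")
    return head, tail.strip()


def args_reference_system32(cmdline: str) -> bool:
    """True only when a copy argument (source or destination) points at System32.

    The executable's own location is deliberately ignored, which is exactly
    the false-positive shape described in the issue.
    """
    _exe, args = split_command_line(cmdline)
    return SYSTEM32_RE.search(args) is not None


# Constructed sample process command lines (not the issue's redacted data).
SAMPLE_EVENTS = [
    # Issue's false positive: xcopy lives in System32, neither path does.
    '"C:\\WINDOWS\\system32\\xcopy.exe" C:\\Data\\src D:\\Backup\\src /D /E /C /H /I /K /Y',
    # Copy *into* System32: what the rule is meant to catch.
    'xcopy.exe C:\\Users\\Public\\helper.dll C:\\Windows\\System32\\ /Y',
    # Copy *out of* System32 via cmd.exe's built-in copy.
    '"C:\\WINDOWS\\system32\\cmd.exe" /c copy C:\\Windows\\System32\\notepad.exe C:\\Temp\\',
    # Unrelated copy that must not match.
    'xcopy C:\\Projects\\a D:\\Projects\\a /E',
]


def flag_events(events):
    """Return the command lines whose arguments touch System32."""
    return [e for e in events if args_reference_system32(e)]


if __name__ == "__main__":
    for e in flag_events(SAMPLE_EVENTS):
        print("ALERT:", e)
```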

Looking into this one.

Thanks for this great feedback. The fix for this issue is in this PR: https://github.com/splunk/security_content/pull/2808/files