XDR Detections -is EQL-WIN-EXE-PRC-DIAVOL-ARGS-1 broken

I have 1000+ devices listed against EQL-WIN-EXE-PRC-DIAVOL-ARGS-1 in the new Detections EAP. The description says that this could be indications of Diavol ransomware, however, I think the rule is mistakenly identifying some of the command line arguments used by other legitimate commands.

The command lines detected by this rule according to the description are -p "C:\b.txt" -m local -log "C:\programdata\log.txt". Some of the many misidentified detections are these below, I have bolded the possible command line argument incorrectly found which trigger the detection:

C:\WINDOWS\SysWOW64\WerFault.exe -pss -s 456 -p 16080 -ip 16080

C:\Windows\System32\wlrmdr.exe -s 60000 -f 1 -t Consider changing your password -m Your password will expire in 14 days.\x0ATo change your password, press CTRL+ALT+DELETE and then click \xE2\x80\x9CChange a password\xE2\x80\x9D. -a 0

Regards
Andy.

Top Replies

Karl_Ackerman over 3 years ago +1

Yes that rule is broken. It is failing to accurately perform the desired classification. Currently rules with the experimental flag set rimental and are still being adjusted. During EAP those rules are…

0 Karl_Ackerman over 3 years ago

Yes that rule is broken. It is failing to accurately perform the desired classification.

Currently rules with the experimental flag set rimental and are still being adjusted. During EAP those rules are being shown and will be tuned and promoted prior to GA or will be removed from the console.

SEE BELOW QUERY TO VIEW RULES THAT HAVE FIRED:

-- Rule execution counts

-- VARIABLE $$Category$$                STRING
-- VARIABLE $$Classification Rule$$     STRING
-- VARIABLE $$Experimental (1 = TRUE)$$ STRING -- SET to 1 to see only experimental rules
-- VARIABLE $$Mitre Tactic$$            STRING
-- VARIABLE $$Worker Process$$          STRING

SELECT
   COUNT(*) Instances,
   ioc_worker_name WorkerProcess,
   ioc_detection_category Category,
   ioc_detection_attack Detection_Type,
   ioc_detection_type Type,
   ioc_severity Risk,
   ioc_detection_id Classificattion_Rule,
   ioc_detection_sigma Sigma_Details,
   ioc_detection_eql EQL_Details,
   ioc_detection_mitre_attack ATTACK_Mapping,
   ioc_detection_experiment_level Experimental 
FROM xdr_ti_data
WHERE LOWER(ioc_detection_id) LIKE LOWER('%$$Classification Rule$$%')
   AND LOWER(ioc_detection_category) LIKE LOWER('%$$Category$$%')
   AND LOWER(ioc_worker_name) LIKE LOWER('%$$Worker Process$$%')
   AND LOWER(ioc_detection_mitre_attack) LIKE LOWER('%$$Mitre Tactic$$%')
   AND LOWER(CAST(ioc_detection_experiment_level AS VARCHAR) ) LIKE LOWER('%$$Experimental (1 = TRUE)$$%')
GROUP BY ioc_worker_name, ioc_detection_category, ioc_severity, ioc_detection_id, ioc_detection_sigma, ioc_detection_eql, 
   ioc_detection_attack, ioc_detection_mitre_attack, ioc_detection_type, ioc_detection_experiment_level
ORDER BY 1 DESC

Thanks for the question and sorry for the broken classification rule.

0 Karl_Ackerman over 3 years ago in reply to Karl_Ackerman

I also added a community post in the data lake forum that includes a query to show the detection logic used by a classificaiton rule.

https://community.sophos.com/intercept-x-endpoint/edr-data-lake-eap/f/discussions/130785/how-do-i-check-the-logic-for-a-classification-rule-if-i-suspect-it-is-a-false-positive
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Cancel
0 AndyR over 3 years ago in reply to Karl_Ackerman

Thanks for the update, i wasnt aware that rules ending in -1 were experimental until now. Glad that I discounted the 1000+ Diavol ransomware detections previously as a false positive
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Cancel
0 AndyR over 3 years ago in reply to Karl_Ackerman

That's a great query, especially as I can use it to pivot off the results until this feature is available natively in Detections. Thanks for this.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

0 Karl_Ackerman over 3 years ago in reply to AndyR

After chatting with the MTR SOC Team, the -1 does not always indicate a rule is experimental. You should check the flag in the table as shown in this query to list all Experimental rules that have fired.

-- Rule execution counts

-- VARIABLE $$Category$$                STRING
-- VARIABLE $$Classification Rule$$     STRING
-- VARIABLE $$Mitre Tactic$$            STRING
-- VARIABLE $$Worker Process$$          STRING
-- VARIABLE $$Experimental (1 = TRUE)$$ STRING

SELECT
   COUNT(*) Instances,
   ioc_worker_name WorkerProcess,
   ioc_detection_category Category,
   ioc_detection_attack Detection_Type,
   ioc_detection_type Type,
   ioc_severity Risk,
   ioc_detection_id Classificattion_Rule,
   ioc_detection_sigma Sigma_Details,
   ioc_detection_eql EQL_Details,
   ioc_detection_mitre_attack ATTACK_Mapping,
   ioc_detection_experiment_level Experimental 
FROM xdr_ti_data
WHERE LOWER(ioc_detection_id) LIKE LOWER('%$$Classification Rule$$%')
   AND LOWER(ioc_detection_category) LIKE LOWER('%$$Category$$%')
   AND LOWER(ioc_worker_name) LIKE LOWER('%$$Worker Process$$%')
   AND LOWER(ioc_detection_mitre_attack) LIKE LOWER('%$$Mitre Tactic$$%')
   AND LOWER(CAST(ioc_detection_experiment_level AS VARCHAR) ) LIKE LOWER('%$$Experimental (1 = TRUE)$$%')
GROUP BY ioc_worker_name, ioc_detection_category, ioc_severity, ioc_detection_id, ioc_detection_sigma, ioc_detection_eql, 
   ioc_detection_attack, ioc_detection_mitre_attack, ioc_detection_type, ioc_detection_experiment_level
ORDER BY 1 DESC