I have 1000+ devices listed against EQL-WIN-EXE-PRC-DIAVOL-ARGS-1 in the new Detections EAP. The description says that this could be an indication of Diavol ransomware; however, I think the rule is mistakenly identifying some of the command line arguments used by other legitimate commands.
The command lines detected by this rule according to the description are -p "C:\b.txt" -m local -log "C:\programdata\log.txt". Some of the many misidentified detections are below; I have bolded the possible command line argument incorrectly found which triggers the detection:
C:\WINDOWS\SysWOW64\WerFault.exe -pss -s 456 -p 16080 -ip 16080
C:\Windows\System32\wlrmdr.exe -s 60000 -f 1 -t Consider changing your password -m Your password will expire in 14 days.\x0ATo change your password, press CTRL+ALT+DELETE and then click \xE2\x80\x9CChange a password\xE2\x80\x9D. -a 0
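To show why both lines above trip the rule while neither is the Diavol pattern from the description, here is an added Python example (not from the original post or the product) that contrasts an assumed flag-by-flag match with a check that requires all three arguments together with the value shapes the description gives. The first two sample command lines are taken from the post (the wlrmdr.exe one shortened), the third is constructed to look like the documented Diavol pattern; the shape of the real EQL rule is not known here and is an assumption.

```python
import re

# Constructed sample command lines: the two false positives reported above
# (second one shortened) plus one synthetic line shaped like the documented
# Diavol pattern -p "<path>" -m local -log "<path>".
SAMPLE_COMMAND_LINES = [
    r'C:\WINDOWS\SysWOW64\WerFault.exe -pss -s 456 -p 16080 -ip 16080',
    r'C:\Windows\System32\wlrmdr.exe -s 60000 -f 1 -t Consider changing your password -m Your password will expire in 14 days. -a 0',
    r'C:\Users\Public\sample.exe -p "C:\b.txt" -m local -log "C:\programdata\log.txt"',  # constructed
]

# Split on whitespace but keep double-quoted arguments (which may contain spaces) whole.
ARG_RE = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline):
    """Return the command line as a list of arguments with surrounding quotes removed."""
    return [tok.strip('"') for tok in ARG_RE.findall(cmdline)]


def loose_match(cmdline):
    """Assumed shape of the over-broad rule: fire if any one of the flags is present."""
    toks = [t.lower() for t in tokenize(cmdline)]
    return any(flag in toks for flag in ('-p', '-m', '-log'))


def flag_value(toks, flag):
    """Return the argument following `flag`, or None if the flag is absent or has no value."""
    for i, tok in enumerate(toks[:-1]):
        if tok.lower() == flag:
            return toks[i + 1]
    return None


def looks_like_windows_path(value):
    """True for values starting with a drive letter, e.g. C:\\b.txt; False for PIDs and None."""
    return value is not None and re.match(r'^[A-Za-z]:\\', value) is not None


def strict_match(cmdline):
    """Require the whole documented pattern: -p <path>, -m local and -log <path> on one command line."""
    toks = tokenize(cmdline)
    return (
        looks_like_windows_path(flag_value(toks, '-p'))
        and (flag_value(toks, '-m') or '').lower() == 'local'
        and looks_like_windows_path(flag_value(toks, '-log'))
    )


def triage(cmdlines):
    """Return (command line, loose verdict, strict verdict) for each input, for side-by-side review."""
    return [(c, loose_match(c), strict_match(c)) for c in cmdlines]


if __name__ == '__main__':
    for cmd, loose, strict in triage(SAMPLE_COMMAND_LINES):
        print(f'loose={loose!s:5} strict={strict!s:5} {cmd[:60]}')
```

Running it shows the WerFault.exe and wlrmdr.exe lines matching the loose check (on `-p 16080` and `-m Your ...` respectively) but not the strict one, while only the constructed Diavol-shaped line passes both; the point for tuning is that the `-p` and `-m` flags alone carry almost no signal, and the rule needs the co-occurrence and the value shapes to be useful.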
Yes, that rule is broken. It is failing to accurately perform the desired classification. Currently rules with the experimental flag set are experimental and are still being adjusted. During EAP those rules are being shown and will be tuned and promoted prior to GA or will be removed from the console. SEE BELOW QUERY TO VIEW RULES THAT HAVE FIRED:
-- Rule execution counts
-- VARIABLE $$Category$$ STRING
-- VARIABLE $$Classification Rule$$ STRING
-- VARIABLE $$Experimental (1 = TRUE)$$ STRING -- SET to 1 to see only experimental rules
-- VARIABLE $$Mitre Tactic$$ STRING
-- VARIABLE $$Worker Process$$ STRING
-- The SELECT and FROM lines were missing from the post as published; the count and the selected columns
-- follow from the GROUP BY and ORDER BY below, and <detections_table> is a placeholder for the
-- detections table in your data lake.
SELECT COUNT(*) AS executions,
       ioc_worker_name, ioc_detection_category, ioc_severity, ioc_detection_id, ioc_detection_sigma, ioc_detection_eql,
       ioc_detection_attack, ioc_detection_mitre_attack, ioc_detection_type, ioc_detection_experiment_level
FROM <detections_table>
WHERE LOWER(ioc_detection_id) LIKE LOWER('%$$Classification Rule$$%')
AND LOWER(ioc_detection_category) LIKE LOWER('%$$Category$$%')
AND LOWER(ioc_worker_name) LIKE LOWER('%$$Worker Process$$%')
AND LOWER(ioc_detection_mitre_attack) LIKE LOWER('%$$Mitre Tactic$$%')
AND LOWER(CAST(ioc_detection_experiment_level AS VARCHAR)) LIKE LOWER('%$$Experimental (1 = TRUE)$$%')
GROUP BY ioc_worker_name, ioc_detection_category, ioc_severity, ioc_detection_id, ioc_detection_sigma, ioc_detection_eql,
ioc_detection_attack, ioc_detection_mitre_attack, ioc_detection_type, ioc_detection_experiment_level
ORDER BY 1 DESC
Thanks for the question and sorry for the broken classification rule.
I also added a community post in the data lake forum that includes a query to show the detection logic used by a classification rule.
That's a great query, especially as I can use it to pivot off the results until this feature is available natively in Detections. Thanks for this.