XDR Detections - is EQL-WIN-EXE-PRC-DIAVOL-ARGS-1 broken

I have 1000+ devices listed against EQL-WIN-EXE-PRC-DIAVOL-ARGS-1 in the new Detections EAP. The description says that this could be indications of Diavol ransomware, however, I think the rule is mistakenly identifying some of the command line arguments used by other legitimate commands.

The command lines detected by this rule, according to the description, are -p "C:\b.txt" -m local -log "C:\programdata\log.txt". Some of the many misidentified detections are below; I have bolded the possible command line arguments that were incorrectly matched and trigger the detection:

C:\WINDOWS\SysWOW64\WerFault.exe -pss -s 456 -p 16080 -ip 16080

C:\Windows\System32\wlrmdr.exe -s 60000 -f 1 -t Consider changing your password -m Your password will expire in 14 days.\x0ATo change your password, press CTRL+ALT+DELETE and then click “Change a password”. -a 0

Regards
Andy.
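To show why an argument-only match over-fires on the command lines quoted above, here is an added example (not the vendor's EQL rule; the loose and strict matcher logic and the Diavol-style sample line are assumptions constructed for illustration):

```python
"""Argument-based matching for the Diavol-style command line described in the
rule, loose vs strict. Illustration only; the real rule's logic is not shown
on the page, so the loose matcher is an assumed model of the over-matching."""
import re
import shlex
from typing import Dict, Optional

# Constructed line mirroring the rule description's own argument pattern.
DIAVOL_STYLE = r'C:\Users\Public\x.exe -p "C:\b.txt" -m local -log "C:\programdata\log.txt"'
# False positives quoted in the thread (the wlrmdr message text is trimmed).
WERFAULT = r'C:\WINDOWS\SysWOW64\WerFault.exe -pss -s 456 -p 16080 -ip 16080'
WLRMDR = (r'C:\Windows\System32\wlrmdr.exe -s 60000 -f 1 -t Consider changing your password '
          r'-m Your password will expire in 14 days. -a 0')

# Windows drive-letter path, e.g. C:\b.txt
WIN_PATH = re.compile(r'^[A-Za-z]:\\')


def parse_switches(cmdline: str) -> Dict[str, Optional[str]]:
    """Map each -switch (lower-cased) to the token that follows it, or None
    when the next token is itself a switch or the line ends."""
    tokens = shlex.split(cmdline, posix=False)[1:]   # drop the image path
    switches: Dict[str, Optional[str]] = {}
    for i, tok in enumerate(tokens):
        if not tok.startswith("-"):
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        switches[tok.lower()] = None if nxt is None or nxt.startswith("-") else nxt.strip('"')
    return switches


def loose_match(cmdline: str) -> bool:
    """Assumed over-broad behaviour: any one of the three switch names fires."""
    return bool({"-p", "-m", "-log"} & parse_switches(cmdline).keys())


def strict_match(cmdline: str) -> bool:
    """Require all three switches with the value shapes the description gives:
    -m local, and a Windows path for both -p and -log."""
    sw = parse_switches(cmdline)
    return ((sw.get("-m") or "").lower() == "local"
            and WIN_PATH.match(sw.get("-p") or "") is not None
            and WIN_PATH.match(sw.get("-log") or "") is not None)


if __name__ == "__main__":
    for line in (DIAVOL_STYLE, WERFAULT, WLRMDR):
        print(f"loose={loose_match(line)!s:5} strict={strict_match(line)!s:5} {line[:40]}")
```

The loose matcher fires on all three lines because WerFault.exe carries -p and wlrmdr.exe carries -m; the strict matcher fires only on the constructed Diavol-style line.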

  • Yes that rule is broken.  It is failing to accurately perform the desired classification.

    Currently rules with the experimental flag set are experimental and are still being adjusted.  During EAP those rules are being shown and will be tuned and promoted prior to GA or will be removed from the console.

    SEE BELOW QUERY TO VIEW RULES THAT HAVE FIRED:

    -- Rule execution counts
    
    -- VARIABLE $$Category$$                STRING
    -- VARIABLE $$Classification Rule$$     STRING
    -- VARIABLE $$Experimental (1 = TRUE)$$ STRING -- SET to 1 to see only experimental rules
    -- VARIABLE $$Mitre Tactic$$            STRING
    -- VARIABLE $$Worker Process$$          STRING
    
    SELECT
       COUNT(*) Instances,
       ioc_worker_name WorkerProcess,
       ioc_detection_category Category,
       ioc_detection_attack Detection_Type,
       ioc_detection_type Type,
       ioc_severity Risk,
       ioc_detection_id Classification_Rule,
       ioc_detection_sigma Sigma_Details,
       ioc_detection_eql EQL_Details,
       ioc_detection_mitre_attack ATTACK_Mapping,
       ioc_detection_experiment_level Experimental 
    FROM xdr_ti_data
    WHERE LOWER(ioc_detection_id) LIKE LOWER('%$$Classification Rule$$%')
       AND LOWER(ioc_detection_category) LIKE LOWER('%$$Category$$%')
       AND LOWER(ioc_worker_name) LIKE LOWER('%$$Worker Process$$%')
       AND LOWER(ioc_detection_mitre_attack) LIKE LOWER('%$$Mitre Tactic$$%')
       AND LOWER(CAST(ioc_detection_experiment_level AS VARCHAR)) LIKE LOWER('%$$Experimental (1 = TRUE)$$%')
    GROUP BY ioc_worker_name, ioc_detection_category, ioc_severity, ioc_detection_id, ioc_detection_sigma, ioc_detection_eql, 
       ioc_detection_attack, ioc_detection_mitre_attack, ioc_detection_type, ioc_detection_experiment_level
    ORDER BY 1 DESC

    Thanks for the question and sorry for the broken classification rule.

  • Thanks for the update, I wasn't aware that rules ending in -1 were experimental until now. Glad that I discounted the 1000+ Diavol ransomware detections previously as a false positive.

  • After chatting with the MTR SOC Team, the -1 does not always indicate a rule is experimental. You should check the flag in the table as shown in this query to list all Experimental rules that have fired.

    -- Rule execution counts
    
    -- VARIABLE $$Category$$                STRING
    -- VARIABLE $$Classification Rule$$     STRING
    -- VARIABLE $$Mitre Tactic$$            STRING
    -- VARIABLE $$Worker Process$$          STRING
    -- VARIABLE $$Experimental (1 = TRUE)$$ STRING
    
    SELECT
       COUNT(*) Instances,
       ioc_worker_name WorkerProcess,
       ioc_detection_category Category,
       ioc_detection_attack Detection_Type,
       ioc_detection_type Type,
       ioc_severity Risk,
       ioc_detection_id Classification_Rule,
       ioc_detection_sigma Sigma_Details,
       ioc_detection_eql EQL_Details,
       ioc_detection_mitre_attack ATTACK_Mapping,
       ioc_detection_experiment_level Experimental 
    FROM xdr_ti_data
    WHERE LOWER(ioc_detection_id) LIKE LOWER('%$$Classification Rule$$%')
       AND LOWER(ioc_detection_category) LIKE LOWER('%$$Category$$%')
       AND LOWER(ioc_worker_name) LIKE LOWER('%$$Worker Process$$%')
       AND LOWER(ioc_detection_mitre_attack) LIKE LOWER('%$$Mitre Tactic$$%')
       AND LOWER(CAST(ioc_detection_experiment_level AS VARCHAR)) LIKE LOWER('%$$Experimental (1 = TRUE)$$%')
    GROUP BY ioc_worker_name, ioc_detection_category, ioc_severity, ioc_detection_id, ioc_detection_sigma, ioc_detection_eql, 
       ioc_detection_attack, ioc_detection_mitre_attack, ioc_detection_type, ioc_detection_experiment_level
    ORDER BY 1 DESC
