75bf09fa-1dd7-4d18-9af9-dd9e492562eb False positive with outlook.exe #4432

Closed
nekopep opened this issue Sep 8, 2023 · 2 comments · Fixed by #4491
Assignees
Labels
False-Positive Issue reporting a false positive with one of the rules

Comments

@nekopep

nekopep commented Sep 8, 2023

Rule UUID

75bf09fa-1dd7-4d18-9af9-dd9e492562eb

Example EventLog

| Field | Value |
| --- | --- |
| Process name | OUTLOOK.EXE (pid=11388) |
| Image name | C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE |
| Command-line | C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE |
| Execution | Detected |
| Current directory | C:\Windows\System32 |
| Process Create Time | 2023-09-07 09:08:54Z |
| Size | 41008072 (39.11 MiB) |
| MD5 | 2f6e2354a8ee6fb403f747ce8d42a9e0 |
| SHA1 | 0fb58c5e285bd59e5492a597d771b5c5e018fcb6 |
| SHA256 | 89f5ab08db492e68a4fd261585ca42a03babc08eaec495e1ad8af47f96faa4b1 |
| IMPHASH | E497CBA696E77737A45672336BFDD193 |
| PE timestamp | 2023-08-01 02:53:20Z |
| Signed | |
| Authenticode Signer name | Microsoft Corporation |
| Root CA name | Microsoft Root Certificate Authority 2011 |
| Company name | Microsoft Corporation |
| File Description | Microsoft Outlook |
| File version | 16.0.10401.20025 |
| Internal name | Outlook |
| Product name | Microsoft Outlook |
| Product version | 16.0.10401.20025 |
| target_filename | C:\Users\xxxxxxx\AppData\Local\Microsoft\Windows\SchCache\xxxx.home.sch |

Description

I get false positives with outlook.exe from time to time.
Perhaps we should add it to the whitelist?

@nekopep nekopep added the False-Positive Issue reporting a false positive with one of the rules label Sep 8, 2023
@nasbench nasbench self-assigned this Sep 8, 2023
@nekopep
Author

nekopep commented Sep 8, 2023

Got another one for another domain with Image name:
C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
(please note the (x86) difference)

@nasbench
Member

nasbench commented Sep 8, 2023

Thanks for the submission. This indeed looks like an FP.

The severity also looks a little higher than it should be. Will apply the necessary filters :)

Cheers.

@nasbench nasbench added the Work In Progress Some changes are needed label Sep 10, 2023
nasbench added a commit to nasbench/sigma that referenced this issue Oct 18, 2023
@nasbench nasbench removed the Work In Progress Some changes are needed label Oct 18, 2023