Security Connect 2021 is coming Jun 3. Register for free today!

Enterprise EDR: [RESOLVED] Watchlist Report Triggers an Incorrect Hits

Enterprise EDR: [RESOLVED] Watchlist Report Triggers an Incorrect Hits

Environment

  • Enterprise EDR Web Console: All Versions

Symptoms

The report "Defense Evasion - AMSI - Suspicious MSHTA File Write And Execute Behaviors Detected" in Watchlist triggers an incorrect Hit however, the scriptloads specified in the IOC does not show events in Processes tab under Investigate page when searched specifically.
(process_name:mshta.exe AND (fileless_scriptload_cmdline:ITextStream.Write AND fileless_scriptload_cmdline:IWshShell3.Run) OR (scriptload_content:ITextStream.Write AND scriptload_content:IWshShell3.Run)) AND NOT crossproc_name:windows\\ccm\\ccmexec.exe

 

Cause

Engineering team found that the query is missing set of parentheses, causing non-deterministic behavior (See additional Notes)

Resolution

The query has been updated with the added parentheses, and will now report as expected

Additional Notes

  • Engineering team found that the query is missing set of parentheses here, causing non-deterministic behavior.
  • The IOC query should be like below:
(process_name:mshta.exe AND ((fileless_scriptload_cmdline:ITextStream.Write AND fileless_scriptload_cmdline:IWshShell3.Run) OR (scriptload_content:ITextStream.Write AND scriptload_content:IWshShell3.Run))) AND NOT crossproc_name:windows\\ccm\\ccmexec.exe.

Related Content


Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎02-23-2021
Views:
107
Contributors