Part 5 | SOC Analyst Home Labs

Part 5: Tuning Response Rules Around False Positives



Finding False Positives


When our detection rules start creating alerts for "normal" system processes, they add unnecessary workload for the SOC analyst. In other words, if an alert lands in our "Detections" list every time a legitimate service or application spawns a process that triggers a D&R rule, the noise can build up to the point where truly malicious activity is overlooked, or noticed much later than it should be. The net effect is a longer time to detect and react to a genuinely suspicious or malicious event.
Detections of legitimate processes fall under the category of false positives.

Creating a False Positive Detection Rule


We will start this exercise by creating a detection rule that will give us a lot of false-positives for us to work with.

  1. Create a new D&R rule with the name "Suspicious svchost execution".

    # In the "Detect" section of the rule, paste in the following lines.
    event: NEW_PROCESS
    op: ends with
    path: event/FILE_PATH
    value: \svchost.exe
    


  2. # In the "Response" section of the rule paste in the following lines.

    - action: report
      name: Suspicious svchost execution
    


  3. Once we have our detection rule in place, it is a matter of time until we start having some false positives in our detection tab in LimaCharlie.

    If we let this run for a while and we go back into the detections tab, we will see that several of these events have been detected and all of the alerts they have generated.

  4. Click on one of the detections to see the raw event and review the details. Once you have reviewed the specifics, click on "Mark False Positive" at the top.


  5. By default, when marking a detection as false-positive, the "Detect" section will be populated with details from the raw event. In order to make this rule more accurate, we'd need to edit some parts.

  6. The original false-positive rule brought forward by LimaCharlie, populated verbatim from the raw event:

    op: and
    rules:
      - op: is
        path: cat
        value: Suspicious svchost execution
      - op: is
        path: detect/event/FILE_PATH
        value: C:\Windows\system32\svchost.exe
      - op: is
        path: detect/event/COMMAND_LINE
        value: C:\Windows\system32\svchost.exe -k netsvcs -p -s wisvc
      - op: is
        path: detect/event/HASH
        value: 949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b
      - op: is
        path: routing/hostname
        value: windev2407eval.localdomain

  7. This is what the false-positive rule looks like after some modification. The exact matches on the command line, hash and hostname are gone, so the rule now covers any svchost.exe launched from System32 with a "-k" service-group argument, on any host:

    op: and
    rules:
      - op: is
        path: cat
        value: Suspicious svchost execution
      - op: is
        path: detect/event/FILE_PATH
        value: C:\Windows\system32\svchost.exe
      - op: contains
        path: detect/event/COMMAND_LINE
        value: -k 


    You can find a detailed explanation of the different parts edited in the rule in this video by Eric Capuano from Part 5 of the "So you want to be a SOC Analyst?" series.
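To see concretely why the generated rule is too narrow and the tuned one is still safe, here is an added example (not LimaCharlie's own engine or any code from the series): a small evaluator for the D&R operators used on this page, run against three constructed detections. The hostname "ws02.localdomain" and the non-System32 svchost copy are assumptions for illustration.

```python
# Added example (not LimaCharlie's engine): a minimal evaluator for the D&R operators used on
# this page ("is", "contains", "ends with", "and"), run over constructed detections.
SVCHOST = r"C:\Windows\system32\svchost.exe"
WISVC_HASH = "949bfb5b4c7d58d92f3f9c5f8ec7ca4ceaffd10ec5f0020f0a987c472d61c54b"
OPS = {"is": lambda v, t: v == t, "contains": lambda v, t: t in v, "ends with": lambda v, t: v.endswith(t)}

def lookup(obj, path):
    """Resolve a slash-separated path such as 'detect/event/COMMAND_LINE'."""
    for part in path.split("/"):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj

def matches(rule, data):
    """Evaluate one rule node; comparisons are case-sensitive (LimaCharlie's default), missing fields never match."""
    if rule["op"] == "and":
        return all(matches(r, data) for r in rule["rules"])
    val = lookup(data, rule["path"])
    return isinstance(val, str) and OPS[rule["op"]](val, rule["value"])

def detection(file_path, cmdline, host, sha256="0" * 64):
    # Shape of a detection as the FP rule sees it: cat, detect/event, routing.
    return {"cat": "Suspicious svchost execution", "routing": {"hostname": host},
            "detect": {"event": {"FILE_PATH": file_path, "COMMAND_LINE": cmdline, "HASH": sha256}}}

# Constructed sample detections: the one marked FP in the lab, a benign svchost on another
# host, and an svchost copy running from a user-writable directory (a classic masquerade).
DETECTIONS = {
    "wisvc_same_host": detection(SVCHOST, SVCHOST + " -k netsvcs -p -s wisvc",
                                 "windev2407eval.localdomain", WISVC_HASH),
    "dcomlaunch_other_host": detection(SVCHOST, SVCHOST + " -k DcomLaunch -p", "ws02.localdomain"),
    "svchost_in_public_dir": detection(r"C:\Users\Public\svchost.exe",
                                       r"C:\Users\Public\svchost.exe -k netsvcs", "ws02.localdomain"),
}

CAT = {"op": "is", "path": "cat", "value": "Suspicious svchost execution"}
PATH_IS_SYSTEM32 = {"op": "is", "path": "detect/event/FILE_PATH", "value": SVCHOST}
# FP rule as "Mark False Positive" generated it: pinned to one command line, hash and host.
FP_ORIGINAL = {"op": "and", "rules": [CAT, PATH_IS_SYSTEM32,
    {"op": "is", "path": "detect/event/COMMAND_LINE", "value": SVCHOST + " -k netsvcs -p -s wisvc"},
    {"op": "is", "path": "detect/event/HASH", "value": WISVC_HASH},
    {"op": "is", "path": "routing/hostname", "value": "windev2407eval.localdomain"}]}
# Tuned FP rule: any system32 svchost started with a service group (-k), on any host.
FP_TUNED = {"op": "and", "rules": [CAT, PATH_IS_SYSTEM32,
    {"op": "contains", "path": "detect/event/COMMAND_LINE", "value": "-k "}]}

def suppressed(fp_rule):
    """Names of the sample detections the given false-positive rule would suppress."""
    return sorted(name for name, det in DETECTIONS.items() if matches(fp_rule, det))
```

The generated rule only ever silences the single event it was created from, while the tuned rule silences the same benign service launches on every host yet still lets the svchost copy outside System32 through.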



As described in the video, tuning a rule comes down to knowing "what normal looks like", which takes knowledge of and experience with the processes involved. Here are three resources recommended by Eric to study the topic further.



Resources:

So you want to be a SOC Analyst? Part 5