8000 [Rule Tuning] Startup or Run Key Registry Modification · Issue #4692 · elastic/detection-rules · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

[Rule Tuning] Startup or Run Key Registry Modification #4692

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
sw-jung opened this issue May 1, 2025 · 1 comment · May be fixed by #4710
Open

[Rule Tuning] Startup or Run Key Registry Modification #4692

sw-jung opened this issue May 1, 2025 · 1 comment · May be fixed by #4710
Assignees
@w0rk3r
Labels
Rule: Tuning tweaking or tuning an existing rule Team: TRADE

Comments

@sw-jung
Copy link
sw-jung commented May 1, 2025

Link to Rule

https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_run_key_and_startup_broad.toml

Rule Tuning Type

False Positives - Reducing benign events mistakenly identified as threats.

Description

Seeking an upstream rule modification to skip alerting about 1Password in the "Startup or Run Key Registry Modification" rule.
Looking at the existing rule query, fields that could be used for 1Password. Presumably this would not be limited to a single hardcoded version.

process.executable C:\Users\\AppData\Local\1Password\1PasswordSetup-8.10.70.exe
registry.key S-1-12-\Software\Microsoft\Windows\CurrentVersion\Run
process.code_signature.exists true
process.code_signature.status trusted
process.code_signature.subject_name Agilebits
process.code_signature.trusted true

Example Data

No response
@sw-jung sw-jung added Rule: Tuning tweaking or tuning an existing rule Team: TRADE labels May 1, 2025
@w0rk3r w0rk3r self-assigned this May 2, 2025
@w0rk3r w0rk3r linked a pull request May 8, 2025 that will close this issue
Open
@w0rk3r
Copy link
Contributor
w0rk3r commented May 8, 2025

Just opened a PR for this one: #4710

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@w0rk3r w0rk3r

Labels
Rule: Tuning tweaking or tuning an existing rule Team: TRADE
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Rule Tuning] Startup or Run Key Registry Modification elastic/detection-rules
2 participants
@sw-jung @w0rk3r
0