Re: mDNS Broadcast FALSE POSITIVE windows 10 pro


Luciano Gorza

Apr 25, 2024, 4:05:06 PM
to Wazuh | Mailing List
Hi VT,

To better understand the behavior and assist you, could you please provide rule 102503 and any other custom rules that apply?
Could you describe under what circumstances an alert should be generated and under which it should not with an example log?

Thanks!

On Thursday, April 25, 2024 at 10:51:35 AM UTC-3 VT wrote:
```
<rule id="102504" level="15">
  <if_sid>102503</if_sid>
  <description>Malware Network connection Possible RAT</description>
  <group>sysmon_event3,</group>
</rule>
<rule id="102505" level="3">
  <if_sid>102503</if_sid>
  <match>C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe</match>
  <description>Broadcast by Microsoft Edge</description>
</rule>
<rule id="102506" level="3">
  <if_sid>102504</if_sid>
  <match>C:\\Windows\\System32\\svchost.exe</match>
  <description>Windows Broadcasting...</description>
</rule>
<!-- Rules 102600 - 102699: Correlation Rules -->
</group>
```


On Thursday, April 25, 2024 at 3:50:28 PM UTC+2 VT wrote:
Hi,

I think Wazuh has a false positive when Windows does mDNS broadcasts, as this looks, which I got from Sysmon. I wanted to know which is the best rule to stop this alerting since it is a false positive. I did use a rule with match, but I think it is going to affect true positives in the near future.

```
{ "agent": { "ip": "192.168.10.170", "name": "DESKTOP-AIV84IF", "id": "132" }, "manager": { "name": "intel" }, "data": { "win": { "eventdata": { "destinationPort": "5353", "image": "C:\\\\Windows\\\\System32\\\\svchost.exe", "sourcePort": "5353", "initiated": "false", "destinationIp": "fe80:0:0:0:b81d:47ff:fea7:4c04", "protocol": "udp", "processGuid": "{e9487774-5c79-662a-3900-000000000900}", "sourceIp": "ff02:0:0:0:0:0:0:fb", "processId": "2928", "utcTime": "2024-04-25 13:37:48.077", "ruleName": "technique_id=T1571,technique_name=Non-Standard Port", "destinationIsIpv6": "true", "user": "NT AUTHORITY\\\\NETWORK SERVICE", "sourceIsIpv6": "true" }, "system": { "eventID": "3", "keywords": "0x8000000000000000", "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "level": "4", "channel": "Microsoft-Windows-Sysmon/Operational", "opcode": "0", "message": "\"Network connection detected:\r\nRuleName: technique_id=T1571,technique_name=Non-Standard Port\r\nUtcTime: 2024-04-25 13:37:48.077\r\nProcessGuid: {e9487774-5c79-662a-3900-000000000900}\r\nProcessId: 2928\r\nImage: C:\\Windows\\System32\\svchost.exe\r\nUser: NT AUTHORITY\\NETWORK SERVICE\r\nProtocol: udp\r\nInitiated: false\r\nSourceIsIpv6: true\r\nSourceIp: ff02:0:0:0:0:0:0:fb\r\nSourceHostname: -\r\nSourcePort: 5353\r\nSourcePortName: -\r\nDestinationIsIpv6: true\r\nDestinationIp: fe80:0:0:0:b81d:47ff:fea7:4c04\r\nDestinationHostname: -\r\nDestinationPort: 5353\r\nDestinationPortName: -\"", "version": "5", "systemTime": "2024-04-25T13:37:50.4349788Z", "eventRecordID": "48110", "threadID": "6256", "computer": "DESKTOP-AIV84IF", "task": "3", "processID": "4648", "severityValue": "INFORMATION", "providerName": "Microsoft-Windows-Sysmon" } } }, "rule": { "firedtimes": 16, "mail": true, "level": 15, "description": "Malware Network connection Possible RAT", "groups": [ "windows", "sysmon", "sysmon_event3" ], "id": "102504" }, "decoder": { "name": "windows_eventchannel" }, "full_log": 
"{\"win\":{\"system\":{\"providerName\":\"Microsoft-Windows-Sysmon\",\"providerGuid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\",\"eventID\":\"3\",\"version\":\"5\",\"level\":\"4\",\"task\":\"3\",\"opcode\":\"0\",\"keywords\":\"0x8000000000000000\",\"systemTime\":\"2024-04-25T13:37:50.4349788Z\",\"eventRecordID\":\"48110\",\"processID\":\"4648\",\"threadID\":\"6256\",\"channel\":\"Microsoft-Windows-Sysmon/Operational\",\"computer\":\"DESKTOP-AIV84IF\",\"severityValue\":\"INFORMATION\",\"message\":\"\\\"Network connection detected:\\r\\nRuleName: technique_id=T1571,technique_name=Non-Standard Port\\r\\nUtcTime: 2024-04-25 13:37:48.077\\r\\nProcessGuid: {e9487774-5c79-662a-3900-000000000900}\\r\\nProcessId: 2928\\r\\nImage: C:\\\\Windows\\\\System32\\\\svchost.exe\\r\\nUser: NT AUTHORITY\\\\NETWORK SERVICE\\r\\nProtocol: udp\\r\\nInitiated: false\\r\\nSourceIsIpv6: true\\r\\nSourceIp: ff02:0:0:0:0:0:0:fb\\r\\nSourceHostname: -\\r\\nSourcePort: 5353\\r\\nSourcePortName: -\\r\\nDestinationIsIpv6: true\\r\\nDestinationIp: fe80:0:0:0:b81d:47ff:fea7:4c04\\r\\nDestinationHostname: -\\r\\nDestinationPort: 5353\\r\\nDestinationPortName: -\\\"\"},\"eventdata\":{\"ruleName\":\"technique_id=T1571,technique_name=Non-Standard Port\",\"utcTime\":\"2024-04-25 13:37:48.077\",\"processGuid\":\"{e9487774-5c79-662a-3900-000000000900}\",\"processId\":\"2928\",\"image\":\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\",\"user\":\"NT AUTHORITY\\\\\\\\NETWORK SERVICE\",\"protocol\":\"udp\",\"initiated\":\"false\",\"sourceIsIpv6\":\"true\",\"sourceIp\":\"ff02:0:0:0:0:0:0:fb\",\"sourcePort\":\"5353\",\"destinationIsIpv6\":\"true\",\"destinationIp\":\"fe80:0:0:0:b81d:47ff:fea7:4c04\",\"destinationPort\":\"5353\"}}}", "input": { "type": "log" }, "@timestamp": "2024-04-25T13:37:52.756Z", "location": "EventChannel", "id": "1714052272.64248324", "timestamp": "2024-04-25T15:37:52.756+0200", "_id": "7nZ6FY8B8CGDjqqzHupS" }
```

Luciano Gorza

Apr 26, 2024, 12:46:02 PM
to Wazuh | Mailing List
Hi VT,

From what I can see, the rules are fine.
For the case of the attached alert, perhaps you can add port 5353 to the "etc/lists/common-ports" list and then identify the false positive using another match.
If you would be so kind, could you please explain in which cases it is a false positive and in which cases it is not? Do you have a sample log for each case?

Thanks,

On Friday, April 26, 2024 at 4:38:46 AM UTC-3 VT wrote:
Hi Luciano,

This is the parent 102503 rule:

```
<rule id="102503" level="15">
  <if_group>sysmon_event3</if_group>
  <list field="win.eventdata.destinationPort" lookup="not_address_match_key">etc/lists/common-ports</list>
  <description>Sysmon - Event 3: Network connection to Uncommon Port by $(win.eventdata.image)</description>
  <options>no_full_log</options>
  <group>sysmon_event3,</group>
</rule>
```
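The two options on the table in this thread are (a) adding port 5353 to the `etc/lists/common-ports` CDB list, which silences rule 102503 for every process and every destination on that port, and (b) a narrower exception that only fires for genuine mDNS traffic. The following script is an added example, not code from the thread or from Wazuh: it models rule 102503's list lookup as a plain key-membership test over a constructed CDB list (an assumption; the real `not_address_match_key` lookup is Wazuh's), uses the field values from the Sysmon Event 3 alert quoted above, and adds a second, constructed event (`example.exe`, unicast addresses) to show what the port-wide whitelist would also hide.

```python
# Added example (not from the thread or from Wazuh): compare a port-wide
# CDB whitelist with a narrow mDNS exception for Sysmon Event 3 alerts.
import ipaddress

# Constructed CDB list in Wazuh's "key:value" line format. Only the keys
# matter for a *_match_key lookup; the values are informational.
COMMON_PORTS_CDB = """53:dns
80:http
123:ntp
443:https
"""

# Event fields taken from the alert quoted in the thread (other fields dropped).
MDNS_EVENT = {"win": {"eventdata": {
    "image": "C:\\Windows\\System32\\svchost.exe",
    "protocol": "udp",
    "initiated": "false",
    "sourceIp": "ff02:0:0:0:0:0:0:fb",
    "sourcePort": "5353",
    "destinationIp": "fe80:0:0:0:b81d:47ff:fea7:4c04",
    "destinationPort": "5353",
}}}

# Constructed event: an unrelated process talking unicast UDP to port 5353.
# Image path and addresses are invented for the example.
UNICAST_5353_EVENT = {"win": {"eventdata": {
    "image": "C:\\Users\\Public\\example.exe",
    "protocol": "udp",
    "initiated": "true",
    "sourceIp": "192.168.10.170",
    "sourcePort": "51000",
    "destinationIp": "192.168.10.200",
    "destinationPort": "5353",
}}}

# mDNS multicast groups (RFC 6762): IPv4 224.0.0.251 and IPv6 ff02::fb.
MDNS_GROUPS = {ipaddress.ip_address("224.0.0.251"), ipaddress.ip_address("ff02::fb")}


def load_cdb_keys(text):
    """Return the set of keys from a CDB list ("key:value" per line)."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            keys.add(line.split(":", 1)[0])
    return keys


def uncommon_port_rule_fires(event, cdb_keys):
    """Mirror rule 102503: fire when destinationPort is NOT a key in the list."""
    return event["win"]["eventdata"]["destinationPort"] not in cdb_keys


def is_mdns_traffic(event):
    """Narrow exception: UDP to port 5353 where either endpoint is an mDNS
    multicast group. Both endpoints are checked because Sysmon reports the
    group address as *source* for inbound (initiated=false) datagrams, as in
    the quoted alert."""
    e = event["win"]["eventdata"]
    if e.get("protocol") != "udp" or e.get("destinationPort") != "5353":
        return False
    seen = set()
    for key in ("sourceIp", "destinationIp"):
        try:
            seen.add(ipaddress.ip_address(e.get(key, "")))
        except ValueError:
            pass  # missing or malformed address: never treat as mDNS
    return bool(seen & MDNS_GROUPS)


def triage(event, cdb_text):
    """Verdict for one event: 'no-alert', 'suppressed-mdns', or 'alert'."""
    if not uncommon_port_rule_fires(event, load_cdb_keys(cdb_text)):
        return "no-alert"
    if is_mdns_traffic(event):
        return "suppressed-mdns"
    return "alert"


if __name__ == "__main__":
    widened = COMMON_PORTS_CDB + "5353:mdns\n"
    for name, ev in (("svchost mDNS", MDNS_EVENT), ("unicast 5353", UNICAST_5353_EVENT)):
        print(f"{name:13} original list: {triage(ev, COMMON_PORTS_CDB):16} "
              f"with 5353 added: {triage(ev, widened)}")
```

With the original list the svchost mDNS event is recognised and suppressed while the unicast event still alerts; once 5353 is added to the CDB list both become "no-alert". Keying the exception on protocol, port and the multicast group address rather than on the executable path also avoids exempting every connection made by anything that happens to be named `svchost.exe`.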