Link to Rule
Rule Tuning Type
False Positives - Reducing benign events mistakenly identified as threats.
Description
Hey guys! I have seen this alert in my environment generate false positives quite consistently due to the 32-bit ver of WmiPrvSE, contained within "C:\Windows\SysWOW64\wbem\WmiPrvSE.exe".
This creates an issue where the investigation depends on pinpointing the exact source hidden behind the WMI calls AND makes creating custom exclusions impossible as the source process will always be the WMI provider host.
I see that the 64-bit version of the provider is included in the built-in exclusions already ("?:\Windows\system32\wbem\WmiPrvSE.exe").
So my question is, was the 32-bit version left out for some particular reason or just an oversight?
Thanks.
Example Data
Current exclusions:
/* Common Noisy False Positives */
and not winlog.event_data.ProcessName : (
"?:\\Program Files\\*.exe",
"?:\\Program Files (x86)\\*.exe",
"?:\\Windows\\system32\\wbem\\WmiPrvSE.exe",
"?:\\Windows\\System32\\dllhost.exe",
"?:\\Windows\\System32\\svchost.exe",
"?:\\Windows\\System32\\msiexec.exe",
"?:\\ProgramData\\Microsoft\\Windows Defender\\*.exe",
"?:\\Windows\\explorer.exe",
"?:\\Windows\\System32\\poqexec.exe")
Suggested update (adding the 32-bit provider):
/* Common Noisy False Positives */
and not winlog.event_data.ProcessName : (
"?:\\Program Files\\*.exe",
"?:\\Program Files (x86)\\*.exe",
"?:\\Windows\\system32\\wbem\\WmiPrvSE.exe",
"?:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe",
"?:\\Windows\\System32\\dllhost.exe",
"?:\\Windows\\System32\\svchost.exe",
"?:\\Windows\\System32\\msiexec.exe",
"?:\\ProgramData\\Microsoft\\Windows Defender\\*.exe",
"?:\\Windows\\explorer.exe",
"?:\\Windows\\System32\\poqexec.exe")
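As an added illustration (not code from the issue or from the detection-rules project), the following Python matcher applies the exclusion list's wildcard semantics (`?` one character, `*` any run) to constructed ProcessName values and shows that the current list leaves the SysWOW64 provider host alerting while the suggested list suppresses it without hiding an unrelated process. Case-insensitive matching and the sample paths are assumptions made here for the demonstration.

```python
import re

# Exclusion list as it appears in the rule today (copied from the issue).
CURRENT_EXCLUSIONS = [
    r"?:\Program Files\*.exe",
    r"?:\Program Files (x86)\*.exe",
    r"?:\Windows\system32\wbem\WmiPrvSE.exe",
    r"?:\Windows\System32\dllhost.exe",
    r"?:\Windows\System32\svchost.exe",
    r"?:\Windows\System32\msiexec.exe",
    r"?:\ProgramData\Microsoft\Windows Defender\*.exe",
    r"?:\Windows\explorer.exe",
    r"?:\Windows\System32\poqexec.exe",
]

# The issue's proposed change: the same list plus the 32-bit provider host.
SUGGESTED_EXCLUSIONS = CURRENT_EXCLUSIONS + [r"?:\Windows\SysWOW64\wbem\WmiPrvSE.exe"]


def wildcard_to_regex(pattern):
    # '?' matches exactly one character, '*' any run; everything else is literal.
    # Case-insensitive matching is an assumption made for this illustration.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("^" + body + "$", re.IGNORECASE)


def is_excluded(process_name, exclusions):
    # True when ProcessName matches any pattern, i.e. the rule would NOT alert on it.
    return any(wildcard_to_regex(p).match(process_name) for p in exclusions)


def still_alerting(process_names, exclusions):
    # ProcessName values the rule would still fire on after applying the exclusions.
    return [p for p in process_names if not is_excluded(p, exclusions)]


# Constructed sample ProcessName values for the demonstration, not real telemetry.
SAMPLE_PROCESS_NAMES = [
    r"C:\Windows\System32\wbem\WmiPrvSE.exe",      # 64-bit provider host, already excluded
    r"C:\Windows\SysWOW64\wbem\WmiPrvSE.exe",      # 32-bit provider host from the issue
    r"D:\Program Files\Vendor\agent.exe",          # shows the '?:' drive-letter wildcard
    r"C:\Users\bob\AppData\Local\Temp\tool.exe",   # unrelated process that must keep alerting
]

if __name__ == "__main__":
    for label, exclusions in (("current", CURRENT_EXCLUSIONS), ("suggested", SUGGESTED_EXCLUSIONS)):
        print(label, "->", still_alerting(SAMPLE_PROCESS_NAMES, exclusions))
```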