Description
Getting a fair amount of odd detections against this rule:
rules/community/microsoft/windows/recon_suspicious_commands_cisa_report.yaral
None of them have target process command lines that match the regex blocks.
Example:
target.process.command_line = "\"opera.exe\" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --video-capture-use-gpu-memory-buffer --no-pre-read-main-dll --with-feature:cashback-assistant=on --with-feature:address-bar-dropdown-autocompleted-domains=on --with-feature:address-bar-dropdown-cities=on --with-feature:address-bar-dropdown-keyword-ads=on --with-feature:address-bar-keywords-monetization=on --with-feature:ai-tab-management=on --with-feature:ai-writing-mode-in-context-menu=on --with-feature:amp-requests-stats=on --with-feature:aria-in-tab-view=on --with-feature:bluesky-in-sidebar=on --with-feature:cashback-assistant=on --with-feature:continue-on-booking=on --with-feature:continue-on-shopping-via-amp=off --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-amazon-us-associates=off --with-feature:continue-shopping-explore=off --with-feature:continue-shopping-structured-partners=on --with-feature:discord-in-sidebar=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:hide-navigations-from-extensions=on --with-feature:keywords-from-backend=off --with-feature:native-crypto-wallet=on --with-feature:opera-startpage-special=on --with-feature:proxy-switcher-ui-default-visible=on --with-feature:realtime-impressions-reporting=on --with-feature:run-at-startup-default=off --with-feature:sd-suggestions-external=on --with-feature:shopping-corner=on --with-feature:sitecheck-age=on --with-feature:slack-in-sidebar=on --with-feature:specific-keywords=on --with-feature:startpage-opening-animation=off --with-feature:startpage-sync-banner-ref=on --with-feature:suggestion-redirect-handler=on --with-feature:installer-experiment-test=off --field-trial-handle=1940,i,9789469440981851426,12912846037641706350,262144 --disable-features=CertificateTransparencyAskBeforeEnabling,PlatformSoftwareH264EncoderInGpu,UpdatableKeyPins --variations-seed-version --mojo-platform-channel-handle=8608 /prefetch:14"
Has anyone got this working as expected in their environment? I did raise a support case but didn't really get anywhere. Happy to collaborate to get this functioning as intended, but thought I'd check to make sure I'm not missing something.
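A quick way to find out which regex in a multi-pattern rule is firing on a long browser command line is to run the command line through each pattern separately and report the matched text. The following Python helper is an added example, not code from the issue or from the rule repository. The two pattern sets are constructed assumptions for illustration (they are not the rule's actual regex blocks, which are not shown here), and the Opera command line is abridged from the one quoted above while keeping the tokens that matter for the comparison.

```python
import re

# Constructed sample input: an abridged copy of the Opera command line from the
# issue, plus a genuine recon command line for contrast.
OPERA_CMDLINE = (
    '"opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService '
    '--lang=en-US --with-feature:address-bar-keywords-monetization=on '
    '--with-feature:suggestion-redirect-handler=on --disable-features=UpdatableKeyPins '
    '--mojo-platform-channel-handle=8608 /prefetch:14'
)
RECON_CMDLINE = 'cmd.exe /c net user administrator /domain'

# Hypothetical "loose" patterns (assumption, not the rule's own): bare substrings.
# These fire on "monetization" and "redirect" inside the Opera command line.
LOOSE_PATTERNS = {
    "net": r"net",
    "dir": r"dir",
    "whoami": r"whoami",
}

# Hypothetical "strict" patterns (assumption, not the rule's own): the command
# must start at a token boundary (no preceding word character or hyphen) and,
# for net, be followed by a recon sub-command.
STRICT_PATTERNS = {
    "net": r"(?<![\w-])net1?(?:\.exe)?\s+(?:user|group|localgroup|view|share|use)\b",
    "dir": r"(?<![\w-])dir(?!\w)",
    "whoami": r"(?<![\w-])whoami(?:\.exe)?\b",
}


def matching_patterns(cmdline, patterns):
    """Return {pattern_name: matched_text} for every pattern that fires on cmdline."""
    hits = {}
    for name, pattern in patterns.items():
        m = re.search(pattern, cmdline, re.IGNORECASE)
        if m:
            hits[name] = m.group(0)
    return hits


def triage(cmdlines, patterns):
    """Map each command line to the patterns that fire, to compare two rule drafts side by side."""
    return {c: matching_patterns(c, patterns) for c in cmdlines}


if __name__ == "__main__":
    for label, patterns in (("loose", LOOSE_PATTERNS), ("strict", STRICT_PATTERNS)):
        print(f"== {label} patterns ==")
        for cmd, hits in triage([OPERA_CMDLINE, RECON_CMDLINE], patterns).items():
            print(f"{cmd[:40]!r:45} -> {hits}")
```

Running it shows the loose set firing on the Opera line via the substrings inside "monetization" and "redirect" while the strict set stays silent on it and still catches the net user command; feeding the full command line from a detection into matching_patterns with the rule's real regexes is the fastest way to confirm which block is responsible for a given false positive.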