
Updated to exclude false positives from common CLI searches like "fin… #5209

Open
wants to merge 1 commit into
base: master
Conversation

kagebunsher

…dstr /i eyJ0eX".

Summary of the Pull Request

The original rule generated too many false positives because it simply looked for the presence of JWT tokens (eyJ0eX or eyJhbG) anywhere in the command line. This caused benign processes—especially those involving legitimate use of JWTs—to be flagged unnecessarily.

For instance, in the example provided, the token is used as a query parameter in a legitimate process (such as opening a link in a browser), and there is no indication of malicious activity. Attackers often use tools like findstr to search for tokens within process memory dumps (e.g., strings64.exe WINWORD.EXE.dmp | findstr /i eyJ0eX). Consequently, just seeing a JWT in the command line is insufficient to consider it malicious or suspicious.

By requiring the presence of findstr together with the JWT token pattern (e.g., eyJ0eX), the new rule focuses on the actual technique attackers typically use:

  • Dumping process memory (using tools such as strings64.exe),
  • Searching for JWT tokens with findstr.

This approach reduces false positives while still detecting malicious behavior. In other words, the updated rule is more precise because it only triggers when a suspect JWT search command (findstr) occurs rather than every instance of JWT usage.

I don't want to just edit this rule, it really produces a lot of false positives.
I would appreciate it if you could write my nickname (kagebunsher) somewhere in the rule.

Changelog

  • update: description - Edited according to the new code.
  • delete: new: detection:selection:CommandLine|contains - It increases the false positive rate.
  • new: detection:selection:CommandLine|regex - The regex containing findstr was written to include all jwt starts already in the code.

Example Log Event

I can't provide the event log. The following log would normally be found, but will not be detected due to the enhancement, which is now FP-reduced.

Processes.parent_process="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
Processes.parent_process_name="OUTLOOK.EXE",
Processes.process=""C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument ?tk=&languageId=1",
Processes.process_exec="msedge.exe",
Processes.process_name="msedge.exe",
Processes.user="",

Fixed Issues

6d3a3952-6530-44a3-8554-cf17c116c615

SigmaHQ Rule Creation Conventions

  • My PR doesn't add new rules.

@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels Feb 24, 2025

@github-actions github-actions bot left a comment


Welcome @kagebunsher 👋

It looks like this is your first pull request on the Sigma rules repository!

Please make sure to read the SigmaHQ conventions document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.

Thanks again, and welcome to the Sigma community! 😃

Comment on lines +21 to +23
CommandLine|regex:
- '(?i)findstr.*(?i)eyJhbG[a-zA-Z0-9]*'
- '(?i)findstr.*(?i)eyJ0eX[a-zA-Z0-9]*'
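Review bot: in both regexes on lines +21 to +23 the second `(?i)` is redundant, since the leading `(?i)` already applies to the whole pattern, and some engines (Python 3.11+, for one) reject a global inline flag that is not at the start of the expression, so it can break conversion for those backends; the trailing `[a-zA-Z0-9]*` can match the empty string and therefore never restricts a match. The two lines are equivalent to `(?i)findstr.*eyJhbG` and `(?i)findstr.*eyJ0eX`, or a single `(?i)findstr.*eyJ(?:hbG|0eX)`. Note also that the global `(?i)` makes the base64 header prefix itself case-insensitive (`EYJ0EX` would match) even though base64 is case-sensitive.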


This will reduce the coverage by a lot and invalidate the original logic of the rule.

findstr is only one of many ways one could search for these strings, do not take only public reporting as a use case.

If you say this is creating a lot of FPs. Please provide some anonymized examples. As the presence of JWT in CLI is common but limited and can be excluded.

We could downgrade it to low and/or move it as a hunting rule, if necessary and after seeing some data if possible.
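To make the trade-off in this thread concrete, the following added Python sketch (not part of the PR or the SigmaHQ repository) runs three variants against constructed command lines: the original `contains` logic from the rule, the PR's findstr regexes, and the exclusion-based alternative the reviewer suggests. The sample command lines, the `example.invalid` URL and the benign-exclusion pattern are assumptions modelled on the log event and the review comment.

```python
import re

# Constructed sample command lines (assumptions modelled on the thread; not real telemetry).
SAMPLES = {
    # Benign: a JWT passed as a query parameter when Outlook opens a link in Edge.
    "benign_browser": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                      r'--single-argument https://example.invalid/?tk=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9&languageId=1',
    # The technique the PR targets: grep a memory dump for a JWT header prefix with findstr.
    "memdump_findstr": r'cmd.exe /c strings64.exe WINWORD.EXE.dmp | findstr /i eyJ0eX',
    # Same technique with a different search tool; this is the reviewer's coverage concern.
    "memdump_select_string": r'powershell.exe -c "strings64.exe WINWORD.EXE.dmp | Select-String eyJhbG"',
}

JWT_PREFIXES = ("eyJ0eX", "eyJhbG")  # base64 of '{"typ' and '{"alg'


def original_rule(cmdline: str) -> bool:
    """Original logic: CommandLine|contains either prefix (Sigma string matching is case-insensitive)."""
    low = cmdline.lower()
    return any(p.lower() in low for p in JWT_PREFIXES)


# The PR's regexes. Sigma writes the flag inline as (?i); Python 3.11+ rejects a mid-pattern
# (?i), so the flag is passed via re.IGNORECASE instead, which is equivalent for these patterns.
PR_PATTERNS = [re.compile(r"findstr.*eyJhbG[a-zA-Z0-9]*", re.IGNORECASE),
               re.compile(r"findstr.*eyJ0eX[a-zA-Z0-9]*", re.IGNORECASE)]


def pr_rule(cmdline: str) -> bool:
    """PR logic: fire only when findstr precedes a JWT prefix on the command line."""
    return any(p.search(cmdline) for p in PR_PATTERNS)


# Alternative from the review comment: keep the broad match, exclude the known-benign shape.
# This exclusion is an assumed example for the Edge/Outlook case, not a vetted filter.
BENIGN_FILTER = re.compile(r"msedge\.exe.*--single-argument\s+\S*[?&]tk=eyJ", re.IGNORECASE)


def excluded_rule(cmdline: str) -> bool:
    """Original match minus the benign exclusion: keeps coverage, drops the known FP shape."""
    return original_rule(cmdline) and not BENIGN_FILTER.search(cmdline)


def evaluate(samples=SAMPLES):
    """Return {name: (original, pr, excluded)} so the three behaviours can be compared."""
    return {n: (original_rule(c), pr_rule(c), excluded_rule(c)) for n, c in samples.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:22s} original={verdict[0]} pr={verdict[1]} excluded={verdict[2]}")
```

The benign browser launch is caught only by the original logic, the findstr case by all three, and the Select-String case by everything except the PR's regexes, which is the coverage loss the review points out.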

@nasbench nasbench added the Author Input Required changes the require information from original author of the rules label Feb 25, 2025