Part 5 - Reducing False Positives

This section is an additional part that explains the false positive detection of the svchost rule test. It helps refine the rule to reduce unnecessary alerts.

False Positive Tuning in SOC Analysis

1. Understanding False Positives in SOC Analysis

• False positives are a major challenge for SOC analysts.

• Detection rules might not always be fine-tuned for a specific environment.

• Some alerts may be generated even when there is no real threat.

---

2. Example of a Poorly Written Detection Rule

• The example rule detects any svchost.exe execution, which is too broad.

• svchost.exe is a legitimate system process that runs frequently on Windows.

• This leads to many false positives, flooding the SOC console.

But first, What is svchost.exe?

svchost.exe (Service Host) is a Windows system process that runs multiple services to optimize performance.

Why is it Important?

• Legit Path: ✅ C:\Windows\System32\svchost.exe

• Suspicious Path: ❌ C:\Users\Public\svchost.exe, C:\Temp\svchost.exe

• Malware Trick: Hackers rename malware as svchost.exe and place it outside System32.

How to Detect Suspicious svchost.exe?

1. Check Path → Must be in C:\Windows\System32.

2. Analyze Command-Line → -k is normal; strange args are suspicious.

3. Monitor Network → Unexpected external connections = 🚨.

4. Watch Behavior → If svchost.exe launches PowerShell, investigate.

Rule:

1. Detect:

event: NEW_PROCESS
op: ends with
path: event/FILE_PATH
value: \svchost.exe 

This is a detection rule configuration that triggers an alert when a new process is created, and its file path ends with \svchost.exe. Here's a breakdown of each line:

1. event: NEW_PROCESS → This rule applies to new process creation events.

2. op: ends with → The condition checks if the process file path ends with a specific value.

3. path: event/FILE_PATH → The rule evaluates the file path of the newly created process.

4. value: \svchost.exe → The detection triggers when the file path ends with \svchost.exe.

2. Response :

  - action: report
  name: Suspicious svchost execution

• What It Does? Flags new processes ending with svchost.exe to detect suspicious activity.

• Action? Generates an alert for SOC analysts to review.

here is the detection

---

3. Now let's improve the Detection Rule: Click on Mark False Positive

• Instead of detecting all svchost.exe executions, refine the rule by:

  • Checking for unusual file paths (e.g., C:\Windows\Temp\svchost.exe).

  • Inspecting command-line arguments used during execution.

Improved Rule:

op: and
rules:
  - op: is
    path: cat
    value: Suspicious scvhost execution
  - op: is
    path: detect/event/FILE_PATH
    value: C:\Windows\System32\svchost.exe
  - op: contains
    path: detect/event/COMMAND_LINE
    value: -k

• The -k argument is expected for normal svchost.exe executions.

• This helps reduce false positives.

Trying to test the False Positive Detection: svchost Rule Test

• Select a false positive detection event from the SOC console.

• Copy the raw event data and test it against the new FP rule.

• If the rule matches, it means the detection will be suppressed.

• The rule triggered successfully, but the detection is too broad.

• It matched any svchost.exe execution with the -k parameter.

✅ Matched Conditions:

1. cat = Suspicious svchost execution → Rule triggered

2. FILE_PATH = C:\Windows\System32\svchost.exe → Common system file

3. COMMAND_LINE contains "-k" → Common Windows service argument

---

4. Refining the False Positive Rule

• Avoid using process hash in the False Positive rule because:

  • The hash could be change with system updates.

  • Relying on it can lead to missing future legitimate detections.

• Avoid using hostnames in the False Positive rule because:

  • We want the rule to apply to all systems, not just one specific host.

---

5. Deploying the False Positive Rule

• Once validated, save the FP rule.

• It will now automatically suppress normal svchost.exe executions.

• This reduces noise and allows analysts to focus on real threats.