Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reporting false positive: Synology Drive Client #214

Open
NikGnuel opened this issue Nov 9, 2022 · 2 comments
Open

Reporting false positive: Synology Drive Client #214

NikGnuel opened this issue Nov 9, 2022 · 2 comments

Comments

@NikGnuel
Copy link

NikGnuel commented Nov 9, 2022

Reporting false positive: Synology Drive Client
Alert: MODULE: ProcessScan MESSAGE: Yara Rule MATCH: EXPL_LOG_CVE_2021_27065_Exchange_Forensic_Artefacts_Mar21_1 PID: 10680 NAME: cloud-drive-daemon.exe OWNER: Admin CMD: C:\Users\Admin\AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-daemon.exe C:/Users/Admin/AppData/Local/SynologyDrive/data/config/client.conf 50016 PATH: C:\Users\Admin\AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-daemon.exe
Alert: MODULE: ProcessScan MESSAGE: Yara Rule MATCH: LOG_Exchange_Forensic_Artefacts_CleanUp_Activity_Mar21_1 PID: 10680 NAME: cloud-drive-daemon.exe OWNER: Admin CMD: C:\Users\Admin\AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-daemon.exe C:/Users/Admin/AppData/Local/SynologyDrive/data/config/client.conf 50016 PATH: C:\Users\Admin\AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-daemon.exe
Alert: MODULE: ProcessScan MESSAGE: Yara Rule MATCH: WiltedTulip_ReflectiveLoader PID: 10680 NAME: cloud-drive-daemon.exe OWNER: Admin CMD: C:\Users\Admin\AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-daemon.exe C:/Users/Admin/AppData/Local/SynologyDrive/data/config/client.conf 50016 PATH: C:\Users\Admin\AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-daemon.exe
Alert: MODULE: ProcessScan MESSAGE: Yara Rule MATCH: PowerShell_ISESteroids_Obfuscation PID: 10680 NAME: cloud-drive-daemon.exe OWNER: Admin CMD: C:\Users\Admin\AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-daemon.exe C:/Users/Admin/AppData/Local/SynologyDrive/data/config/client.conf 50016 PATH: C:\Users\Admin\AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-daemon.exe
@phantinuss
Copy link
Collaborator

This is not the full alert message. Can you provide the full events including the match-strings?

Do the rules match reproducibly? The match is in-memory on the process. Maybe some clear-text IOCs are synced and the process had them in-memory at the time. Is that possible?

@Neo23x0
Copy link
Owner

Neo23x0 commented Nov 9, 2022
edited
Loading

I'm pretty sure that the service somehow copied the contents of clear text YARA rules into his own memory. (e.g. to sync the signature files of LOKI to the Synology drive)

If that's the case, it is expected behaviour.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Neo23x0 @phantinuss @NikGnuel