Rule incorrectly identifies our driver (Topaz Systems - www.topazsystems.com) as using Windows Credential Editor

[m1keam]

Rule UUID

7aa7009a-28b9-4344-8c1f-159489a390df

Example EventLog

logsource:
category: process_creation
product: windows
detection:
selection_1:
Hashes|contains: # Sysmon field hashes contains all types
- IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f
- IMPHASH=e96a73c7bf33a464c510ede582318bf2
selection_2:
CommandLine|endswith: '.exe -S'
ParentImage|endswith: '\services.exe'
filter:
Image|endswith: '\clussvc.exe'
condition: 1 of selection_* and not filter
falsepositives:
- Another service that uses a single -s command line switch

Description

Our driver loads as "atwusb.exe -s". This tells it to load at system level to be able to access user context of current session for mapping the displays. It also supports other switches and can load in the user context. The driver is developed for us by Viewsonic. It makes NO USE of Windows Credential Editor. Have they posted a request?

[github-actions]

Welcome @m1keam 👋

It looks like this is your first issue on the Sigma rules repository!

The following repository accepts issues related to false positives or 'rule ideas'.

If you're reporting an issue related to the pySigma library please consider submitting it here

If you're reporting an issue related to the deprecated sigmac library please consider submitting it here

Thanks for taking the time to open this issue, and welcome to the Sigma community! 😃

[nasbench]

Hey that specific selection is prone to false positive indeed and cannot be classified as a critical indicator. I will get it fixed soon. Thanks for reporting.