
fix(932370): remove url from Windows LOLBIN command list#4587

Merged
fzipi merged 2 commits into
coreruleset:mainfrom
zoutjebot:fix/932370-remove-url
Apr 8, 2026

Conversation

@zoutjebot
Contributor

What

Remove url from the Windows living-off-the-land binary list in rule 932370.

Why

The word 'url' appears in countless legitimate contexts: URL parameters, API fields, form data, content descriptions. This makes it a significant FP source.

The actual Windows url.dll exploitation is already covered by other patterns that include the full invocation context (rundll32 url.dll,FileProtocolHandler).

Files changed

  • regex-assembly/932370.ra — removed url entry
  • rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf — regenerated via crs-toolchain

Refs: #4584
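A stand-alone before/after check of the behaviour described in this PR, added here as an illustration (not CRS code): the two LOLBIN alternations and the url.dll context pattern are simplified, constructed stand-ins for rule 932370 and for the existing full-invocation pattern, and the request fragments are constructed samples.

```python
import re

# Constructed, simplified stand-ins for the relevant parts of rule 932370.
# They are NOT the regex that crs-toolchain generates from regex-assembly/932370.ra.
_BOUNDARY = r"[^a-z0-9._-]"

# Windows LOLBIN command list, word-bounded. BEFORE the fix it contains a bare 'url'.
LOLBIN_BEFORE = re.compile(rf"(?i)(?:^|{_BOUNDARY})(?:certutil|rundll32|url)(?:{_BOUNDARY}|$)")
# AFTER the fix the bare 'url' entry is gone.
LOLBIN_AFTER = re.compile(rf"(?i)(?:^|{_BOUNDARY})(?:certutil|rundll32)(?:{_BOUNDARY}|$)")

# Full-invocation pattern for url.dll, standing in for the existing pattern the PR
# says already covers the real abuse case (constructed for this example).
URL_DLL_CONTEXT = re.compile(r"(?i)rundll32(?:\.exe)?\s+url\.dll\s*,\s*FileProtocolHandler")

# Constructed request fragments: (payload, is_attack). The first two are legitimate
# traffic that the bare 'url' entry flagged; the rest are genuine LOLBIN invocations.
CASES = [
    ("GET /redirect?url=https://example.com/", False),            # query parameter
    ('{"url": "https://api.example.com/v1/items"}', False),       # JSON API field
    ("rundll32 url.dll,FileProtocolHandler", True),               # the real url.dll abuse
    ("rundll32.exe url.dll,FileProtocolHandler", True),           # carried by the context pattern
    ("certutil -urlcache -split -f http://example.test/a", True), # unrelated entry, untouched
]


def flagged(payload: str, lolbin_list: re.Pattern) -> bool:
    """True if either the LOLBIN word list or the url.dll context pattern fires."""
    return bool(lolbin_list.search(payload) or URL_DLL_CONTEXT.search(payload))


def evaluate(cases=CASES):
    """Return (false positives before, false positives after, attacks missed after)."""
    fp_before = [p for p, attack in cases if not attack and flagged(p, LOLBIN_BEFORE)]
    fp_after = [p for p, attack in cases if not attack and flagged(p, LOLBIN_AFTER)]
    misses_after = [p for p, attack in cases if attack and not flagged(p, LOLBIN_AFTER)]
    return fp_before, fp_after, misses_after


if __name__ == "__main__":
    fp_b, fp_a, miss = evaluate()
    print(f"FPs before: {len(fp_b)}, FPs after: {len(fp_a)}, attacks missed after: {len(miss)}")
```

The negative cases are the kind of positive/negative pair the reviewer asks for below: the query-parameter and JSON samples must not match after the change, while the url.dll invocations still do.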

@github-actions
Contributor

github-actions Bot commented Mar 30, 2026

📊 Quantitative test results for language: eng, year: 2023, size: 10K, paranoia level: 1:
🚀 Quantitative testing did not detect new false positives

@HackingRepo
Contributor

HackingRepo commented Mar 30, 2026

Yes, that is an extremely important PR you opened; if ?url= will cause FPs, it needs to be merged to the LTS.

Member

@fzipi fzipi left a comment


Can you add tests? Positive and negative, so we cover both cases. Thanks!

Zoutje and others added 2 commits April 5, 2026 17:02
The 'url' entry in the Windows command list causes frequent false
positives because 'url' appears in many legitimate contexts (URL
parameters, API fields, content descriptions).

The actual Windows url.dll is already covered by other patterns that
include the full invocation context (rundll32 url.dll, etc.).

Refs: coreruleset#4584
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@fzipi fzipi force-pushed the fix/932370-remove-url branch from a76afd8 to f28854b Compare April 5, 2026 20:02
@fzipi fzipi added this pull request to the merge queue Apr 8, 2026
Merged via the queue into coreruleset:main with commit 3d23ebe Apr 8, 2026
8 checks passed