reduce false positives in credential manager, credit-card parsing, an… #1123

Open

akshat4703 wants to merge 3 commits into mandiant:master from akshat4703:akshat/fix-rules

Conversation

@akshat4703

Summary

This PR reduces false positives across three capa rules while preserving existing positive detections.

The changes tighten matching logic and add structural gating to better distinguish malicious behavior from benign patterns.

Issues

Closes #1030
Closes #1088
Closes #897
Closes #1090


Changes

1. Tighten vaultcmd matching

Rule:

  • collection/acquire-credentials-from-windows-credential-manager.yml

Change:

  • From:
    • string: /vaultcmd(\.exe)?/
  • To:
    • string: /\bvaultcmd(\.exe)?\b/i

Rationale:
Adds word-boundary anchoring to prevent substring false positives (e.g., security-vaultcmd_...) while maintaining case-insensitive matching.


2. Strengthen credit card sentinel logic

Rule:

  • collection/credit-card/parse-credit-card-information.yml

Change:

  • Require ('^' or ';') plus two or more additional credit-card sentinels.

Rationale:
Reduces delimiter-only matches and prevents generic pattern false positives (including the mimikatz case) while preserving valid track-style detections.


3. Add PE-header structural gate

Rule:

  • load-code/pe/enumerate-pe-sections.yml

Change:

  • Added:
    • match: parse PE header

Rationale:
Ensures section-offset logic only applies to confirmed PE files, reducing struct-pattern false positives (including the mimikatz case).


Validation

Formatting

  • Verified with capafmt.py

Linting

  • Verified with lint.py --thorough
  • No linter errors introduced

Positive Coverage Retained

  • acquire credentials from Windows Credential Manager
  • parse credit card information
  • enumerate PE sections

All previously matching test samples continue to match.

False Positive Improvements

  • parse credit card information no longer matches mimikatz.exe
  • enumerate PE sections no longer matches mimikatz.exe

Please let me know if you'd prefer alternative gating logic or additional sample coverage.
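The word-boundary change in item 1, as an added check that is not part of this PR or of capa's own code: both patterns are transcribed into Python re objects and run over constructed strings. It assumes capa evaluates a regex string feature with re.search semantics, and it compiles both patterns with the i flag, since the rationale says case-insensitive matching is maintained, so the only difference under test is the \b anchoring.

```python
import re

# The two patterns from item 1 of this PR, transcribed from capa's /pattern/flags
# syntax into Python re objects. Assumption: both compiled with IGNORECASE, since
# the PR rationale says case-insensitive matching is maintained, so the only
# difference under test is the \b anchoring.
OLD_PATTERN = re.compile(r"vaultcmd(\.exe)?", re.IGNORECASE)
NEW_PATTERN = re.compile(r"\bvaultcmd(\.exe)?\b", re.IGNORECASE)

# Constructed sample strings (not from capa's test corpus), mapped to whether
# the rule should fire on them.
SAMPLES = {
    'vaultcmd.exe /listcreds:"Windows Credentials" /all': True,  # typical invocation
    "VAULTCMD.EXE /list": True,                                  # case variant
    "C:\\Windows\\System32\\vaultcmd /list": True,               # '\' is a boundary
    "security-vaultcmd_helper.dll": False,                       # substring FP cited in the PR
    "myvaultcmdwrapper": False,                                  # embedded in an identifier
    "libvaultcmd.so": False,
}


def matches(pattern: re.Pattern, s: str) -> bool:
    """Assumed capa semantics: a regex feature fires if it matches anywhere in s."""
    return pattern.search(s) is not None


def evaluate(pattern: re.Pattern) -> tuple[list[str], list[str], list[str]]:
    """Return (true positives, false positives, false negatives) over SAMPLES.

    \\b treats '_' as a word character, which is why 'security-vaultcmd_' is
    suppressed: there is no boundary between the trailing 'd' and the '_'.
    """
    tp = [s for s, want in SAMPLES.items() if want and matches(pattern, s)]
    fp = [s for s, want in SAMPLES.items() if not want and matches(pattern, s)]
    fn = [s for s, want in SAMPLES.items() if want and not matches(pattern, s)]
    return tp, fp, fn


if __name__ == "__main__":
    for name, pattern in (("old", OLD_PATTERN), ("new", NEW_PATTERN)):
        tp, fp, fn = evaluate(pattern)
        print(f"{name}: {len(tp)} TP, {len(fp)} FP, {len(fn)} FN; FPs={fp}")
```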

@google-cla

google-cla bot commented Feb 23, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

Commit: reduce false positives in credential manager, credit-card parsing, and PE section enumeration
@williballenthin
Collaborator

@akshat4703 I'm not comfortable considering these changes without references/test files that show this behavior works better than what we had before. Please try to find some cases and help demonstrate how this PR improves the situation.

@akshat4703
Author

Thank you for the feedback — I’ve incorporated the suggestions.

Updates:

  1. Added explicit meta.references entries to each modified rule.
  2. Performed local old-vs-new comparisons using the previous ruleset versus this branch to validate behavior changes.

Key Improvements (Validated Locally)

  1. parse credit card information
    a. Previously matched on mimikatz.exe_ (false positive).
    b. With this branch: no longer matches (FP reduced).
    c. Expected positive sample 1d8fd13c890060464019c0f07b928b1a continues to match.

  2. enumerate PE sections
    a. Previously matched on mimikatz.exe_ (false positive).
    b. With this branch: no longer matches (FP reduced).
    c. Expected positive sample e4c33ac3638eef68311f8ac0d72483c7 continues to match.

  3. No regressions observed for:
    a. discover group policy via gpresult
    b. acquire credentials via vaultcmd
    c. persist via Windows service
