Merge pull request #4340 from phantinuss/fpfix

fix: FPs found in testing env
SigmaHQ · Jul 12, 2023 · b8a6a7c · b8a6a7c
2 parents c0332a9 + 835dda9
commit b8a6a7c
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 4 deletions.
diff --git a/rules/windows/builtin/application/Other/win_av_relevant_match.yml b/rules/windows/builtin/application/Other/win_av_relevant_match.yml
@@ -8,7 +8,7 @@ references:
     - https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2017/02/19
-modified: 2023/02/03
+modified: 2023/07/04
 tags:
     - attack.resource_development
     - attack.t1588
@@ -95,6 +95,8 @@ detection:
         - 'cyber-protect-service.exe'
     filter_optional_information:
         Level: 4  # Information level
+    filter_optional_restartmanager:
+        Provider_Name: 'Microsoft-Windows-RestartManager'
     condition: keywords and not 1 of filter_optional_*
 falsepositives:
     - Some software piracy tools (key generators, cracks) are classified as hack tools

diff --git a/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml b/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml
@@ -6,7 +6,7 @@ references:
     - https://github.com/Wh04m1001/SysmonEoP
 author: frack113, Tim Shelton (update fp)
 date: 2022/12/05
-modified: 2023/03/20
+modified: 2023/07/04
 tags:
     - attack.privilege_escalation
     - attack.defense_evasion
@@ -68,6 +68,10 @@ detection:
     filter_ibm_spectrumprotect:
         ParentImage|startswith: 'C:\IBM\SpectrumProtect\webserver\scripts\'
         CommandLine|contains: 'C:\IBM\SpectrumProtect\webserver\scripts\'
+    filter_msiexec:
+        ParentImage: 'C:\Windows\SysWOW64\msiexec.exe'
+        ParentCommandLine|startswith: 'C:\Windows\syswow64\MsiExec.exe -Embedding'
+        CommandLine|contains: '\RegisterMicrosoftUpdate.ps1'
     filter_empty_parent_1:
         CommandLine: "powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';"  # Most probably SetupHost.exe during Windows updates/upgrades; See comment on rule id: f4bbd493-b796-416e-bbf2-121235348529
     filter_empty_parent_2:

diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml
@@ -11,7 +11,7 @@ references:
     - https://twitter.com/jonasLyk/status/1555914501802921984
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/06
-modified: 2022/12/12
+modified: 2023/07/05
 tags:
     - attack.defense_evasion
     - attack.t1564.004
@@ -40,12 +40,13 @@ detection:
             - '~2.js'
             - '~2.hta'
     filter:
+        - ParentImage: 'C:\Windows\explorer.exe'
         - ParentImage|endswith:
             - '\WebEx\WebexHost.exe'
             - '\thor\thor64.exe'
             - '-installer.exe'  # e.g. C:\Users\neo\Downloads\xampp-windows-x64-8.1.6-0-VS16-installer.exe
+        - Image: 'C:\PROGRA~1\WinZip\WZPREL~1.EXE'
         - Image|contains: '\vcredi'
-        - ParentImage: 'C:\Windows\explorer.exe'
     condition: selection and not filter
 falsepositives:
     - Unknown