From 835dda948414684be091c33e12536a179596a589 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 5 Jul 2023 10:30:40 +0200
Subject: [PATCH] fix: FPs found in testing env
---
 .../builtin/application/Other/win_av_relevant_match.yml | 4 +++-
 .../proc_creation_win_susp_elevated_system_shell.yml | 6 +++++-
 .../proc_creation_win_susp_ntfs_short_name_use_image.yml | 5 +++--
 3 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/rules/windows/builtin/application/Other/win_av_relevant_match.yml b/rules/windows/builtin/application/Other/win_av_relevant_match.yml
index 97f6ad74580..2f21f5ad3e5 100644
--- a/rules/windows/builtin/application/Other/win_av_relevant_match.yml
+++ b/rules/windows/builtin/application/Other/win_av_relevant_match.yml
@@ -8,7 +8,7 @@ references:
 - https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2017/02/19
-modified: 2023/02/03
+modified: 2023/07/04
 tags:
 - attack.resource_development
 - attack.t1588
@@ -95,6 +95,8 @@ detection:
 - 'cyber-protect-service.exe'
 filter_optional_information:
 Level: 4 # Information level
+ filter_optional_restartmanager:
+ Provider_Name: 'Microsoft-Windows-RestartManager'
 condition: keywords and not 1 of filter_optional_*
 falsepositives:
 - Some software piracy tools (key generators, cracks) are classified as hack tools
diff --git a/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml b/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml
index c31969ab3c2..925543ec932 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml
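Review bot: The new `filter_optional_restartmanager` entry exempts every Application-log event from the `Microsoft-Windows-RestartManager` provider but does not say which false positive it addresses, whereas the sibling `filter_optional_information` carries an inline comment. Restart Manager events name the applications being stopped or restarted, so presumably one of those names tripped a keyword without being an AV verdict; a comment such as `Provider_Name: 'Microsoft-Windows-RestartManager' # Restart Manager events list stopped/restarted applications, not AV detections` would record that for the next maintainer. Since this is a provider-wide exclusion rather than an event-specific one, it is the broadest filter visible in the rule and deserves the explanation. The `keywords` selection and the rest of `detection` lie outside the hunk.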
@@ -6,7 +6,7 @@ references:
 - https://github.com/Wh04m1001/SysmonEoP
 author: frack113, Tim Shelton (update fp)
 date: 2022/12/05
-modified: 2023/03/20
+modified: 2023/07/04
 tags:
 - attack.privilege_escalation
 - attack.defense_evasion
@@ -68,6 +68,10 @@ detection:
 filter_ibm_spectrumprotect:
 ParentImage|startswith: 'C:\IBM\SpectrumProtect\webserver\scripts\'
 CommandLine|contains: 'C:\IBM\SpectrumProtect\webserver\scripts\'
+ filter_msiexec:
+ ParentImage: 'C:\Windows\SysWOW64\msiexec.exe'
+ ParentCommandLine|startswith: 'C:\Windows\syswow64\MsiExec.exe -Embedding'
+ CommandLine|contains: '\RegisterMicrosoftUpdate.ps1'
 filter_empty_parent_1:
 CommandLine: "powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';" # Most probably SetupHost.exe during Windows updates/upgrades; See comment on rule id: f4bbd493-b796-416e-bbf2-121235348529
 filter_empty_parent_2:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml
index 5ec83de3c94..869d1322ba6 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml
@@ -11,7 +11,7 @@ references:
 - https://twitter.com/jonasLyk/status/1555914501802921984
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/06
-modified: 2022/12/12
+modified: 2023/07/05
 tags:
 - attack.defense_evasion
 - attack.t1564.004
@@ -40,12 +40,13 @@ detection:
 - '~2.js'
 - '~2.hta'
 filter:
+ - ParentImage: 'C:\Windows\explorer.exe'
 - ParentImage|endswith:
 - '\WebEx\WebexHost.exe'
 - '\thor\thor64.exe'
 - '-installer.exe' # e.g. C:\Users\neo\Downloads\xampp-windows-x64-8.1.6-0-VS16-installer.exe
+ - Image: 'C:\PROGRA~1\WinZip\WZPREL~1.EXE'
 - Image|contains: '\vcredi'
- - ParentImage: 'C:\Windows\explorer.exe'
 condition: selection and not filter
 falsepositives:
 - Unknown
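Review bot: `filter_msiexec` is undocumented, while the neighbouring `filter_empty_parent_1` explains the false positive it suppresses; a comment on the `filter_msiexec:` line such as `# 32-bit msiexec (-Embedding server) running an installer's RegisterMicrosoftUpdate.ps1` would tell the next maintainer which installer produced the FP. The only clause tied to that installer is `CommandLine|contains: '\RegisterMicrosoftUpdate.ps1'`, so any script of that name spawned by an embedded 32-bit msiexec child is exempted; if the script lives at a fixed location, matching more of its path would keep the filter as narrow as `filter_ibm_spectrumprotect` above it. The two parent clauses spell the same binary as `SysWOW64\msiexec.exe` and `syswow64\MsiExec.exe` — harmless because Sigma string matching is case-insensitive, but consistent casing reads better. The `selection` and `condition` of this rule are outside the hunk.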
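Review bot: The new `- Image: 'C:\PROGRA~1\WinZip\WZPREL~1.EXE'` entry gives no hint what the 8.3 name expands to, unlike the `-installer.exe` entry above it which carries an example; a trailing comment such as `# presumably WinZip's preloader launched via its short name — confirm the long file name` would let reviewers judge the exemption without reproducing it. The exact full-path match is appropriately tight; it will not cover an install on another drive or under `PROGRA~2`, which is fine if intended but worth stating. Moving `- ParentImage: 'C:\Windows\explorer.exe'` from the end of `filter` to its start is purely cosmetic, since the list entries are OR-ed. The `selection` block starts outside the hunk.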