fix: FPs found in testing env

phantinuss · Oct 11, 2023 · 59b90ee · 59b90ee
1 parent 905abc4
commit 59b90ee
Show file tree

Hide file tree

Showing 7 changed files with 42 additions and 21 deletions.
diff --git a/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml b/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml
@@ -7,7 +7,7 @@ references:
     - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)
 date: 2019/11/01
-modified: 2023/10/06
+modified: 2023/10/11
 tags:
     - attack.credential_access
     - car.2019-04-004
@@ -86,11 +86,15 @@ detection:
         # Example: C:\a70de9569c3a5aa22184ef52a890177b\x64\SCENARIOENGINE.EXE
         ProcessName|endswith: '\x64\SCENARIOENGINE.EXE'
         AccessList|contains: '%%4484'
-    filter_avira:
+    filter_avira1:
         ProcessName|startswith: 'C:\Users\'
         ProcessName|contains: '\AppData\Local\Temp\is-'
         ProcessName|endswith: '\avira_system_speedup.tmp'
         AccessList|contains: '%%4484'
+    filter_avira2:
+        ProcessName|startswith: 'C:\Windows\Temp\'
+        ProcessName|endswith: '\avira_speedup_setup_update.tmp'
+        AccessList|contains: '%%4484'
     filter_snmp:
         ProcessName: 'C:\Windows\System32\snmp.exe'
         AccessList|contains: '%%4484'

diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
@@ -6,7 +6,7 @@ references:
     - https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6
 author: Christian Burkard (Nextron Systems), Tim Shelton
 date: 2021/07/28
-modified: 2023/03/22
+modified: 2023/10/11
 tags:
     - attack.execution
     - attack.t1106
@@ -33,17 +33,19 @@ detection:
         TargetImage|endswith: 'AmazonSSMAgentSetup.exe'
         SourceImage|endswith: 'AmazonSSMAgentSetup.exe'
     falsepositive6:
-        TargetImage|endswith: 'C:\Program Files\Mozilla Firefox\firefox.exe'
-        SourceImage|endswith: 'C:\Program Files\Mozilla Firefox\firefox.exe'
+        TargetImage|endswith: ':\Program Files\Mozilla Firefox\firefox.exe'
+        SourceImage|endswith:
+            - ':\Program Files\Mozilla Firefox\firefox.exe'
+            - ':\Program Files\Mozilla Firefox\plugin-container.exe'
     falsepositive7: # VsCode
         TargetImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
         SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
     falsepositive8: # Google Chrome
-        TargetImage|endswith: 'C:\Program Files\Google\Chrome\Application\chrome.exe'
-        SourceImage|endswith: 'C:\Program Files\Google\Chrome\Application\chrome.exe'
+        TargetImage|endswith: ':\Program Files\Google\Chrome\Application\chrome.exe'
+        SourceImage|endswith: ':\Program Files\Google\Chrome\Application\chrome.exe'
     falsepositive9: # Google Chrome Update
-        TargetImage|endswith: 'C:\Program Files (x86)\Google\Update\GoogleUpdate.exe'
-        SourceImage|endswith: 'C:\Program Files (x86)\Google\Update\GoogleUpdate.exe'
+        TargetImage|endswith: ':\Program Files (x86)\Google\Update\GoogleUpdate.exe'
+        SourceImage|endswith: ':\Program Files (x86)\Google\Update\GoogleUpdate.exe'
     falsepositive10: # MS Teams
         TargetImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
         SourceImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
@@ -69,8 +71,12 @@ detection:
         GrantedAccess: '0x1000'
     falsepositive_kerneltrace_edge:  # Cases in which the CallTrace is just e.g. 'UNKNOWN(19290435374)' from Microsoft-Windows-Kernel-Audit-API-Calls provider
         Provider_Name: 'Microsoft-Windows-Kernel-Audit-API-Calls'
-    falsepositives_mixed:
+    falsepositive_mixed:
         TargetImage|endswith: '\Evernote\Evernote.exe'
+    falsepositive_defender:
+        SourceImage: 'C:\Program Files\Microsoft Security Client\MsMpEng.exe'
+        TargetImage: C:\Windows\system32\svchost.exe
+        GrantedAccess: '0x1000'
     condition: selection and not 1 of falsepositive*
 falsepositives:
     - Unknown

diff --git a/rules/windows/process_creation/proc_creation_win_control_panel_item.yml b/rules/windows/process_creation/proc_creation_win_control_panel_item.yml
@@ -6,7 +6,7 @@ references:
     - https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
 author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
 date: 2020/06/22
-modified: 2022/11/11
+modified: 2023/10/11
 tags:
     - attack.execution
     - attack.defense_evasion
@@ -30,6 +30,7 @@ detection:
         CommandLine|contains:
             - '\System32\'
             - '%System%'
+            - '|C:\Windows\system32|'
     filter_cpl_igfx:
         CommandLine|contains|all:
             - 'regsvr32 '

diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml b/rules/windows/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml
@@ -6,7 +6,7 @@ references:
     - https://twitter.com/mrd0x/status/1481630810495139841?s=12
 author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp)
 date: 2022/01/13
-modified: 2023/10/06
+modified: 2023/10/11
 tags:
     - attack.defense_evasion
     - attack.t1218.011
@@ -45,7 +45,7 @@ detection:
         ParentImage|startswith: 'C:\Users\'
         ParentImage|contains: '\AppData\Local\Microsoft\EdgeUpdate\Install\{'
         ParentImage|endswith: '\setup.exe'
-        ParentCommandLine|contains: '\setup.exe" --install-archive="C:\Users\'
+        # ParentCommandLine|contains: '\setup.exe" --install-archive="C:\Users\' ## ParentCommandLine not existing for 4688 events
     filter_zzzzInvokeManagedCustomActionOutOfProc:
         CommandLine|contains|all:
             - 'C:\Windows\Installer\MSI'

diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_system.yml b/rules/windows/process_creation/proc_creation_win_schtasks_system.yml
@@ -7,7 +7,7 @@ references:
     - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/28
-modified: 2023/03/14
+modified: 2023/10/11
 tags:
     - attack.execution
     - attack.persistence
@@ -29,11 +29,14 @@ detection:
             - ' SYSTEM ' # SYSTEM is a valid value for schtasks hence it gets it's own value with space
     filter_teamviewer:
         # FP from test set in SIGMA
-        ParentImage|contains|all:
-            - '\AppData\Local\Temp\'
-            - 'TeamViewer_.exe'
+        # Cannot use ParentImage on all OSes for 4688 events
+        # ParentImage|contains|all:
+        #     - '\AppData\Local\Temp\'
+        #     - 'TeamViewer_.exe'
         Image|endswith: '\schtasks.exe'
-        CommandLine|contains: '/TN TVInstallRestore'
+        CommandLine|contains|all:
+            - '/TN TVInstallRestore'
+            - '\TeamViewer_.exe'
     filter_avira:
         CommandLine|contains:
             - '/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR '

diff --git a/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml b/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml
@@ -6,7 +6,7 @@ references:
     - https://github.com/Wh04m1001/SysmonEoP
 author: frack113, Tim Shelton (update fp)
 date: 2022/12/05
-modified: 2023/09/14
+modified: 2023/10/11
 tags:
     - attack.privilege_escalation
     - attack.defense_evasion
@@ -68,12 +68,17 @@ detection:
         ParentImage|endswith: '\CompatTelRunner.exe'
         ParentCommandLine|startswith: 'C:\Windows\system32\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun'
     filter_ibm_spectrumprotect:
-        ParentImage|startswith: 'C:\IBM\SpectrumProtect\webserver\scripts\'
+        ParentImage|startswith:
+            - 'C:\IBM\SpectrumProtect\webserver\scripts\'
+            - ''
+            - null
         CommandLine|contains: 'C:\IBM\SpectrumProtect\webserver\scripts\'
     filter_msiexec:
         ParentImage: 'C:\Windows\SysWOW64\msiexec.exe'
         ParentCommandLine|startswith: 'C:\Windows\syswow64\MsiExec.exe -Embedding'
         CommandLine|contains: '\RegisterMicrosoftUpdate.ps1'
+    filter_avira_update:
+        CommandLine|startswith: '"C:\Windows\system32\cmd.exe" /C copy "C:\ProgramData\Avira\SystemSpeedup\Update\avira_speedup_setup_update.exe"'
     filter_empty_parent_1:
         # https://answers.microsoft.com/en-us/windows/forum/all/res-and-inf-powershell-commands/793736ee-94bd-424f-811c-35a425e28832
         # Most probably SetupHost.exe during Windows updates/upgrades; See comment on rule id: f4bbd493-b796-416e-bbf2-121235348529

diff --git a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
@@ -6,7 +6,7 @@ references:
     - https://pentestlaboratories.com/2021/12/08/process-ghosting/
 author: Max Altgelt (Nextron Systems)
 date: 2021/12/09
-modified: 2023/06/15
+modified: 2023/10/10
 tags:
     - attack.defense_evasion
 logsource:
@@ -64,6 +64,8 @@ detection:
             - 'CodeSetup'
     filter_optional_libreoffice:
         Image|endswith: '\program\soffice.bin'
+    filter_optional_openoffice:
+        Image|endswith: '\program\unopkg.bin'
     filter_optional_emc_networker:
         Image:
             - 'C:\Program Files\EMC NetWorker\Management\GST\apache\cgi-bin\update_jnlp.cgi'