Merge pull request #2356 from SigmaHQ/aurora-false-positive-fixing

Aurora false positive fixing

rules/windows/builtin/win_alert_mimikatz_keywords.yml

@@ -4,7 +4,7 @@ description: This method detects mimikatz keywords in different Eventlogs (some
 status: experimental
 author: Florian Roth
 date: 2017/01/10
-modified: 2021/08/26
+modified: 2021/12/01
 tags:
     - attack.s0002
     - attack.t1003          # an old one
@@ -33,7 +33,9 @@ detection:
         - ' s::l '
         - 'gentilkiwi.com'
         - 'Kiwi Legit Printer'
-    condition: keywords
+    filter:
+        EventID: 15  # Sysmon's FileStream Events (could cause false positives when Sigma rules get copied on/to a system)
+    condition: keywords and not filter
 falsepositives:
     - Naughty administrators
     - Penetration test

rules/windows/file_event/win_cve_2021_1675_printspooler.yml

@@ -9,7 +9,7 @@ references:
     - https://github.com/afwu/PrintNightmare
     - https://github.com/cube0x0/CVE-2021-1675
 date: 2021/06/29
-modified: 2021/07/01
+modified: 2021/12/01
 tags:
     - attack.execution
     - attack.privilege_escalation
@@ -22,8 +22,7 @@ logsource:
 detection:
     selection:
         TargetFilename|contains: 
-        - 'C:\Windows\System32\spool\drivers\x64\3\old\1\123'
-        - 'C:\Windows\System32\spool\drivers\x64\3\New\'
+            - 'C:\Windows\System32\spool\drivers\x64\3\old\1\123'
     condition: selection
 fields:
     - ComputerName

rules/windows/process_access/sysmon_cred_dump_lsass_access.yml

@@ -65,7 +65,9 @@ detection:
         GrantedAccess: '0x100000'
     filter7:
         SourceImage: 'C:\WINDOWS\system32\wbem\wmiprvse.exe'
-        GrantedAccess: '0x1410'
+        GrantedAccess: 
+            - '0x1410'
+            - '0x410'
     filter_generic:
         SourceImage|startswith: 
             - 'C:\Program Files\'
@@ -84,7 +86,7 @@ detection:
         #     - '\csrss.exe'
         #     - '\wininit.exe'
         #     - '\vmtoolsd.exe'
-    condition: selection and not filter1 and not filter2 and not filter3 and not filter4 and not filter5 and not filter6 and not filter7 and not filter_generic
+    condition: selection and not 1 of filter*
 fields:
     - ComputerName
     - User

rules/windows/process_access/win_susp_proc_access_lsass.yml

@@ -75,7 +75,9 @@ detection:
         SourceImage|endswith: 
             - '\PROCEXP64.EXE'
             - '\PROCEXP.EXE'
-        GrantedAccess: '0x1410'
+        GrantedAccess: 
+            - '0x1410'
+            - '0x410'
     # VMware Tools
     filter5:
         SourceImage|startswith: 'C:\ProgramData\VMware\VMware Tools\'
@@ -97,10 +99,11 @@ detection:
         SourceImage|startswith: 
             - 'C:\Program Files\'
             - 'C:\Program Files (x86)\'
+            - 'C:\WINDOWS\system32\'
         GrantedAccess: 
             - '0x1410'
             - '0x410'
-    condition: selection and not filter1 and not filter2 and not filter3 and not filter4 and not filter5 and not filter6 and not filter7 and not filter_generic
+    condition: selection and not 1 of filter*
 fields:
     - User
     - SourceImage