Fix FP

rules/windows/image_load/image_load_susp_python_image_load.yml

@@ -17,14 +17,20 @@ logsource:
 detection:
     selection:
         Description: 'Python Core'
-    filter:
+    filter_generic:
         - Image|contains:
             - 'Python'  # FPs with python38.dll, python.exe etc.
         - Image|startswith:
             - 'C:\Program Files\'
             - 'C:\Program Files (x86)\'
             - 'C:\ProgramData\Anaconda3\' # Comment out if you don't use Anaconda in your environment
-    condition: selection and not filter
+    filter_aurora:
+        # Example:
+        #   ImageLoaded: C:\ProgramData\Anaconda3\DLLs\_queue.pyd
+        #   ImageName: \Device\HarddiskVolume5\ProgramData\Anaconda3\DLLs\_queue.pyd
+        Provider_Name: Microsoft-Windows-Kernel-Process
+        ImageName|contains: '\ProgramData\Anaconda3\DLLs\'
+    condition: selection and not 1 of filter_*
 fields:
     - Description
 falsepositives:

rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml

@@ -1,7 +1,7 @@
-title: Credentials Dumping Tools Accessing LSASS Memory
+title: Credential Dumping Tools Accessing LSASS Memory
 id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
 status: experimental
-description: Detects process access LSASS memory which is typical for credentials dumping tools
+description: Detects processes requesting access to LSASS memory via suspicious access masks. This is typical for credentials dumping tools
 references:
     - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
     - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
@@ -9,7 +9,7 @@ references:
     - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
 author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update)
 date: 2017/02/16
-modified: 2022/10/20
+modified: 2022/11/01
 tags:
     - attack.credential_access
     - attack.t1003.001
@@ -135,6 +135,12 @@ detection:
         SourceImage|contains: '\AppData\Local\Temp\'
         SourceImage|endswith: '.tmp\DropboxUpdate.exe'
         GrantedAccess: '0x1410'
+    filter_msbuild:
+        # This FP was generated while building CPython from source and could be related to other similar examples.
+        # But if you don't do that kind of stuff consider removing it from the rule ;)
+        SourceImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
+        SourceImage|endswith: '\MSBuild\Current\Bin\MSBuild.exe'
+        GrantedAccess: '0x1F3FFF'
     # Old - too broad filter
         # SourceImage|endswith: # easy to bypass. need to implement supportive rule to detect bypass attempts
         #     - '\wmiprvse.exe'

rules/windows/process_access/proc_access_win_invoke_phantom.yml

@@ -7,7 +7,7 @@ references:
     - https://twitter.com/timbmsft/status/900724491076214784
 author: Tim Burrell
 date: 2020/01/02
-modified: 2021/10/21
+modified: 2022/11/01
 tags:
     - attack.defense_evasion
     - attack.t1562.002
@@ -19,7 +19,14 @@ detection:
         TargetImage|endswith: '\WINDOWS\System32\svchost.exe'
         GrantedAccess: '0x1F3FFF'
         CallTrace|contains: 'UNKNOWN'
-    condition: selection
+    filter_msbuild:
+        SourceImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
+        SourceImage|endswith: '\MSBuild\Current\Bin\MSBuild.exe'
+        # Just to make sure it's "really" .NET :)
+        CallTrace|contains:
+            - 'Microsoft.Build.ni.dll'
+            - 'System.ni.dll'
+    condition: selection and not 1 of filter_*
 falsepositives:
     - Unknown
 level: high

rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml

@@ -10,7 +10,7 @@ references:
     - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
 author: Florian Roth
 date: 2021/11/27
-modified: 2022/10/26
+modified: 2022/11/01
 tags:
     - attack.credential_access
     - attack.t1003.001
@@ -55,9 +55,8 @@ detection:
             - '\AppData\'
             - '\Temporary'
     filter1:
-        SourceImage|contains|all:
-            - 'C:\Users\'
-            - '\AppData\Local\'
+        SourceImage|startswith: 'C:\Users\'
+        SourceImage|contains: '\AppData\Local\'
         SourceImage|endswith:
             - '\Microsoft VS Code\Code.exe'
             - '\software_reporter_tool.exe'
@@ -74,6 +73,7 @@ detection:
             - '0x410'
             - '0x1410'
     filter_dropbox2:
+        SourceImage|startswith: 'C:\Users\'
         SourceImage|contains: '\AppData\Local\Temp\'
         SourceImage|endswith: '.tmp\DropboxUpdate.exe'
         GrantedAccess: '0x1410'
@@ -91,6 +91,7 @@ detection:
             - '0x1010'
             - '0x101010'
     filter_ms_products:
+        SourceImage|startswith: 'C:\Users\'
         SourceImage|contains|all:
             - '\AppData\Local\Temp\'
             - '\vs_bootstrapper_'
@@ -103,6 +104,10 @@ detection:
         SourceImage|startswith:
             - 'C:\Program Files (x86)\'
             - 'C:\Program Files\'
+    filter_keybase:
+        SourceImage|startswith: 'C:\Users\'
+        SourceImage|endswith: \AppData\Local\Keybase\keybase.exe
+        GrantedAccess: '0x1fffff'
     condition: selection and not 1 of filter*
 fields:
     - User

rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml

@@ -4,7 +4,7 @@ status: experimental
 description: Detects shellcode injection by Metasploit's migrate and Empire's psinject
 author: Bhabesh Raj
 date: 2022/03/11
-modified: 2022/10/27
+modified: 2022/11/01
 tags:
     - attack.defense_evasion
     - attack.privilege_escalation
@@ -53,6 +53,10 @@ detection:
             - 'C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe'
             - 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe'
         CallTrace|startswith: 'C:\Windows\System32\ntdll.dll'
+    filter_ddvdatacollector:
+        SourceImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
+        SourceImage|endswith: '\MSBuild\Current\Bin\MSBuild.exe'
+        TargetImage: C:\Program Files\Dell\DellDataVault\DDVDataCollector.exe
     condition: selection and not 1 of filter_*
 falsepositives:
     - Empire's csharp_exe payload uses 0x1f3fff for process enumeration as well

rules/windows/process_creation/proc_creation_win_susp_tracker_execution.yml

@@ -6,7 +6,7 @@ references:
     - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/
 author: 'Avneet Singh @v3t0_, oscd.community'
 date: 2020/10/18
-modified: 2021/11/27
+modified: 2022/11/01
 tags:
     - attack.defense_evasion
     - attack.t1055.001
@@ -21,7 +21,16 @@ detection:
         CommandLine|contains:
             - ' /d '
             - ' /c '
-    condition: all of selection_*
+    filter_msbuild:
+        # Example:
+        #   GrandparentImage: C:\Program Files\Microsoft Visual Studio\2022\Community\Msbuild\Current\Bin\MSBuild.exe
+        #   ParentCommandLine: "C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe" /nologo /nodemode:1 /nodeReuse:true /low:false
+        #   CommandLine: "C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\Tracker.exe" @"C:\Users\user\AppData\Local\Temp\tmp05c7789bc5534838bf96d7a0fed1ffff.tmp" /c "C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.29.30133\bin\HostX86\x64\Lib.exe"
+        ParentImage|endswith: '\Msbuild\Current\Bin\MSBuild.exe'
+        CommandLine|contains|all:
+            - '\VC\Tools\MSVC\'
+            - '\bin\HostX86\x64\'
+    condition: all of selection_* and not 1 of filter_*
 falsepositives:
     - Unknown
 level: medium