From 0aff47946d866dac6f2bc181e7b7bd0ddbf7da50 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 1 Nov 2022 01:05:42 +0100
Subject: [PATCH] Fix FP
---
 .../image_load_susp_python_image_load.yml | 10 ++++++++--
 .../proc_access_win_cred_dump_lsass_access.yml | 12 +++++++++---
 .../proc_access_win_invoke_phantom.yml | 11 +++++++++--
 ...ccess_win_susp_proc_access_lsass_susp_source.yml | 13 +++++++++----
 ...ocess_access_win_shellcode_inject_msf_empire.yml | 6 +++++-
 .../proc_creation_win_susp_tracker_execution.yml | 13 +++++++++++--
 6 files changed, 51 insertions(+), 14 deletions(-)
diff --git a/rules/windows/image_load/image_load_susp_python_image_load.yml b/rules/windows/image_load/image_load_susp_python_image_load.yml
index 0636f0e5d..65dcf3eb4 100644
--- a/rules/windows/image_load/image_load_susp_python_image_load.yml
+++ b/rules/windows/image_load/image_load_susp_python_image_load.yml
@@ -17,14 +17,20 @@ logsource:
 detection:
 selection:
 Description: 'Python Core'
- filter:
+ filter_generic:
 - Image|contains:
 - 'Python' # FPs with python38.dll, python.exe etc.
 - Image|startswith:
 - 'C:\Program Files\'
 - 'C:\Program Files (x86)\'
 - 'C:\ProgramData\Anaconda3\' # Comment out if you don't use Anaconda in your environment
- condition: selection and not filter
+ filter_aurora:
+ # Example:
+ # ImageLoaded: C:\ProgramData\Anaconda3\DLLs\_queue.pyd
+ # ImageName: \Device\HarddiskVolume5\ProgramData\Anaconda3\DLLs\_queue.pyd
+ Provider_Name: Microsoft-Windows-Kernel-Process
+ ImageName|contains: '\ProgramData\Anaconda3\DLLs\'
+ condition: selection and not 1 of filter_*
 fields:
 - Description
 falsepositives:
diff --git a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml
index 6940a8162..b19fe82a5 100755
--- a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml
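Review bot: `filter_aurora` depends on the Anaconda install path just like the `'C:\ProgramData\Anaconda3\'` entry in `filter_generic`, but it does not carry the same `# Comment out if you don't use Anaconda in your environment` note; repeating it on the `ImageName|contains` line keeps the two filters consistent for anyone tuning the rule. The example comment lists only `ImageLoaded` and `ImageName`, so it is not visible which loading process produced the event or why `filter_generic` did not already cover it; adding the process to the example (e.g. `# Image: <loading process - TODO fill in>`) would document that. This filter also keys on the loaded module path alone, with no constraint on the loading process, and `\ProgramData\` is typically writable by standard users, so it is a broader exclusion than the process-path entries in `filter_generic` — worth a one-line comment if that tradeoff is intended.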
+++ b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml
@@ -1,7 +1,7 @@
-title: Credentials Dumping Tools Accessing LSASS Memory
+title: Credential Dumping Tools Accessing LSASS Memory
 id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
 status: experimental
-description: Detects process access LSASS memory which is typical for credentials dumping tools
+description: Detects processes requesting access to LSASS memory via suspicious access masks. This is typical for credentials dumping tools
 references:
 - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
 - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
@@ -9,7 +9,7 @@ references:
 - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
 author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update)
 date: 2017/02/16
-modified: 2022/10/20
+modified: 2022/11/01
 tags:
 - attack.credential_access
 - attack.t1003.001
@@ -135,6 +135,12 @@ detection:
 SourceImage|contains: '\AppData\Local\Temp\'
 SourceImage|endswith: '.tmp\DropboxUpdate.exe'
 GrantedAccess: '0x1410'
+ filter_msbuild:
+ # This FP was generated while building CPython from source and could be related to other similar examples.
+ # But if you don't do that kind of stuff consider removing it from the rule ;)
+ SourceImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
+ SourceImage|endswith: '\MSBuild\Current\Bin\MSBuild.exe'
+ GrantedAccess: '0x1F3FFF'
 # Old - too broad filter
 # SourceImage|endswith: # easy to bypass. need to implement supportive rule to detect bypass attempts
 # - '\wmiprvse.exe'
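Review bot: `filter_msbuild` excludes MSBuild.exe requesting `'0x1F3FFF'` (full access) on LSASS on the basis of its path alone, whereas the MSBuild filter this commit adds to proc_access_win_invoke_phantom.yml also pins the call stack; adding the same constraint here — `CallTrace|contains:`, `- 'Microsoft.Build.ni.dll'`, `- 'System.ni.dll'` — keeps the full-access exclusion tied to the .NET build host rather than to any binary found at that path. The prefix `SourceImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'` only covers 64-bit installs; the devenv.exe entries visible in process_access_win_shellcode_inject_msf_empire.yml place Visual Studio 2019 under `C:\Program Files (x86)\`, so if the same false positive occurs with that version it will not be filtered, and the same prefix is used by the new filters in proc_access_win_invoke_phantom.yml and process_access_win_shellcode_inject_msf_empire.yml. The new `description` still says "credentials dumping tools" while the title was changed to "Credential Dumping Tools"; aligning the two is a small wording fix.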
diff --git a/rules/windows/process_access/proc_access_win_invoke_phantom.yml b/rules/windows/process_access/proc_access_win_invoke_phantom.yml
index 0dbb54f4e..dd78e1109 100755
--- a/rules/windows/process_access/proc_access_win_invoke_phantom.yml
+++ b/rules/windows/process_access/proc_access_win_invoke_phantom.yml
@@ -7,7 +7,7 @@ references:
 - https://twitter.com/timbmsft/status/900724491076214784
 author: Tim Burrell
 date: 2020/01/02
-modified: 2021/10/21
+modified: 2022/11/01
 tags:
 - attack.defense_evasion
 - attack.t1562.002
@@ -19,7 +19,14 @@ detection:
 TargetImage|endswith: '\WINDOWS\System32\svchost.exe'
 GrantedAccess: '0x1F3FFF'
 CallTrace|contains: 'UNKNOWN'
- condition: selection
+ filter_msbuild:
+ SourceImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
+ SourceImage|endswith: '\MSBuild\Current\Bin\MSBuild.exe'
+ # Just to make sure it's "really" .NET :)
+ CallTrace|contains:
+ - 'Microsoft.Build.ni.dll'
+ - 'System.ni.dll'
+ condition: selection and not 1 of filter_*
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
index c5e503a98..50434474b 100644
--- a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
+++ b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
@@ -10,7 +10,7 @@ references:
 - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
 author: Florian Roth
 date: 2021/11/27
-modified: 2022/10/26
+modified: 2022/11/01
 tags:
 - attack.credential_access
 - attack.t1003.001
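Review bot: The `CallTrace|contains` values `'Microsoft.Build.ni.dll'` and `'System.ni.dll'` name NGEN native images; on a host with no native image for these assemblies the call trace would presumably show the IL assemblies or the runtime instead, so the filter would not apply and the MSBuild event would still fire. The comment `# Just to make sure it's "really" .NET :)` does not convey that; a more precise one such as `# Require the .NET build host in the call stack (NGEN native images); hosts without native images for these assemblies will not match this filter` tells tuners why MSBuild events may still surface. The two list entries are alternatives (either native image satisfies the filter), which is worth stating in the same comment since the surrounding keys are all AND-ed.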
@@ -55,9 +55,8 @@ detection:
 - '\AppData\'
 - '\Temporary'
 filter1:
- SourceImage|contains|all:
- - 'C:\Users\'
- - '\AppData\Local\'
+ SourceImage|startswith: 'C:\Users\'
+ SourceImage|contains: '\AppData\Local\'
 SourceImage|endswith:
 - '\Microsoft VS Code\Code.exe'
 - '\software_reporter_tool.exe'
@@ -74,6 +73,7 @@ detection:
 - '0x410'
 - '0x1410'
 filter_dropbox2:
+ SourceImage|startswith: 'C:\Users\'
 SourceImage|contains: '\AppData\Local\Temp\'
 SourceImage|endswith: '.tmp\DropboxUpdate.exe'
 GrantedAccess: '0x1410'
@@ -91,6 +91,7 @@ detection:
 - '0x1010'
 - '0x101010'
 filter_ms_products:
+ SourceImage|startswith: 'C:\Users\'
 SourceImage|contains|all:
 - '\AppData\Local\Temp\'
 - '\vs_bootstrapper_'
@@ -103,6 +104,10 @@ detection:
 SourceImage|startswith:
 - 'C:\Program Files (x86)\'
 - 'C:\Program Files\'
+ filter_keybase:
+ SourceImage|startswith: 'C:\Users\'
+ SourceImage|endswith: \AppData\Local\Keybase\keybase.exe
+ GrantedAccess: '0x1fffff'
 condition: selection and not 1 of filter*
 fields:
 - User
diff --git a/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml b/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml
index f0cd0ba4e..5c5bb41df 100644
--- a/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml
+++ b/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects shellcode injection by Metasploit's migrate and Empire's psinject
 author: Bhabesh Raj
 date: 2022/03/11
-modified: 2022/10/27
+modified: 2022/11/01
 tags:
 - attack.defense_evasion
 - attack.privilege_escalation
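Review bot: `SourceImage|endswith: \AppData\Local\Keybase\keybase.exe` is the only unquoted path in this detection block; every sibling value is single-quoted, so write `SourceImage|endswith: '\AppData\Local\Keybase\keybase.exe'` to match (backslashes are literal in a plain scalar, so this is style rather than a parsing problem). `GrantedAccess: '0x1fffff'` is lowercase hex while the rest of the file and the other rules in this commit write masks like `'0x1F3FFF'`; Sigma matching is case-insensitive by default, so `'0x1FFFFF'` is only a consistency fix. `filter_keybase` admits the full-access mask from a path under the user profile with no further constraint, and unlike the MSBuild filter added to proc_access_win_cred_dump_lsass_access.yml it has no comment on how the false positive was observed; a one-line note such as `# FP observed with Keybase <TODO: version / scenario>` would help others decide whether to keep it.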
@@ -53,6 +53,10 @@ detection:
 - 'C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe'
 - 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe'
 CallTrace|startswith: 'C:\Windows\System32\ntdll.dll'
+ filter_ddvdatacollector:
+ SourceImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
+ SourceImage|endswith: '\MSBuild\Current\Bin\MSBuild.exe'
+ TargetImage: C:\Program Files\Dell\DellDataVault\DDVDataCollector.exe
 condition: selection and not 1 of filter_*
 falsepositives:
 - Empire's csharp_exe payload uses 0x1f3fff for process enumeration as well
diff --git a/rules/windows/process_creation/proc_creation_win_susp_tracker_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_tracker_execution.yml
index 72350f350..9751b5da3 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_tracker_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_tracker_execution.yml
@@ -6,7 +6,7 @@ references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/
 author: 'Avneet Singh @v3t0_, oscd.community'
 date: 2020/10/18
-modified: 2021/11/27
+modified: 2022/11/01
 tags:
 - attack.defense_evasion
 - attack.t1055.001
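Review bot: `TargetImage: C:\Program Files\Dell\DellDataVault\DDVDataCollector.exe` is a plain scalar while every other path in this detection block is single-quoted; write `TargetImage: 'C:\Program Files\Dell\DellDataVault\DDVDataCollector.exe'` for consistency. `filter_ddvdatacollector` carries no comment on the circumstances of the false positive, unlike the MSBuild filter added to proc_access_win_cred_dump_lsass_access.yml in this commit; a one-line note such as `# FP observed when <TODO: describe the build scenario>` would let tuners judge whether an exclusion for MSBuild events targeting this Dell process belongs in their environment. The selection this filter narrows begins above the hunk, so the access mask and call-trace conditions it relaxes are not visible here.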
@@ -21,7 +21,16 @@ detection:
 CommandLine|contains:
 - ' /d '
 - ' /c '
- condition: all of selection_*
+ filter_msbuild:
+ # Example:
+ # GrandparentImage: C:\Program Files\Microsoft Visual Studio\2022\Community\Msbuild\Current\Bin\MSBuild.exe
+ # ParentCommandLine: "C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe" /nologo /nodemode:1 /nodeReuse:true /low:false
+ # CommandLine: "C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\Tracker.exe" @"C:\Users\user\AppData\Local\Temp\tmp05c7789bc5534838bf96d7a0fed1ffff.tmp" /c "C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.29.30133\bin\HostX86\x64\Lib.exe"
+ ParentImage|endswith: '\Msbuild\Current\Bin\MSBuild.exe'
+ CommandLine|contains|all:
+ - '\VC\Tools\MSVC\'
+ - '\bin\HostX86\x64\'
+ condition: all of selection_* and not 1 of filter_*
 falsepositives:
 - Unknown
 level: medium
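Review bot: `ParentImage|endswith: '\Msbuild\Current\Bin\MSBuild.exe'` matches the parent on its suffix only, so the exclusion is not tied to the Visual Studio install location the way the MSBuild filters added to the process_access rules in this commit are (`SourceImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'`); adding `ParentImage|startswith:` with the `'C:\Program Files\Microsoft Visual Studio\'` and `'C:\Program Files (x86)\Microsoft Visual Studio\'` prefixes keeps the exclusion specific to the documented build-host scenario. `'\bin\HostX86\x64\'` pins a single host/target toolchain directory and the example comment shows only that case, so other MSVC host/target combinations would presumably still fire and may need a follow-up once observed. The `# CommandLine:` example line is far beyond the usual line length and yamllint will flag it; trimming the example to the parts the filter matches on would keep the comment readable.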