fix: fp found in testing

rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml

@@ -9,7 +9,7 @@ references:
     - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
 author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community
 date: 2017/02/16
-modified: 2023/01/25
+modified: 2023/03/22
 tags:
     - attack.credential_access
     - attack.t1003.001
@@ -50,6 +50,7 @@ detection:
         SourceImage|startswith:
             - 'C:\ProgramData\Microsoft\Windows Defender\'
             - 'C:\Program Files\Windows Defender\'
+            - 'C:\Program Files\Microsoft Security Client\MsMpEng.exe' # Windows7
         SourceImage|endswith: '\MsMpEng.exe'
     filter_defender_updates:
         SourceImage: 'C:\Windows\System32\svchost.exe'
@@ -164,5 +165,5 @@ fields:
     - User
     - SourceImage
 falsepositives:
-    - Legitimate software accessing LSASS process for legitimate reason; please add more filters
+    - Likely
 level: high

rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml

@@ -6,7 +6,7 @@ references:
     - https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6
 author: Christian Burkard (Nextron Systems), Tim Shelton
 date: 2021/07/28
-modified: 2022/12/28
+modified: 2023/03/22
 tags:
     - attack.execution
     - attack.t1106
@@ -59,6 +59,12 @@ detection:
         TargetImage|endswith: '\Discord.exe'
     falsepositives14:
         TargetImage: 'C:\WINDOWS\system32\AUDIODG.EXE'
+    falsepositives15:
+        SourceImage|startswith: 'C:\Users\'
+        SourceImage|endswith: '\AppData\Local\yammerdesktop\app-3.4.5\Yammer.exe'
+        TargetImage|startswith: 'C:\Users\'
+        TargetImage|endswith: '\AppData\Local\yammerdesktop\app-3.4.5\Yammer.exe'
+        GrantedAccess: '0x1000'
     falsepositive_kerneltrace_edge:  # Cases in which the CallTrace is just e.g. 'UNKNOWN(19290435374)' from Microsoft-Windows-Kernel-Audit-API-Calls provider
         Provider_Name: 'Microsoft-Windows-Kernel-Audit-API-Calls'
     falsepositives_mixed:

rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml

@@ -13,7 +13,7 @@ references:
     - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
 author: Florian Roth (Nextron Systems)
 date: 2021/11/22
-modified: 2022/06/20
+modified: 2023/03/22
 tags:
     - attack.credential_access
     - attack.t1003.001
@@ -67,15 +67,25 @@ detection:
             - 'C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe'
             - 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe'
     # Windows Defender
-    filter1:
+    filter_windefend_1:
         SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
         SourceImage|endswith: '\MsMpEng.exe'
+    filter_windefend_2:
+        CallTrace|contains|all:
+            - '|C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{'
+            - '}\mpengine.dll+'
+        GrantedAccess: '0x1418'
+    filter_windefend_3:
+        # Trigger Win7
+        SourceImage: 'C:\Program Files\Microsoft Security Client\MsMpEng.exe'
+        GrantedAccess: '0x1418'
     # VMware Tools
-    filter2:
+    filter_vmwaretools:
         SourceImage|startswith: 'C:\ProgramData\VMware\VMware Tools\'
         SourceImage|endswith: '\vmtoolsd.exe'
     # Antivirus and EDR agents
-    filter3:
+    filter_generic_av:
+        # When using this rule. Remove this filter and replace it by the path of the specific AV you use
         SourceImage|startswith:
             - 'C:\Program Files\'
             - 'C:\Program Files (x86)\'
@@ -86,21 +96,13 @@ detection:
     filter_mcafee:
         SourceImage: 'C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHOST.exe'
     filter_nextron:
+        # Remove this if you don't use Nextron Products
         SourceImage|startswith: 'C:\Windows\Temp\asgard2-agent\'
         SourceImage|endswith:
             - '\thor64.exe'
             - '\thor.exe'
         GrantedAccess: '0x1fffff'
-    filter_windefend2:
-        CallTrace|contains|all:
-            - '|C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{'
-            - '}\mpengine.dll+'
-        GrantedAccess: '0x1418'
-    condition: selection and not 1 of filter*
-fields:
-    - User
-    - SourceImage
-    - GrantedAccess
+    condition: selection and not 1 of filter_*
 falsepositives:
-    - Legitimate software accessing LSASS process for legitimate reason
+    - Legitimate software such as AV and EDR
 level: high

rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml

@@ -11,7 +11,7 @@ references:
     - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
 author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
 date: 2022/06/09
-modified: 2023/02/14
+modified: 2023/03/22
 tags:
     - attack.defense_evasion
     - attack.execution
@@ -58,6 +58,14 @@ detection:
         CommandLine|contains:
             - '--processStart'
             - '--createShortcut'
+    filter_yammer:
+        CommandLine|contains|all:
+            - 'C:\Users\'
+            - '\AppData\Local\yammerdesktop\Update.exe'
+            - 'Yammer.exe'
+        CommandLine|contains:
+            - '--processStart'
+            - '--createShortcut'
     condition: selection_img and (all of selection_download_* or selection_exec) and not 1 of filter_*
 falsepositives:
     - Expected FP with some electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop,...Etc)