Merge pull request #2334 from SigmaHQ/aurora-false-positive-fixing

Aurora false positive fixing

rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml

@@ -1,6 +1,6 @@
 title: MSI Spawned Cmd and Powershell Spawned Processes
 id: 38cf8340-461b-4857-bf99-23a41f772b18
-description: This rule will looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell that spawned other processes
+description: This rule looks for Windows Installer service (msiexec.exe) spawning command line and/or powershell that spawns other processes
 status: unsupported
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 date: 2020/10/13

rules/windows/image_load/sysmon_abusing_azure_browser_sso.yml

@@ -5,7 +5,7 @@ author: Den Iuzvyk
 references:
    - https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
 date: 2020/07/15
-modified: 2020/12/23
+modified: 2021/11/27
 logsource:
    category: image_load
    product: windows
@@ -16,15 +16,16 @@ tags:
    - attack.t1073          # an old one
    - attack.t1574.002
 detection:
-   condition: selection_dll and not filter_legit
    selection_dll:
       ImageLoaded|endswith: MicrosoftAccountTokenProvider.dll
    filter_legit:
       Image|endswith:
-         - BackgroundTaskHost.exe
-         - devenv.exe
-         - iexplore.exe
-         - MicrosoftEdge.exe
+         - '\BackgroundTaskHost.exe'
+         - '\devenv.exe'
+         - '\iexplore.exe'
+         - '\MicrosoftEdge.exe'
+         - '\Microsoft\Edge\Application\msedge.exe'
+   condition: selection_dll and not filter_legit
 falsepositives:
    - unknown
 level: high

rules/windows/image_load/sysmon_in_memory_powershell.yml

@@ -7,7 +7,7 @@ status: experimental
 description: Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension.
 author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton
 date: 2019/11/14
-modified: 2021/11/11
+modified: 2021/11/27
 references:
     - https://adsecurity.org/?p=2921
     - https://github.com/p3nt4/PowerShdll
@@ -24,7 +24,7 @@ detection:
             - '\System.Management.Automation.Dll'
             - '\System.Management.Automation.ni.Dll'
     filter:
-        Image|endswith:
+        - Image|endswith:
             - '\powershell.exe'
             - '\powershell_ise.exe'
             - '\WINDOWS\System32\sdiagnhost.exe'
@@ -40,6 +40,10 @@ detection:
             - '\IDE\devenv.exe'
             - '\ServiceHub.VSDetouredHost.exe'
             - '\ServiceHub.SettingsHost.exe'
+            - '\ServiceHub.Host.CLR.x86.exe'
+        - Image|startswith:
+            - 'C:\Program Files (x86)\Microsoft Visual Studio\'
+            - 'C:\Program Files\Microsoft Visual Studio\'
        # User: 'NT AUTHORITY\SYSTEM'   # if set, matches all powershell processes not launched by SYSTEM
     condition: selection and not filter
 falsepositives:

rules/windows/image_load/sysmon_susp_system_drawing_load.yml

@@ -29,6 +29,7 @@ detection:
             - 'C:\Program Files\'
             - 'C:\Program Files (x86)\'
             - 'C:\Windows\System32\'
+            - 'C:\Windows\Microsoft.NET\'
             - 'C:\Windows\ImmersiveControlPanel\'
             - 'C:\Windows\System32\NhNotifSys.exe'
             - 'C:\Users\*\AppData\Local\NhNotifSys\nahimic\nahimicNotifSys.exe'

rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml

@@ -1,6 +1,6 @@
 title: Always Install Elevated MSI Spawned Cmd And Powershell
 id: 1e53dd56-8d83-4eb4-a43e-b790a05510aa
-description: This rule will looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell
+description: This rule looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell
 status: experimental
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 date: 2020/10/13

rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml

@@ -1,6 +1,6 @@
 title: Always Install Elevated Windows Installer 
 id: cd951fdc-4b2f-47f5-ba99-a33bf61e3770
-description: This rule will looks for Windows Installer service (msiexec.exe) when it tries to install MSI packages with SYSTEM privilege 
+description: This rule looks for Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege 
 status: experimental
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 date: 2020/10/13