From 2bbf6089ed2efd9868fee0c3b10fde034415845d Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 9 Feb 2022 18:18:57 +0100
Subject: [PATCH] fix: FPs, wrong modifier
---
 .../builtin/windefend/win_alert_lsass_access.yml | 2 +-
 ...smon_raw_disk_access_using_illegitimate_tools.yml | 12 ++++--------
 2 files changed, 5 insertions(+), 9 deletions(-)
diff --git a/rules/windows/builtin/windefend/win_alert_lsass_access.yml b/rules/windows/builtin/windefend/win_alert_lsass_access.yml
index 0241da03e..ef419a20e 100644
--- a/rules/windows/builtin/windefend/win_alert_lsass_access.yml
+++ b/rules/windows/builtin/windefend/win_alert_lsass_access.yml
@@ -35,7 +35,7 @@ detection:
 - 'C:\Windows\System32\wbem\WmiPrvSE.exe'
 - 'C:\Windows\SysWOW64\msiexec.exe'
 filter_begins:
- ProcessName|beginswith:
+ ProcessName|startswith:
 - 'C:\Windows\System32\\DriverStore\'
 - 'C:\WINDOWS\Installer\'
 - 'C:\Program Files\'
diff --git a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml
index 84e0f7b09..e9a4b6b0b 100644
--- a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml
+++ b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml
@@ -4,7 +4,7 @@ description: Raw disk access using illegitimate tools, possible defence evasion
 author: Teymur Kheirkhabarov, oscd.community
 status: test
 date: 2019/10/22
-modified: 2022/02/08
+modified: 2022/02/09
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 tags:
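Review bot: With `beginswith` corrected to `startswith`, `filter_begins` now actually takes effect, and it exempts every process whose path starts with `C:\Program Files\`, `C:\WINDOWS\Installer\` or the DriverStore directory; an attacker holding local admin can write to those locations, so a dumper staged there would no longer raise this LSASS-access alert. I would record that trade-off above the list, e.g. `# broad path allowlist: any binary an admin stages under these directories is exempt`, and check that the rule's `falsepositives`/`level` fields (outside this hunk) reflect it. The doubled backslash in `'C:\Windows\System32\\DriverStore\'` is inconsistent with the sibling entries; if Sigma treats `\\` as a literal single backslash it is harmless, but `'C:\Windows\System32\DriverStore\'` avoids depending on that. The `detection` block continues outside the hunk.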
@@ -60,20 +60,16 @@ detection:
 filter_windefender:
 Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
 Image|endswith: '\MsMpEng.exe'
- filter_appdata:
- Image|contains|all:
- - 'C:\Users\'
- - '\Microsoft\OneDrive\'
- - '\FileCoAuth.exe'
 filter_programfiles: # this rule causes so many FPs that we have to do this
 Image|startswith:
 - 'C:\Program Files\'
 - 'C:\Program Files (x86)\'
- filter_onedrive:
+ filter_appdata:
 Image|contains|all:
 - 'C:\Users\'
 - '\AppData\'
- - '\Microsoft\OneDrive\'
+ Image|contains: - '\Microsoft\'
 condition: not 1 of filter_*
 fields:
 - ComputerName
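Review bot: The new `filter_appdata` exempts any Image under `C:\Users\…\AppData\…` that merely contains `\Microsoft\` somewhere in its path, which is far broader than the OneDrive-specific filters it replaces: a dumper dropped as `C:\Users\bob\AppData\Local\Microsoft\x.exe`, or under any folder the attacker names `Microsoft` inside a user-writable AppData path, would now be silently excluded, and user-writable paths are exactly what a raw-disk-access rule should keep watching. The `- '\Microsoft\'` item under `Image|contains:` appears to be an added line whose `+` marker was lost in this rendering, since the hunk counts only balance if it is new. I would keep the product subfolders that actually caused the false positives, e.g. `- '\Microsoft\OneDrive\'` plus whichever other `\Microsoft\<product>\` paths were observed, rather than the bare `'\Microsoft\'`, and name them in a comment so the next maintainer knows why each entry exists. The `detection` block starts outside the hunk.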