From 37b445d3bbdc2f502891f02c3050e03a25792dfa Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 24 Nov 2021 00:27:43 +0100 Subject: [PATCH] fix: FPs that only show up in Aurora Sysmon configs are often too restricted --- ...ge_load.yml => image_load_wsman_provider_image_load.yml} | 6 ++++-- rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml | 3 ++- 2 files changed, 6 insertions(+), 3 deletions(-) rename rules/windows/image_load/{sysmon_wsman_provider_image_load.yml => image_load_wsman_provider_image_load.yml} (84%) diff --git a/rules/windows/image_load/sysmon_wsman_provider_image_load.yml b/rules/windows/image_load/image_load_wsman_provider_image_load.yml similarity index 84% rename from rules/windows/image_load/sysmon_wsman_provider_image_load.yml rename to rules/windows/image_load/image_load_wsman_provider_image_load.yml index ec2373f6f..d9bb86dda 100644 --- a/rules/windows/image_load/sysmon_wsman_provider_image_load.yml +++ b/rules/windows/image_load/image_load_wsman_provider_image_load.yml @@ -3,7 +3,7 @@ id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94 description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution. status: experimental date: 2020/06/24 -modified: 2021/11/17 +modified: 2021/11/23 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.execution @@ -30,10 +30,12 @@ detection: - Microsoft.WSMan.Management.dll filter_ps: Image|endswith: '\powershell.exe' + filter_bits: # not available in Sysmon data, but Aurora logs + CommandLine|contains: 'svchost.exe -k netsvcs -p -s BITS' respond_server: Image|endswith: '\svchost.exe' OriginalFileName: 'WsmWmiPl.dll' - condition: (request_client and not filter_ps) or respond_server + condition: (request_client and not filter_ps and not filter_bits) or respond_server falsepositives: - Unknown level: medium 
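Review bot: The new `filter_bits` exclusion keys only on `CommandLine|contains`, so on Aurora data any loader whose command line merely contains the text `svchost.exe -k netsvcs -p -s BITS` (for example an arbitrary binary launched with that string as an argument) drops out of the `request_client` branch. Since the same detection already matches on `Image` in `filter_ps` and `respond_server`, the filter can be anchored to the real host binary: `filter_bits:` / `  Image|endswith: '\svchost.exe'` / `  CommandLine|contains: 'svchost.exe -k netsvcs -p -s BITS'`. The inline comment would be more precise as `# CommandLine is not part of Sysmon EID 7 image-load events; Aurora enriches them with it, so this filter only takes effect there`. On plain Sysmon telemetry `filter_bits` never matches and the condition reduces to the previous `(request_client and not filter_ps) or respond_server`, so the change is a no-op there; the BITS service host being excluded on Aurora is worth recording under `falsepositives:` instead of the current `- Unknown`.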
diff --git a/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml b/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml index 27c50cff0..d43d2cbb0 100644 --- a/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml +++ b/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml @@ -3,7 +3,7 @@ id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784 description: Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it. status: experimental date: 2020/10/20 -modified: 2021/11/20 +modified: 2021/11/23 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.credential_access @@ -28,6 +28,7 @@ detection: Image|startswith: - 'C:\Windows\System32\' - 'C:\Windows\explorer.exe' + - 'C:\Program Files\' condition: selection and not filter falsepositives: - other legitimate processes loading those DLLs in your environment.
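Review bot: Adding `'C:\Program Files\'` to the `Image|startswith` filter suppresses the rule for every process installed under that directory, which is far broader than the two System32/explorer.exe entries it joins and would also hide a credential-prompt DLL loaded by (or side-loaded into) any third-party program there. If the observed false positives came from specific products, listing those image paths individually keeps the exclusion narrow; if a directory-wide exclusion is intended, `'C:\Program Files (x86)\'` is not covered, so 32-bit builds of the same software will still alert while 64-bit ones are silenced. Either way the `falsepositives:` entry should state that anything under Program Files is excluded rather than only `other legitimate processes loading those DLLs in your environment`. The `filter:` key this list belongs to begins above the hunk, and the sibling rule in this commit drops its `sysmon_` filename prefix while this file keeps it.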