Merge pull request #773 from EccoTheFlintstone/fix_fp

add some false positives checks

rules/windows/sysmon/sysmon_webshell_creation_detect.yml

@@ -6,7 +6,7 @@ references:
     - PT ESC rule and personal experience
 author: Beyu Denis, oscd.community
 date: 2019/10/22
-modified: 2019/11/04
+modified: 2020/05/18
 tags:
     - attack.persistence
     - attack.t1100
@@ -36,8 +36,12 @@ detection:
         - TargetFilename|contains|all:
             - '\cgi-bin\'
             - '.pl'
-    condition: selection_1 and ( selection_2 and selection_3 ) or
-               selection_1 and ( selection_4 and selection_5 ) or
-               selection_1 and selection_6
+    false_positives:  # false positives when unpacking some executables in $TEMP
+        TargetFilename|contains:
+            - '\AppData\Local\Temp\'
+            - '\Windows\Temp\'
+    # kind of ugly but sigmac seems not to handle double parenthesis "(("
+    # we shold prefer something like : selection_1 and not false_positives and ((selection_2 and selection_3) or (selection_4 and selection_5) or selection_6)
+    condition: (selection_1 and selection_2 and selection_3 and not false_positives) or (selection_1 and selection_4 and selection_5 and not false_positives) or (selection_1 and selection_6 and not false_positives)
 falsepositives:
     - Legitimate administrator or developer creating legitimate executable files in a web application folder