Merge pull request #4073 from nasbench/nasbench-rule-devel

feat: updates and fixes
2023-02-24 17:50:50 +01:00
parent 5dc2e60247 60c0b5fdd0
commit 4d8a6ca51f
21 changed files with 244 additions and 147 deletions
@@ -9,13 +9,13 @@ author: Axel Olsson
 date: 2022/08/14
 tags:
    - attack.discovery
-    - attack.t1590 # Gather Victim Network Information 
+    - attack.t1590
 logsource:
    category: proxy
 detection:
    selection:
-      # Example request: http://www.advanced-port-scanner.com/checkupdate.php?lng=en&ver=2-5-3680&beta=n&type=upd&rmode=p&product=aps 
-      # Example request2: http://www.advanced-ip-scanner.com/checkupdate.php?lng=en&ver=2-5-3499&beta=n&type=upd&rmode=p&product=aips 
+      # Example request: http://www.advanced-port-scanner.com/checkupdate.php?lng=en&ver=2-5-3680&beta=n&type=upd&rmode=p&product=aps
+      # Example request2: http://www.advanced-ip-scanner.com/checkupdate.php?lng=en&ver=2-5-3499&beta=n&type=upd&rmode=p&product=aips
        c-uri|contains: '/checkupdate.php'
        c-uri-query|contains|all:
            - 'lng='
@@ -1,39 +0,0 @@
-title: Dump Office Macro Files from Commandline
-id: b1c50487-1967-4315-a026-6491686d860e
-status: experimental
-description: A office file with macro is created from a commandline or a script
-references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
-    - https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
-author: frack113
-date: 2022/01/23
-modified: 2022/07/14
-tags:
-    - attack.initial_access
-    - attack.t1566.001
-logsource:
-    category: file_event
-    product: windows
-detection:
-    selection_ext:
-        TargetFilename|endswith:
-            - .docm
-            - .dotm
-            - .xlsm
-            - .xltm
-            - .potm
-            - .pptm
-            - .pptx
-    selection_cmd:
-        - Image|endswith:
-            - \cmd.exe
-            - \powershell.exe
-            - \pwsh.exe
-        - ParentImage|endswith:
-            - \cmd.exe
-            - \powershell.exe
-            - \pwsh.exe
-    condition: all of selection_*
-falsepositives:
-    - Unknown
-level: medium
@@ -1,12 +1,13 @@
-title: MSDT.exe Creates Files in Autorun Directory
+title: File Creation In Suspicious Directory By Msdt.EXE
 id: 318557a5-150c-4c8d-b70e-a9910e199857
 status: experimental
-description: Detects msdt.exe creating files in suspicious directories
+description: Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities
 references:
    - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
    - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
-author: Vadim Varganov, Florian Roth
+author: Vadim Varganov, Florian Roth (Nextron Systems)
 date: 2022/08/24
+modified: 2023/02/23
 tags:
    - attack.persistence
    - attack.t1547.001
@@ -18,11 +19,11 @@ detection:
    selection:
        Image|endswith: '\msdt.exe'
        TargetFilename|contains:
-            - '\Start Menu\Programs\Startup\'
-            - 'C:\Users\Public\'
-            - 'C:\PerfLogs\'
            - '\Desktop\'
+            - '\Start Menu\Programs\Startup\'
+            - 'C:\PerfLogs\'
            - 'C:\ProgramData\'
+            - 'C:\Users\Public\'
    condition: selection
 falsepositives:
    - Unknown
@@ -1,4 +1,4 @@
-title: NET CLR Binary Execution Usage Log Artifact
+title: Suspicious DotNET CLR Usage Log Artifact
 id: e0b06658-7d1d-4cd3-bf15-03467507ff7c
 related:
    - id: 4508a70e-97ef-4300-b62b-ff27992990ea
@@ -15,14 +15,14 @@ references:
    - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
 author: frack113, omkar72, oscd.community, Wojciech Lesicki
 date: 2022/11/18
-modified: 2023/01/05
+modified: 2023/02/23
 tags:
    - attack.defense_evasion
    - attack.t1218
 logsource:
    category: file_event
    product: windows
-    definition: 'Requirements: UsageLogs folder must be monitored by sysmon configuration'
+    definition: 'Requirements: UsageLogs folder must be monitored by the sysmon configuration'
 detection:
    selection:
        TargetFilename|endswith:
@@ -35,7 +35,15 @@ detection:
            - '\UsageLogs\svchost.exe.log'
            - '\UsageLogs\wscript.exe.log'
            - '\UsageLogs\wmic.exe.log'
-    condition: selection
+    filter_rundll:
+        # This filter requires the event to be enriched by additional information such as ParentImage and CommandLine activity
+        ParentImage|endswith: '\MsiExec.exe'
+        ParentCommandLine|contains: ' -Embedding'
+        Image|endswith: '\rundll32.exe'
+        CommandLine|contains|all:
+            - 'Temp'
+            - 'zzzzInvokeManagedCustomActionOutOfProc'
+    condition: selection and not 1 of filter_*
 falsepositives:
    - Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675
 level: high
@@ -1,4 +1,4 @@
-title: Creation Suspicious File In Uncommon AppData Folder
+title: Suspicious File Creation In Uncommon AppData Folder
 id: d7b50671-d1ad-4871-aa60-5aa5b331fe04
 status: experimental
 description: Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs
@@ -6,7 +6,7 @@ references:
    - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/05
-modified: 2022/10/28
+modified: 2023/02/23
 tags:
    - attack.defense_evasion
    - attack.execution
@@ -15,24 +15,26 @@ logsource:
    category: file_event
 detection:
    selection:
+        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: '\AppData\'
        TargetFilename|endswith:
            # Add more as needed
-            - '.exe'
-            - '.dll'
            - '.bat'
-            - '.vbe'
-            - '.vbs'
-            - '.msi'
+            - '.cmd'
+            - '.cpl'
+            - '.dll'
+            - '.exe'
+            - '.hta'
            - '.iso'
            - '.lnk'
-            - '.cmd'
+            - '.msi'
            - '.ps1'
            - '.psm1'
-            - '.hta'
-            - '.cpl'
            - '.scr'
+            - '.vbe'
+            - '.vbs'
    filter:
+        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains:
            - '\AppData\Local\'
            - '\AppData\LocalLow\'
@@ -1,15 +1,15 @@
 title: SCR File Write Event
 id: c048f047-7e2a-4888-b302-55f509d4a91d
 status: experimental
-description: An attacker may execute an application as a .SCR File (Screensaver) using rundll32.exe desk.cpl,InstallScreenSaver
+description: Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.
 references:
    - https://lolbas-project.github.io/lolbas/Libraries/Desk/
 author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
 date: 2022/04/27
-modified: 2022/11/28
+modified: 2023/02/23
 tags:
-    - attack.t1218.011
    - attack.defense_evasion
+    - attack.t1218.011
 logsource:
    category: file_event
    product: windows
@@ -18,11 +18,12 @@ detection:
        TargetFilename|endswith: '.scr'
    filter:
        TargetFilename|startswith:
+            - 'C:\$WINDOWS.~BT\NewOS\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
-            - 'C:\$WINDOWS.~BT\NewOS\'
+            - ':\WUDownloadCache\' # Windows Update Download Cache
    condition: selection and not filter
 falsepositives:
-    - The installation of new screen savers.
+    - The installation of new screen savers by third party software
 level: medium
@@ -25,8 +25,8 @@ detection:
        Image|endswith:
            - '\target.exe'
            - 'Installer.x64.exe'
-    condition: selection and not 1 of filter*
+    condition: selection and not 1 of filter_*
 falsepositives:
    - Possible FPs during first installation of Notepad++
-    - Legitimate use of custom plugins to enhance notepad++ functionality by users
+    - Legitimate use of custom plugins by users in order to enhance notepad++ functionalities
 level: medium
@@ -1,7 +1,7 @@
 title: Suspicious NTDS.DIT Creation
 id: 4e7050dd-e548-483f-b7d6-527ab4fa784d
-status: experimental
-description: Detects suspicious creations of a file named ntds.dit, e.g. by a PowerShell parent or in a suspicious directory or a suspicious one liner
+status: test
+description: Detects suspicious creations of a file named "ntds.dit" (Active Directory Database) by suspicious parent process, directory or a suspicious one liner
 references:
    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
    - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
@@ -16,10 +16,12 @@ tags:
 logsource:
    product: windows
    category: file_event
+    definition: 'Requirements: The "ParentImage" field is not available by default on EID 11 of Sysmon logs. To be able to use this rule to the full extent you need to enriche the log with additional ParentImage data'
 detection:
    selection_file:
        TargetFilename|endswith: '\ntds.dit'
    selection_process_parent:
+        # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11
        ParentImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
@@ -30,6 +32,7 @@ detection:
            - '\nginx.exe'
            - '\httpd.exe'
    selection_process_parent_path:
+        # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11
        ParentImage|contains:
            - '\apache'
            - '\tomcat'
@@ -0,0 +1,31 @@
+title: Office Macro File Creation
+id: 91174a41-dc8f-401b-be89-7bfc140612a0
+related:
+    - id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66
+      type: similar
+status: experimental
+description: Detects the creation of a new office macro files on the systems
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
+    - https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/01/23
+tags:
+    - attack.initial_access
+    - attack.t1566.001
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        TargetFilename|endswith:
+            - '.docm'
+            - '.dotm'
+            - '.xlsm'
+            - '.xltm'
+            - '.potm'
+            - '.pptm'
+    condition: selection
+falsepositives:
+    - Very common in environments that rely heavily on macro documents
+level: low
@@ -0,0 +1,54 @@
+title: Office Macro File Download
+id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66
+related:
+    - id: 91174a41-dc8f-401b-be89-7bfc140612a0
+      type: similar
+status: experimental
+description: Detects the creation of a new office macro files on the systems via an application (browser, mail client).
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
+    - https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/01/23
+tags:
+    - attack.initial_access
+    - attack.t1566.001
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection_processes:
+        Image|endswith:
+            # Email clients
+            - '\outlook.exe'
+            - '\thunderbird.exe'
+            - '\HxOutlook.exe'
+            # Browsers
+            - '\brave.exe'
+            - '\chrome.exe'
+            - '\firefox.exe'
+            - '\iexplorer.exe'
+            - '\microsoftedge.exe'
+            - '\microsoftedgecp.exe'
+            - '\msedge.exe'
+            - '\opera.exe'
+    selection_ext:
+        - TargetFilename|endswith:
+            - '.docm'
+            - '.dotm'
+            - '.xlsm'
+            - '.xltm'
+            - '.potm'
+            - '.pptm'
+        - TargetFilename|contains:
+            - '.docm:Zone'
+            - '.dotm:Zone'
+            - '.xlsm:Zone'
+            - '.xltm:Zone'
+            - '.potm:Zone'
+            - '.pptm:Zone'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate macro files downloaded from the internet
+    - Legitimate macro files sent as attachemnts via emails
+level: medium
@@ -0,0 +1,44 @@
+title: Office Macro File Creation From Suspicious Process
+id: b1c50487-1967-4315-a026-6491686d860e
+status: experimental
+description: Detects the creation of a office macro file from a a suspicious process
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
+    - https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
+date: 2022/01/23
+modified: 2023/02/22
+tags:
+    - attack.initial_access
+    - attack.t1566.001
+logsource:
+    category: file_event
+    product: windows
+    definition: 'Requirements: The "ParentImage" field is not available by default on EID 11 of Sysmon logs. To be able to use this rule to the full extent you need to enriche the log with additional ParentImage data'
+detection:
+    selection_cmd:
+        - Image|endswith:
+            - '\cscript.exe'
+            - '\mshta.exe'
+            - '\regsvr32.exe'
+            - '\rundll32.exe'
+            - '\wscript.exe'
+        # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11
+        - ParentImage|endswith:
+            - '\cscript.exe'
+            - '\mshta.exe'
+            - '\regsvr32.exe'
+            - '\rundll32.exe'
+            - '\wscript.exe'
+    selection_ext:
+        TargetFilename|endswith:
+            - '.docm'
+            - '.dotm'
+            - '.xlsm'
+            - '.xltm'
+            - '.potm'
+            - '.pptm'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,28 @@
+title: Potential Persistence Via Outlook Form
+id: c3edc6a5-d9d4-48d8-930e-aab518390917
+status: experimental
+description: Detects the creation of a new Outlook form which can contain malicious code
+references:
+    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76
+    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79
+    - https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form
+    - https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/
+author: Tobias Michalski (Nextron Systems)
+date: 2021/06/10
+modified: 2023/02/22
+tags:
+    - attack.persistence
+    - attack.t1137.003
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        Image|endswith: '\outlook.exe'
+        TargetFilename|contains:
+            - '\AppData\Local\Microsoft\FORMS\IPM'
+            - '\Local Settings\Application Data\Microsoft\Forms' # Windows XP
+    condition: selection
+falsepositives:
+    - Legitimate use of outlook forms
+level: high
@@ -1,23 +0,0 @@
-title: Outlook Form Installation
-id: c3edc6a5-d9d4-48d8-930e-aab518390917
-status: experimental
-description: Detects the creation of new Outlook form which can contain malicious code
-references:
-    - https://twitter.com/blueteamsec1/status/1401290874202382336?s=20
-author: Tobias Michalski (Nextron Systems)
-date: 2021/06/10
-modified: 2022/06/16
-tags:
-    - attack.persistence
-    - attack.t1137.003
-logsource:
-    product: windows
-    category: file_event
-detection:
-    selection:
-        Image|endswith: '\outlook.exe'
-        TargetFilename|contains: '\appdata\local\microsoft\FORMS\'
-    condition: selection
-falsepositives:
-    - Unknown
-level: high
@@ -1,8 +1,8 @@
-title: PowerShell Writing Startup Shortcuts
+title: Potential Startup Shortcut Persistence Via PowerShell.EXE
 id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
 status: experimental
 description: |
-    Attempts to detect PowerShell writing startup shortcuts.
+    Detects PowerShell writing startup shortcuts.
    This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
    Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
    In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
@@ -11,7 +11,7 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
 author: Christopher Peacock '@securepeacock', SCYTHE
 date: 2021/10/24
-modified: 2022/08/10
+modified: 2023/02/23
 tags:
    - attack.persistence
    - attack.t1547.001
@@ -27,6 +27,5 @@ detection:
        TargetFilename|endswith: '.lnk'
    condition: selection
 falsepositives:
-    - Unknown
    - Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware.
 level: high
@@ -1,12 +1,13 @@
-title: Potential PSEXEC Remote Execution - FileCreation
+title: PSEXEC Remote Execution File Artefact
 id: 304afd73-55a5-4bb9-8c21-0b1fc84ea9e4
 status: experimental
-description: Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed and gets written to the file system and will be recorded in the USN Journal on the target system
+description: Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
 references:
    - https://aboutdfir.com/the-key-to-identify-psexec/
    - https://twitter.com/davisrichardg/status/1616518800584704028
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/21
+modified: 2023/02/23
 tags:
    - attack.lateral_movement
    - attack.privilege_escalation
@@ -0,0 +1,23 @@
+title: System Drawing DLL Load
+id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c
+status: experimental
+description: Detects processes loading "System.Drawing.ni.dll". This could be an indicator of potential Screen Capture.
+references:
+    - https://github.com/OTRF/detection-hackathon-apt29/issues/16
+    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.md
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+modified: 2023/02/22
+tags:
+    - attack.collection
+    - attack.t1113
+logsource:
+    product: windows
+    category: image_load
+detection:
+    selection:
+        ImageLoaded|endswith: '\System.Drawing.ni.dll'
+    condition: selection
+falsepositives:
+    - False positives are very common from system and third party applications, activity needs to be investigated. This rule is best correlated with other events to increase the level of suspiciousness
+level: low
@@ -1,14 +1,14 @@
-title: WMI Script Host Process Image Loaded
+title: WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load
 id: b439f47d-ef52-4b29-9a2f-57d8a96cb6b8
 status: test
-description: Detects signs of the WMI script host process %SystemRoot%\system32\wbem\scrcons.exe functionality being used via images being loaded by a process.
+description: Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs which could indciates WMI ActiveScriptEventConsumers EventConsumers activity.
 references:
    - https://twitter.com/HunterPlaybook/status/1301207718355759107
    - https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/
    - https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020/09/02
-modified: 2022/10/11
+modified: 2023/02/22
 tags:
    - attack.lateral_movement
    - attack.privilege_escalation
@@ -1,7 +1,7 @@
-title: CLR DLL Loaded Via Scripting Applications
+title: DotNet CLR DLL Loaded By Scripting Applications
 id: 4508a70e-97ef-4300-b62b-ff27992990ea
 status: test
-description: Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript
+description: Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.
 references:
    - https://github.com/tyranid/DotNetToJScript
    - https://thewover.github.io/Introducing-Donut/
@@ -9,7 +9,7 @@ references:
    - https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008
 author: omkar72, oscd.community
 date: 2020/10/14
-modified: 2023/01/06
+modified: 2023/02/23
 tags:
    - attack.execution
    - attack.privilege_escalation
@@ -20,11 +20,14 @@ logsource:
 detection:
    selection:
        Image|endswith:
-            - '\wscript.exe'
+            - '\cmstp.exe'
            - '\cscript.exe'
            - '\mshta.exe'
-            - '\cmstp.exe'
            - '\msxsl.exe'
+            - '\regsvr32.exe'
+            #- '\svchost.exe'
+            - '\wmic.exe'
+            - '\wscript.exe'
        ImageLoaded|endswith:
            - '\clr.dll'
            - '\mscoree.dll'
@@ -1,39 +0,0 @@
-title: Suspicious System.Drawing Load
-id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c
-status: experimental
-description: A General detection for processes loading System.Drawing.ni.dll. This could be an indicator of potential Screen Capture.
-references:
-    - https://github.com/OTRF/detection-hackathon-apt29/issues/16
-    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-modified: 2022/08/13
-tags:
-    - attack.collection
-    - attack.t1113
-logsource:
-    product: windows
-    category: image_load
-detection:
-    selection:
-        ImageLoaded|endswith: '\System.Drawing.ni.dll'
-    filter:
-        # The number of false positives was too high - we had to do this broader filter 
-        # based on the following paths that shouldn't be writable to an unprivileged user
-        Image|startswith:
-            - 'C:\Program Files\'
-            - 'C:\Program Files (x86)\'
-            - 'C:\Windows\System32\'
-            - 'C:\Windows\Microsoft.NET\'
-            - 'C:\Windows\ImmersiveControlPanel\'
-    filter2:
-        Image: 'C:\Windows\System32\NhNotifSys.exe'
-    filter3:
-        Image|startswith: 'C:\Users\'
-        Image|endswith:
-            - '\AppData\Local\NhNotifSys\nahimic\nahimicNotifSys.exe'
-            - '\GitHubDesktop\Update.exe'
-    condition: selection and not 1 of filter*
-falsepositives:
-    - Unknown
-level: low