Add FP on new windows 10 VM

rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml

@@ -3,7 +3,7 @@ id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
 description: Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.
 status: experimental
 date: 2020/10/20
-modified: 2021/11/25
+modified: 2021/12/03
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
     - attack.credential_access
@@ -32,7 +32,8 @@ detection:
             - 'C:\Users\\*\AppData\Local\Microsoft\OneDrive\\*\Microsoft.SharePoint.exe'
             - 'C:\Program Files (x86)\'
             - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
-        - Image|endswith: '\opera_autoupdate.exe'
+            - 'C:\Users\\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
+        - Image|endswith: '\opera_autoupdate.exe'      
     condition: selection and not filter
 falsepositives:
     - other legitimate processes loading those DLLs in your environment.

rules/windows/process_access/sysmon_cred_dump_lsass_access.yml

@@ -5,7 +5,7 @@ description: Detects process access LSASS memory which is typical for credential
 author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov,
     oscd.community (update)
 date: 2017/02/16
-modified: 2021/12/02
+modified: 2021/12/03
 references:
     - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
     - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
@@ -82,6 +82,9 @@ detection:
         GrantedAccess: 
             - '0x1410'
             - '0x410'
+    filter_edge: # version in path 96.0.1054.43
+        SourceImage|startswith: C:\Program Files (x86)\Microsoft\Edge\Application\
+        SourceImage|endswith: \Installer\setup.exe
     # Old - too broad filter  
         # SourceImage|endswith: # easy to bypass. need to implement supportive rule to detect bypass attempts
         #     - '\wmiprvse.exe'

rules/windows/process_access/win_susp_proc_access_lsass.yml

@@ -7,7 +7,7 @@ status: experimental
 description: Detects process access to LSASS memory with suspicious access flags
 author: Florian Roth
 date: 2021/11/22
-modified: 2021/11/30
+modified: 2021/12/03
 references:
     - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
     - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
@@ -59,6 +59,7 @@ detection:
             - 'C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe'
             - 'C:\WINDOWS\system32\taskhostw.exe'
             - 'C:\Users\\*\AppData\Local\Programs\Microsoft VS Code\Code.exe'
+            - 'C:\Program Files\Windows Defender\MsMpEng.exe'
     # Windows Defender
     filter2:
         SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'

rules/windows/process_creation/win_susp_svchost.yml

@@ -8,7 +8,7 @@ tags:
     - attack.t1036      # an old one
 author: Florian Roth
 date: 2017/08/15
-modified: 2021/11/26
+modified: 2021/12/03
 logsource:
     category: process_creation
     product: windows
@@ -23,6 +23,7 @@ detection:
             - '\rpcnet.exe'
             - '\svchost.exe'
             - '\ngen.exe'
+            - '\TiWorker.exe'
     filter_null:
         ParentImage: null
     condition: selection and not filter and not filter_null