From dbfd439ce415b90ca71af587fc6d8b69ce75e7d6 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Mon, 25 Jul 2022 11:27:19 +0200
Subject: [PATCH 1/2] fix: too many FPs

with e.g. =select-billing-address and many more
---
 rules/web/web_sql_injection_in_access_logs.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/rules/web/web_sql_injection_in_access_logs.yml b/rules/web/web_sql_injection_in_access_logs.yml
index f7767e58f..45318e277 100644
--- a/rules/web/web_sql_injection_in_access_logs.yml
+++ b/rules/web/web_sql_injection_in_access_logs.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects SQL Injection attempts via GET requests in access logs
 author: Saw Win Naung, Nasreddine Bencherchali
 date: 2020/02/22
-modified: 2022/06/27
+modified: 2022/07/25
 references:
     - https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/
     - https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/
@@ -16,7 +16,9 @@ detection:
     select_method:
         cs-method: 'GET'
     keywords:
-        - '=select'
+        - '=select '
+        - '=select%20'
+        - '=select('
         - 'UNION SELECT'
         - 'UNION%20SELECT'
         - 'UNION ALL SELECT'
@@ -38,8 +40,6 @@ detection:
         - 'or%201=1#'
     filter:
         sc-status: 404
-    filter_fps:
-        - '=select2'
     condition: select_method and keywords and not 1 of filter*
 fields:
     - client_ip

From b40d9951c4fc1c0dc803671afbba9dd9ed5b05e2 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 27 Jul 2022 14:18:17 +0200
Subject: [PATCH 2/2] fix: FP found in testing

---
 .../registry/registry_set/registry_set_taskcache_entry.yml  | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml
index 9162c9c78..ec3a77ffd 100644
--- a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml
+++ b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml
@@ -3,7 +3,7 @@ id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d
 description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious
 status: experimental
 date: 2021/06/18
-modified: 2022/05/23
+modified: 2022/07/27
 references:
   - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
   - https://labs.f-secure.com/blog/scheduled-task-tampering/
@@ -26,6 +26,10 @@ detection:
     TargetObject|contains: '\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{1A552422-F571-4376-A7F1-5941E63D7B40}'
   filter_svchost:
     Image: 'C:\WINDOWS\system32\svchost.exe'
+  filter_ngen:
+    Image|startswith: 'C:\Windows\Microsoft.NET\Framework\'
+    Image|endswith: '\ngen.exe'
+    TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B66B135D-DA06-4FC4-95F8-7458E1D10129}'
   condition: selection and not 1 of filter*
 falsepositives:
   - Unknown