Merge pull request #3647 from phantinuss/master

fix: FPs in testing environment

rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml

@@ -6,7 +6,7 @@ status: experimental
 references:
     - https://twitter.com/SBousseaden/status/1483810148602814466
 date: 2022/01/20
-modified: 2022/10/25
+modified: 2022/10/27
 tags:
     - attack.execution
 logsource:
@@ -51,6 +51,13 @@ detection:
         ProcessNameBuffer|endswith: '\MsMpEng.exe'
         RequestedPolicy: 7
         ValidatedPolicy: 1
+    filter_avast:
+        FileNameBuffer|endswith:
+            - '\Program Files\Avast Software\Avast\aswAMSI.dll'
+            - '\Program Files (x86)\Avast Software\Avast\aswAMSI.dll'
+        ProcessNameBuffer|endswith: '\Windows\System32\SIHClient.exe'
+        RequestedPolicy: 12
+        ValidatedPolicy: 1
     condition: selection and not 1 of filter_*
 falsepositives:
     - Unknown

rules/windows/process_creation/proc_creation_win_lolbin_bash.yml

@@ -9,7 +9,7 @@ tags:
     - attack.t1202
 author: frack113
 date: 2021/11/24
-modified: 2022/10/11
+modified: 2022/10/26
 logsource:
     category: process_creation
     product: windows
@@ -19,10 +19,11 @@ detection:
             - bash.exe
             - '-c '
     filter_git:
-        ParentCommandLine|contains:
+        - ParentCommandLine|contains:
             - 'C:\Program Files\Git\post-install.bat'
             - 'C:\Program Files (x86)\Git\post-install.bat'
             - 'echo /etc/post-install/*.post'  # needed for occurrences where the *.bat is the grandparent
+        - CommandLine|contains: 'echo /etc/post-install/*.post'  # needed for WinEvtLog 4688 events
     condition: selection and not 1 of filter*
 falsepositives:
     - Unknown

rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml

@@ -11,7 +11,7 @@ references:
     - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
     - https://twitter.com/frack113/status/1555830623633375232
 date: 2022/08/07
-modified: 2022/10/19
+modified: 2022/10/26
 logsource:
     category: process_creation
     product: windows
@@ -32,7 +32,10 @@ detection:
             - '\winget.exe'
             - '\Everything\Everything.exe'
         - ParentImage|contains: '\AppData\Local\Temp\WinGet\'
-        - CommandLine|contains: '\appdata\local\webex\webex64\meetings\wbxreport.exe'
+        - CommandLine|contains:
+            - '\appdata\local\webex\webex64\meetings\wbxreport.exe'
+            - 'C:\Program Files\Git\post-install.bat'
+            - 'C:\Program Files\Git\cmd\scalar.exe'
     condition: selection and not filter
 falsepositives:
     - Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process.

rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml

@@ -6,6 +6,7 @@ author: Nasreddine Bencherchali
 references:
     - https://twitter.com/Kostastsale/status/1565257924204986369
 date: 2022/09/01
+modified: 2022/10/26
 logsource:
     category: process_creation
     product: windows
@@ -27,7 +28,9 @@ detection:
         Image|contains|all:
             - '\{'
             - '}\'
-    condition: all of selection_* and not filter
+    filter_null:
+        Image: null
+    condition: all of selection_* and not 1 of filter*
 falsepositives:
     - Some FP is expected with some installers
 level: medium