diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
index 3f0a28d40..54a67922c 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
@@ -6,7 +6,7 @@ status: experimental
 references:
 - https://twitter.com/SBousseaden/status/1483810148602814466
 date: 2022/01/20
-modified: 2022/10/25
+modified: 2022/10/27
 tags:
 - attack.execution
 logsource:
@@ -51,6 +51,13 @@ detection:
 ProcessNameBuffer|endswith: '\MsMpEng.exe'
 RequestedPolicy: 7
 ValidatedPolicy: 1
+ filter_avast:
+ FileNameBuffer|endswith:
+ - '\Program Files\Avast Software\Avast\aswAMSI.dll'
+ - '\Program Files (x86)\Avast Software\Avast\aswAMSI.dll'
+ ProcessNameBuffer|endswith: '\Windows\System32\SIHClient.exe'
+ RequestedPolicy: 12
+ ValidatedPolicy: 1
 condition: selection and not 1 of filter_*
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml b/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml
index b0d652d0b..34f853632 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml
@@ -9,7 +9,7 @@ tags:
 - attack.t1202
 author: frack113
 date: 2021/11/24
-modified: 2022/10/11
+modified: 2022/10/26
 logsource:
 category: process_creation
 product: windows
@@ -19,10 +19,11 @@ detection:
 - bash.exe
 - '-c '
 filter_git:
- ParentCommandLine|contains:
+ - ParentCommandLine|contains:
 - 'C:\Program Files\Git\post-install.bat'
 - 'C:\Program Files (x86)\Git\post-install.bat'
 - 'echo /etc/post-install/*.post' # needed for occurrences where the *.bat is the grandparent
+ - CommandLine|contains: 'echo /etc/post-install/*.post' # needed for WinEvtLog 4688 events
 condition: selection and not 1 of filter*
 falsepositives:
 - Unknown
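Review bot: The new filter_avast block carries no comment explaining why SIHClient.exe loading aswAMSI.dll with RequestedPolicy 12 is expected, while the MsMpEng filter directly above uses RequestedPolicy 7, so the next maintainer cannot tell whether the differing policy value is deliberate. A one-line comment above `filter_avast:` such as `# Avast AMSI provider loaded by SIHClient.exe (appears to be the Windows Server Initiated Healing client); requested policy 12 observed in the wild` would settle that — the SIHClient role is my reading, so confirm it before committing the text. Like the existing filter, the exclusion keys on `endswith` paths only, so the Avast path is matched on any drive and nothing ties the exclusion to the DLL's signer; if the event source exposes no signer or hash field this is the best available, but it is worth stating in the rule's falsepositives rather than leaving them at Unknown.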
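Review bot: Turning filter_git into a list of two maps makes them alternatives, so the new `- CommandLine|contains: 'echo /etc/post-install/*.post'` entry excludes any `bash.exe -c` invocation whose own command line contains that substring, with no parent constraint at all — a much wider exclusion than the ParentCommandLine variant it sits beside, and the same substring-only exclusion is introduced in the proc_creation_win_ntfs_short_name_path_use_cli.yml hunk of this commit. If this is the best a 4688-only source allows (4688 presumably carries no ParentCommandLine, which is how I read the `# needed for WinEvtLog 4688 events` comment), say so explicitly, e.g. `# 4688 events carry no ParentCommandLine; match the Git post-install command itself instead`, and consider pairing it with an Image or ParentImage constraint if one reliably holds for the Git installer. The selection block this filter is applied against starts before the hunk.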
diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml
index ec7f9f32f..a7d331e46 100644
--- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml
@@ -11,7 +11,7 @@ references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
 - https://twitter.com/frack113/status/1555830623633375232
 date: 2022/08/07
-modified: 2022/10/19
+modified: 2022/10/26
 logsource:
 category: process_creation
 product: windows
@@ -32,7 +32,10 @@ detection:
 - '\winget.exe'
 - '\Everything\Everything.exe'
 - ParentImage|contains: '\AppData\Local\Temp\WinGet\'
- - CommandLine|contains: '\appdata\local\webex\webex64\meetings\wbxreport.exe'
+ - CommandLine|contains:
+ - '\appdata\local\webex\webex64\meetings\wbxreport.exe'
+ - 'C:\Program Files\Git\post-install.bat'
+ - 'C:\Program Files\Git\cmd\scalar.exe'
 condition: selection and not filter
 falsepositives:
 - Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process.
diff --git a/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml b/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml
index 55e39ac5e..53b2f330a 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml
@@ -6,6 +6,7 @@ author: Nasreddine Bencherchali
 references:
 - https://twitter.com/Kostastsale/status/1565257924204986369
 date: 2022/09/01
+modified: 2022/10/26
 logsource:
 category: process_creation
 product: windows
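Review bot: The two Git entries added to `CommandLine|contains` cover only the 64-bit install path, whereas the proc_creation_win_lolbin_bash.yml filter updated in this same commit lists both `C:\Program Files\Git\post-install.bat` and `C:\Program Files (x86)\Git\post-install.bat`; a 32-bit Git install will keep firing this rule for the same post-install activity. Adding `- 'C:\Program Files (x86)\Git\post-install.bat'` (and the matching scalar.exe path if that build ships it — I cannot tell from here) keeps the two rules consistent. The hard-coded `C:\` prefix also differs from the drive-agnostic webex entry directly above it; either style is defensible, but mixing them within one list invites a later reader to assume the difference is intentional. The filter list this hunk extends begins before the hunk.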
@@ -27,7 +28,9 @@ detection:
 Image|contains|all:
 - '\{'
 - '}\'
- condition: all of selection_* and not filter
+ filter_null:
+ Image: null
+ condition: all of selection_* and not 1 of filter*
 falsepositives:
 - Some FP is expected with some installers
 level: medium
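Review bot: The new `filter_null` block (`Image: null`) has no comment stating why events with no Image value are dropped, and its effect depends on the selection blocks that start before this hunk: if the `Image|contains|all` selection shown is the only one touching Image, an event without Image could never satisfy `all of selection_*` and the filter is redundant, whereas if another selection matches on a different field the filter silently discards those events. A short comment above `filter_null:` such as `# drop events whose log source does not populate Image` (or whatever the actual motivation is) would let the next reader judge which case applies. The `null` spelling itself is fine — it is the YAML null Sigma uses for a missing field and needs no quoting.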