From 152f22ba016347cf749a6cd969e743671615b45e Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Thu, 27 Oct 2022 09:45:01 +0200
Subject: [PATCH 1/2] fix: FPs in testing environment
---
 .../win_codeintegrity_attempted_dll_load.yml | 9 ++++++++-
 .../process_creation/proc_creation_win_lolbin_bash.yml | 5 +++--
 .../proc_creation_win_ntfs_short_name_path_use_cli.yml | 7 +++++--
 .../proc_creation_win_susp_clsid_foldername.yml | 5 ++++-
 4 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
index 3f0a28d40..b21eab87e 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
@@ -6,7 +6,7 @@ status: experimental
 references:
 - https://twitter.com/SBousseaden/status/1483810148602814466
 date: 2022/01/20
-modified: 2022/10/25
+modified: 2022/10/27
 tags:
 - attack.execution
 logsource:
@@ -51,6 +51,13 @@ detection:
 ProcessNameBuffer|endswith: '\MsMpEng.exe'
 RequestedPolicy: 7
 ValidatedPolicy: 1
+ filter_avast:
+ FileNameBuffer|endswith:
+ - 'Program Files\Avast Software\Avast\aswAMSI.dll'
+ - 'Program Files (x86)\Avast Software\Avast\aswAMSI.dll'
+ ProcessNameBuffer|endswith: '\Windows\System32\SIHClient.exe'
+ RequestedPolicy: 12
+ ValidatedPolicy: 1
 condition: selection and not 1 of filter_*
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml b/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml
index b0d652d0b..34f853632 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml
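Review bot: `falsepositives` still lists only `Unknown`, although the detection now carries explicit exclusions for Defender's `MsMpEng.exe` and, in the new `filter_avast`, for Avast's `aswAMSI.dll` being loaded by `SIHClient.exe` under `RequestedPolicy: 12`; recording these as known benign cases, e.g. `- Third-party AMSI providers loaded by system processes (Defender and Avast observed)`, tells analysts what has already been triaged. A short comment on `filter_avast` giving the observation behind it would also help, since unlike the process name the `RequestedPolicy`/`ValidatedPolicy` pair is not self-explanatory. The enclosing `detection` block and the `selection` these filters apply to start outside the hunk.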
@@ -9,7 +9,7 @@ tags:
 - attack.t1202
 author: frack113
 date: 2021/11/24
-modified: 2022/10/11
+modified: 2022/10/26
 logsource:
 category: process_creation
 product: windows
@@ -19,10 +19,11 @@ detection:
 - bash.exe
 - '-c '
 filter_git:
- ParentCommandLine|contains:
+ - ParentCommandLine|contains:
 - 'C:\Program Files\Git\post-install.bat'
 - 'C:\Program Files (x86)\Git\post-install.bat'
 - 'echo /etc/post-install/*.post' # needed for occurrences where the *.bat is the grandparent
+ - CommandLine|contains: 'echo /etc/post-install/*.post' # needed for WinEvtLog 4688 events
 condition: selection and not 1 of filter*
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml
index ec7f9f32f..a7d331e46 100644
--- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml
@@ -11,7 +11,7 @@ references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
 - https://twitter.com/frack113/status/1555830623633375232
 date: 2022/08/07
-modified: 2022/10/19
+modified: 2022/10/26
 logsource:
 category: process_creation
 product: windows
@@ -32,7 +32,10 @@ detection:
 - '\winget.exe'
 - '\Everything\Everything.exe'
 - ParentImage|contains: '\AppData\Local\Temp\WinGet\'
- - CommandLine|contains: '\appdata\local\webex\webex64\meetings\wbxreport.exe'
+ - CommandLine|contains:
+ - '\appdata\local\webex\webex64\meetings\wbxreport.exe'
+ - 'C:\Program Files\Git\post-install.bat'
+ - 'C:\Program Files\Git\cmd\scalar.exe'
 condition: selection and not filter
 falsepositives:
 - Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process.
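Review bot: The new `- CommandLine|contains: 'echo /etc/post-install/*.post'` entry in `filter_git` excludes on the command line of the bash process itself, so any `bash -c` invocation whose arguments happen to include that substring is dropped, which is looser than the `ParentCommandLine` entries above it that anchor on the Git post-install paths. If the 4688 events this was added for carry a parent field, constraining the same map with a `ParentImage` or `ParentCommandLine` condition would keep the exclusion tied to the Git installer rather than to an arbitrary command line. The same substring-only `CommandLine|contains` exclusion is added to `proc_creation_win_ntfs_short_name_path_use_cli.yml` in this patch, where a command line that merely mentions one of the Git paths is likewise excluded. Turning `filter_git` into a list of two maps makes the filter an OR of the two, which is presumably the intent; a comment above the list such as `# either the parent or (for 4688 events) the process itself carries the post-install marker` would stop a later contributor from collapsing it back into one map. The enclosing `detection` block and its `selection` start outside the hunk.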
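Review bot: The two Git paths added to `CommandLine|contains` cover only `C:\Program Files\Git\`, whereas `proc_creation_win_lolbin_bash.yml` in the same patch excludes both `C:\Program Files\Git\post-install.bat` and `C:\Program Files (x86)\Git\post-install.bat`; if 32-bit Git installs occur in the environment, adding `- 'C:\Program Files (x86)\Git\post-install.bat'` and `- 'C:\Program Files (x86)\Git\cmd\scalar.exe'` keeps the two rules consistent. The existing webex entry is lower-case while the new entries are mixed-case; Sigma string matching is case-insensitive by default so this is cosmetic, but uniform casing within one list reads better. The `filter` block's key and the `selection` it excludes from lie outside the hunk.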
diff --git a/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml b/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml
index 55e39ac5e..53b2f330a 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml
@@ -6,6 +6,7 @@ author: Nasreddine Bencherchali
 references:
 - https://twitter.com/Kostastsale/status/1565257924204986369
 date: 2022/09/01
+modified: 2022/10/26
 logsource:
 category: process_creation
 product: windows
@@ -27,7 +28,9 @@ detection:
 Image|contains|all:
 - '\{'
 - '}\'
- condition: all of selection_* and not filter
+ filter_null:
+ Image: null
+ condition: all of selection_* and not 1 of filter*
 falsepositives:
 - Some FP is expected with some installers
 level: medium
From 07faf2b50a9966f0bbbfe2b5f7dbbb6bb760f9e6 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Thu, 27 Oct 2022 10:22:49 +0200
Subject: [PATCH 2/2] fix: add missing \
---
 .../code_integrity/win_codeintegrity_attempted_dll_load.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
index b21eab87e..54a67922c 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
@@ -53,8 +53,8 @@ detection:
 ValidatedPolicy: 1
 filter_avast:
 FileNameBuffer|endswith:
- - 'Program Files\Avast Software\Avast\aswAMSI.dll'
- - 'Program Files (x86)\Avast Software\Avast\aswAMSI.dll'
+ - '\Program Files\Avast Software\Avast\aswAMSI.dll'
+ - '\Program Files (x86)\Avast Software\Avast\aswAMSI.dll'
 ProcessNameBuffer|endswith: '\Windows\System32\SIHClient.exe'
 RequestedPolicy: 12
 ValidatedPolicy: 1
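Review bot: `filter_null` with `Image: null` excludes every event in which the `Image` field is absent, but nothing in the hunk says which log source produces such events or why dropping them is preferable to alerting; since the block ending just above (`Image|contains|all`, whose key is outside the hunk) is presumably the existing `filter`, the likely reason is that the path-based filter cannot be evaluated without `Image`. A comment above the new block, such as `# <log source> events carry no Image; the Image-based filter cannot be applied to them, so they are excluded rather than alerted on`, would record that decision. If one of the `selection_*` blocks matches on `CommandLine` alone, those events now lose coverage entirely, which is worth mentioning in `falsepositives` or `description`.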