From 65a11dde5281a661844d64ecbdabdaa79e66c8a1 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 9 Apr 2021 15:55:14 +0200
Subject: [PATCH] fix: rules causing too many false positives

---
 .../builtin/win_invoke_obfuscation_via_var++_services.yml | 2 +-
 .../powershell/powershell_invoke_obfuscation_via_var++.yml | 4 ++--
 .../sysmon_always_install_elevated_windows_installer.yml | 4 ++--
 .../process_creation/win_invoke_obfuscation_via_var++.yml | 2 +-
 rules/windows/process_creation/win_susp_rar_flags.yml | 3 +--
 5 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml
index fb74d50bf..0504ec1d4 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml
@@ -17,7 +17,7 @@ falsepositives:
 level: high
 detection:
 selection_1:
- - ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r'
+ - ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
 condition: selection and selection_1
 ---
 logsource:
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml
index 62f796ce2..ac20a73c2 100644
--- a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml
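Review bot: The false positives in the removed ImagePath regex come from operator precedence, not from `/r` itself: the trailing `|\/r` is an alternation against the whole left-hand pattern, so any ImagePath containing `/r` matched on its own. Deleting the alternative fixes that, but it also drops coverage of the `cmd /r` form, which Invoke-Obfuscation's VAR++ launcher appears to use interchangeably with `cmd /c` (please confirm against the generator). Grouping the switch keeps both while removing the FP path: `- ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/[cr]'`. The trailing `# FPs with |\/r` comment would then be better phrased as `# unanchored |\/r alternative matched any path containing /r; switch is grouped instead`.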
@@ -17,10 +17,10 @@ logsource:
 detection:
 selection_1:
 EventID: 4104
- ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r'
+ ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c/c' # FPs with |\/r
 selection_2:
 EventID: 4103
- Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r'
+ Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
 condition: selection_1 or selection_2
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml b/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
index 30cb9b428..8d89e217b 100644
--- a/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
+++ b/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
@@ -33,5 +33,5 @@ fields:
 - Image
 falsepositives:
 - System administrator Usage
- - Penetration test
-level: high
\ No newline at end of file
+ - Penetration test
+level: medium
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml
index 248c69830..caeadc4e8 100644
--- a/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml
+++ b/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml
@@ -16,7 +16,7 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r'
+ CommandLine|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/win_susp_rar_flags.yml b/rules/windows/process_creation/win_susp_rar_flags.yml
index 67e7d2e28..16413091f 100644
--- a/rules/windows/process_creation/win_susp_rar_flags.yml
+++ b/rules/windows/process_creation/win_susp_rar_flags.yml
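Review bot: The new ScriptBlockText regex in selection_1 ends in `\/c/c` rather than `\/c` — compare the Payload line in selection_2 of the same hunk, which ends in `\/c'`. As written the 4104 branch requires the literal text `/c/c` after `cmd`, which `cmd /c ...` never contains, so the script-block half of this rule stops firing entirely while the 4103 half keeps working; this is a silent detection gap rather than a noisy one. The line should read `ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r` (or `\/[cr]` if the `cmd /r` variant is still in scope, which the removed alternation suggests it was). A quick positive test string such as `&&set a=...{0}{1}\" -f ...&&cmd /c ...` against both selections would have caught the discrepancy.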
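Review bot: The CommandLine regex drops the `\/r` alternative outright instead of fixing its precedence, so `cmd /r` launches of the VAR++ obfuscation are no longer detected by this process_creation rule; the old `|\/r` matched on its own because it was an unanchored alternation against the whole pattern, which is the actual FP cause. The same coverage is kept without the FP by grouping the switch: `CommandLine|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/[cr]'`. Whichever form is chosen, it should be applied identically across the three VAR++ rules in this commit so their behaviour stays in step.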
@@ -11,8 +11,7 @@ tags:
 - attack.collection
 - attack.t1560.001
 - attack.exfiltration # an old one
- - attack.t1002 # an old one
-
+ - attack.t1002 # an old one
 logsource:
 category: process_creation
 product: windows