From 691dca6fd2cac002bec9f158bb3ecf4c679a76fa Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Mon, 15 Apr 2024 13:43:35 +0200
Subject: [PATCH] Merge PR #4808 from @frack113 - FP Bad practice GPO fix: Windows Binaries Write Suspicious Extensions - Add new filter for when "bat" or "powershell" scripts are written via GPO to run at startup.
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 ..._win_shell_write_susp_files_extensions.yml | 38 ++++++++++++------
 1 file changed, 24 insertions(+), 14 deletions(-)
diff --git a/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml b/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml
index 31509a820..549e7d54f 100644
--- a/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml
+++ b/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml
@@ -9,7 +9,7 @@ references:
     - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/12
-modified: 2024/04/04
+modified: 2024/04/15
 tags:
     - attack.defense_evasion
     - attack.t1036
@@ -19,41 +19,51 @@ logsource:
 detection:
     selection_generic:
         Image|endswith:
-            - '\smss.exe'
+            - '\csrss.exe'
+            - '\lsass.exe'
             - '\RuntimeBroker.exe'
             - '\sihost.exe'
-            - '\lsass.exe'
-            - '\csrss.exe'
-            - '\winlogon.exe'
+            - '\smss.exe'
             - '\wininit.exe'
+            - '\winlogon.exe'
         TargetFilename|endswith:
             - '.bat'
-            - '.vbe'
-            - '.txt'
-            - '.vbs'
+            - '.dll'
             - '.exe'
-            - '.ps1'
             - '.hta'
             - '.iso'
-            - '.dll'
+            - '.ps1'
+            - '.txt'
+            - '.vbe'
+            - '.vbs'
     selection_special:
         Image|endswith:
+            - '\dllhost.exe'
             - '\rundll32.exe'
             - '\svchost.exe'
-            - '\dllhost.exe'
         TargetFilename|endswith:
             - '.bat'
-            - '.vbe'
-            - '.vbs'
-            - '.ps1'
             - '.hta'
             - '.iso'
+            - '.ps1'
+            - '.vbe'
+            - '.vbs'
     filter_main_AppLockerPolicyTest:
         Image: 'C:\Windows\System32\dllhost.exe'
         TargetFilename|contains|all:
             - ':\Users\'
             - '\AppData\Local\Temp\__PSScriptPolicyTest_'
         TargetFilename|endswith: '.ps1'
+    filter_main_script_gpo_machine:
+        Image: 'C:\Windows\system32\svchost.exe'
+        TargetFilename|contains|all:
+            - 'C:\Windows\System32\GroupPolicy\DataStore\'
+            - '\sysvol\'
+            - '\Policies\'
+            - '\Machine\Scripts\Startup\'
+        TargetFilename|endswith:
+            - '.ps1'
+            - '.bat'
     condition: 1 of selection_* and not 1 of filter_main_*
 falsepositives:
     - Unknown
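Review bot: The new `filter_main_script_gpo_machine` block exempts every `.ps1`/`.bat` that svchost.exe writes under `\Machine\Scripts\Startup\` in the GPO DataStore, which is also where a startup script pushed through a malicious or hijacked GPO would land, so the rule now stays silent on that delivery vector and should say so instead of leaving `falsepositives: - Unknown`; e.g. `- Legitimate GPO machine startup scripts cached by the Group Policy client under GroupPolicy\DataStore (GPO script abuse needs a dedicated rule)`. The filter also lists only `.ps1` and `.bat`, while both selections still match `.vbs`/`.vbe`, so a GPO-delivered VBScript startup script would presumably still alert — worth confirming that asymmetry is intended rather than an oversight. Minor: `Image` is spelled `system32` here but `System32` in `filter_main_AppLockerPolicyTest`; harmless because Sigma string matching is case-insensitive, but aligning the two keeps the rule tidy.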