From de318c122a5c02cb208e74791e3c2bffa96a55d5 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 22 Dec 2021 13:54:39 +0100
Subject: [PATCH 1/2] fix: FPs noticed with Aurora
---
 .../sysmon_raw_disk_access_using_illegitimate_tools.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml
index fb2923b9d..8d9e9f4b9 100644
--- a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml
+++ b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml
@@ -3,7 +3,7 @@ id: db809f10-56ce-4420-8c86-d6a7d793c79c
 description: Raw disk access using illegitimate tools, possible defence evasion
 author: Teymur Kheirkhabarov, oscd.community
 date: 2019/10/22
-modified: 2021/12/18
+modified: 2021/12/22
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 tags:
@@ -36,6 +36,7 @@ detection:
 - '\lsass.exe'
 - '\svchost.exe'
 - '\MsMpEng.exe'
+ - '\SearchApp.exe'
 - 'C:\Windows\System32\taskhostw.exe'
 - 'C:\Windows\System32\SrTasks.exe'
 - 'C:\Windows\System32\dllhost.exe'
@@ -47,6 +48,9 @@ detection:
 - 'C:\Program Files\Bitdefender Antivirus Free\updatesrv.exe'
 - 'C:\Program Files\Bitdefender Antivirus Free\downloader.exe'
 - 'C:\Program Files\Bitdefender Antivirus Free\vsserv.exe'
+ - 'C:\Windows\System32\backgroundTaskHost.exe'
+ - 'C:\Windows\System32\RuntimeBroker.exe'
+ - 'C:\Windows\System32\MoUsoCoreWorker.exe'
 filter_Keybase:
 Image|endswith: '\Keybase\upd.exe'
 condition: not 1 of filter_*
From b276ccd121d887f38f660daed718a34cfe0e9c53 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 22 Dec 2021 14:51:06 +0100
Subject: [PATCH 2/2] fix: FPs noticed with THOR
---
 .../process_creation/process_creation_susp_image_missing.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
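Review bot: The `'\SearchApp.exe'` entry added in the `@@ -36,6 +36,7 @@` hunk of sysmon_raw_disk_access_using_illegitimate_tools.yml is a bare file name, whereas the three entries the `@@ -47,6 +48,9 @@` hunk adds are full `C:\Windows\System32\...` paths. The key this list hangs under sits above the hunk, but its `'\lsass.exe'`-style siblings suggest an `endswith` match, in which case any image named SearchApp.exe in any directory is excluded from this raw-disk-access rule, not only the Windows-shipped one. Anchoring the exclusion to the binary's real install location would keep the detection's coverage for renamed tools, e.g. `- 'C:\Windows\SystemApps\<search-package-dir>\SearchApp.exe'` with the placeholder replaced by the path observed on a reference host (presumably under `C:\Windows\SystemApps\`, to be confirmed). The enclosing `detection` block starts and ends outside these hunks.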
diff --git a/rules/windows/process_creation/process_creation_susp_image_missing.yml b/rules/windows/process_creation/process_creation_susp_image_missing.yml
index 723f6f28a..6549e88d5 100644
--- a/rules/windows/process_creation/process_creation_susp_image_missing.yml
+++ b/rules/windows/process_creation/process_creation_susp_image_missing.yml
@@ -16,7 +16,9 @@ detection:
 Image|contains: '\'
 filter:
 Image: null
- condition: not image_absolute_path and not filter
+ filter_4688:
+ Image: 'Registry'
+ condition: not image_absolute_path and not 1 of filter*
 falsepositives:
 - unknown
 level: high
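Review bot: `falsepositives` still reads `- unknown` on the new side of this hunk although the commit adds a named exclusion, `filter_4688` matching `Image: 'Registry'`; the filter name suggests this is how the Registry process appears in Security event 4688 process-creation data, but that is inferred rather than stated anywhere in the file. Recording the case, e.g. `- The 'Registry' pseudo-process name as logged in process creation events (see filter_4688)`, documents why the exclusion exists so a later maintainer neither drops it nor widens it. On the condition itself, `1 of filter*` is the right spelling here because the pre-existing selection is named plain `filter`, which the `filter_*` pattern used by the first patch would not cover; a short comment above `condition:` saying so would save the next reader from "fixing" it. The `detection` block starts above the hunk.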