Merge pull request #2532 from SigmaHQ/aurora-false-positive-fixing

fix: FPs noticed with Aurora

rules/windows/builtin/system/win_volume_shadow_copy_mount.yml

@@ -21,4 +21,4 @@ detection:
     condition: selection
 falsepositives:
     - Legitimate use of volume shadow copy mounts (backups maybe).
-level: medium
+level: low

rules/windows/file_event/win_fe_creation_scr_binary_file.yml

@@ -8,13 +8,16 @@ author: frack113
 references:
   - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md
 date: 2021/12/29
+modified: 2022/01/08
 logsource:
   product: windows
   category: file_event
 detection:
   selection:
     TargetFilename|endswith: '.scr'
-  condition: selection 
+  filter:
+    Image|endswith: '\Kindle.exe'
+  condition: selection and not 1 of filter*
 falsepositives:
   - Unkown
 level: medium

rules/windows/process_access/win_susp_proc_access_lsass.yml

@@ -7,7 +7,7 @@ status: experimental
 description: Detects process access to LSASS memory with suspicious access flags
 author: Florian Roth
 date: 2021/11/22
-modified: 2021/12/03
+modified: 2022/01/08
 references:
     - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
     - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
@@ -60,6 +60,8 @@ detection:
             - 'C:\WINDOWS\system32\taskhostw.exe'
             - 'C:\Users\\*\AppData\Local\Programs\Microsoft VS Code\Code.exe'
             - 'C:\Program Files\Windows Defender\MsMpEng.exe'
+            - 'C:\Windows\SysWOW64\msiexec.exe'
+            - 'C:\Windows\System32\msiexec.exe'
     # Windows Defender
     filter2:
         SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'

rules/windows/registry_event/sysmon_asep_reg_keys_modification_winsock2.yml

@@ -11,7 +11,7 @@ references:
     - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
     - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2021/12/05
+modified: 2022/01/08
 logsource:
     category: registry_event
     product: windows
@@ -23,7 +23,8 @@ detection:
             - '\Protocol_Catalog9\Catalog_Entries'
             - '\NameSpace_Catalog5\Catalog_Entries'
     filter:
-        Details: '(Empty)'
+        - Details: '(Empty)'
+        - Image: 'C:\Windows\System32\MsiExec.exe'
     condition: winsock_parameters_base and winsock_parameters and not filter
 fields:
     - SecurityID

rules/windows/registry_event/sysmon_registry_persistence_search_order.yml

@@ -7,7 +7,7 @@ references:
     - https://attack.mitre.org/techniques/T1546/015/
 author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
 date: 2020/04/14
-modified: 2021/12/21
+modified: 2022/01/08
 tags:
     - attack.persistence
     - attack.t1546.015
@@ -55,6 +55,8 @@ detection:
         Image|contains|all:
             - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{'
             - '\setup.exe'
+    filter_dx:
+        Image: 'C:\WINDOWS\SYSTEM32\dxdiag.exe'
     condition: selection and not 1 of filter*
 falsepositives:
     - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level