From 79bce2c04e951be388041f9fd7ebbfd009691a69 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Tue, 17 Oct 2023 17:01:34 +0200
Subject: [PATCH] Merge PR #4484 From @phantinuss - Fix FP Found In Testing

fix: Direct Syscall of NtOpenProcess - falsepositives meta data
fix: Potential Shellcode Injection - remove System.ni.dll as there are multiple FPs with ntdll.dll
fix: Suspicious Shim Database Installation via Sdbinst.EXE - FP with another sdbinst execution by svchost
---
 .../proc_access_win_direct_syscall_ntopenprocess.yml | 2 +-
 .../proc_access_win_shellcode_inject_msf_empire.yml | 3 +--
 .../proc_creation_win_sdbinst_susp_extension.yml | 8 ++++++--
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
index d6b33d77e..82d8dd88d 100755
--- a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
+++ b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
@@ -79,6 +79,6 @@ detection:
         TargetImage: C:\Windows\system32\svchost.exe
         GrantedAccess: '0x1000'
     condition: selection and not 1 of filter_main_*
-filter_main_:
+falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/process_access/proc_access_win_shellcode_inject_msf_empire.yml b/rules/windows/process_access/proc_access_win_shellcode_inject_msf_empire.yml
index 13624fa16..b82d19826 100644
--- a/rules/windows/process_access/proc_access_win_shellcode_inject_msf_empire.yml
+++ b/rules/windows/process_access/proc_access_win_shellcode_inject_msf_empire.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject
 author: Bhabesh Raj
 date: 2022/03/11
-modified: 2022/12/20
+modified: 2023/10/17
 tags:
     - attack.defense_evasion
     - attack.privilege_escalation
@@ -61,7 +61,6 @@ detection:
         SourceImage: 'C:\Windows\System32\Wbem\Wmiprvse.exe'
         TargetImage: 'C:\Windows\system32\lsass.exe'
         CallTrace|startswith: 'C:\Windows\SYSTEM32\ntdll.dll'
-        CallTrace|contains: '\System.ni.dll+'
     condition: selection and not 1 of filter_*
 falsepositives:
     - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml b/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml
index e571be23a..a325b4f30 100644
--- a/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml
@@ -11,7 +11,7 @@ references:
     - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/08/01
-modified: 2023/10/06
+modified: 2023/10/17
 tags:
     - attack.persistence
     - attack.privilege_escalation
@@ -25,10 +25,14 @@ detection:
         - OriginalFileName: 'sdbinst.exe'
     filter_main_legit_ext:
         CommandLine|contains: '.sdb'
-    filter_main_svchost:
+    filter_main_svchost1:
         ParentImage|endswith: ':\Windows\System32\svchost.exe'
         Image|endswith: ':\Windows\System32\sdbinst.exe'
         CommandLine|contains: ' -m -bg'
+    filter_main_svchost2:
+        ParentImage|endswith: ':\Windows\System32\svchost.exe'
+        Image|endswith: ':\Windows\System32\sdbinst.exe'
+        CommandLine|endswith: ' -mm'
     condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unknown
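Review bot: With the `'\System.ni.dll+'` discriminator removed, the Wmiprvse.exe → lsass.exe filter is left keyed only on `CallTrace|startswith: 'C:\Windows\SYSTEM32\ntdll.dll'`, which practically every user-mode process access satisfies, so the filter now carves out essentially all WmiPrvSE accesses to lsass — including a migrate/psinject payload that has been injected into WmiPrvSE, a process attackers commonly land in via WMI. If the rule's selection (it starts outside this hunk) matches on an unbacked/`UNKNOWN` module in the CallTrace, that signal is silently lost for this source/target pair. Tie the exclusion to whatever concrete attribute the false positives shared instead, e.g. add a `GrantedAccess` value or a second known-legitimate module to the filter, whichever the test data showed (confirm before committing to a value). It would also help to replace `- Unknown` under `falsepositives` with a line naming the WmiPrvSE-to-lsass case, since that is now a documented benign pattern.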
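Review bot: `filter_main_svchost2` excludes any `sdbinst.exe` whose parent is `svchost.exe` and whose command line merely ends in ` -mm`; because scheduled tasks and services also run with an `svchost.exe` parent, an install of a non-`.sdb` file launched that way with ` -mm` appended would satisfy the filter if sdbinst tolerates a trailing switch (not verifiable from this hunk — confirm). Anchoring the exclusion on the full legitimate invocation observed in testing, e.g. a `ParentCommandLine|contains` for the hosting service or a `CommandLine|startswith` for the expected image path, would stop it from being a one-token bypass. The two svchost filters differ only in the CommandLine modifier and could be merged into one `filter_main_svchost` with a `CommandLine|contains` list of `' -m -bg'` and `' -mm'` if the `endswith` anchor is not deliberate. `falsepositives` still reads `- Unknown` although the filters now encode two specific benign invocations; record them there, e.g. `- Legitimate svchost-spawned sdbinst runs using '-m -bg' or '-mm'`.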