Merge pull request #2382 from SigmaHQ/aurora-false-positive-fixing

Aurora false positive fixing
Florian Roth
2021-12-04 16:39:00 +01:00
committed by GitHub
3 changed files with 16 additions and 7 deletions
@@ -3,7 +3,7 @@ id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39
description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
status: experimental
date: 2019/10/27
modified: 2021/12/03
modified: 2021/12/04
author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
references:
- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
@@ -51,6 +51,8 @@ detection:
- '\git\usr\bin\sh.exe'
- '\IDE\devenv.exe'
- '\GitHubDesktop\Update.exe'
- '\RuntimeBroker.exe'
- '\backgroundTaskHost.exe'
- SourceImage|startswith:
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
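Review bot: the two new `SourceImage|endswith` entries `'\RuntimeBroker.exe'` and `'\backgroundTaskHost.exe'` match on file name alone, so a process image with either name in any directory is excluded, while the neighbouring `SourceImage|startswith` filter is anchored to `C:\Program Files (x86)\` and `C:\Program Files\`. Consider anchoring the two new entries to their full expected path (a combined startswith/endswith selection), or at least record them under `falsepositives` so the scope of the exclusion is explicit in the rule.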
@@ -3,7 +3,7 @@ id: db809f10-56ce-4420-8c86-d6a7d793c79c
description: Raw disk access using illegitimate tools, possible defence evasion
author: Teymur Kheirkhabarov, oscd.community
date: 2019/10/22
modified: 2021/11/20
modified: 2021/12/04
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
tags:
@@ -16,6 +16,9 @@ detection:
filter_1:
Device|contains: floppy
filter_2:
Image|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SystemApps\'
Image|endswith: # easy to bypass. requires extra rule to support this one
- '\wmiprvse.exe'
- '\sdiagnhost.exe'
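Review bot: the `Image|endswith:` list in `filter_2` carries the inline comment `# easy to bypass. requires extra rule to support this one` but no pointer to that rule; reference the companion rule's id (e.g. via `related`) or track the gap in an issue so the acknowledged weakness is not lost in a code comment. The `'C:\Windows\SystemApps\'` prefix in the same filter also excludes every image under that tree, so the tool that triggered the false positive should be named in `falsepositives`.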
@@ -7,13 +7,10 @@ tags:
- attack.t1053
- attack.t1053.005
date: 2021/06/18
modified: 2021/07/27
modified: 2021/12/04
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
author: Syed Hasan (@syedhasan009)
falsepositives:
- Unknown
level: medium
logsource:
category: registry_event
product: windows
@@ -21,4 +18,11 @@ detection:
selection:
EventType: SetValue
TargetObject|contains: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
condition: selection
filter:
TargetObject|contains:
- 'Microsoft\Windows\UpdateOrchestrator'
- 'Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask\Index'
condition: selection and not filter
falsepositives:
- Unknown
level: medium
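Review bot: `falsepositives` still reads `Unknown` although the new `filter` now names two known benign writers to the TaskCache tree (`Microsoft\Windows\UpdateOrchestrator` and `Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask\Index`); list them there, since documenting the known sources is the point of the change. Also, `TargetObject|contains` on these substrings excludes any key path that merely includes them; anchoring on the full path after `TaskCache\Tree\` (e.g. `'TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\'`) would keep the exclusion limited to the intended tasks.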