fix: FPs found in different environments

rules/windows/image_load/image_load_dll_vssapi_susp_load.yml

@@ -11,7 +11,7 @@ references:
     - https://github.com/ORCx41/DeleteShadowCopies
 author: frack113
 date: 2022/10/31
-modified: 2023/02/17
+modified: 2023/04/20
 tags:
     - attack.defense_evasion
     - attack.impact
@@ -23,7 +23,9 @@ detection:
     selection:
         ImageLoaded|endswith: '\vssapi.dll'
     filter_windows:
-        - Image: 'C:\Windows\explorer.exe'
+        - Image:
+            - 'C:\Windows\explorer.exe'
+            - '	C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
         - Image|startswith:
             - 'C:\Windows\System32\'
             - 'C:\Windows\SysWOW64\'

rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml

@@ -6,7 +6,7 @@ references:
     - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
 author: Markus Neis
 date: 2019/05/15
-modified: 2023/04/18
+modified: 2023/04/20
 tags:
     - attack.lateral_movement
     - attack.t1021.001
@@ -65,6 +65,8 @@ detection:
         Image: null
     filter_optional_empty:
         Image: ''
+    filter_optional_unknown:
+        Image: '<unknown process>'
     condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Third party RDP tools

rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml

@@ -10,7 +10,7 @@ references:
     - https://github.com/Azure/SimuLand
 author: Roberto Rodriguez @Cyb3rWard0g
 date: 2021/10/08
-modified: 2022/02/16
+modified: 2023/04/20
 tags:
     - attack.collection
     - attack.t1005
@@ -31,6 +31,7 @@ detection:
             - '\mmc.exe'
             - '\sqlservr.exe'
             - '\tssdis.exe'
+            - 'C:\Windows\system32\svchost.exe'
     condition: selection and not filter
 falsepositives:
     - Processes in the filter condition

rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml

@@ -12,7 +12,7 @@ references:
     - https://adsecurity.org/?p=2277
 author: Bhabesh Raj
 date: 2021/05/18
-modified: 2023/02/06
+modified: 2023/04/20
 tags:
     - attack.execution
     - attack.t1059.001
@@ -51,7 +51,27 @@ detection:
             - 'Get-DFSshare'
             - 'Get-DNSRecord'
             - 'Get-DNSZone'
-            - 'Get-Domain' # Covers Cmdlets like: DomainComputer, DomainController, DomainDFSShare, DomainDNSRecord, DomainGPO...etc.
+            # - 'Get-Domain'  # too many FPs  # Covers Cmdlets like: DomainComputer, DomainController, DomainDFSShare, DomainDNSRecord, DomainGPO, etc.
+            - 'Get-DomainComputer'
+            - 'Get-DomainController'
+            - 'Get-DomainDFSShare'
+            - 'Get-DomainDNSRecord'
+            - 'Get-DomainDNSZone'
+            - 'Get-DomainFileServer'
+            - 'Get-DomainGPO'  # Covers also: Get-DomainGPOComputerLocalGroupMapping, Get-DomainGPOLocalGroup, Get-DomainGPOUserLocalGroupMapping
+            - 'Get-DomainGroup'
+            - 'Get-DomainGroupMember'
+            - 'Get-DomainManagedSecurityGroup'
+            - 'Get-DomainObject'
+            - 'Get-DomainObjectAcl'
+            - 'Get-DomainOU'
+            - 'Get-DomainPolicy'
+            - 'Get-DomainSID'
+            - 'Get-DomainSite'
+            - 'Get-DomainSPNTicket'
+            - 'Get-DomainSubnet'
+            - 'Get-DomainUser'
+            - 'Get-DomainUserEvent'
             - 'Get-Forest' # Covers: Get-ForestDomain, Get-ForestGlobalCatalog, Get-ForestTrust
             - 'Get-IPAddress'
             - 'Get-LastLoggedOn'

rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml

@@ -6,7 +6,7 @@ references:
     - https://github.com/Wh04m1001/SysmonEoP
 author: frack113, Tim Shelton (update fp)
 date: 2022/12/05
-modified: 2023/03/24
+modified: 2023/03/20
 tags:
     - attack.privilege_escalation
     - attack.defense_evasion
@@ -61,6 +61,13 @@ detection:
         ParentImage|endswith: '\invcol.exe'
         ParentCommandLine|contains: 'C:\ProgramData\Dell\UpdateService\'
         Image|endswith: '\cmd.exe'
+    filter_compattelrunner: # seen on Windows 8
+        ParentImage|startswith: 'C:\Windows\WinSxS\'
+        ParentImage|endswith: '\CompatTelRunner.exe'
+        ParentCommandLine|startswith: 'C:\Windows\system32\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun'
+    filter_ibm_spectrumprotect:
+        ParentImage|startswith: 'C:\IBM\SpectrumProtect\webserver\scripts\'
+        CommandLine|contains: 'C:\IBM\SpectrumProtect\webserver\scripts\'
     filter_empty_parent_1:
         CommandLine: "powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';"  # Most probably SetupHost.exe during Windows updates/upgrades; See comment on rule id: f4bbd493-b796-416e-bbf2-121235348529
     filter_empty_parent_2:
@@ -68,7 +75,15 @@ detection:
         CommandLine|contains: '/d /c C:\Windows\system32\silcollector.cmd'
     filter_empty_parent_3:
         Image|endswith: '\cmd.exe'
-        CommandLine|endswith: 'cmd.exe /c btool server list replication_port --no-log'
+        CommandLine|endswith:
+            - 'cmd.exe /c btool server list replication_port --no-log'
+            - 'cmd.exe /c btool server list general --no-log'
+    filter_empty_parent_4: # seen on an SCCM server
+        Image|endswith: '\cmd.exe'
+        CommandLine|contains: 'C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64'
+    filter_empty_parent_5:
+        Image: 'C:\Windows\System32\cmd.exe'
+        CommandLine: 'C:\Windows\system32\cmd.exe /c PAUSE'
     condition: all of selection_* and not 1 of filter_*
 falsepositives:
     - Unknown