Merge pull request #4240 from phantinuss/master

fix: FP with CheckPoint SmartConsole
Nasreddine Bencherchali
2023-05-16 15:44:43 +02:00
committed by GitHub
@@ -1,7 +1,7 @@
title: Potential System DLL Sideloading From Non System Locations
id: 4fc0deee-0057-4998-ab31-d24e46e0aba4
status: experimental
description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)
description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.)
references:
- https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there). Wietze Beukema (project and research)
- https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ # WindowsCodecs.dll
@@ -9,7 +9,7 @@ references:
- https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md # XForceIR (SideLoadHunter Project), Chris Spehn (research WFH Dridex)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/14
modified: 2023/05/05
modified: 2023/05/16
tags:
- attack.defense_evasion
- attack.persistence
@@ -462,6 +462,15 @@ detection:
filter_optional_dell_wldp:
Image|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
Image|endswith: '\wldp.dll'
filter_optional_checkpoint:
Image|startswith:
- 'C:\Program Files\CheckPoint\'
- 'C:\Program Files (x86)\CheckPoint\'
Image|endswith: '\SmartConsole.exe'
ImageLoaded|startswith:
- 'C:\Program Files\CheckPoint\'
- 'C:\Program Files (x86)\CheckPoint\'
ImageLoaded|endswith: '\PolicyManager.dll'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate applications loading their own versions of the DLLs mentioned in this rule
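Review bot: The new `filter_optional_checkpoint` block is broader than the single observed case: `Image|startswith` and `ImageLoaded|startswith` on `C:\Program Files\CheckPoint\` (and the x86 variant) accept any `SmartConsole.exe` and any `PolicyManager.dll` anywhere below the vendor directory, so a copy of `PolicyManager.dll` placed in a user-writable subfolder under that tree would also be excluded. Because Program Files is normally writable only by administrators this is an acceptable trade-off for an optional filter, but please add a short inline comment on the block recording the legitimate load that triggered the FP, e.g. `# SmartConsole loading its own PolicyManager.dll`, so a maintainer can later tighten the prefix to the actual install folder if it is known. The pairing of `Image` and `ImageLoaded` inside one map (both must match) is the right scope, the layout mirrors `filter_optional_dell_wldp` above, and the existing `condition` already covers it via `not 1 of filter_optional_*`, so no condition change is needed.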