From 8dbd03ff3297f5bee12378cd4fdcb6bb78dc9aca Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 7 Oct 2022 13:26:33 +0200 Subject: [PATCH] Fix FP In Testing --- ...access_win_browser_credential_stealing.yml | 2 + ...creation_win_cobaltstrike_bloopers_cmd.yml | 68 +++++++------ ...roc_creation_win_mimikatz_command_line.yml | 98 ++++++++++--------- .../proc_creation_win_susp_conhost.yml | 26 ++++- .../proc_creation_win_susp_non_exe_image.yml | 5 +- 5 files changed, 119 insertions(+), 80 deletions(-) diff --git a/rules/windows/file_access/file_access_win_browser_credential_stealing.yml b/rules/windows/file_access/file_access_win_browser_credential_stealing.yml index 77ff46804..8e2b7bf82 100644 --- a/rules/windows/file_access/file_access_win_browser_credential_stealing.yml +++ b/rules/windows/file_access/file_access_win_browser_credential_stealing.yml @@ -50,4 +50,6 @@ detection: falsepositives: - Antivirus, Anti-Spyware, Anti-Malware Software - Backup software + - Software installed on other partitions other than "C:\" + - Searching software such as "everything.exe" that are installed and are not located in one of the "filter_programfile" filter entries level: medium diff --git a/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml b/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml index 33a39958b..39d4c1feb 100644 --- a/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml +++ b/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml 
@@ -4,36 +4,42 @@ id: 647c7b9e-d784-4fda-b9a0-45c565a7b729 description: Detects use of Cobalt Strike commands accidentally entered in the CMD shell author: _pete_0, TheDFIRReport references: - - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf - - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/ - - https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/ + - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf + - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/ + - https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/ date: 2022/05/06 -modified: 2022/05/06 -logsource: - category: process_creation - product: windows -detection: - selection: - CommandLine|startswith: - - 'cmd.exe' - - 'c:\windows\system32\cmd.exe' - CommandLine|contains: - - psinject - - spawnas - - make_token - - remote-exec - - rev2self - - dcsync - - logonpasswords - - execute-assembly - - getsystem - Image|endswith: '\cmd.exe' - condition: selection -fields: - - CommandLine -falsepositives: - - Unknown -level: high +modified: 2022/10/07 tags: - - attack.execution - - attack.t1059.003 \ No newline at end of file + - attack.execution + - attack.t1059.003 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|startswith: + - 'cmd.exe' + - 'c:\windows\system32\cmd.exe' + CommandLine|contains: + - psinject + - spawnas + - make_token + - remote-exec + - rev2self + - dcsync + - logonpasswords + - execute-assembly + - getsystem + Image|endswith: '\cmd.exe' + filter_vscode: + # This FP could occure when VSCode is installed and a search/or string selection is made to look for one of these detections mentioned above + ParentImage|endswith: \AppData\Local\Programs\Microsoft VS Code\Code.exe # This is the default install location please add your 
custom one to avoid FP + CommandLine|contains|all: + - '/d /s /c ' + - 'checkfilenameiocs --ioc-path ' + condition: selection and not 1 of filter_* +fields: + - CommandLine +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml b/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml index 81afa4eff..4ef5cffda 100644 --- a/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml +++ b/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml 
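Review bot: The new `filter_vscode` entry leaves `ParentImage|endswith: \AppData\Local\Programs\Microsoft VS Code\Code.exe` as an unquoted plain scalar while every other path value in this rule is single-quoted (`'\cmd.exe'`, `'c:\windows\system32\cmd.exe'`); writing it as `ParentImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'` keeps the file consistent and stops a value containing backslashes and spaces from depending on plain-scalar parsing rules. The same unquoted value, with the same comment, is added in the `filter_vscode` block of proc_creation_win_mimikatz_command_line.yml in this commit. The comment above the key has a typo, `occure` → `occur`, and the long inline comment trailing the `ParentImage` value would read better as its own line above the key, e.g. `# Default per-user install location; adjust for custom install paths`. Since that path sits under the user's profile, the exclusion effectively rests on the paired `CommandLine|contains|all` strings, which is worth stating in the comment so a later edit does not relax them.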
@@ -4,55 +4,61 @@ status: test description: Detection well-known mimikatz command line arguments author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton references: - - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment - - https://tools.thehacker.recipes/mimikatz/modules + - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment + - https://tools.thehacker.recipes/mimikatz/modules date: 2019/10/22 -modified: 2022/02/07 +modified: 2022/10/07 tags: - - attack.credential_access - - attack.t1003.001 - - attack.t1003.002 - - attack.t1003.004 - - attack.t1003.005 - - attack.t1003.006 + - attack.credential_access + - attack.t1003.001 + - attack.t1003.002 + - attack.t1003.004 + - attack.t1003.005 + - attack.t1003.006 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection_1: - CommandLine|contains: - - DumpCreds - - invoke-mimikatz - module_names: - CommandLine|contains: - - rpc - - token - - crypto - - dpapi - - sekurlsa - - kerberos - - lsadump - - privilege - - process - - vault - mimikatz_separator: - CommandLine|contains: '::' - function_names: # To cover functions from modules that are not in module_names (likely too generic) - CommandLine|contains: - - 'aadcookie' #misc module - - 'detours' #misc module - - 'memssp' #misc module - - 'mflt' #misc module - - 'ncroutemon' #misc module - - 'ngcsign' #misc module - - 'printnightmare' #misc module - - 'skeleton' #misc module - - 'preshutdown' #service module - - 'mstsc' #ts module - - 'multirdp' #ts module - filter_1: - CommandLine|contains: 'function Convert-GuidToCompressedGuid' - condition: ( selection_1 or (module_names and mimikatz_separator) or (function_names and mimikatz_separator) ) and not 1 of filter* + selection_1: + CommandLine|contains: + - DumpCreds + - invoke-mimikatz + module_names: + CommandLine|contains: + - rpc 
+ - token + - crypto + - dpapi + - sekurlsa + - kerberos + - lsadump + - privilege + - process + - vault + mimikatz_separator: + CommandLine|contains: '::' + function_names: # To cover functions from modules that are not in module_names (likely too generic) + CommandLine|contains: + - 'aadcookie' #misc module + - 'detours' #misc module + - 'memssp' #misc module + - 'mflt' #misc module + - 'ncroutemon' #misc module + - 'ngcsign' #misc module + - 'printnightmare' #misc module + - 'skeleton' #misc module + - 'preshutdown' #service module + - 'mstsc' #ts module + - 'multirdp' #ts module + filter_1: + CommandLine|contains: 'function Convert-GuidToCompressedGuid' + filter_vscode: + # This FP could occure when VSCode is installed and a search/or string selection is made to look for one of these detections mentioned above + ParentImage|endswith: \AppData\Local\Programs\Microsoft VS Code\Code.exe # This is the default install location please add your custom one to avoid FP + CommandLine|contains|all: + - '/d /s /c ' + - 'checkfilenameiocs --ioc-path ' + condition: ( selection_1 or (module_names and mimikatz_separator) or (function_names and mimikatz_separator) ) and not 1 of filter* falsepositives: - - Legitimate Administrator using tool for password recovery + - Legitimate Administrator using tool for password recovery level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml index 3d683d11e..c04f74a1d 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml @@ -6,7 +6,7 @@ references: - http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ author: omkar72 date: 2020/10/25 -modified: 2022/09/29 +modified: 2022/10/07 tags: - attack.defense_evasion - attack.t1202 
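Review bot: The re-indented `function_names` list keeps its inline comments as `#misc module`, `#service module` and `#ts module`, with no space after `#` and only one space before it, whereas the `# To cover functions ...` comment on the key line and the comments added elsewhere in this commit use `# ` with two spaces before an inline comment. These lines are all rewritten by the re-indentation anyway, so normalising them to the form `- 'aadcookie'  # misc module` costs nothing and keeps yamllint's `comments` rule quiet.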
@@ -18,11 +18,33 @@ detection: ParentImage|endswith: '\conhost.exe' filter_provider: Provider_Name: 'SystemTraceProvider-Process' # FPs with Aurora + # Note that some of these git events occure because of a sppofed parent image filter_git: # Example FP: # ParentCommandLine: "C:\Program Files\Git\cmd\git.exe" show --textconv :path/to/file + # ParentCommandLine: "C:\Program Files\Git\cmd\git.exe" cat-file -s 4ca60c8a054f7eaa05f0438a8292762f2015d228 Image|endswith: '\git.exe' - ParentCommandLine|contains: ' show ' + ParentCommandLine|contains: + - ' show --textconv ' + - ' cat-file -s ' + filter_git_show: + # Example FP: + # GrandparentCommandLine: git.exe cat-file -s 4ca60c8a054f7eaa05f0438a8292762f2015d258 + # ParentCommandLine: \??\C:\WINDOWS\system32\conhost.exe 0x4 + # ParentImage: C:\Windows\System32\conhost.exe + # CommandLine: git.exe show --textconv :path/to/file + ParentCommandLine|contains: 'C:\WINDOWS\system32\conhost.exe 0x4' + CommandLine|contains: + - ' show --textconv ' + - ' cat-file -s ' + filter_image_conhost: + # Example FP: + # ParentCommandLine: "C:\Program Files\Git\cmd\git.exe" cat-file -s 4ca60c8a054f7eaa05f0438a8292762f2015d228 + ParentCommandLine|contains: ' cat-file -s ' + Image: C:\Windows\System32\conhost.exe + filter_image_conhost2: + ParentCommandLine: \??\C:\WINDOWS\system32\conhost.exe 0x4 + Image: C:\Windows\System32\conhost.exe condition: selection and not 1 of filter_* fields: - Image diff --git a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml index e8b55f8fe..98e25cc03 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml 
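Review bot: `filter_git_show` excludes any child whose `CommandLine` contains ` show --textconv ` or ` cat-file -s ` when the parent command line contains the conhost string, without tying the child to git, while `filter_git` directly above it does restrict on `Image|endswith: '\git.exe'` and the commit's own example (`CommandLine: git.exe show --textconv :path/to/file`) shows a git child; adding `Image|endswith: '\git.exe'` to `filter_git_show` keeps the exclusion no wider than the documented false positive. `filter_image_conhost2` matches `ParentCommandLine` exactly against `\??\C:\WINDOWS\system32\conhost.exe 0x4`; if the trailing `0x4` argument differs between hosts the exclusion will stop matching, so either a `ParentCommandLine|startswith` form or a comment explaining why `0x4` is stable would help the next maintainer. The new comment has two typos, `occure` → `occur` and `sppofed` → `spoofed`. The two new unquoted path values, `\??\C:\WINDOWS\system32\conhost.exe 0x4` and `C:\Windows\System32\conhost.exe`, should be single-quoted to match the surrounding values in this rule.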
@@ -4,7 +4,7 @@ status: experimental description: Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process) author: Max Altgelt date: 2021/12/09 -modified: 2022/09/20 +modified: 2022/10/07 references: - https://pentestlaboratories.com/2021/12/08/process-ghosting/ tags: @@ -83,6 +83,9 @@ detection: - '\LocalState\rootfs\' filter_lzma_exe: Image|endswith: '\LZMA_EXE' + filter_windows_helper: + ParentImage: C:\Windows\Temp\ + Image|startswith: 'C:\Windows\Temp\Helper\' condition: not known_image_extension and not 1 of filter* falsepositives: - Unknown
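Review bot: `filter_windows_helper` matches `ParentImage` exactly against `C:\Windows\Temp\`, a directory path with a trailing backslash rather than an executable path; if `ParentImage` carries a full image path as the other filters in this rule assume (`Image|endswith: '\LZMA_EXE'`), this exact match never fires and the filter is inert, so `ParentImage|startswith: 'C:\Windows\Temp\'` or the actual parent executable was probably intended. Unlike the other filters added in this commit, the block carries no comment naming the software that produces these events; since `C:\Windows\Temp` is a temp directory that non-administrative processes can typically write to, an exclusion covering every non-.exe image under `C:\Windows\Temp\Helper\` deserves a line such as `# Example FP: <product name> helper staged under C:\Windows\Temp\Helper\` so its scope can be re-checked later. The first value is also unquoted while the one on the next line is single-quoted; quote both.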