From 941d02dbe50eb4fcb6099433e2d0f7cb01418504 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Thu, 27 Apr 2023 16:40:07 +0200
Subject: [PATCH] fix: FPs found in production environment

---
 .../win_codeintegrity_attempted_dll_load.yml | 13 ++++++-------
 ...m_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml | 6 +++---
 2 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
index 192f2dd3d..dae161404 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
@@ -7,7 +7,7 @@ references:
 - https://twitter.com/SBousseaden/status/1483810148602814466
 - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log
 date: 2022/01/20
-modified: 2023/01/25
+modified: 2023/04/27
 tags:
 - attack.execution
 logsource:
@@ -76,15 +76,14 @@ detection:
 - 12
 ValidatedPolicy: 1
 filter_gac:
-# If other DLLs show up from this process. Filter the path containing this string `\Windows\assembly\GAC\`
-FileNameBuffer|endswith:
- - '\stdole.dll'
- - '\msdatasrc.dll'
- - '\adodb.dll'
+# Filtering the path containing this string because of multiple possible DLLs in that location
+FileNameBuffer|contains: '\Windows\assembly\GAC\'
 ProcessNameBuffer|endswith: '\mscorsvw.exe'
 ProcessNameBuffer|contains: '\Windows\Microsoft.NET\'
 RequestedPolicy: 8
-ValidatedPolicy: 2
+ValidatedPolicy:
+ - 1
+ - 2
 filter_google_drive:
 # Example: \Program Files\Google\Drive File Stream\67.0.2.0\crashpad_handler.exe
 FileNameBuffer|contains: '\Program Files\Google\Drive File Stream\'
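Review bot: The new `FileNameBuffer|contains: '\Windows\assembly\GAC\'` in filter_gac replaces three named DLLs with a substring match, so every module mscorsvw.exe loads from any path containing that fragment is now excluded from the rule, and the comment above it does not say that this widening is deliberate. I would make the comment carry the reason and the remaining scope: `# mscorsvw.exe loads many different assemblies from the GAC (FPs seen in production), so filter on the directory rather than on single DLL names; the ProcessNameBuffer checks below keep the exclusion scoped to that process`. The change of `ValidatedPolicy: 2` to the list `[1, 2]` is likewise unexplained; a one-line comment naming the event variant that produced the FP would help the next reviewer judge it. The `detection:` mapping starts before this hunk and continues after `filter_google_drive`.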
diff --git a/rules/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml b/rules/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml
index 6294bd46f..9a8c3a205 100644
--- a/rules/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml
+++ b/rules/windows/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml
@@ -1,12 +1,12 @@
 title: Suspicious Usage of CVE_2021_34484 or CVE 2022_21919
 id: 52a85084-6989-40c3-8f32-091e12e17692
 status: experimental
-description: During exploitation of this vuln, two logs (providername:Microsoft-Windows-User Profiles Service) with eventid 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \Users\TEMP is created may be created during the exploitation.Viewed on 2008 Server
+description: During exploitation of this vulnerability, two logs (Provider_Name:Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \Users\TEMP is created may be created during the exploitation. Viewed on 2008 Server
 references:
 - https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html
 author: Cybex
 date: 2022/08/16
-modified: 2022/10/21
+modified: 2023/04/27
 tags:
 - attack.execution
 logsource:
@@ -18,5 +18,5 @@ detection:
 Provider_Name: 'Microsoft-Windows-User Profiles Service'
 condition: selection
 falsepositives:
- - Unknown
+ - Corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx
 level: high
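Review bot: The rewritten description in the first hunk still reads `is created may be created` and `maybe lot of false positives`, which the wording fix left in place; I would change those to `the directory \Users\TEMP may be created during exploitation` and `(this event may produce many false positives)`. In the second hunk, the new falsepositives entry appears to embed the social.technet.microsoft.com URL in the same list item as its text; a plain `- Corrupted user profiles` entry with the link added under `references`, where this rule already keeps its URLs, would be consistent with the rest of the file. The `detection:` block between the two hunks is not visible here.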