From 03cddbba297b84cc907f3714215c55e05b45282c Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 26 Nov 2021 20:00:55 +0100 Subject: [PATCH] fix: FPs --- rules/windows/image_load/sysmon_susp_system_drawing_load.yml | 3 ++- .../process_access/sysmon_in_memory_assembly_execution.yml | 3 ++- .../registry_event/sysmon_asep_reg_keys_modification.yml | 4 ++-- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/rules/windows/image_load/sysmon_susp_system_drawing_load.yml b/rules/windows/image_load/sysmon_susp_system_drawing_load.yml index b32e11ac3..9e1522473 100644 --- a/rules/windows/image_load/sysmon_susp_system_drawing_load.yml +++ b/rules/windows/image_load/sysmon_susp_system_drawing_load.yml @@ -3,7 +3,7 @@ id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c description: A General detection for processes loading System.Drawing.ni.dll. This could be an indicator of potential Screen Capture. status: experimental date: 2020/05/02 -modified: 2021/11/16 +modified: 2021/11/25 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.collection @@ -21,6 +21,7 @@ detection: Image|endswith: - '\WmiPrvSE.exe' - '\mmc.exe' + - 'C:\Windows\System32\NhNotifSys.exe' condition: selection and not filter falsepositives: - unknown diff --git a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml index 0d45f61ba..f1757825b 100755 --- a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml +++ b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml 
@@ -3,7 +3,7 @@ id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39 description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious. status: experimental date: 2019/10/27 -modified: 2021/11/20 +modified: 2021/11/25 author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro references: - https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/ @@ -47,6 +47,7 @@ detection: - '\Microsoft VS Code\Code.exe' - '\aurora-agent-64.exe' - '\aurora-agent.exe' + - 'C:\WINDOWS\system32\NhNotifSys.exe' condition: ( selection1 or selection2 or selection3 ) and not filter fields: - ComputerName diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml index b87887648..b1476b064 100755 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml 
@@ -193,7 +193,7 @@ detection: filter: - Details: '(Empty)' - TargetObject|endswith: '\NgcFirst\ConsecutiveSwitchCount' - condition: main_selection or + condition: ( main_selection or session_manager_base and session_manager or current_version_base and current_version or nt_current_version_base and nt_current_version or @@ -205,7 +205,7 @@ detection: classes_base and classes or scripts_base and scripts or winsock_parameters_base and winsock_parameters or - system_control_base and system_control and not filter + system_control_base and system_control ) and not filter fields: - SecurityID - ObjectName
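Review bot: In the `sysmon_susp_system_drawing_load.yml` hunk, the new filter entry `- 'C:\Windows\System32\NhNotifSys.exe'` is a full path placed in an `Image|endswith` list whose other entries are bare suffixes (`'\WmiPrvSE.exe'`, `'\mmc.exe'`). It works under `endswith`, but it silently misses hosts where Windows is not installed on `C:\`, and it breaks the list's convention; `- '\NhNotifSys.exe'` would be consistent with the neighbouring entries and drive-independent. The `falsepositives:` section still reads `- unknown` although this change is explicitly a false-positive fix; recording NhNotifSys.exe there would document why the exclusion exists.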
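Review bot: In the `sysmon_in_memory_assembly_execution.yml` hunk, the added entry `- 'C:\WINDOWS\system32\NhNotifSys.exe'` spells the same path with different casing than the first file's `'C:\Windows\System32\NhNotifSys.exe'`. Sigma string matching is case-insensitive, so both match the same events, but two rules carrying two spellings of one exclusion is a maintenance trap; a single suffix form `'\NhNotifSys.exe'`, matching the style of the adjacent `'\aurora-agent-64.exe'` and `'\aurora-agent.exe'` entries, would keep both rules aligned and would also match if the process is launched from a non-default system drive.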
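Review bot: In the `sysmon_asep_reg_keys_modification.yml` hunk, wrapping the disjunction in parentheses (`condition: ( main_selection or ... system_control_base and system_control ) and not filter`) is the right fix: `and` binds tighter than `or` in Sigma conditions, so before this change `not filter` applied only to the last `system_control_base and system_control` term and every other selection bypassed the filter entirely. Two things to check. First, the filter is a list (`Details: '(Empty)'` OR `TargetObject|endswith: '\NgcFirst\ConsecutiveSwitchCount'`), so the exclusion is now applied to all selections, including every event whose `Details` is `(Empty)`; confirm that suppressing empty-value writes across the whole rule is intended rather than only for the system_control branch. Second, the diffstat shows `4 ++--` for this file, i.e. only the two condition lines changed, so unlike the other two rules its `modified:` date was not bumped, and the commit message `fix: FPs` does not mention that this is a logic change rather than a filter addition.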