From 1d45c98f0f715a68a3e7ddf4c2e3af6216801fae Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Tue, 23 Aug 2022 14:26:27 +0200
Subject: [PATCH 1/3] fix: FP with teams

---
 .../proc_creation_win_susp_squirrel_lolbin.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml b/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml
index b283fdd97..7912a646f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml
@@ -11,7 +11,7 @@ tags:
 - attack.t1218
 author: Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
 date: 2019/11/12
-modified: 2022/07/20
+modified: 2022/08/23
 logsource:
 category: process_creation
 product: windows
@@ -32,6 +32,9 @@ detection:
 - CommandLine|contains|all:
 - 'C:\Users\'
 - '\AppData\Local\GitHubDesktop\Update.exe --createShortcut GitHubDesktop.exe'
+ - CommandLine|contains|all:
+ - 'C:\Users\'
+ - '\AppData\Local\Microsoft\Teams\Update.exe" --processStart "Teams.exe"'
 condition: all of selection* and not 1 of filter*
 falsepositives:
 - 1Clipboard
From e2cbcd319991197e3f6cc4c34a7d36a87373b92e Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Tue, 23 Aug 2022 14:26:45 +0200
Subject: [PATCH 2/3] fix: FP with AVG

---
 ...gistry_set_asep_reg_keys_modification_currentversion.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
index 588549a9d..63a57cf8e 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
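Review bot: The new Teams exclusion in the second hunk keys only on CommandLine substrings — `contains|all` of `C:\Users\` and the `\AppData\Local\Microsoft\Teams\Update.exe" --processStart "Teams.exe"` fragment — so any process whose command line merely carries both fragments, in any order and anywhere in its arguments, is subtracted from the rule regardless of which image actually ran. Because the matched path sits under the user-writable `%LOCALAPPDATA%`, a tampered `Update.exe` or `Teams.exe` placed there would presumably be launched without a hit as well; the existing GitHubDesktop item has the same shape, so this follows the file's convention rather than introducing the weakness. Consider anchoring the exclusion on the image too, e.g. a map item `- Image|endswith: '\AppData\Local\Microsoft\Teams\Update.exe'` paired with `CommandLine|endswith: ' --processStart "Teams.exe"'`, which also drops the dependence on the exact quoting Teams happens to use. The enclosing `filter_*` key and the selection it is subtracted from start above the hunk, so it is not visible here whether an Image constraint already exists at that level.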
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
@@ -117,6 +117,12 @@ detection:
 filter_ctfmon:
 Image: 'C:\Windows\system32\userinit.exe'
 Details: 'ctfmon.exe /n'
+ filter_AVG:
+ Image|startswith: 'C:\Program Files\AVG\Antivirus\Setup\'
+ Details:
+ - '"C:\Program Files\AVG\Antivirus\AvLaunch.exe" /gui'
+ - '"C:\Program Files (x86)\AVG\Antivirus\AvLaunch.exe" /gui'
+ - ' {472083B0-C522-11CF-8763-00608CC02F24}'
 condition: all of current_version_* and not 1 of filter_*
 fields:
 - SecurityID
From e9ecf8d83d47f09df1b7dd2c18a6678a147d80bb Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Tue, 23 Aug 2022 16:02:51 +0200
Subject: [PATCH 3/3] fix: remove space from copy paste

---
 .../registry_set_asep_reg_keys_modification_currentversion.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
index 63a57cf8e..bf9e046d0 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
@@ -122,7 +122,7 @@ detection:
 Details:
 - '"C:\Program Files\AVG\Antivirus\AvLaunch.exe" /gui'
 - '"C:\Program Files (x86)\AVG\Antivirus\AvLaunch.exe" /gui'
- - ' {472083B0-C522-11CF-8763-00608CC02F24}'
+ - '{472083B0-C522-11CF-8763-00608CC02F24}'
 condition: all of current_version_* and not 1 of filter_*
 fields:
 - SecurityID
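Review bot: `filter_AVG` anchors the writer with `Image|startswith: 'C:\Program Files\AVG\Antivirus\Setup\'` only, yet its `Details` list accepts both the `C:\Program Files\` and the `C:\Program Files (x86)\` AvLaunch command lines, so the x86 Details entry can never match alongside that image prefix and an AVG setup binary running from the x86 tree (if that layout exists) would still fire the rule. Either drop the x86 Details entry as dead, or make the image prefix a list: `Image|startswith:` / `- 'C:\Program Files\AVG\Antivirus\Setup\'` / `- 'C:\Program Files (x86)\AVG\Antivirus\Setup\'`. Pinning the exclusion to a Program Files prefix is the right shape here, since standard users cannot write into that tree, whereas a Details-only exclusion could be spoofed by any process. The last Details value is a bare braced GUID with no explanation; a one-line comment naming the AVG component observed writing it would let a later maintainer re-validate that the autorun is still benign rather than carrying the exclusion forward on trust.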