Merge pull request #2813 from phantinuss/master

Changes to falsepositives metadata
This commit is contained in:
frack113
2022-03-17 14:31:27 +01:00
committed by GitHub
371 changed files with 375 additions and 410 deletions
@@ -24,7 +24,7 @@ detection:
ImagePath|endswitch: 'readtoend'
condition: selection
falsepositives:
- unknown
- Unknown
level: medium
tags:
- attack.defense_evasion
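Review bot: `ImagePath|endswitch: 'readtoend'` on the first context line of this hunk uses a modifier that is not in the Sigma modifier set; the suffix-match modifier is `endswith`, so a converter that validates modifiers will reject this selection, and one that does not may never match. Since the commit already touches this file, the one-line fix `ImagePath|endswith: 'readtoend'` fits here. The selection block starts outside the hunk, so I cannot confirm whether other fields in the same detection carry the same misspelling.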
@@ -30,7 +30,7 @@ fields:
- ParentImage
- ParentOfParentImage
falsepositives:
- Penetration test
- Unknown
level: high
enrichment:
- EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x
@@ -1,12 +1,12 @@
title: Always Install Elevated Parent Child Correlated
id: 078235c5-6ec5-48e7-94b2-f8b5474379ea
description: This rule will looks any process with low privilege launching Windows Installer service (msiexec.exe) that tries to install MSI packages with SYSTEM privilege
description: This rule will looks any process with low privilege launching Windows Installer service (msiexec.exe) that tries to install MSI packages with SYSTEM privilege
#look for MSI start by low privilege user, write the process guid to the suspicious_guid variable
#look for child process from the suspicious_guid, alert if it's Windows Installer trying to install package with SYSTEM privilege
status: unsupported
author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
date: 2020/10/13
references:
references:
- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
tags:
- attack.privilege_escalation
@@ -20,14 +20,14 @@ detection:
system_user:
User: 'NT AUTHORITY\SYSTEM'
image_1:
Image|contains|all:
Image|contains|all:
- '\Windows\Installer\'
- 'msi'
Image|endswith:
Image|endswith:
- 'tmp'
image_2:
Image|endswith: '\msiexec.exe'
child_of_suspicious_guid:
child_of_suspicious_guid:
ParentProcessGuid: '%suspicious_guid%'
condition: write ProcessGuid from (event_id and image_2 and not system_user) to %suspicious_guid%; then if (child_of_suspicious_guid and event_id and image_1 and system_user) or (suspicious_guid and event_id and image_2 and system_user and integrity_level) -> alert
fields:
@@ -38,5 +38,4 @@ fields:
- ParentProcessGuid
falsepositives:
- System administrator usage
- Penetration test
level: high
@@ -22,7 +22,7 @@ modified: 2021/12/02
detection:
condition: all of selection*
falsepositives:
- unknown
- Unknown
level: high
---
logsource:
@@ -33,6 +33,6 @@ detection:
ServiceName: 'Java(TM) Virtual Machine Support Service'
condition: selection and 1 of malsvc_*
falsepositives:
- Penetration testing
- Unknown
level: critical
status: unsupported
@@ -30,7 +30,6 @@ detection:
condition: keywords
falsepositives:
- Application bugs
- Penetration testing
level: medium
tags:
- attack.initial_access
@@ -19,7 +19,6 @@ detection:
condition: exceptions
falsepositives:
- Application bugs
- Penetration testing
level: medium
tags:
- attack.initial_access
@@ -30,5 +30,5 @@ detection:
- 1
condition: selection
falsepositives:
- unknown
- Unknown
level: high
@@ -27,5 +27,5 @@ detection:
- 1
condition: selection and not filter
falsepositives:
- unknown
- Unknown
level: high
@@ -23,5 +23,5 @@ detection:
- f6beaff7-1e19-4fbb-9f8f-b89e2018337c
condition: selection
falsepositives:
- remote administrative tasks on Windows Events
- Remote administrative tasks on Windows Events
level: high
@@ -38,5 +38,5 @@ detection:
- 15
condition: selection
falsepositives:
- unknown
- Unknown
level: high
@@ -33,5 +33,5 @@ detection:
- 15
condition: selection and not filter
falsepositives:
- unknown
- Unknown
level: high
@@ -30,5 +30,5 @@ detection:
- ae33069b-a2a8-46ee-a235-ddfd339be281
condition: selection
falsepositives:
- actual printing
- Actual printing
level: high
@@ -30,5 +30,5 @@ detection:
- 1
condition: selection
falsepositives:
- unknown
- Unknown
level: high
@@ -26,5 +26,5 @@ detection:
- 1
condition: selection and not filter
falsepositives:
- unknown
- Unknown
level: high
@@ -23,7 +23,6 @@ detection:
condition: keywords
falsepositives:
- Application bugs
- Penetration testing
level: medium
tags:
- attack.initial_access
@@ -22,7 +22,6 @@ detection:
condition: keywords
falsepositives:
- Application bugs
- Penetration testing
level: medium
tags:
- attack.initial_access
@@ -15,7 +15,7 @@ detection:
eventName: DeleteFileSystem
condition: selection
falsepositives:
- unknown
- Unknown
level: medium
tags:
- attack.impact
@@ -15,7 +15,7 @@ detection:
eventName: DeleteMountTarget
condition: selection
falsepositives:
- unknown
- Unknown
level: medium
tags:
- attack.impact
@@ -17,7 +17,7 @@ detection:
eventName: RestoreDBInstanceFromDBSnapshot
condition: selection_source
falsepositives:
- unknown
- Unknown
level: high
tags:
- attack.exfiltration
@@ -23,5 +23,5 @@ detection:
OperationNameValue: 'Microsoft.ADHybridHealthService/services/servicemembers/action'
condition: selection
falsepositives:
- legitimate AD FS servers added to an AAD Health AD FS service instance
- Legitimate AD FS servers added to an AAD Health AD FS service instance
level: medium
@@ -23,5 +23,5 @@ detection:
OperationNameValue: 'Microsoft.ADHybridHealthService/services/delete'
condition: selection
falsepositives:
- legitimate AAD Health AD FS service instances being deleted in a tenant
- Legitimate AAD Health AD FS service instances being deleted in a tenant
level: medium
@@ -17,7 +17,7 @@ detection:
status: success
condition: selection
falsepositives:
-
- Unknown
level: medium
tags:
- attack.exfiltration
@@ -17,7 +17,7 @@ detection:
status: success
condition: selection
falsepositives:
-
- Unknown
level: medium
tags:
- attack.impact
@@ -17,7 +17,7 @@ detection:
status: success
condition: selection
falsepositives:
-
- Unknown
level: medium
tags:
- attack.initial_access
@@ -18,4 +18,4 @@ detection:
condition: selection
level: medium
falsepositives:
- None
- Unknown
@@ -79,7 +79,7 @@ detection:
- 87106
condition: selection
falsepositives:
- unknown
- Unknown
level: medium
# tags:
# - CSC4
@@ -38,7 +38,7 @@ detection:
- 2
condition: selection1 and selection2
falsepositives:
- unknown
- Unknown
level: low
# tags:
# - CSC4
@@ -31,7 +31,7 @@ detection:
- 634
condition: selection
falsepositives:
- unknown
- Unknown
level: low
# tags:
# - CSC4
@@ -75,5 +75,5 @@ detection:
- 5904
condition: selection
falsepositives:
- unknown
- Unknown
level: low
@@ -19,7 +19,7 @@ detection:
- 4800
condition: selection
falsepositives:
- unknown
- Unknown
level: low
# tags:
# - CSC16
@@ -18,7 +18,6 @@ fields:
- user
falsepositives:
- Inventarization
- Penetration testing
- Vulnerability scanner
- Legitimate application
level: medium
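Review bot: `Inventarization` on the new side of this hunk is not standard English, and the same word recurs as `Inventarization systems` in the two later hunks whose lists also contain `Vulnerability scans` and `Penetration testing activity`; `- Inventory` here and `- Inventory systems` there would read naturally. This is cosmetic, but it sits in exactly the falsepositives lists the commit is already normalizing, so fixing it in the same pass avoids a second sweep.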
@@ -26,5 +26,5 @@ tags:
- attack.collection
- attack.t1123
falsepositives:
- None
- Unknown
level: low
@@ -23,7 +23,7 @@ detection:
- 'of='
condition: execve and (all of truncate or (all of dd and not filter))
falsepositives:
- 'Legitimate script work'
- Legitimate script work
level: high
tags:
- attack.defense_evasion
@@ -25,5 +25,5 @@ tags:
- attack.t1123
- attack.t1548
falsepositives:
- None
- Unknown
level: low
@@ -22,7 +22,7 @@ detection:
- '-r'
condition: execve and touch and selection2
falsepositives:
- 'Unknown'
- Unknown
level: medium
tags:
- attack.defense_evasion
@@ -24,5 +24,5 @@ tags:
- attack.privilege_escalation
- attack.t1068
falsepositives:
- unknown
- Unknown
level: high
@@ -21,5 +21,5 @@ tags:
- attack.exfiltration
- attack.t1048.003
falsepositives:
- legitimate usage of wget utility to post a file
- Legitimate usage of wget utility to post a file
level: medium
@@ -18,7 +18,7 @@ detection:
- 'password'
condition: execve and all of passwordgrep
falsepositives:
- 'Unknown'
- Unknown
level: high
tags:
- attack.credential_access
@@ -29,5 +29,5 @@ tags:
- attack.defense_evasion
- attack.t1564.001
falsepositives:
- None
- Unknown
level: low
@@ -11,7 +11,7 @@ tags:
- attack.defense_evasion
- attack.t1027.003
falsepositives:
- None
- Unknown
level: low
logsource:
product: linux
@@ -16,7 +16,7 @@ detection:
comm: 'split'
condition: selection
falsepositives:
- 'Legitimate administrative activity'
- Legitimate administrative activity
level: low
tags:
- attack.exfiltration
@@ -11,7 +11,7 @@ tags:
- attack.defense_evasion
- attack.t1027.003
falsepositives:
- None
- Unknown
level: low
logsource:
product: linux
@@ -11,7 +11,7 @@ tags:
- attack.defense_evasion
- attack.t1027.003
falsepositives:
- None
- Unknown
level: low
logsource:
product: linux
@@ -28,8 +28,8 @@ fields:
- a3
- key
falsepositives:
- 'Legitimate administrative activity'
- 'Ligitimate software, cleaning hist file'
- Legitimate administrative activity
- Ligitimate software, cleaning hist file
level: medium
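Review bot: `Ligitimate software, cleaning hist file` keeps its typo on both the removed and the added line, so whichever pair is the new side, the capitalization pass leaves a misspelled falsepositive in place; `- Legitimate software, cleaning hist file` would finish the cleanup. The identical pair appears in the later hunk for the rule that lists `fish_history`, so both files should get the correction together.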
tags:
- attack.credential_access
@@ -26,7 +26,7 @@ detection:
- '6'
condition: execve and (shutdowncmd or (init and initselection))
falsepositives:
- 'Legitimate administrative activity'
- Legitimate administrative activity
level: informational
tags:
- attack.impact
@@ -11,7 +11,7 @@ tags:
- attack.defense_evasion
- attack.t1027.003
falsepositives:
- None
- Unknown
level: low
logsource:
product: linux
@@ -9,11 +9,11 @@ references:
logsource:
product: linux
detection:
keyword:
keyword:
- '/etc/ld.so.preload'
condition: keyword
falsepositives:
- rare temporary workaround for library misconfiguration
- Rare temporary workaround for library misconfiguration
level: high
tags:
- attack.persistence
@@ -25,7 +25,7 @@ detection:
CommandLine|contains: 'of='
condition: selection1 or (selection2 and not filter)
falsepositives:
- 'Legitimate script work'
- Legitimate script work
level: high
tags:
- attack.defense_evasion
@@ -21,7 +21,7 @@ detection:
- '-r'
condition: selection1 and selection2
falsepositives:
- 'Unknown'
- Unknown
level: medium
tags:
- attack.defense_evasion
@@ -20,7 +20,7 @@ detection:
CommandLine|contains: 'laZagne'
condition: selection1 or selection2
falsepositives:
- 'Unknown'
- Unknown
level: high
tags:
- attack.credential_access
@@ -15,7 +15,7 @@ detection:
Image|endswith: '/split'
condition: selection
falsepositives:
- 'Legitimate administrative activity'
- Legitimate administrative activity
level: low
tags:
- attack.exfiltration
@@ -21,8 +21,8 @@ detection:
- 'fish_history'
condition: selection
falsepositives:
- 'Legitimate administrative activity'
- 'Ligitimate software, cleaning hist file'
- Legitimate administrative activity
- Ligitimate software, cleaning hist file
level: medium
tags:
- attack.credential_access
@@ -18,7 +18,7 @@ detection:
- '/halt'
condition: selection
falsepositives:
- 'Legitimate administrative activity'
- Legitimate administrative activity
level: informational
tags:
- attack.impact
@@ -19,7 +19,6 @@ fields:
falsepositives:
- Inventarization systems
- Vulnerability scans
- Penetration testing activity
level: medium
tags:
- attack.discovery
@@ -18,7 +18,6 @@ detection:
falsepositives:
- Inventarization systems
- Vulnerability scans
- Penetration testing activity
level: medium
fields:
- src_ip
@@ -43,8 +43,8 @@ detection:
operation: 'StartServiceW'
condition: 1 of op*
falsepositives:
- 'Windows administrator tasks or troubleshooting'
- 'Windows management scripts or software'
- Windows administrator tasks or troubleshooting
- Windows management scripts or software
level: medium
tags:
- attack.execution
@@ -31,8 +31,8 @@ detection:
operation: 'SeclCreateProcessWithLogonExW'
condition: 1 of op*
falsepositives:
- 'Windows administrator tasks or troubleshooting'
- 'Windows management scripts or software'
- Windows administrator tasks or troubleshooting
- Windows management scripts or software
level: medium
tags:
- attack.persistence
@@ -22,5 +22,5 @@ fields:
- certificate.subject
- certificate.issuer
falsepositives:
- none
- Unknown
level: high
@@ -20,7 +20,7 @@ detection:
- c-uri|endswith: '.exe'
condition: selection_webdav and selection_executable
falsepositives:
- unknown
- Unknown
level: medium
tags:
- attack.command_and_control
@@ -21,7 +21,7 @@ detection:
- 10.0.0.0/8
condition: selection and not filter
falsepositives:
- unknown
- Unknown
level: low
tags:
- attack.exfiltration
@@ -17,7 +17,7 @@ detection:
#Accesses: '*WriteData*'
condition: selection
falsepositives:
- unknown
- Unknown
level: medium
tags:
- attack.lateral_movement
@@ -19,7 +19,7 @@ detection:
name|endswith: '.tmp'
condition: selection
falsepositives:
- 'unknown'
- Unknown
level: high
tags:
- attack.credential_access
@@ -26,7 +26,7 @@ detection:
path|startswith: 'PSEXESVC'
condition: selection1 and not selection2
falsepositives:
- nothing observed so far
- Unknown
level: high
tags:
- attack.lateral_movement
@@ -18,7 +18,6 @@ detection:
condition: selection
falsepositives:
- Scanning from Nuclei
- Penetration Testing Activity
- Unknown
tags:
- attack.initial_access
@@ -22,7 +22,7 @@ fields:
- c-ip
- c-dns
falsepositives:
- None
- Unknown
level: high
tags:
- attack.initial_access
@@ -18,5 +18,5 @@ detection:
c-uri|contains: '/analytics/telemetry/ph/api/hyper/send?'
condition: selection
falsepositives:
- Vulnerability Scanning/Pentesting
- Vulnerability Scanning
level: high
@@ -30,5 +30,5 @@ detection:
- 'metric'
condition: selection1 and selection2
falsepositives:
- Vulnerability Scanning/Pentesting
- Vulnerability Scanning
level: high
@@ -16,7 +16,7 @@ fields:
- c-ip
- c-dns
falsepositives:
- None
- Unknown
level: high
tags:
- attack.initial_access
@@ -29,5 +29,5 @@ fields:
- c-ip
- c-uri
falsepositives:
- External Pentesting
- Unknown
level: critical
@@ -19,5 +19,5 @@ detection:
sc-status: 200
condition: selection
falsepositives:
- Vulnerability Scanning/Pentesting
- Vulnerability Scanning
level: high
@@ -17,7 +17,6 @@ detection:
condition: selection
falsepositives:
- Happens all the time on systems exposed to the Internet
- Penetration testing activity on internal systems
- Internal vulnerability scanners
tags:
- attack.initial_access
@@ -20,7 +20,7 @@ fields:
- url
- response
falsepositives:
- unknown
- Unknown
level: medium
tags:
- attack.discovery
@@ -31,5 +31,5 @@ detection:
- 'cvdfhjh1231.ddns.net'
condition: c2_selection
falsepositives:
- unknown
- Unknown
level: high
@@ -22,7 +22,7 @@ detection:
- '.aspx'
condition: all of export_command and export_params
falsepositives:
- unlikely
- Unlikely
level: critical
tags:
- attack.persistence
@@ -24,7 +24,7 @@ detection:
- ' -User '
condition: (all of export_command and export_params) or all of role_assignment
falsepositives:
- unlikely
- Unlikely
level: critical
tags:
- attack.persistence
@@ -16,7 +16,7 @@ detection:
- ' -Confirm "False"'
condition: all of command
falsepositives:
- unknown
- Unknown
level: high
tags:
- attack.defense_evasion
@@ -23,5 +23,5 @@ detection:
fields:
- AssemblyPath
falsepositives:
- legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
- Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
level: medium
@@ -21,5 +21,5 @@ detection:
fields:
- AssemblyPath
falsepositives:
- legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
- Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
level: high
@@ -23,7 +23,6 @@ detection:
condition: selection1 or selection2
falsepositives:
- Administrator activity
- Penetration tests
- Proxy SSL certificate with subject modification
- Smart card enrollement
level: low
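Review bot: `Smart card enrollement` is misspelled on the new side of this hunk (a context line), and the same string recurs in the next hunk, the one whose condition is `(selection10 and selection11) or (selection20 and selection21)`; `- Smart card enrollment` fixes both. Since the commit is already editing the falsepositives list of these two files, including the spelling fix avoids another metadata-only change later.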
@@ -37,7 +37,6 @@ detection:
condition: (selection10 and selection11) or (selection20 and selection21)
falsepositives:
- Administrator activity
- Penetration tests
- Proxy SSL certificate with subject modification
- Smart card enrollement
level: high
@@ -22,7 +22,7 @@ detection:
FilePath|contains: 'immersivecontrolpanel'
condition: selection and not filter
falsepositives:
- unknown
- Unknown
fields:
- ParentProcess
- CommandLine
@@ -37,7 +37,7 @@ detection:
- '.inf'
condition: all of selection_*
falsepositives:
- unknown
- Unknown
fields:
- ParentProcess
- CommandLine
@@ -19,7 +19,7 @@ detection:
Accesses|contains: 'WriteData'
condition: selection
falsepositives:
- pentesting
- Unknown
level: medium
tags:
- attack.lateral_movement
@@ -26,7 +26,7 @@ detection:
NewValue: '0'
condition: selection
falsepositives:
- unknown
- Unknown
level: critical
tags:
- attack.defense_evasion
@@ -9,7 +9,7 @@ references:
date: 2021/07/02
tags:
- attack.execution
- attack.t1569
- attack.t1569
- cve.2021.1675
- cve.2021.34527
logsource:
@@ -24,4 +24,4 @@ detection:
ObjectType: 'File'
condition: selection
falsepositives:
- nothing observed so far
- Unknown
@@ -21,5 +21,5 @@ fields:
- EventCode
- AccountName
falsepositives:
- unknown
- Unknown
level: high
@@ -21,7 +21,7 @@ detection:
- 'RemCom_stderrt'
condition: selection1
falsepositives:
- nothing observed so far
- Unknown
level: high
tags:
- attack.lateral_movement
@@ -20,10 +20,10 @@ detection:
selection:
EventID: 5145
ShareName: \\\*\ADMIN$
RelativeTargetName|contains|all:
RelativeTargetName|contains|all:
- 'SYSTEM32\'
- '.tmp'
condition: selection
falsepositives:
- pentesting
- Unknown
level: high
@@ -31,5 +31,5 @@ detection:
- 'system.io.streamreader'
condition: all of selection*
falsepositives:
- unknown
- Unknown
level: medium
@@ -11,7 +11,7 @@ references:
tags:
- attack.lateral_movement
- attack.execution
- attack.t1021
- attack.t1021
- attack.t1059
logsource:
product: windows
@@ -25,5 +25,4 @@ detection:
condition: selection
falsepositives:
- legal admin action
- Penetration tests where lateral movement has occurred. This event will be created on the target host.
level: low
@@ -7,7 +7,7 @@ description: The attacker might use LOLBAS nltest.exe for discovery of domain co
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm
- https://attack.mitre.org/software/S0359/
tags:
tags:
- attack.discovery
- attack.t1482 # enumerate trusted domains by using commands such as nltest /domain_trusts
- attack.t1018 # enumerate remote domain controllers using options such as /dclist and /dsgetdc
@@ -26,5 +26,5 @@ fields:
- 'SubjectDomainName'
falsepositives:
- Red team activity
- rare legitimate use by an administrator
- Rare legitimate use by an administrator
level: high
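Review bot: `Red team activity` survives as a falsepositive here while the commit removes `Penetration test` / `Penetration testing` entries from several other rules on this page (for example the hunks ending in `- Penetration test` under `level: high` and `- Penetration tests` under `level: medium`). If the intent is that authorized offensive activity is not treated as a false positive, this entry presumably should go too, leaving `- Rare legitimate use by an administrator` on its own. If it was kept deliberately, a sentence in the PR description saying which wordings are in scope would help whoever reviews the files not shown here.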
@@ -21,7 +21,7 @@ detection:
ObjectName|endswith: '\wceaux.dll'
condition: selection
falsepositives:
- Penetration testing
- Unknown
level: critical
tags:
- attack.credential_access
@@ -25,7 +25,6 @@ detection:
condition: selection and not filter
falsepositives:
- Administrator activity
- Penetration tests
level: medium
tags:
- attack.lateral_movement
@@ -30,5 +30,4 @@ detection:
condition: selection and not filter
falsepositives:
- Administrator activity
- Penetration tests
level: medium
@@ -24,5 +24,5 @@ detection:
condition: selection and not filter
falsepositives:
- automatic DC computer account password change
- legitimate DC computer account password change
- Legitimate DC computer account password change
level: high
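Review bot: After this change the two falsepositives entries disagree in capitalization: `automatic DC computer account password change` stays lowercase on the context line while the entry below it becomes `Legitimate DC computer account password change`. Given the commit's stated purpose, `- Automatic DC computer account password change` would keep this list consistent with the rest of the pass.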
@@ -34,5 +34,5 @@ detection:
- '::1'
condition: selection and ( sourceRDP or destinationRDP )
falsepositives:
- unknown
- Unknown
level: high
@@ -29,5 +29,5 @@ detection:
ServiceName: 'javamtsup'
condition: selection and 1 of malsvc_*
falsepositives:
- Penetration testing
- Unknown
level: critical
@@ -26,7 +26,6 @@ detection:
condition: selection and selection2
falsepositives:
- Administrator activity
- Penetration tests
level: high
tags:
- attack.discovery
@@ -23,7 +23,7 @@ detection:
RelativeTargetName|startswith: 'PSEXESVC'
condition: selection1 and not filter
falsepositives:
- nothing observed so far
- Unknown
level: high
tags:
- attack.lateral_movement
