From c2d9e95e83e9a04fead436fad9102e43cb4cb1b0 Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Date: Fri, 17 Oct 2025 08:12:25 +0545
Subject: [PATCH] Merge PR #5532 from @swachchhanda000 - fix: refine detections and filters; update Account Tampering with SubStatus field
fix: SMB Create Remote File Admin Share - filter out local IP
fix: Alternate PowerShell Hosts - PowerShell Module - filter out more legit powershell host
fix: CurrentVersion NT Autorun Keys Modification - filter svchost making legitimate registry change
fix: Potentially Suspicious Desktop Background Change Via Registry - filter EC2Launch.exe
update: Account Tampering - Suspicious Failed Logon Reasons - add SubStatus field
---
 ...ecurity_smb_file_creation_admin_shares.yml | 8 ++++--
 ...win_security_susp_failed_logon_reasons.yml | 28 ++++++++++++-------
 .../posh_pm_alternate_powershell_hosts.yml | 5 +++-
 ...eg_keys_modification_currentversion_nt.yml | 3 +-
 ...registry_set_desktop_background_change.yml | 9 ++++--
 tests/sigma_cli_conf.yml | 1 +
 6 files changed, 37 insertions(+), 17 deletions(-)
diff --git a/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml b/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml
index 014709ceb..fae6390ff 100644
--- a/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml
+++ b/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml
@@ -7,7 +7,7 @@ references:
 - https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file
 author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)
 date: 2020-08-06
-modified: 2021-11-27
+modified: 2025-10-17
 tags:
 - attack.lateral-movement
 - attack.t1021.002
@@ -19,9 +19,11 @@ detection:
 EventID: 5145
 ShareName|endswith: 'C$'
 AccessMask: '0x2'
- filter:
+ filter_main_subjectusername:
 SubjectUserName|endswith: '$'
- condition: selection and not filter
+ filter_optional_local_ip:
+ IpAddress: '::1'
+ condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml b/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml
index 00a5c062d..18a808de4 100644
--- a/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml
+++ b/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml
@@ -7,7 +7,7 @@ references:
 - https://twitter.com/SBousseaden/status/1101431884540710913
 author: Florian Roth (Nextron Systems)
 date: 2017-02-19
-modified: 2022-06-29
+modified: 2025-10-17
 tags:
 - attack.persistence
 - attack.defense-evasion
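Review bot: `filter_optional_local_ip` only excludes the IPv6 loopback `::1`, so a 5145 event whose `IpAddress` is `127.0.0.1` is still reported although the commit message describes the change as filtering out the local IP; the stated intent is covered by `IpAddress: ['::1', '127.0.0.1']`. Keeping the exclusion under `filter_optional_*` is the right choice, since some consumers may still want loopback admin-share writes reported, but a comment above the filter such as `# Loopback (local) access to the admin share` should record that trade-off. The `selection` block this hunk edits starts above the hunk.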
@@ -18,20 +18,28 @@ logsource:
 product: windows
 service: security
 detection:
- selection:
+ selection_eid:
 EventID:
 - 4625
 - 4776
- Status:
- - '0xC0000072' # User logon to account disabled by administrator
- - '0xC000006F' # User logon outside authorized hours
- - '0xC0000070' # User logon from unauthorized workstation
- - '0xC0000413' # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
- - '0xC000018C' # The logon request failed because the trust relationship between the primary domain and the trusted domain failed
- - '0xC000015B' # The user has not been granted the requested logon type (aka logon right) at this machine
+ selection_status:
+ - Status:
+ - '0xC0000072' # User logon to account disabled by administrator
+ - '0xC000006F' # User logon outside authorized hours
+ - '0xC0000070' # User logon from unauthorized workstation
+ - '0xC0000413' # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
+ - '0xC000018C' # The logon request failed because the trust relationship between the primary domain and the trusted domain failed
+ - '0xC000015B' # The user has not been granted the requested logon type (aka logon right) at this machine
+ - SubStatus:
+ - '0xC0000072' # User logon to account disabled by administrator
+ - '0xC000006F' # User logon outside authorized hours
+ - '0xC0000070' # User logon from unauthorized workstation
+ - '0xC0000413' # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
+ - '0xC000018C' # The logon request failed because the trust relationship between the primary domain and the trusted domain failed
+ - '0xC000015B' # The user has not been granted the requested logon type (aka logon right) at this machine
 filter:
 SubjectUserSid: 'S-1-0-0'
- condition: selection and not filter
+ condition: all of selection_* and not filter
 falsepositives:
 - User using a disabled account
 level: medium
diff --git a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
index e9463f1d9..63b37d334 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
@@ -6,7 +6,7 @@ references:
 - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
 date: 2019-08-11
-modified: 2022-12-13
+modified: 2025-10-17
 tags:
 - attack.execution
 - attack.t1059.001
@@ -28,6 +28,9 @@ detection:
 # In some cases powershell was invoked with inverted slashes
 - '= C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
 - '= C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
+ # In some cases \??\C:.. is used
+ - '= \\\?\?\C:Windows\System32\WindowsPowerShell\v1.0\powershell'
+ - '= \\\?\?\C:Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
 filter_sdiagnhost:
 ContextInfo|contains: '= C:\WINDOWS\System32\sdiagnhost.exe -Embedding' # When MSDT is launched for example
 filter_citrix:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml
index d26238dae..d142d5265 100644
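Review bot: The six reason codes are now listed twice, under `Status` and again under `SubStatus`, with nothing in the rule saying why or that the two lists must stay identical; a comment above `- SubStatus:` such as `# 4625 may carry a generic Status and put the specific reason in SubStatus, so both fields are checked - keep both lists in sync` would capture the intent of the change. A code later added to one list but not the other would silently narrow coverage, which is why the sync note matters. `all of selection_*` correctly ANDs `selection_eid` with the new `selection_status` (whose two list items are ORed), but any later `selection_*` key added to this rule will be ANDed too, so the condition is less forgiving than the old `selection and not filter`.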
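Review bot: The two new `\??\` host entries contain `C:Windows` with no separator after the drive colon, unlike the existing `C:/Windows/...` entries and the usual NT-path form `\??\C:\Windows\...`; if the logged `HostApplication` value has that backslash, these exclusion entries never match and the filter silently does nothing (the rule keeps firing on the legitimate host rather than missing anything). Confirm against a sample event and, if the separator was dropped, change them to `'= \\\?\?\C:\Windows\System32\WindowsPowerShell\v1.0\powershell'` and the SysWOW64 equivalent. The `\?` escapes look deliberate, since a bare `?` is a single-character wildcard in Sigma, and they presumably explain the `escaped_wildcard` exclusion added to tests/sigma_cli_conf.yml in this commit. The enclosing filter's key line is above the hunk.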
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml
@@ -11,7 +11,7 @@ references:
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019-10-25
-modified: 2025-10-07
+modified: 2025-10-17
 tags:
 - attack.persistence
 - attack.t1547.001
@@ -50,6 +50,7 @@ detection:
 - '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\PreviousPolicyAreas'
 - '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesInterval'
 Details:
+ - 'DWORD (0x00000001)'
 - 'DWORD (0x00000009)'
 - 'DWORD (0x000003c0)'
 filter_main_runtimebroker:
diff --git a/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml b/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml
index 2f7665b2d..7de036f7d 100644
--- a/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml
+++ b/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml
@@ -16,7 +16,7 @@ references:
 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
 author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)
 date: 2023-12-21
-modified: 2025-10-08
+modified: 2025-10-17
 tags:
 - attack.defense-evasion
 - attack.impact
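Review bot: `'DWORD (0x00000001)'` is one of the most common registry values, so how safe this widening is depends entirely on the `Image` and `TargetObject` keys of the enclosing filter, whose start lies above the hunk; if that filter is keyed only on the `\Winlogon\GPExtensions\...` targets, the svchost constraint described in the commit message should be explicit there. The added value also carries no provenance, so a trailing comment on the new line, e.g. `# Observed from svchost.exe updating GPExtensions values (wording per the commit message)`, would let the next reviewer judge whether it still belongs. The list is not otherwise ordered, so appending at the top is fine.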
@@ -48,7 +48,12 @@ detection:
 filter_main_explorer:
 # Normally Explorer.exe is the process that changes the desktop background
 Image|endswith: 'C:\Windows\Explorer.EXE'
- condition: selection_keys and 1 of selection_values_* and not 1 of filter_main_*
+ filter_optional_ec2launch:
+ Image:
+ - 'C:\Program Files\Amazon\EC2Launch\EC2Launch.exe'
+ - 'C:\Program Files (x86)\Amazon\EC2Launch\EC2Launch.exe'
+ TargetObject|endswith: '\Control Panel\Desktop\Wallpaper'
+ condition: selection_keys and 1 of selection_values_* and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
 - Administrative scripts that change the desktop background to a company logo or other image.
 level: medium
diff --git a/tests/sigma_cli_conf.yml b/tests/sigma_cli_conf.yml
index 331ec3d0a..497510938 100644
--- a/tests/sigma_cli_conf.yml
+++ b/tests/sigma_cli_conf.yml
@@ -51,6 +51,7 @@ exclusions:
 f57f8d16-1f39-4dcb-a604-6c73d9b54b3d: escaped_wildcard
 f6de6525-4509-495a-8a82-1f8b0ed73a00: escaped_wildcard
 fb502828-2db0-438e-93e6-801c7548686d: escaped_wildcard
+ 64e8e417-c19a-475a-8d19-98ea705394cc: escaped_wildcard
 # number_as_string
 5c84856b-55a5-45f1-826f-13f37250cf4e: number_as_string
 749c9f5e-b353-4b90-a9c1-05243357ca4b: number_as_string
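Review bot: `filter_optional_ec2launch` has no comment explaining why EC2Launch touches the wallpaper value, unlike `filter_main_explorer` just above it; a line such as `# EC2Launch renders instance information onto the desktop background of Windows EC2 hosts` above the filter would document the false-positive source. Matching the full `Image` path instead of `|endswith`, and narrowing on `TargetObject|endswith: '\Control Panel\Desktop\Wallpaper'`, keeps the exclusion tight, and placing it under `filter_optional_*` lets deployments without EC2 hosts drop it. The paths assume the default install location; if EC2Launch is installed elsewhere the filter simply does not apply, which costs an alert rather than coverage.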
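Review bot: The added `64e8e417-c19a-475a-8d19-98ea705394cc: escaped_wildcard` entry is appended after `fb502828-…`, while the visible neighbours (`f57f8d16`, `f6de6525`, `fb502828`) run in ascending order; if the whole `escaped_wildcard` group is sorted, move the new id up among the `6…` entries so the list stays sorted and merge-friendly. This line suppresses the validator's escaped-wildcard check for that rule id, presumably for the `\?` escapes added to posh_pm_alternate_powershell_hosts.yml in this commit; a trailing comment such as `# \??\ NT paths in posh_pm_alternate_powershell_hosts.yml` would tie the suppression to its cause so it can be removed if those entries change.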