Merge PR #5833 from @swachchhanda000 - Fix Multiple FPs based on VT data

update: Suspicious Creation TXT File in User Desktop - Move to a TH rule
fix: ffice Macro File Creation - Exclude office binaries
fix: Suspicious Msiexec Execute Arbitrary DLL - Make the filter more generic due to the amount of FPs.
fix: Script Interpreter Execution From Suspicious Folder - Add filters for chocolatey
fix: Suspicious Script Execution From Temp Folder - Add filter for chocolatey
fix: Office Autorun Keys Modification - Add filters for shortened paths using tilda
fix Outlook Security Settings Updated - Registry - Exclude the outlook process

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>

rules-threat-hunting/windows/file/file_event/file_event_win_susp_desktop_txt.yml

@@ -1,14 +1,18 @@
 title: Suspicious Creation TXT File in User Desktop
 id: caf02a0a-1e1c-4552-9b48-5e070bd88d11
 status: test
-description: Ransomware create txt file in the user Desktop
+description: |
+    Detects creation of .txt files in user desktop folders via cmd.exe. This behavior may indicate ransomware deploying ransom notes, but can also occur during legitimate administrative tasks.
+    Analysts should investigate for suspicious filenames (e.g., "RANSOM", "DECRYPT", "READ_ME"), bulk file creation patterns, or concurrent encryption activity to determine if this is part of a ransomware attack.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note
 author: frack113
 date: 2021-12-26
+modified: 2026-01-09
 tags:
     - attack.impact
     - attack.t1486
+    - detection.threat-hunting
 logsource:
     product: windows
     category: file_event
@@ -22,4 +26,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: high
+level: medium

rules/windows/file/file_event/file_event_win_office_macro_files_created.yml

@@ -10,6 +10,7 @@ references:
     - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-01-23
+modified: 2026-01-09
 tags:
     - attack.initial-access
     - attack.t1566.001
@@ -25,7 +26,16 @@ detection:
             - '.xltm'
             - '.potm'
             - '.pptm'
-    condition: selection
+    filter_main_office:
+        Image|startswith:
+            - 'C:\Program Files\Microsoft Office\'
+            - 'C:\Program Files (x86)\Microsoft Office\'
+        Image|endswith:
+            - '\WINWORD.EXE'
+            - '\EXCEL.EXE'
+            - '\POWERPNT.EXE'
+        TargetFilename|contains: '\~$' # Temporary files created by Office applications
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - Very common in environments that rely heavily on macro documents
 level: low

rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml

@@ -10,7 +10,7 @@ references:
     - https://twitter.com/_st0pp3r_/status/1583914515996897281
 author: frack113
 date: 2022-01-16
-modified: 2024-03-13
+modified: 2026-01-09
 tags:
     - attack.defense-evasion
     - attack.t1218.007
@@ -20,22 +20,14 @@ logsource:
 detection:
     selection:
         Image|endswith: '\msiexec.exe'
-        CommandLine|contains|windash: ' -y'
-    filter_apple:
+        CommandLine|contains|windash: ' /Y'
+    filter_main_legit_path:
         CommandLine|contains:
-            - '\MsiExec.exe" /Y "C:\Program Files\Bonjour\mdnsNSP.dll'
-            - '\MsiExec.exe" /Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll'
-            - '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll'
-            - '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll'
-            - '\MsiExec.exe" /Y "C:\Windows\CCM\'
-            - '\MsiExec.exe" /Y C:\Windows\CCM\' # also need non-quoted execution
-            - '\MsiExec.exe" -Y "C:\Program Files\Bonjour\mdnsNSP.dll'
-            - '\MsiExec.exe" -Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll'
-            - '\MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll'
-            - '\MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll'
-            - '\MsiExec.exe" -Y "C:\Windows\CCM\'
-            - '\MsiExec.exe" -Y C:\Windows\CCM\' # also need non-quoted execution
-    condition: selection and not 1 of filter_*
+            - '\MsiExec.exe" /Y "C:\Program Files\'
+            - '\MsiExec.exe" /Y "C:\Program Files (x86)\'
+            - '\MsiExec.exe" /Y "C:\Windows\System32\'
+            - '\MsiExec.exe" /Y "C:\Windows\SysWOW64\'
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - Legitimate script
 level: medium

rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml

@@ -1,14 +1,16 @@
 title: Script Interpreter Execution From Suspicious Folder
 id: 1228c958-e64e-4e71-92ad-7d429f4138ba
 status: test
-description: Detects a suspicious script execution in temporary folders or folders accessible by environment variables
+description: |
+    Detects suspicious script execution from suspicious directories or folders accessible by environment variables that may indicate malware activity.
+    Script interpreters (cscript, wscript, mshta, powershell) executing from folders like Temp, Public, or user profile directories may suggest attempts to evade detection or execute malicious scripts.
 references:
     - https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f
     - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military
     - https://learn.microsoft.com/en-us/windows/win32/shell/csidl
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2022-02-08
-modified: 2023-06-16
+modified: 2026-01-09
 tags:
     - attack.execution
     - attack.t1059
@@ -38,6 +40,7 @@ detection:
         CommandLine|contains:
             - ':\Perflogs\'
             - ':\Users\Public\'
+            - '\%Public%'
             - '\AppData\Local\Temp'
             - '\AppData\Roaming\Temp'
             - '\Temporary Internet'
@@ -52,7 +55,16 @@ detection:
         - CommandLine|contains|all:
               - ':\Users\'
               - '\Contacts\'
-    condition: 1 of selection_proc_* and 1 of selection_folders_*
+    filter_optional_chocolatey_installer:
+        ParentImage:
+            - 'C:\Windows\System32\Msiexec.exe'
+            - 'C:\Windows\SysWOW64\Msiexec.exe'
+        Image|endswith: '\powershell.exe'
+        CommandLine|contains|all:
+            - '-NoProfile -ExecutionPolicy Bypass -Command'
+            - 'AppData\Local\Temp\'
+            - 'Install-Chocolatey.ps1'
+    condition: 1 of selection_proc_* and 1 of selection_folders_* and not 1 of filter_optional_*
 falsepositives:
-    - Unknown
+    - Various legitimate software have been observed to use similar techniques for installation or update purposes;thus, it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
 level: high

rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml

@@ -6,7 +6,7 @@ references:
     - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
 author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton
 date: 2021-07-14
-modified: 2022-10-05
+modified: 2026-01-09
 tags:
     - attack.execution
     - attack.t1059
@@ -29,14 +29,25 @@ detection:
             - '%TEMP%'
             - '%TMP%'
             - '%LocalAppData%\Temp'
-    filter:
+    filter_optional_vscode:
+        CommandLine|contains: '-WindowStyle hidden -Verb runAs'
+    filter_optional_amazon_ec2:
+        CommandLine|contains: '\Windows\system32\config\systemprofile\AppData\Local\Temp\Amazon\EC2-Windows\'
+    filter_optional_generic:
         CommandLine|contains:
             - ' >'
             - 'Out-File'
             - 'ConvertTo-Json'
-            - '-WindowStyle hidden -Verb runAs'  # VSCode behaviour if file cannot be written as current user
-            - '\Windows\system32\config\systemprofile\AppData\Local\Temp\Amazon\EC2-Windows\' # EC2 AWS
-    condition: selection and not filter
+    filter_optional_chocolatey_installer:
+        ParentImage:
+            - 'C:\Windows\System32\Msiexec.exe'
+            - 'C:\Windows\SysWOW64\Msiexec.exe'
+        Image|endswith: '\powershell.exe'
+        CommandLine|contains|all:
+            - '-NoProfile -ExecutionPolicy Bypass -Command'
+            - 'AppData\Local\Temp\'
+            - 'Install-Chocolatey.ps1'
+    condition: selection and not 1 of filter_optional_*
 falsepositives:
-    - Administrative scripts
+    - Various legitimate software have been observed to use similar techniques for installation or update purposes;thus, it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
 level: high

rules/windows/registry/registry_event/registry_event_susp_process_registry_modification.yml

@@ -32,13 +32,20 @@ detection:
             - '\mshta.exe'
             - '\wscript.exe'
             - '\cscript.exe'
-    filter_main_legit_wscript:
+    filter_main_binary_data:
+        Details: 'Binary Data'
+    filter_main_null:
+        Details: null
+    filter_main_wscript_legit_1:
         Image|endswith: '\wscript.exe'
         TargetObject|contains:
             - 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\'
             - '\Services\bam\State\UserSettings\S-1-'
             - 'Software\Microsoft\Windows Script\Settings\Telemetry\wscript.exe\'
             - 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\'
+    filter_main_wscript_legit_2:
+        Image|endswith: '\wscript.exe'
+        TargetObject|contains: '\wscript.exe'
     condition: selection and not 1 of filter_main_*
 falsepositives:
     - Some legitimate admin or install scripts may use these processes for registry modifications.

rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml

@@ -4,7 +4,11 @@ related:
     - id: 17f878b8-9968-4578-b814-c4217fc5768c
       type: obsolete
 status: test
-description: Detects modification of autostart extensibility point (ASEP) in registry.
+description: |
+    Detects modification of Windows Registry Classes keys used for persistence.
+    Adversaries modify these autostart extensibility points (ASEP) to execute malicious code when file types are opened or actions are performed.
+    Various legitimate software also uses these keys. Currently, this rule only filters out known legitimate software paths,
+    thus it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
     - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns

rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml

@@ -4,14 +4,17 @@ related:
     - id: 17f878b8-9968-4578-b814-c4217fc5768c
       type: obsolete
 status: test
-description: Detects modification of autostart extensibility point (ASEP) in registry.
+description: |
+    Detects modification of autostart extensibility point (ASEP) in registry. Adversaries may modify these keys to execute malicious code when Office files are opened.
+    There are various legitimate add-ins that also use these keys and this filter list might not be exhaustive.
+    Thus, it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
     - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
     - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019-10-25
-modified: 2025-10-17
+modified: 2026-01-09
 tags:
     - attack.privilege-escalation
     - attack.persistence
@@ -35,12 +38,17 @@ detection:
             - 'test\Special\Perf'
     filter_main_empty:
         Details: '(Empty)'
+    filter_main_null:
+        Details: null
     filter_main_known_addins:
         Image|startswith:
             - 'C:\Program Files\Microsoft Office\'
             - 'C:\Program Files (x86)\Microsoft Office\'
+            - 'C:\PROGRA~2\MICROS~2\Office'
             - 'C:\Windows\System32\msiexec.exe'
+            - 'C:\Windows\SysWOW64\msiexec.exe'
             - 'C:\Windows\System32\regsvr32.exe'
+            - 'C:\Windows\SysWOW64\regsvr32.exe '
         TargetObject|contains:
             # Remove any unused addins in your environment from the filter
             # Known addins for excel
@@ -55,9 +63,11 @@ detection:
             - '\Outlook\AddIns\EvernoteCC.EvernoteContactConnector\'
             - '\Outlook\AddIns\EvernoteOLRD.Connect\'
             # - '\Outlook\Addins\GrammarlyAddIn.Connect' # Uncomment if you use Grammarly
+            - '\Outlook\Addins\\OneNote.OutlookAddin'
+            - '\Outlook\Addins\DriveFSExtensionLib.Connect\' # An Outlook Add-in to talk with Google Drive
+            - '\Outlook\Addins\GoogleAppsSync.Connect\' # Google Apps Sync for Microsoft Outlook
             - '\Outlook\Addins\Microsoft.VbaAddinForOutlook.1\'
             - '\Outlook\Addins\OcOffice.OcForms\'
-            - '\Outlook\Addins\\OneNote.OutlookAddin'
             - '\Outlook\Addins\OscAddin.Connect\'
             - '\Outlook\Addins\OutlookChangeNotifier.Connect\'
             - '\Outlook\Addins\UCAddin.LyncAddin.1'
@@ -69,6 +79,11 @@ detection:
             - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
             - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
         Image|endswith: '\OfficeClickToRun.exe'
+    filter_main_vsto:
+        Image|startswith:
+            - 'C:\Program Files\Common Files\Microsoft Shared\VSTO\'
+            - 'C:\Program Files (x86)\Microsoft Shared\VSTO\'
+        Image|endswith: '\VSTOInstaller.exe'
     filter_optional_avg:
         Image:
             - 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
@@ -79,8 +94,9 @@ detection:
             - 'C:\Program Files\Avast Software\Avast\RegSvr.exe'
             - 'C:\Program Files\Avast Software\Avast\x86\RegSvr.exe'
         TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Avast.AsOutExt\'
+    # These filters are not exhaustive, filter can be expanded based on environment
     condition: all of selection_office_* and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
-    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
-    - Legitimate administrator sets up autorun keys for legitimate reason
+    - Legitimate software or add-in installations and administrative configurations
+    - Automatic registry modifications during legitimate software installations
 level: medium

rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml

@@ -10,7 +10,7 @@ references:
     - https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings
 author: frack113
 date: 2021-12-28
-modified: 2023-08-17
+modified: 2026-01-09
 tags:
     - attack.persistence
     - attack.t1137
@@ -22,7 +22,12 @@ detection:
         TargetObject|contains|all:
             - '\SOFTWARE\Microsoft\Office\'
             - '\Outlook\Security\'
-    condition: selection
+    filter_main_outlook:
+        Image|startswith:
+            - 'C:\Program Files\Microsoft Office\'
+            - 'C:\Program Files (x86)\Microsoft Office\'
+        Image|endswith: '\OUTLOOK.EXE'
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - Administrative activity
 level: medium

rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml

@@ -7,7 +7,7 @@ references:
     - https://vanmieghem.io/stealth-outlook-persistence/
 author: Bhabesh Raj
 date: 2021-01-10
-modified: 2025-10-07
+modified: 2026-01-09
 tags:
     - attack.t1137.006
     - attack.persistence
@@ -43,14 +43,21 @@ detection:
             - 'C:\Program Files (x86)\Microsoft Office\OFFICE'
             - 'C:\Program Files\Microsoft Office\Root\OFFICE'
             - 'C:\Program Files (x86)\Microsoft Office\Root\OFFICE'
+            - 'C:\PROGRA~2\MICROS~2\Office'
         Image|endswith:
             - '\excel.exe'
             - '\Integrator.exe'
+            - '\OneNote.exe'
             - '\outlook.exe'
             - '\powerpnt.exe'
             - '\Teams.exe'
             - '\visio.exe'
             - '\winword.exe'
+    filter_main_vsto:
+        Image|startswith:
+            - 'C:\Program Files\Common Files\Microsoft Shared\VSTO\'
+            - 'C:\Program Files (x86)\Microsoft Shared\VSTO\'
+        Image|endswith: '\VSTOInstaller.exe'
     filter_optional_avg:
         Image:
             - 'C:\Program Files\AVG\Antivirus\RegSvr.exe'