From cb4ee6fbeebc6d121aac06d3e2b31730bd446750 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sun, 5 Dec 2021 11:21:40 +0100
Subject: [PATCH] fix: FPs noticed with Aurora
---
 .../windows/image_load/sysmon_susp_python_image_load.yml | 8 ++++++--
 .../sysmon_suspicious_dbghelp_dbgcore_load.yml | 2 +-
 .../process_access/sysmon_cred_dump_lsass_access.yml | 3 +++
 .../sysmon_in_memory_assembly_execution.yml | 1 +
 .../win_susp_proc_access_lsass_susp_source.yml | 9 +++++++--
 5 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/rules/windows/image_load/sysmon_susp_python_image_load.yml b/rules/windows/image_load/sysmon_susp_python_image_load.yml
index 4223429b3..79b4ceff8 100644
--- a/rules/windows/image_load/sysmon_susp_python_image_load.yml
+++ b/rules/windows/image_load/sysmon_susp_python_image_load.yml
@@ -3,7 +3,7 @@ id: cbb56d62-4060-40f7-9466-d8aaf3123f83
 description: Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.
 status: experimental
 date: 2020/05/03
-modified: 2021/12/03
+modified: 2021/12/05
 author: Patrick St. John, OTR (Open Threat Research)
 tags:
 - attack.defense_evasion
@@ -18,7 +18,11 @@ detection:
 selection:
 Description: 'Python Core'
 filter:
- Image|contains: 'Python' # FPs with python38.dll, python.exe etc.
+ - Image|contains:
+ - 'Python' # FPs with python38.dll, python.exe etc.
+ - Image|startswith:
+ - 'C:\Program Files\'
+ - 'C:\Program Files (x86)\'
 condition: selection and not filter
 fields:
 - Description
diff --git a/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
index 11676f828..0dd3b01f3 100755
--- a/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
+++ b/rules/windows/image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml
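Review bot: The new `Image|startswith` entry in the filter of sysmon_susp_python_image_load.yml has no comment, while the `Image|contains` entry it sits beside keeps its `# FPs with python38.dll, python.exe etc.`; add one naming what it was added for, e.g. `# FPs with legitimately installed software under Program Files that ships Python Core`. Because the filter is now a list of two maps, the entries are OR-ed, so every image loaded from either Program Files directory is excluded regardless of whether its path contains Python, which widens the exclusion well beyond the commit's stated purpose and makes the rule depend on those directories remaining admin-write-only; that assumption is worth stating next to the filter. The detection block's selection is visible in the hunk, the rest of the rule is not.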
@@ -8,7 +8,7 @@ references:
 - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
 - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
 date: 2019/10/27
-modified: 2021/11/27
+modified: 2021/12/05
 logsource:
 category: image_load
 product: windows
diff --git a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
index 29c4cc6cb..ebac98349 100755
--- a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
+++ b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
@@ -78,6 +78,9 @@ detection:
 GrantedAccess:
 - '0x40'
 - '0x1010'
+ filter9:
+ SourceImage|endswith: '\explorer.exe'
+ GrantedAccess: '0x401'
 filter_generic:
 SourceImage|startswith:
 - 'C:\Program Files\'
diff --git a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
index 87bc6293c..3f809d057 100644
--- a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
+++ b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
@@ -61,6 +61,7 @@ detection:
 - 'C:\Program Files\Microsoft Visual Studio\'
 - 'C:\Windows\Microsoft.NET\Framework'
 - 'C:\WINDOWS\System32\DriverStore\'
+ - 'C:\Windows\System32\WindowsPowerShell\'
 - SourceImage:
 - 'C:\Users\\*\AppData\Local\Programs\Microsoft VS Code\Code.exe'
 - 'C:\WINDOWS\system32\taskhostw.exe'
diff --git a/rules/windows/process_access/win_susp_proc_access_lsass_susp_source.yml b/rules/windows/process_access/win_susp_proc_access_lsass_susp_source.yml
index 9044e8671..95341c500 100644
--- a/rules/windows/process_access/win_susp_proc_access_lsass_susp_source.yml
+++ b/rules/windows/process_access/win_susp_proc_access_lsass_susp_source.yml
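Review bot: The new filter9 in sysmon_cred_dump_lsass_access.yml keys the LSASS-access exemption on the file name alone, `SourceImage|endswith: '\explorer.exe'`, although the Windows shell has a fixed location; anchor it to the full path, `SourceImage: 'C:\Windows\explorer.exe'`, in the same spirit as the neighbouring filter_generic, which anchors on `C:\Program Files\` prefixes rather than names. A one-line comment stating the observed benign pattern (the shell querying LSASS with 0x401) would also help the next reviewer judge whether the exemption is still needed. The enclosing detection block and the condition line are outside the hunk, so I cannot confirm how filter9 is combined with the other filters.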
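Review bot: Adding `C:\Windows\System32\WindowsPowerShell\` to the prefix list in sysmon_in_memory_assembly_execution.yml takes every PowerShell host process out of the rule's coverage, which for a rule named after in-memory assembly execution is a wide blind spot, since PowerShell is itself a .NET host and assembly loads from it are the normal case the rule presumably exists to examine. The key this list belongs to is outside the hunk (it reads as a `SourceImage|startswith` filter, given the `- SourceImage:` sibling below it), so the exact scope is inferred; if the false positive is one specific access pattern, a dedicated filter narrowed on GrantedAccess or TargetImage would lose less, and either way the trade-off belongs in the rule's falsepositives field with a short comment on the new line, e.g. `# PowerShell hosts: high FP volume, trade-off accepted`.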
@@ -4,7 +4,7 @@ status: experimental
 description: Detects process access to LSASS memory with suspicious access flags and from a suspicious folder
 author: Florian Roth
 date: 2021/11/27
-modified: 2021/11/30
+modified: 2021/12/05
 references:
 - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
 - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
@@ -56,7 +56,12 @@ detection:
 - '\AppData\'
 - '\Temporary'
 filter1:
- SourceImage: 'C:\Users\\*\AppData\Local\Programs\Microsoft VS Code\Code.exe'
+ SourceImage|contains|all:
+ - 'C:\Users\'
+ - '\AppData\Local\'
+ SourceImage|endswith:
+ - '\Microsoft VS Code\Code.exe'
+ - '\software_reporter_tool.exe'
 GrantedAccess: '0x410'
 condition: selection and not 1 of filter*
 fields:
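Review bot: The rewritten filter1 is looser than the single line it replaces: the old entry pinned VS Code to `\AppData\Local\Programs\Microsoft VS Code\Code.exe`, whereas the new pair accepts any path containing `C:\Users\` and `\AppData\Local\` that merely ends in `\Microsoft VS Code\Code.exe` or `\software_reporter_tool.exe`, in a rule whose description is LSASS access from a suspicious folder and whose selection (visible above the filter) lists `\AppData\` as one of those folders. Because AppData\Local is user-writable, the file-name suffix now carries the whole exemption; keep the `\Programs\` component for VS Code and add the vendor directory component for software_reporter_tool.exe (take the exact path from the false-positive sample rather than guessing it), so each exemption is tied to an install location and not just a name. The `GrantedAccess: '0x410'` constraint still applies to both entries, which limits but does not close the gap; a comment naming the source of the software_reporter_tool.exe FP would also help, as nothing in the rule says which product ships it.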