Fix FP

2022-09-29 11:20:08 +02:00
parent e6d0f35c82
commit cdd9aff032
4 changed files with 26 additions and 9 deletions
@@ -8,7 +8,7 @@ references:
    - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll
 author: Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex)
 date: 2022/08/14
-modified: 2022/09/28
+modified: 2022/09/29
 tags:
    - attack.defense_evasion
    - attack.persistence
@@ -427,6 +427,9 @@ detection:
            - 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
            - 'C:\Windows\System32\backgroundTaskHost.exe'
        ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
+    filter_cleanmgr:
+        Image: 'C:\Windows\System32\cleanmgr.exe'
+        ImageLoaded|endswith: '\ssshim.dll'
    condition: selection and not 1 of filter_*
 falsepositives:
    - Legitimate applications loading their own versions of the DLLs mentioned in this rule
@@ -6,7 +6,7 @@ author: Nasreddine Bencherchali
 references:
    - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)
 date: 2022/07/17
-modified: 2022/09/10
+modified: 2022/09/29
 tags:
    - attack.defense_evasion
    - attack.t1070
@@ -23,12 +23,17 @@ detection:
            - '\Downloads\'
            - '\AppData\Local\Temp\'
            - 'C:\PerfLogs\'
-    filter:
+    filter_generic:
        - Image|endswith: '\msiexec.exe'
        - ImageLoaded|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
-    condition: selection and not filter
+    filter_cleanmgr:
+        # Example CLI that generates this event: C:\WINDOWS\system32\cleanmgr.exe /autocleanstoragesense /d C:
+        # Sometimes the DLL gets loaded from %temp%
+        Image: 'C:\Windows\System32\cleanmgr.exe'
+        ImageLoaded|endswith: '\ssshim.dll'
+    condition: selection and not 1 of filter_*
 falsepositives:
    - Unknown
 level: high
@@ -6,18 +6,22 @@ references:
    - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
 author: Kutepov Anton, oscd.community
 date: 2019/10/23
-modified: 2022/03/26
+modified: 2022/09/29
 logsource:
    category: registry_add
    product: windows
 detection:
    selection:
        EventType: 'CreateKey'  # don't want DeleteKey events
-        TargetObject|contains|all: 
+        TargetObject|contains|all:
            - 'HKU\'
            - 'Classes\CLSID\'
            - '\TreatAs'
-    condition: selection
+    filter_svchost:
+        # Example of target object by svchost
+        # TargetObject: HKU\S-1-5-21-1098798288-3663759343-897484398-1001_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs
+        Image: 'C:\WINDOWS\system32\svchost.exe'
+    condition: selection and not 1 of filter_*
 falsepositives:
    - Maybe some system utilities in rare cases use linking keys for backward compatibility
 level: medium
@@ -19,10 +19,15 @@ detection:
        Image|endswith: '\OfficeClickToRun.exe'
    filter_office2:
        Image: 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
+    filter_svchost:
+        # Example of target object by svchost
+        # TargetObject: HKLM\SOFTWARE\Microsoft\MsixRegistryCompatibility\Package\Microsoft.Paint_11.2208.6.0_x64__8wekyb3d8bbwe\User\SOFTWARE\Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default)
+        # TargetObject: HKU\S-1-5-21-1000000000-000000000-000000000-0000_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default)
+        Image: 'C:\WINDOWS\system32\svchost.exe'
    condition: selection and not 1 of filter_*
 falsepositives:
    - Legitimate use
 level: medium
 tags:
-  - attack.persistence
-  - attack.t1546.015
+    - attack.persistence
+    - attack.t1546.015