fix: fp found in testing

2023-01-19 18:47:11 +01:00
parent e213252c4c
commit d9f37de1cf
4 changed files with 35 additions and 12 deletions
@@ -7,7 +7,7 @@ references:
    - https://tools.thehacker.recipes/mimikatz/modules
 author: Florian Roth (rule), David ANDRE (additional keywords)
 date: 2021/12/20
-modified: 2022/09/27
+modified: 2023/01/19
 logsource:
    category: process_creation
    product: windows
@@ -62,18 +62,24 @@ detection:
            - 'token::'      #Mimikatz
            - 'vault::cred'     #Mimikatz
            - 'vault::list'     #Mimikatz
-            - ' p::d '  # Mimikatz 
+            - ' p::d '  # Mimikatz
            - ';iex('  # PowerShell IEX
            - 'MiniDump'  # Process dumping method apart from procdump
            - 'net user '
-    filter:
+    filter_ping:
        CommandLine: 'ping 127.0.0.1 -n 5'
    filter_vs:
        Image|endswith: '\PING.EXE'
        ParentCommandLine|contains: '\DismFoDInstall.cmd'
    filter_config_mgr:
        ParentImage|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
-    condition: all of selection* and not 1 of filter*
+    filter_java:
+        ParentImage|startswith: 'C:\Program Files (x86)\Java\'
+        ParentImage|endswith: '\bin\javaws.exe'
+        Image|startswith: 'C:\Program Files (x86)\Java\'
+        Image|endswith: '\bin\jp2launcher.exe'
+        CommandLine|contains: ' -ma '
+    condition: all of selection* and not 1 of filter_*
 falsepositives:
    - Administrative activity
    - Scripts and administrative tools used in the monitored environment
@@ -10,7 +10,7 @@ references:
    - https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020/05/02
-modified: 2022/10/20
+modified: 2023/01/19
 tags:
    - attack.defense_evasion
    - attack.t1112
@@ -51,6 +51,13 @@ detection:
        Image|endswith: '\Everything.exe'
        # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
        TargetObject|contains: '\Everything.'
+    filter_uninstallers:
+        # This image path is linked with different uninstallers when running as admin unfortunately
+        Image|startswith: 'C:\Windows\Installer\MSI'
+    filter_java:
+        Image|startswith: 'C:\Program Files (x86)\Java\'
+        Image|endswith: '\installer.exe'
+        TargetObject|contains: '\Classes\WOW6432Node\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}'
    condition: selection and not 1 of filter_*
 falsepositives:
    - Legitimate software (un)installations are known to cause some false positives. Please add them as a filter when encountered
@@ -7,7 +7,7 @@ references:
    - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/
 author: Mateusz Wydra, oscd.community
 date: 2020/10/13
-modified: 2022/09/21
+modified: 2023/01/19
 tags:
    - attack.defense_evasion
    - attack.t1218
@@ -21,11 +21,14 @@ detection:
        TargetObject|contains:
            - 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs'
            - 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration'
-    filter:
+    filter_atbroker:
        Image: 'C:\Windows\system32\atbroker.exe'
        TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration'
        Details: '(Empty)'
-    condition: selection and not filter
+    filter_uninstallers:
+        Image|startswith: 'C:\Windows\Installer\MSI'
+        TargetObject|contains: 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs'
+    condition: selection and not 1 of filter_*
 falsepositives:
    - Creation of non-default, legitimate at usage
 level: medium
@@ -12,7 +12,7 @@ references:
    - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
-modified: 2022/12/14
+modified: 2023/01/19
 tags:
    - attack.persistence
    - attack.t1547.001
@@ -20,10 +20,10 @@ logsource:
    category: registry_set
    product: windows
 detection:
-    wow_current_version_base:
+    selection_wow_current_version_base:
        EventType: SetValue
        TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion'
-    wow_current_version_keys:
+    selection_wow_current_version_keys:
        TargetObject|contains:
            - '\ShellServiceObjectDelayLoad'
            - '\Run\'
@@ -85,7 +85,14 @@ detection:
            - '\windowsdesktop-runtime-'  # C:\WINDOWS\Temp\{751E2E78-46DC-4376-9205-99219CDC34AE}\.be\windowsdesktop-runtime-6.0.12-win-x86.exe
            - '\AspNetCoreSharedFrameworkBundle-'  # "C:\ProgramData\Package Cache\{b52191c1-a9c0-4b34-9a4e-930c2dd8a540}\AspNetCoreSharedFrameworkBundle-x86.exe" /burn.runonce
        Details|endswith: ' /burn.runonce'
-    condition: all of wow_current_version_* and not 1 of filter_*
+    filter_uninstallers:
+        # This image path is linked with different uninstallers when running as admin unfortunately
+        Image|startswith: 'C:\Windows\Installer\MSI'
+        TargetObject|contains: '\Explorer\Browser Helper Objects'
+    filter_msiexec:
+        Image: 'C:\WINDOWS\system32\msiexec.exe'
+        TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\'
+    condition: all of selection_wow_current_version_* and not 1 of filter_*
 fields:
    - SecurityID
    - ObjectName