From dcfc9d562e58998ea029e45d06fc5e41bdc7aa72 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 17 Nov 2021 10:27:02 +0100
Subject: [PATCH] fix: more false positives

---
 .../windows/deprecated/sysmon_mimikatz_detection_lsass.yml | 7 +++++--
 .../image_load/sysmon_wsman_provider_image_load.yml | 3 +++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml b/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml
index 92242bd38..801cf3167 100644
--- a/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml
+++ b/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml
@@ -13,7 +13,7 @@ tags:
 - car.2019-04-004
 author: Sherif Eldeeb
 date: 2017/10/18
-modified: 2021/06/21
+modified: 2021/11/17
 logsource:
 product: windows
 category: process_access
@@ -23,7 +23,10 @@ detection:
 GrantedAccess:
 - '0x1410'
 - '0x1010'
- condition: selection
+ filter:
+ SourceImage|startswith: 'C:\Program Files\WindowsApps\'
+ SourceImage|endswith: '\GamingServices.exe'
+ condition: selection and not filter
 fields:
 - ComputerName
 - User
diff --git a/rules/windows/image_load/sysmon_wsman_provider_image_load.yml b/rules/windows/image_load/sysmon_wsman_provider_image_load.yml
index 953e556e8..5bf954a9b 100644
--- a/rules/windows/image_load/sysmon_wsman_provider_image_load.yml
+++ b/rules/windows/image_load/sysmon_wsman_provider_image_load.yml
@@ -3,6 +3,7 @@ id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94
 description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
 status: experimental
 date: 2020/06/24
+modified: 2021/11/17
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
 - attack.execution
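Review bot: The new `filter` in sysmon_mimikatz_detection_lsass.yml allow-lists every LSASS access whose SourceImage is `\GamingServices.exe` under `C:\Program Files\WindowsApps\`, but the rule's `falsepositives` list (outside this hunk) is not updated, so an analyst tuning the rule later has no record of why that process is excluded; add an entry such as `- Gaming Services (GamingServices.exe) from the WindowsApps folder accessing lsass`. Because the exclusion keys only on the image path and name, any binary carrying that name in that directory is excluded regardless of its GrantedAccess; the WindowsApps folder is ACL-protected, which limits the exposure, but a short comment above `filter:` stating that assumption would help, and if the backend exposes signature or hash fields for process_access events the filter could be tightened with them. The rule sits under `rules/windows/deprecated/`, so if a successor rule covers the same LSASS access pattern the same exclusion presumably belongs there too — verify.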
@@ -32,6 +33,8 @@ detection:
 respond_server:
 Image|endswith: '\svchost.exe'
 OriginalFileName: 'WsmWmiPl.dll'
+ filter:
+ CommandLine|endswith: '\svchost.exe -k netsvcs -p -s BITS'
 condition: (request_client and not filter_ps) or respond_server
 falsepositives:
 - Unknown
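Review bot: The new `filter` selection is never referenced, because the `condition` line right after it still reads `(request_client and not filter_ps) or respond_server`, so the BITS exclusion this commit adds has no effect on the rule's output. If the intent is to stop the BITS service host from matching the `respond_server` branch, the condition should read `condition: (request_client and not filter_ps) or (respond_server and not filter)`. Separately, the filter keys on `CommandLine`, but Sysmon image-load events (Event ID 7) do not carry a CommandLine field as far as I know, so on unenriched Sysmon data the filter would never match even once it is wired into the condition — confirm against the rule's logsource (outside this hunk) and, if so, express the exclusion with fields that image-load events actually provide. The `request_client` and `filter_ps` selections referenced by the condition are defined outside this hunk.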