fix: filter fp found in testing

rules/windows/builtin/security/win_security_scheduled_task_deletion.yml

@@ -7,7 +7,7 @@ references:
     - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699
 author: David Strassegger, Tim Shelton
 date: 2021/01/22
-modified: 2022/05/16
+modified: 2023/01/20
 tags:
     - attack.execution
     - attack.privilege_escalation
@@ -16,13 +16,15 @@ tags:
 logsource:
     product: windows
     service: security
-    definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
+    definition: 'Requirements: The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
 detection:
     selection:
         EventID: 4699
-    falsepositive1:
-        TaskName: '\Microsoft\Windows\RemovalTools\MRT_ERROR_HB' # triggered by ParentCommandLine=C:\WINDOWS\system32\MRT.exe /EHB /HeartbeatFailure ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=SubmitHeartbeatReportData,Hr=0x80072f8f,Hr=0x80072f8f,Hr=0x80072f8f,Hr=0x80072f8f,Hr=0x80072f8f /HeartbeatError 0x80072f8f
-    condition: selection and not 1 of falsepositive*
+    filter_exact:
+        TaskName: '\Microsoft\Windows\RemovalTools\MRT_ERROR_HB' # Triggered by ParentCommandLine=C:\WINDOWS\system32\MRT.exe /EHB /HeartbeatFailure ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=SubmitHeartbeatReportData,Hr=0x80072f8f,Hr=0x80072f8f,Hr=0x80072f8f,Hr=0x80072f8f,Hr=0x80072f8f /HeartbeatError 0x80072f8f
+    filter_contains:
+        TaskName|contains: '\Mozilla\Firefox Default Browser Agent ' # Triggered by firefox updates
+    condition: selection and not 1 of filter_*
 falsepositives:
     - Software installation
 level: low

rules/windows/builtin/security/win_security_user_driver_loaded.yml

@@ -12,7 +12,7 @@ references:
     - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
 author: xknow (@xknow_infosec), xorxes (@xor_xes)
 date: 2019/04/08
-modified: 2023/01/18
+modified: 2023/01/20
 tags:
     - attack.defense_evasion
     - attack.t1562.001
@@ -45,6 +45,8 @@ detection:
             - '\procmon.exe'
             - '\Google\Chrome\Application\chrome.exe'
             - '\AppData\Local\Microsoft\Teams\current\Teams.exe'
+    filter_startswith:
+        ProcessName|startswith: 'C:\Program Files\WindowsApps\Microsoft'
     condition: selection_1 and not 1 of filter_*
 falsepositives:
     - Other legimate tools loading drivers. Including but not limited to, Sysinternals, CPU-Z, AVs etc. A baseline needs to be created according to the used products and allowed tools. A good thing to do is to try and exclude users who are allowed to load drivers.

rules/windows/file/file_event/file_event_win_susp_dropper.yml

@@ -6,7 +6,7 @@ references:
     - Malware Sandbox
 author: frack113
 date: 2022/03/09
-modified: 2023/01/18
+modified: 2023/01/20
 tags:
     - attack.resource_development
     - attack.t1587.001
@@ -66,6 +66,7 @@ detection:
         TargetFilename|endswith:
             - '\AppData\Local\Microsoft\Teams\stage\Teams.exe'
             - '\AppData\Local\Microsoft\Teams\stage\Squirrel.exe'
+            - '\AppData\Local\Microsoft\SquirrelTemp\tempb\'
     filter_mscorsvw:
         # Example:
         #   ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior

rules/windows/image_load/image_load_uipromptforcreds_dlls.yml

@@ -8,7 +8,7 @@ references:
     - https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020/10/20
-modified: 2022/10/24
+modified: 2023/01/20
 tags:
     - attack.credential_access
     - attack.collection
@@ -44,6 +44,7 @@ detection:
         Image|endswith:
             - '\AppData\Roaming\Spotify\Spotify.exe'
             - '\AppData\Local\Microsoft\Teams\current\Teams.exe'
+            - '\AppData\Local\Microsoft\Teams\stage\Teams.exe'
     filter_contains:
         Image|startswith: 'C:\Users\'
         Image|contains: '\AppData\Local\Microsoft\OneDrive\'

rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml

@@ -7,7 +7,7 @@ references:
     - https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
 author: bartblaze
 date: 2020/07/13
-modified: 2023/01/18
+modified: 2023/01/20
 tags:
     - attack.defense_evasion
     - attack.t1218
@@ -60,10 +60,13 @@ detection:
             - '20.189.'
             - '20.190.'
             - '20.191.'
+            - '23.79.'
+            - '51.10.'
             # Subnet: 51.103.210.0/23
             - '51.103.'
             - '51.104.'
             - '51.105.'
+            - '52.239.'
     condition: selection and not 1 of filter_*
 falsepositives:
     - Communication to other corporate systems that use IP addresses from public address spaces

rules/windows/network_connection/net_connection_win_powershell_network_connection.yml

@@ -6,7 +6,7 @@ references:
     - https://www.youtube.com/watch?v=DLtJTxMWZ2o
 author: Florian Roth
 date: 2017/03/13
-modified: 2022/07/14
+modified: 2023/01/20
 tags:
     - attack.execution
     - attack.t1059.001
@@ -20,7 +20,7 @@ detection:
             - '\pwsh.exe'
         Initiated: 'true'
         DestinationIsIpv6: 'false'
-    filter:
+    filter_internal_ip:
         DestinationIp|startswith:
             - '10.'
             - '192.168.'
@@ -44,7 +44,32 @@ detection:
         User|contains: # covers many language settings
             - 'AUTHORI'
             - 'AUTORI'
-    condition: selection and not filter
+    filter_ipv6:
+        DestinationIp|startswith:
+            - '::1'  # IPv6 loopback variant
+            - '0:0:0:0:0:0:0:1'  # IPv6 loopback variant
+            - 'fe80:'  # link-local address
+            - 'fc'  # private address range fc00::/7
+            - 'fd'  # private address range fc00::/7
+    filter_msrange:
+        DestinationIp|startswith:
+            # Subnet: 20.184.0.0/13
+            - '20.184.'
+            - '20.185.'
+            - '20.186.'
+            - '20.187.'
+            - '20.188.'
+            - '20.189.'
+            - '20.190.'
+            - '20.191.'
+            - '23.79.'
+            - '51.10.'
+            # Subnet: 51.103.210.0/23
+            - '51.103.'
+            - '51.104.'
+            - '51.105.'
+            - '52.239.'
+    condition: selection and not 1 of filter_*
 falsepositives:
     - Administrative scripts
     - Microsoft IP range

rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml

@@ -8,7 +8,7 @@ references:
     - https://dtm.uk/wuauclt/
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020/10/12
-modified: 2022/12/15
+modified: 2023/01/20
 tags:
     - attack.defense_evasion
     - attack.t1218
@@ -17,13 +17,29 @@ logsource:
     product: windows
 detection:
     selection:
-        Image|contains: wuauclt
+        Image|contains: 'wuauclt'
     # "C:\WINDOWS\uus\AMD64\wuauclt.exe" /DeploymentHandlerFullPath \\?\C:\Windows\UUS\AMD64\UpdateDeploy.dll /ClassId aaa256e1-5b21-4993-9188-18f07ccb3b98 /RunHandlerComServer
-    filter_ms_range:  # Sysmon
-        DestinationIp|startswith: '51.10'  # Microsoft Range
+    filter_msrange:  # Sysmon
+        DestinationIp|startswith:
+            # Subnet: 20.184.0.0/13
+            - '20.184.'
+            - '20.185.'
+            - '20.186.'
+            - '20.187.'
+            - '20.188.'
+            - '20.189.'
+            - '20.190.'
+            - '20.191.'
+            - '23.79.'
+            - '51.10.'
+            # Subnet: 51.103.210.0/23
+            - '51.103.'
+            - '51.104.'
+            - '51.105.'
+            - '52.239.'
     filter_cmdline:
         CommandLine|contains: '\UpdateDeploy.dll /ClassId '
-    condition: selection and not 1 of filter*
+    condition: selection and not 1 of filter_*
 falsepositives:
     - Legitimate use of wuauclt.exe over the network.
 level: medium

rules/windows/process_access/proc_access_win_invoke_patchingapi.yml

@@ -7,7 +7,7 @@ references:
     - https://twitter.com/D1rkMtr/status/1611471891193298944?s=20
 author: frack113
 date: 2023/01/07
-modified: 2023/01/18
+modified: 2023/01/20
 tags:
     - attack.defense_evasion
     - attack.t1562.002
@@ -37,13 +37,28 @@ detection:
     filter_githubdesktop:
         SourceImage|startswith: 'C:\Users\'
         SourceImage|contains: '\AppData\Local\GitHubDesktop\app-'
-        SourceImage|endswith: '\GitHubDesktop.exe'
+        SourceImage|endswith:
+            - '\GitHubDesktop.exe'
+            - '\resources\app\git\usr\bin\sh.exe'
         TargetImage|startswith: 'C:\Users\'
         TargetImage|contains: '\AppData\Local\GitHubDesktop\app-'
     filter_dotnet:
         SourceImage|startswith: 'C:\Windows\Microsoft.NET\Framework\v'
         SourceImage|endswith: '\NGenTask.exe'
         TargetImage: 'C:\Windows\Microsoft.NET\Framework\'
+    filter_teams_to_update:
+        SourceImage|startswith: 'C:\Users\'
+        SourceImage|endswith: '\AppData\Local\Microsoft\Teams\stage\Teams.exe'
+        TargetImage|startswith: 'C:\Users\'
+        TargetImage|endswith: '\AppData\Local\Microsoft\Teams\Update.exe'
+    filter_teams_update_regsvr32:
+        SourceImage|startswith: 'C:\Users\'
+        SourceImage|endswith: '\AppData\Local\Microsoft\Teams\Update.exe'
+        TargetImage: 'C:\WINDOWS\SysWOW64\regsvr32.exe'
+    filter_teams_update_to_teams:
+        SourceImage|startswith: 'C:\Users\'
+        SourceImage|endswith: '\AppData\Local\Microsoft\Teams\Update.exe'
+        TargetImage|endswith: '\AppData\Local\Microsoft\Teams\stage\Teams.exe'
     condition: selection and not 1 of filter_*
 falsepositives:
     - Unknown

rules/windows/process_creation/proc_creation_win_non_interactive_powershell.yml

@@ -1,12 +1,12 @@
-title: Non Interactive PowerShell
+title: Non Interactive PowerShell Process Spawned
 id: f4bbd493-b796-416e-bbf2-121235348529
 status: test
-description: Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.
+description: Detects non-interactive PowerShell activity by looking at powershell.exe with a non user process such as "explorer.exe" as a parent.
 references:
     - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
 author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
 date: 2019/09/12
-modified: 2022/11/08
+modified: 2023/01/20
 tags:
     - attack.execution
     - attack.t1059.001
@@ -15,13 +15,23 @@ logsource:
     product: windows
 detection:
     selection:
-        Image|endswith: '\powershell.exe'
+        - Image|endswith:
+            - '\powershell.exe'
+            - '\pwsh.exe'
+        - OriginalFileName:
+            - 'PowerShell.EXE'
+            - 'pwsh.dll'
     filter_generic:
         - ParentImage|endswith:
             - '\explorer.exe'
             - '\CompatTelRunner.exe'
         - ParentImage: 'C:\$WINDOWS.~BT\Sources\SetupHost.exe' # During Windows updates/upgrades
         # CommandLine: powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';
+    filter_vscode:
+        # Triggered by VsCode when you open a Shell inside the workspace
+        ParentImage|startswith: 'C:\Users\'
+        ParentImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
+        ParentCommandLine|contains: ' --ms-enable-electron-run-as-node '
     condition: selection and not 1 of filter_*
 falsepositives:
     - Legitimate programs executing PowerShell scripts