security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 45 Packages Projects Releases Wiki Activity

Merge PR #4994 from @djlukic - Multiple FP fixes

Browse Source 
update: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add additional filters for third party AV
update: Suspicious Non PowerShell WSMAN COM Provider - Add new filter to cover the edge case where the `HostApplication` field is null
update: Renamed Powershell Under Powershell Channel - Add new filter to cover the edge case where the `HostApplication` field is null

---------
 
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
This commit is contained in:
Djordje Lukic
2024-10-08 23:08:50 +02:00
committed by GitHub
parent 7ddc551605
commit f33530e756
3 changed files with 19 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
+6 -1
View File
@@ -11,7 +11,7 @@ references:
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-20
modified: 2024-08-29
modified: 2024-10-08
tags:
- attack.execution
logsource:
@@ -99,6 +99,11 @@ detection:
FileNameBuffer|endswith: '\Program Files\ESET\ESET Security\eamsi.dll'
filter_optional_comodo:
FileNameBuffer|endswith: '\Program Files\comodo\comodo internet security\amsiprovider_x64.dll'
filter_optional_sentinel_one:
# Example: program files\sentinelone\sentinel agent 23.4.4.223\inprocessclient64.dll
- FileNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent'
# Example: Program Files\SentinelOne\Sentinel Agent 23.4.4.223\SentinelAgent.exe
- ProcessNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Antivirus and other third party products are known to trigger this rule quite a lot. Initial filters and tuning is required before using this rule.
rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
+8 -2
View File
@@ -1,15 +1,17 @@
title: Renamed Powershell Under Powershell Channel
id: 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592
status: test
description: Detects renamed powershell
description: |
Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Harish Segar, frack113
date: 2020-06-29
modified: 2023-10-27
modified: 2024-10-08
tags:
- attack.execution
- attack.t1059.001
- attack.t1036.003
logsource:
product: windows
category: ps_classic_start
@@ -25,6 +27,10 @@ detection:
# In some cases powershell was invoked with inverted slashes
- 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
- 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
filter_main_host_application_null:
# Note: Since we're using the raw data field to match. There is no easy way to filter out cases where the "HostApplication" field is null (i.e doesn't exist). We're practically forced to use a regex.
# If you're already mapping and extracting the field, then obviously use that directly.
Data|re: 'HostId=[a-zA-Z0-9-]{36} EngineVersion='
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml
+5 -1
View File
@@ -8,7 +8,7 @@ references:
- https://github.com/bohops/WSMan-WinRM
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-24
modified: 2023-10-27
modified: 2024-10-08
tags:
- attack.execution
- attack.t1059.001
@@ -28,6 +28,10 @@ detection:
# In some cases powershell was invoked with inverted slashes
- 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
- 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
filter_main_host_application_null:
# Note: Since we're using the raw data field to match. There is no easy way to filter out cases where the "HostApplication" field is null (i.e doesn't exist). We're practically forced to use a regex.
# If you're already mapping and extracting the field, then obviously use that directly.
Data|re: 'HostId=[a-zA-Z0-9-]{36} EngineVersion='
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown