From 9d06c3cfe7b0e8b3293ec09f691f95d3641abeae Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Fri, 25 Feb 2022 16:17:01 +0000
Subject: [PATCH 1/3] Filters false positive from msiexec.exe
---
 .../proc_creation_win_run_executable_invalid_extension.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml b/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
index 393336942..00cb41176 100644
--- a/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/mrd0x/status/1481630810495139841?s=12
 author: Tim Shelton, Florian Roth
 date: 2022/01/13
-modified: 2022/01/27
+modified: 2022/02/25
 logsource:
 category: process_creation
 product: windows
@@ -21,6 +21,9 @@ detection:
 filter_iexplorer:
 ParentImage|endswith: ':\Program Files\Internet Explorer\iexplore.exe'
 CommandLine|contains: '.cpl'
+ filter_msiexec:
+ ParentImage|endswith: ':\Windows\SysWOW64\msiexec.exe'
+ CommandLine|beginswith: 'C:\Windows\syswow64\MsiExec.exe -Embedding'
 condition: selection and not 1 of filter*
 fields:
 - Image
From f6caaf795ae79004a0117180e65f828f2002f795 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Fri, 25 Feb 2022 16:32:33 +0000
Subject: [PATCH 2/3] oof, misspelled detection type
---
 .../proc_creation_win_run_executable_invalid_extension.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml b/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
index 00cb41176..5d459eb26 100644
--- a/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
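Review bot: The new `filter_msiexec` exclusion pairs a drive-agnostic parent pattern (`ParentImage|endswith: ':\Windows\SysWOW64\msiexec.exe'`) with a command line anchored on a hard-coded `C:` drive, so on hosts whose system drive is not C: the benign `-Embedding` child keeps alerting. Sigma string matching is case-insensitive by default, so the `SysWOW64`/`syswow64` spelling difference is harmless, but if the drive letter is not meant to be part of the exclusion, `CommandLine|contains: ':\Windows\syswow64\MsiExec.exe -Embedding'` would match the parent pattern's style at the cost of the start-of-line anchor. The exclusion keys only on the parent and the command line and leaves `Image` unconstrained, so it suppresses any child of 32-bit msiexec that carries this command line; pinning the image as well (for example `Image|endswith: '\MsiExec.exe'`, if that is compatible with `selection`, which lies outside this hunk) would narrow it to the intended msiexec-spawns-msiexec case. Only the `SysWOW64` binary is covered, so if the same benign pattern occurs under `System32\msiexec.exe` the rule will still fire there. If the rule has a `falsepositives` section it should gain an entry such as `- MsiExec.exe -Embedding COM server launched by a 32-bit msiexec.exe`; the modifier spelling used on this line is corrected by the last commit in the series.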
+++ b/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
@@ -23,7 +23,7 @@ detection:
 CommandLine|contains: '.cpl'
 filter_msiexec:
 ParentImage|endswith: ':\Windows\SysWOW64\msiexec.exe'
- CommandLine|beginswith: 'C:\Windows\syswow64\MsiExec.exe -Embedding'
+ CommandLine|beginwith: 'C:\Windows\syswow64\MsiExec.exe -Embedding'
 condition: selection and not 1 of filter*
 fields:
 - Image
From 6d29b4c4a5b2961c18c6ed02f73192f29d1e1aa3 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Fri, 25 Feb 2022 16:34:32 +0000
Subject: [PATCH 3/3] oof, misspelled detection type 2
---
 .../proc_creation_win_run_executable_invalid_extension.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml b/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
index 5d459eb26..013a9d11d 100644
--- a/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
@@ -23,7 +23,7 @@ detection:
 CommandLine|contains: '.cpl'
 filter_msiexec:
 ParentImage|endswith: ':\Windows\SysWOW64\msiexec.exe'
- CommandLine|beginwith: 'C:\Windows\syswow64\MsiExec.exe -Embedding'
+ CommandLine|startswith: 'C:\Windows\syswow64\MsiExec.exe -Embedding'
 condition: selection and not 1 of filter*
 fields:
 - Image