Merge pull request #2632 from SigmaHQ/aurora-false-positive-fixing

Aurora false positive fixing

rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml

@@ -14,16 +14,17 @@ detection:
   exec_selection:
     ParentImage|endswith: '\userinit.exe'
   exec_exclusion1:
-    Image|endswith:
+    Image|endswith: 
       - '\explorer.exe'
       - '\proquota.exe'
+    Image: 'explorer.exe'
   exec_exclusion2:
     CommandLine|contains:
       - 'netlogon*.bat'
       - 'UsrLogon.cmd'
   create_keywords_cli:
     CommandLine|contains: 'UserInitMprLogonScript'
-  condition: ( exec_selection and not exec_exclusion1 and not exec_exclusion2 ) or create_keywords_cli
+  condition: ( exec_selection and not 1 of exec_exclusion* ) or create_keywords_cli
 falsepositives:
   - exclude legitimate logon scripts
   - penetration tests, red teaming

rules/windows/registry_event/sysmon_registry_persistence_search_order.yml

@@ -7,7 +7,7 @@ references:
     - https://attack.mitre.org/techniques/T1546/015/
 author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
 date: 2020/04/14
-modified: 2022/01/19
+modified: 2022/02/01
 tags:
     - attack.persistence
     - attack.t1546.015
@@ -59,6 +59,10 @@ detection:
         - Image|endswith: '\MicrosoftEdgeUpdateComRegisterShell64.exe'
     filter_dx:
         Image: 'C:\WINDOWS\SYSTEM32\dxdiag.exe'
+    filter_other:
+        Details: 
+            - 'C:\Program Files\Mozilla Firefox\AccessibleHandler.dll'  # Firefox update
+            - 'C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll'  # Firefox update
     condition: selection and not 1 of filter*
 falsepositives:
     - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level