From 885651efaeabb3da410c3778dae2977c95b2db19 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 2 Feb 2022 20:39:47 +0100
Subject: [PATCH] fix: FPs noticed with Aurora
---
 .../sysmon_logon_scripts_userinitmprlogonscript_proc.yml | 5 +++--
 .../sysmon_registry_persistence_search_order.yml | 6 +++++-
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml b/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
index f56c4d87b..c6726f1bd 100644
--- a/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
+++ b/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
@@ -6,7 +6,7 @@ author: Tom Ueltschi (@c_APT_ure)
 references:
 - https://attack.mitre.org/techniques/T1037/
 date: 2019/01/12
-modified: 2021/11/29
+modified: 2022/02/02
 logsource:
 category: process_creation
 product: windows
@@ -15,13 +15,14 @@ detection:
 ParentImage|endswith: '\userinit.exe'
 exec_exclusion1:
 Image|endswith: '\explorer.exe'
+ Image: 'explorer.exe'
 exec_exclusion2:
 CommandLine|contains:
 - 'netlogon*.bat'
 - 'UsrLogon.cmd'
 create_keywords_cli:
 CommandLine|contains: 'UserInitMprLogonScript'
- condition: ( exec_selection and not exec_exclusion1 and not exec_exclusion2 ) or create_keywords_cli
+ condition: ( exec_selection and not 1 of exec_exclusion* ) or create_keywords_cli
 falsepositives:
 - exclude legitimate logon scripts
 - penetration tests, red teaming
diff --git a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
index 841bbd7e4..bc88da650 100644
--- a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
+++ b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
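Review bot: The added `Image: 'explorer.exe'` sits in the same mapping as `Image|endswith: '\explorer.exe'`, and Sigma ANDs the keys of one mapping, so exec_exclusion1 now requires a value that both ends with `\explorer.exe` and equals `explorer.exe`; no event satisfies that, which effectively disables the explorer.exe exclusion and should widen false positives rather than fix them. If the intent is to also cover sources that log a bare image name, the two matchers need to be alternatives: either turn exec_exclusion1 into a list of mappings (`- Image|endswith: '\explorer.exe'` / `- Image: 'explorer.exe'`), or add a separate `exec_exclusion3:` holding `Image: 'explorer.exe'`, which the new `1 of exec_exclusion*` condition already picks up. A one-line comment on exec_exclusion1 naming the log source that emits a bare `explorer.exe` would make the reason for the second matcher clear to maintainers. The exec_selection block this condition references starts before this hunk.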
@@ -7,7 +7,7 @@ references:
 - https://attack.mitre.org/techniques/T1546/015/
 author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
 date: 2020/04/14
-modified: 2022/01/19
+modified: 2022/02/01
 tags:
 - attack.persistence
 - attack.t1546.015
@@ -59,6 +59,10 @@ detection:
 - Image|endswith: '\MicrosoftEdgeUpdateComRegisterShell64.exe'
 filter_dx:
 Image: 'C:\WINDOWS\SYSTEM32\dxdiag.exe'
+ filter_other:
+ Details:
+ - 'C:\Program Files\Mozilla Firefox\AccessibleHandler.dll' # Firefox update
+ - 'C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll' # Firefox update
 condition: selection and not 1 of filter*
 falsepositives:
 - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level
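Review bot: filter_other keys on `Details` alone with the literal 64-bit install path, so a 32-bit Firefox under `C:\Program Files (x86)\Mozilla Firefox\` registers the same two DLLs and will keep alerting. If that layout is in scope, `Details|endswith:` with `'\Mozilla Firefox\AccessibleHandler.dll'` and `'\Mozilla Firefox\AccessibleMarshal.dll'` covers both installs at the cost of a slightly looser match; otherwise a comment on filter_other stating that only the default 64-bit path is excluded would set expectations. The filter also applies regardless of which Image wrote the value, which is a wider exclusion than the Image-keyed filters above it; if the exact DLL path is considered sufficient evidence, saying so in the existing `# Firefox update` comments would help the next reviewer. The detection block and the `selection` that the condition negates start before this hunk.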