From fefaa57d3c05da5f26b01df3e63597a637e7ff4b Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 3 Jan 2023 00:16:32 +0100
Subject: [PATCH] fix: FPs noticed in CI testing

---
 .../posh_ps_token_obfuscation.yml | 7 +++++--
 .../proc_creation_win_susp_cmd.yml | 15 ++++++++++++++-
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
index 2c1be97b9..0c4040836 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
@@ -9,6 +9,7 @@ references:
     - https://github.com/danielbohannon/Invoke-Obfuscation
 author: frack113
 date: 2022/12/27
+modified: 2023/01/03
 tags:
     - attack.defense_evasion
     - attack.t1027.009
@@ -25,8 +26,10 @@ detection:
         # ${e`Nv:pATh}
         - ScriptBlockText|re: '\w+\`(\w+|-|.)\`[\w+|\s]'
         #- ScriptBlockText|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme
-        - ScriptBlockText|re: '"({\d})+"\s*-f'
-        - ScriptBlockText|re: '\${((e|n|v)*`(e|n|v)*)+:path}|\${((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+}|\${env:((p|a|t|h)*`(p|a|t|h)*)+}'
+        - ScriptBlockText|re: '"(\{\d\})+"\s*-f'
+        - ScriptBlockText|re: '\$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\}'
+    filter:
+        - ScriptBlockText|contains: 'it will return true or false instead' # Chocolatey install script https://github.com/chocolatey/chocolatey
     condition: selection
 falsepositives:
     - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
index 5af183017..6308dd90f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
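Review bot: The new `filter` block is never evaluated, because the unchanged context line `condition: selection` does not reference it, so the Chocolatey false positive this commit targets will keep firing; change it to `condition: selection and not filter`. The fragment `'it will return true or false instead'` is a plain substring of the installer's script text, so the source should also be recorded under `falsepositives` (still `- Unknown`), e.g. `- Chocolatey install script`. Once the filter is active, a human-readable sentence is cheap for an attacker to append to an obfuscated script block, so a narrower anchor (a second stable fragment via `contains|all`) would be safer than a single phrase.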
@@ -6,7 +6,7 @@ references:
     - https://github.com/Wh04m1001/SysmonEoP
 author: frack113
 date: 2022/12/05
-modified: 2022/12/07
+modified: 2023/01/03
 tags:
     - attack.privilege_escalation
     - attack.defense_evasion
@@ -35,6 +35,19 @@ detection:
         ParentCommandLine|contains: '-m:appraiser.dll -f:DoScheduledTelemetryRun'
         OriginalFileName: 'PowerShell.EXE'
         CommandLine|contains: '-ExecutionPolicy Restricted -Command Write-Host'
+    filter_erl:
+        # Example:
+        # C:\Program Files\erl-23.2\erts-11.1.4\bin\erl.exe" -service_event ErlSrv_RabbitMQ -nohup -sname rabbit@localhost -s rabbit boot -boot start_sasl +W w +MBas ageffcbf +MHas ageffcbf +MBlmbcs 512 +MHlmbcs 512 +MMmcs 30 +P 1048576 +t 5000000 +stbt db +zdbbl 128000 +sbwt none +sbwtdcpu none +sbwtdio none -kernel inet_dist_listen_min 25672 -kernel inet_dist_listen_max 25672 -lager crash_log false -lager handlers []
+        ParentImage|startswith: 'C:\Program Files\erl-'
+        ParentImage|endswith: '\bin\erl.exe'
+    filter_vmware:
+        ParentImage: 'C:\Windows\System32\CompatTelRunner.exe'
+        CommandLine|contains: 'get-vmswitch '
+    filter_asgard:
+        ParentImage: 'C:\Windows\System32\asgard2-agent\bin\generic.exe'
+        CommandLine|contains|all:
+            - ' -taskid '
+            - ' -name asgard2-agent '
     condition: all of selection_* and not 1 of filter_*
 falsepositives:
     - Unknown
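Review bot: `filter_vmware` whitelists any child of CompatTelRunner.exe whose command line contains `get-vmswitch ` anywhere, so a command launched under that parent (or with a spoofed parent PID) is excluded simply by appending that token; the benign invocation is not shown in the hunk, so I would record it in a comment as `filter_erl` does and anchor on more of it, e.g. `CommandLine|contains|all:` with a second stable fragment. All three filters also rest on `ParentImage`, which is only as trustworthy as the parent-process telemetry, a caveat worth a one-line comment given the rule's reference is an EoP technique. The context line `- Unknown` under `falsepositives` is now out of date: the commit identifies three concrete sources and should list them, e.g. `- Erlang/RabbitMQ service (erl.exe)`, `- CompatTelRunner.exe appraiser runs calling Get-VMSwitch`, `- ASGARD agent tasks`. Get-VMSwitch appears to be a Hyper-V cmdlet rather than VMware tooling, so `filter_compattel` or `filter_hyperv` would name that filter more accurately than `filter_vmware`.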