From a231aa73b306a3330885d13af44f05a53e93d9e7 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 26 Aug 2021 13:33:25 +0200
Subject: [PATCH 1/2] fix: FPs with whoami rule and 4688 event IDs without parent info

---
 .../process_creation/win_susp_whoami_anomaly.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/win_susp_whoami_anomaly.yml b/rules/windows/process_creation/win_susp_whoami_anomaly.yml
index 621843776..123646b0f 100644
--- a/rules/windows/process_creation/win_susp_whoami_anomaly.yml
+++ b/rules/windows/process_creation/win_susp_whoami_anomaly.yml
@@ -7,6 +7,7 @@ references:
 - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
 author: Florian Roth
 date: 2021/08/12
+modified: 2021/08/26
 tags:
 - attack.discovery
 - attack.t1033
@@ -17,17 +18,22 @@ logsource:
 detection:
 selection:
 Image|endswith: '\whoami.exe'
- filter:
+ filter1:
 ParentImage|endswith:
 - '\cmd.exe'
 - '\powershell.exe'
+ filter2:
+ ParentImage:
+ - 'C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe'
+ - ''
+ - null
 selection_special:
 CommandLine|contains:
 - 'whoami -all'
 - 'whoami /all'
 - 'whoami.exe -all'
 - 'whoami.exe /all'
- condition: ( selection and not filter ) or selection_special
+ condition: ( selection and not filter1 and not filter2 ) or selection_special
 falsepositives:
 - Admin activity
 - Scripts and administrative tools used in the monitored environment

From 24d8701f15f4b771cf563657269acd8215994515 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 26 Aug 2021 13:54:18 +0200
Subject: [PATCH 2/2] fix: null cannot be used in a list with other values

---
 rules/windows/process_creation/win_susp_whoami_anomaly.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/win_susp_whoami_anomaly.yml b/rules/windows/process_creation/win_susp_whoami_anomaly.yml
index 123646b0f..f802e6ef6 100644
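Review bot: The `''` and `null` entries added under filter2 suppress every whoami.exe event whose ParentImage is empty or absent, so on a log source that does not carry parent information (the 4688-without-parent case the subject names) the `selection and not filter1 and not filter2` branch can never fire and only selection_special remains; nothing in the rule records that coverage loss, and the second patch keeps the same exclusion when it moves the null case into filter3. Since the description field is outside this hunk, the falsepositives list at the end of the hunk is the visible place to state it, e.g. `- Log sources that do not populate ParentImage are only covered by the whoami /all branch`. The exact full-path match for MonitoringHost.exe is deliberately narrower than filter1's `|endswith` and is the right choice for an exclusion, since a suffix match would let any binary of that name in any directory slip past the rule.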
--- a/rules/windows/process_creation/win_susp_whoami_anomaly.yml
+++ b/rules/windows/process_creation/win_susp_whoami_anomaly.yml
@@ -26,14 +26,15 @@ detection:
 ParentImage:
 - 'C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe'
 - ''
- - null
+ filter3:
+ ParentImage: null
 selection_special:
 CommandLine|contains:
 - 'whoami -all'
 - 'whoami /all'
 - 'whoami.exe -all'
 - 'whoami.exe /all'
- condition: ( selection and not filter1 and not filter2 ) or selection_special
+ condition: ( selection and not filter1 and not filter2 and not filter3 ) or selection_special
 falsepositives:
 - Admin activity
 - Scripts and administrative tools used in the monitored environment
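Review bot: The new condition enumerates each exclusion by name, `not filter1 and not filter2 and not filter3`, and this is the second commit in a row that had to edit this line just to register another filter; Sigma's quantifier form `condition: ( selection and not 1 of filter* ) or selection_special` covers all three and any later `filter*` block without touching the condition again. Splitting the absent-field case into filter3 with `ParentImage: null` is the correct way to express it once a bare null can no longer sit in filter2's value list, but the remaining `''` entry in filter2 and the null in filter3 are now two halves of one exclusion, so a short comment above filter2 such as `# filter2/filter3: parent is known-benign, empty, or not logged at all` would keep a later editor from dropping one without the other.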