From a22fef872399b5aff2e216420e4604827835fa79 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 1 Aug 2022 18:16:08 +0200
Subject: [PATCH] [Rule Tuning] Suspicious Process Access via Direct System Call (#2204)

Excluding some FPs by calltrace.
---
 ...picious_process_access_direct_syscall.toml | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
index 29c368ade..4ee06986d 100644
--- a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
+++ b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/11"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/07/30"
 
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,22 @@ process where event.code == "10" and
   length(winlog.event_data.CallTrace) > 0 and
 
   /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */
-  not winlog.event_data.CallTrace : ("?:\\WINDOWS\\SYSTEM32\\ntdll.dll*", "?:\\WINDOWS\\SysWOW64\\ntdll.dll*")
+  not winlog.event_data.CallTrace :
+        ("?:\\WINDOWS\\SYSTEM32\\ntdll.dll*",
+         "?:\\WINDOWS\\SysWOW64\\ntdll.dll*",
+         "?:\\Windows\\System32\\wow64cpu.dll*",
+         "?:\\WINDOWS\\System32\\wow64win.dll*",
+         "?:\\Windows\\System32\\win32u.dll*") and
+
+  not winlog.event_data.TargetImage :
+        ("?:\\Program Files (x86)\\Malwarebytes Anti-Exploit\\mbae-svc.exe",
+         "?:\\Program Files\\Cisco\\AMP\\*\\sfc.exe",
+         "?:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\*\\msedgewebview2.exe",
+         "?:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\*\\AcroCEF.exe") and
+
+  not (process.executable : ("?:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe",
+                             "?:\\Program Files (x86)\\World of Warcraft\\_classic_\\WowClassic.exe") and
+       not winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe")
 '''
 
 
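Review bot: The new source-process exclusion for `Acrobat.exe` and `WowClassic.exe` is keyed only on `process.executable`, so code injected into either process, or a binary dropped at that path, can make direct-syscall process accesses against anything except `lsass.exe` without firing the rule; the `TargetImage` exclusions likewise suppress every source process that opens `mbae-svc.exe`, `sfc.exe`, `msedgewebview2.exe` or `AcroCEF.exe`. Sysmon event 10 carries no signer information, so a `process.code_signature` condition is presumably not available here, but the trade-off should be recorded in the rule and the source-process carve-out narrowed to the targets those applications are actually observed opening, if telemetry supports that, rather than "everything but lsass". The comment above the CallTrace list still says "instead of ntdll" although `wow64cpu.dll`, `wow64win.dll` and `win32u.dll` are now accepted as the first frame too; suggest `/* Sysmon CallTrace starting with an unknown memory module instead of ntdll (or the WoW64/win32u syscall stubs) which host Windows NT syscalls */`. The `query` string this hunk edits begins before the hunk.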