From 1f99eb0d23db005354ffe10da04cd97d4868ef54 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Tue, 29 Apr 2025 21:48:58 +0200
Subject: [PATCH] fix(rules): Reduce false positives
Reduce false positives in various rules by adding exceptions for process executables or file paths.
---
 ...ail_access_file_access_to_sam_database.yml | 5 +++--
 ...tial_access_potential_sam_hive_dumping.yml | 20 ++++++++-----------
 ...ccess_suspicious_vault_client_dll_load.yml | 12 +++++++----
 ...t_assembly_loaded_by_unmanaged_process.yml | 8 ++++++--
 ...e_evasion_hidden_registry_key_creation.yml | 11 ++++++++--
 ...s_injection_via_tainted_memory_section.yml | 13 +++++++++---
 ...ss_execution_from_self_deleting_binary.yml | 18 ++++++++---------
 ...on_suspicious_access_to_the_hosts_file.yml | 6 ++++--
 ..._dll_loaded_via_memory_section_mapping.yml | 10 ++++++++--
 ...spicious_object_symbolic_link_creation.yml | 8 ++++++--
 ...signed_dll_injection_via_remote_thread.yml | 4 +++-
 ...dll_loaded_by_microsoft_office_process.yml | 7 +++++--
 12 files changed, 78 insertions(+), 44 deletions(-)
diff --git a/rules/credentail_access_file_access_to_sam_database.yml b/rules/credentail_access_file_access_to_sam_database.yml
index 291f3241b..d9fd3de8a 100644
--- a/rules/credentail_access_file_access_to_sam_database.yml
+++ b/rules/credentail_access_file_access_to_sam_database.yml
@@ -1,6 +1,6 @@
 name: File access to SAM database
 id: e3dace20-4962-4381-884e-40dcdde66626
-version: 1.0.2
+version: 1.0.3
 description: |
 Identifies access to the Security Account Manager on-disk database.
 labels:
@@ -28,7 +28,8 @@ condition: >
 (
 '?:\\Program Files\\*',
 '?:\\Program Files (x86)\\*',
- '?:\\Windows\\System32\\lsass.exe'
+ '?:\\Windows\\System32\\lsass.exe',
+ '?:\\Windows\\System32\\srtasks.exe'
 )
 min-engine-version: 2.4.0
diff --git a/rules/credential_access_potential_sam_hive_dumping.yml b/rules/credential_access_potential_sam_hive_dumping.yml
index ff34b041f..48079940d 100644
--- a/rules/credential_access_potential_sam_hive_dumping.yml
+++ b/rules/credential_access_potential_sam_hive_dumping.yml
@@ -1,6 +1,6 @@
 name: Potential SAM hive dumping
 id: 2f326557-0291-4eb1-a87a-7a17b7d941cb
-version: 1.0.3
+version: 1.0.4
 description: Identifies access to the Security Account Manager registry hives.
 labels:
@@ -22,18 +22,11 @@ condition: >
 |spawn_process and not (ps.exe imatches ( '?:\\Program Files\\*.exe',
- '?:\\Program Files (x86)\\*.exe'
+ '?:\\Program Files (x86)\\*.exe',
+ '?:\\Windows\\System32\\svchost.exe'
 ) or
- (ps.child.exe imatches '?:\\Windows\\System32\\svchost.exe' and ps.child.args intersects ('-k', 'DcomLaunch'))
- or
- (ps.child.cmdline imatches '?:\\Windows\\System32\\svchost.exe -k defragsvc')
- or
- (ps.child.cmdline imatches '?:\\Windows\\System32\\svchost.exe -k netsvcs -p -s BITS')
- or
- (ps.child.cmdline imatches '?:\\Windows\\System32\\svchost.exe -k wusvcs -p -s WaaSMedicSvc')
- or
- (ps.child.cmdline imatches '?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe ExecuteQueuedItems /LegacyServiceBehavior')
+ (ps.child.cmdline imatches '"?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior')
 )
 | by ps.child.uuid
 |open_registry
@@ -70,7 +63,10 @@ condition: >
 '?:\\Windows\\System32\\lpremove.exe',
 '?:\\Windows\\System32\\LogonUI.exe',
 '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe',
- '?:\\Windows\\System32\\ApplicationFrameHost.exe'
+ '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MpDefenderCoreService.exe',
+ '?:\\Windows\\System32\\ApplicationFrameHost.exe',
+ '?:\\Windows\\System32\\wbem\\WMIADAP.exe',
+ '?:\\Windows\\System32\\cleanmgr.exe'
 )
 | by ps.uuid
diff --git a/rules/credential_access_suspicious_vault_client_dll_load.yml b/rules/credential_access_suspicious_vault_client_dll_load.yml
index 4c7d9e25c..7681838b0 100644
--- a/rules/credential_access_suspicious_vault_client_dll_load.yml
+++ b/rules/credential_access_suspicious_vault_client_dll_load.yml
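Review bot: Adding `'?:\\Windows\\System32\\svchost.exe'` to the `ps.exe imatches` list of the spawn_process leg exempts every process whose parent is any svchost.exe instance, whereas the removed svchost lines only exempted cases where the spawned process itself was svchost.exe running a specific service group (`-k DcomLaunch`, `defragsvc`, `netsvcs -p -s BITS`, `wusvcs -p -s WaaSMedicSvc`). Scheduled-task, DCOM/WMI-launched and service-hosted children all have svchost.exe as parent, so their subsequent SAM hive reads now never enter the sequence, which is a sizeable coverage loss for a credential-access rule. If a few service groups produced the noise, keep the parent match but bind it to the command line the way the removed lines did, e.g. `(ps.exe imatches '?:\\Windows\\System32\\svchost.exe' and ps.cmdline imatches '?:\\Windows\\System32\\svchost.exe -k DcomLaunch*')` with the group(s) actually observed. The hidden registry key creation rule adds the same unscoped parent exemption via `ps.parent.exe not imatches ('?:\\WINDOWS\\System32\\svchost.exe')` and would benefit from the same scoping.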
@@ -1,6 +1,6 @@
 name: Suspicious Vault client DLL load
 id: 64af2e2e-2309-4079-9c0f-985f1dd930f5
-version: 1.0.0
+version: 1.0.1
 description: |
 Identifies loading of the Vault client DLL by an unusual process. Adversaries can abuse the functions provided by the Credential Vault Client Library to enumerate or harvest saved credentials.
@@ -42,11 +42,15 @@ condition: >
 or
 (ps.exe imatches ('?:\\Program Files\\WindowsApps\\Microsoft.*.exe', '?:\\Windows\\Microsoft.NET\\Framework*\\NGenTask.exe'))
 or
- (ps.child.exe imatches '?:\\WINDOWS\\System32\\svchost.exe' and ps.child.args intersects ('-k', 'wusvcs', '-p', '-s', 'WaaSMedicSvc'))
+ (ps.child.exe imatches '?:\\WINDOWS\\system32\\BackgroundTaskHost.exe' and ps.child.args imatches ('-ServerName:*'))
 or
- (ps.child.exe imatches '?:\\WINDOWS\\System32\\svchost.exe' and ps.child.args intersects ('-k', 'netsvcs', '-p', '-s', 'TokenBroker'))
+ (ps.child.exe imatches '?:\\Windows\\System32\\SecurityHealth\\*\\SecurityHealthHost.exe')
 or
- (ps.child.exe imatches '?:\\WINDOWS\\system32\\BackgroundTaskHost.exe' and ps.child.args not in ('-ServerName:BackgroundTaskHost.WebAccountProvider'))
+ (ps.child.exe imatches '?:\\WINDOWS\\uus\\*\\MoUsoCoreWorker.exe')
+ or
+ (ps.exe imatches '?:\\Windows\\System32\\services.exe')
+ or
+ (ps.exe imatches '?:\\Program Files\\Microsoft OneDrive\\OneDriveStandaloneUpdater.exe')
 )
 | by ps.child.uuid
 |load_dll and image.name ~= 'vaultcli.dll'| by ps.uuid
diff --git a/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml b/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml
index db370af9c..88f353d77 100644
--- a/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml
+++ b/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml
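Review bot: `(ps.exe imatches '?:\\Windows\\System32\\services.exe')` is a parent-side match in a leg keyed `by ps.child.uuid`, and because services.exe is the parent of every service process it exempts all service executables — Microsoft or third-party, signed or not — from the `vaultcli.dll` load check, far wider than the `ps.child.exe` branches around it. Name the child that produced the false positive instead, as the other branches do, e.g. `(ps.child.exe imatches '<service image path seen in the false positive>')`, or pair the parent match with a `ps.child.exe` pattern. Separately, the BackgroundTaskHost branch moved from exempting everything except `-ServerName:BackgroundTaskHost.WebAccountProvider` to exempting every `-ServerName:*` invocation, so the one case that was deliberately kept is now dropped too; if that is intended, a note in the rule's description would record it.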
@@ -1,6 +1,6 @@
 name: .NET assembly loaded by unmanaged process
 id: 34be8bd1-1143-4fa8-bed4-ae2566b1394a
-version: 1.0.5
+version: 1.0.6
 description: |
 Identifies the loading of the .NET assembly by an unmanaged process. Adversaries can load the CLR runtime inside unmanaged process and execute the assembly via the ICLRRuntimeHost::ExecuteInDefaultAppDomain method.
@@ -30,7 +30,11 @@ condition: >
 ps.exe not imatches
 (
 '?:\\Program Files\\WindowsApps\\*\\CrossDeviceService.exe',
- '?:\\Windows\\Microsoft.NET\\Framework\\*\\mscorsvw.exe'
+ '?:\\Program Files\\WindowsApps\\*\\WidgetService.exe',
+ '?:\\Program Files\\WindowsApps\\*\\PhoneExperienceHost.exe',
+ '?:\\Program Files\\WindowsApps\\*\\WindowsSandboxServer.exe',
+ '?:\\Program Files\\Conexant\\SAII\\SmartAudio.exe',
+ '?:\\Windows\\Microsoft.NET\\Framework*\\mscorsvw.exe'
 )
 output: >
diff --git a/rules/defense_evasion_hidden_registry_key_creation.yml b/rules/defense_evasion_hidden_registry_key_creation.yml
index 03d530fe6..ac2464ead 100644
--- a/rules/defense_evasion_hidden_registry_key_creation.yml
+++ b/rules/defense_evasion_hidden_registry_key_creation.yml
@@ -1,6 +1,6 @@
 name: Hidden registry key creation
 id: 65deda38-9b1d-42a0-9f40-a68903e81b49
-version: 1.1.3
+version: 1.1.4
 description: |
 Identifies the creation of a hidden registry key. Adversaries can utilize the native NtSetValueKey API to create a hidden registry key and conceal payloads
@@ -29,7 +29,14 @@ condition: >
 '?:\\Windows\\System32\\sppsvc.exe',
 '?:\\Windows\\System32\\compattelrunner.exe',
 '?:\\Windows\\explorer.exe',
- '?:\\Windows\\System32\\lsass.exe'
+ '?:\\Windows\\System32\\lsass.exe',
+ '?:\\Windows\\System32\\svchost.exe'
+ )
+ and
+ ps.parent.exe not imatches
+ (
+ '?:\\WINDOWS\\uus\\*\\wuaucltcore.exe',
+ '?:\\WINDOWS\\System32\\svchost.exe'
 )
 output:
>
diff --git a/rules/defense_evasion_potential_process_injection_via_tainted_memory_section.yml b/rules/defense_evasion_potential_process_injection_via_tainted_memory_section.yml
index bab944faa..b57d05593 100644
--- a/rules/defense_evasion_potential_process_injection_via_tainted_memory_section.yml
+++ b/rules/defense_evasion_potential_process_injection_via_tainted_memory_section.yml
@@ -1,6 +1,6 @@
 name: Potential process injection via tainted memory section
 id: 8e4182f3-02e7-4e95-afc3-93d18c9a9c09
-version: 1.0.2
+version: 1.0.3
 description: |
 Identifies potential process injection when the adversary creates and maps a memory section with RW protection rights followed by mapping of the same memory section in
@@ -28,14 +28,21 @@ condition: >
 '?:\\Program Files (x86)\\*.exe',
 '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe',
 '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\NisSrv.exe',
+ '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MpDefenderCoreService.exe',
 '?:\\WINDOWS\\System32\\csrss.exe',
 '?:\\WINDOWS\\Explorer.exe',
 '?:\\WINDOWS\\System32\\svchost.exe',
 '?:\\WINDOWS\\System32\\lsass.exe',
- '?:\\WINDOWS\\System32\\SecurityHealthService.exe'
+ '?:\\WINDOWS\\System32\\SecurityHealthService.exe',
+ '?:\\WINDOWS\\System32\\services.exe'
 )
 | as e1
- |map_view_of_section and file.view.protection = 'READONLY|EXECUTE' and file.key = $e1.file.key and kevt.pid != $e1.kevt.pid|
+ |map_view_of_section and file.view.protection = 'READONLY|EXECUTE' and file.key = $e1.file.key and kevt.pid != $e1.kevt.pid and ps.exe not imatches
+ (
+ '?:\\Program Files\\Mozilla Firefox\\firefox.exe',
+ '?:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe'
+ )
+ |
 action:
 - name: kill
diff --git a/rules/defense_evasion_process_execution_from_self_deleting_binary.yml b/rules/defense_evasion_process_execution_from_self_deleting_binary.yml
index 4e55f2011..da42abcd4 100644
--- a/rules/defense_evasion_process_execution_from_self_deleting_binary.yml
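Review bot: The new `ps.exe not imatches (...firefox.exe)` clause on the map_view_of_section leg constrains only the mapping process, not the creator captured in `e1`, so a `READONLY|EXECUTE` mapping into Firefox of a section created by some unrelated process — the exact pattern the rule's description targets — is now excluded along with Firefox's own section sharing. A narrower carve-out would require both legs to be Firefox, e.g. by also comparing against the first leg (`ps.exe = $e1.ps.exe`, if the engine allows referencing `ps` fields of `e1` the way it references `$e1.file.key`) or by matching `ps.parent.exe` on the second leg. Since this rule carries a `kill` action, the accuracy of the exemption matters in both directions. The `services.exe` addition to the creator list is a path-only exemption consistent with the entries around it.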
+++ b/rules/defense_evasion_process_execution_from_self_deleting_binary.yml
@@ -1,6 +1,6 @@
 name: Process execution from a self-deleting binary
 id: 0f0da517-b22c-4d14-9adc-36baeb621cf7
-version: 1.0.3
+version: 1.0.4
 description: |
 Identifies the execution of the process from a self-deleting binary. The attackers can abuse undocumented API functions to create a process from a file-backed section. The file
@@ -22,18 +22,16 @@ condition: >
 maxspan 1m
 |delete_file and file.info.is_disposition_delete_file and
- ps.exe not imatches
+ ps.exe not imatches
 (
 '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe',
- '?:\\WINDOWS\\uus\\packages\\preview\\*\\wuaucltcore.exe'
+ '?:\\WINDOWS\\uus\\packages\\preview\\*\\wuaucltcore.exe',
+ '?:\\WINDOWS\\uus\\packages\\preview\\*\\MoUsoCoreWorker.exe',
+ '?:\\WINDOWS\\System32\\svchost.exe',
+ '?:\\WINDOWS\\winsxs\\*\\TiWorker.exe'
 )
- and
- ps.cmdline not imatches
- (
- '?:\\Windows\\system32\\svchost.exe -k wsappx -p -s AppXSvc'
- )
- and
- file.path not imatches
+ and
+ file.path not imatches
 (
 '?:\\Windows\\SoftwareDistribution\\Download\\*',
 '?:\\Windows\\uus\\packages\\preview\\*'
diff --git a/rules/defense_evasion_suspicious_access_to_the_hosts_file.yml b/rules/defense_evasion_suspicious_access_to_the_hosts_file.yml
index 0aca5c822..5d894c9e0 100644
--- a/rules/defense_evasion_suspicious_access_to_the_hosts_file.yml
+++ b/rules/defense_evasion_suspicious_access_to_the_hosts_file.yml
@@ -1,6 +1,6 @@
 name: Suspicious access to the hosts file
 id: f7b2c9d3-99e7-41d5-bb4a-6ea1a5f7f9e2
-version: 1.0.1
+version: 1.0.2
 description: >
 Identifies suspicious process accessing the Windows hosts file for potential tampering. Adversaries can hijack the hosts files to block traffic to download/update servers or redirect the
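Review bot: The removed `ps.cmdline not imatches ('?:\\Windows\\system32\\svchost.exe -k wsappx -p -s AppXSvc')` block was scoped to the AppX deployment service, but its replacement — `'?:\\WINDOWS\\System32\\svchost.exe'` in the `ps.exe not imatches` list — exempts every svchost-hosted service from the delete_file leg of this sequence. Keeping the cmdline-scoped form, extended with whatever additional `-s <service>` values were noisy, preserves the rule for the remaining service groups; the same unscoped entry is added to the `ps.exe not imatches` list of the hidden registry key creation rule. The condition continues past the end of the hunk (the `file.path not imatches` list is cut off), so the later legs are not visible here. The whitespace-only churn on the `ps.exe not imatches`, `and` and `file.path not imatches` lines hides the functional change and could be split out.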
@@ -23,7 +23,9 @@ condition: >
 '?:\\Windows\\servicing\\TrustedInstaller.exe',
 '?:\\Windows\\System32\\svchost.exe',
 '?:\\Windows\\System32\\MicrosoftEdgeUpdate.exe',
- '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'
+ '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe',
+ '?:\\Program Files\\Mozilla Firefox\\firefox.exe',
+ '?:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe'
 )
 | by ps.child.uuid
 |open_file and file.path imatches '?:\\Windows\\System32\\drivers\\etc\\hosts'| by ps.uuid
diff --git a/rules/defense_evasion_suspicious_dll_loaded_via_memory_section_mapping.yml b/rules/defense_evasion_suspicious_dll_loaded_via_memory_section_mapping.yml
index 74dbd3499..5b463ff25 100644
--- a/rules/defense_evasion_suspicious_dll_loaded_via_memory_section_mapping.yml
+++ b/rules/defense_evasion_suspicious_dll_loaded_via_memory_section_mapping.yml
@@ -1,6 +1,6 @@
 name: Suspicious DLL loaded via memory section mapping
 id: b06653fb-227e-4e63-9a69-55a5a90c79e5
-version: 1.0.0
+version: 1.0.1
 description: |
 Identifies the mapping of a memory section with RX protection followed by unsigned DLL loading. Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses
@@ -21,7 +21,13 @@ condition: >
 sequence
 maxspan 2m by ps.uuid
- |map_view_of_section and file.view.protection = 'READONLY|EXECUTE' and kevt.pid != 4 and file.view.size >= 4096|
+ |map_view_of_section and file.view.protection = 'READONLY|EXECUTE' and kevt.pid != 4 and file.view.size >= 4096
+ and
+ ps.exe not imatches
+ (
+ '?:\\Program Files\\Mozilla Firefox\\firefox.exe'
+ )
+ |
 |(load_unsigned_or_untrusted_dll)|
 action:
 - name: kill
diff --git a/rules/defense_evasion_suspicious_object_symbolic_link_creation.yml b/rules/defense_evasion_suspicious_object_symbolic_link_creation.yml
index 3e4803d66..367b49b37 100644
--- a/rules/defense_evasion_suspicious_object_symbolic_link_creation.yml
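Review bot: The two Firefox entries land in the spawn_process leg, which is keyed `by ps.child.uuid`, so they exempt any process that Firefox launches — its sandbox children, but equally anything a user opens from the browser — from the subsequent hosts-file access check, rather than exempting Firefox's own accesses. `msedge.exe` was already listed the same way, so this follows the file's existing style; if the noise is specifically Firefox's content or utility children, adding a `ps.child.exe imatches` match on firefox.exe alongside the parent match would keep the exemption to that case. The enclosing `ps.exe not imatches` list opens above the hunk.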
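Review bot: The Firefox exemption on the map_view_of_section leg lists only `'?:\\Program Files\\Mozilla Firefox\\firefox.exe'`, while the same commit lists both the `Program Files` and `Program Files (x86)` paths in the tainted memory section and hosts file rules, so a 32-bit Firefox install keeps producing the false positive this change is meant to remove; add `'?:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe'` for consistency. Because the sequence is keyed `by ps.uuid`, exempting Firefox from the first leg also removes its unsigned DLL loads from the second leg entirely, which is probably the intended trade-off for a rule with a `kill` action but deserves a sentence in the description.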
+++ b/rules/defense_evasion_suspicious_object_symbolic_link_creation.yml
@@ -1,6 +1,6 @@
 name: Suspicious object symbolic link creation
 id: f9306355-1f5f-4a06-9779-195aa681db80
-version: 1.0.1
+version: 1.0.2
 description: |
 Identifies the creation of the object symbolic link inside the object manager namespace by untrusted or unusual processes.
@@ -26,9 +26,13 @@ condition: >
 '?:\\WINDOWS\\system32\\svchost.exe',
 '?:\\Program Files\\*',
 '?:\\Program Files (x86)\\*',
- '?:\\Windows\\System32\\vmwp.exe'
+ '?:\\Windows\\System32\\vmwp.exe',
+ '?:\\Windows\\System32\\spoolsv.exe',
+ '?:\\Windows\\System32\\csrss.exe'
 )
 )
+ and
+ kevt.arg[target] not imatches '\\Sessions\\*\\AppContainerNamedObjects\\*'
 output: >
 Suspicious object symbolic link %kevt.arg[target] created by process %ps.exe
diff --git a/rules/defense_evasion_unsigned_dll_injection_via_remote_thread.yml b/rules/defense_evasion_unsigned_dll_injection_via_remote_thread.yml
index d15efb0fc..fd27e6af3 100644
--- a/rules/defense_evasion_unsigned_dll_injection_via_remote_thread.yml
+++ b/rules/defense_evasion_unsigned_dll_injection_via_remote_thread.yml
@@ -1,6 +1,6 @@
 name: Unsigned DLL injection via remote thread
 id: 21bdd944-3bda-464b-9a72-58fd37ba9163
-version: 1.1.1
+version: 1.1.2
 description: |
 Identifies unsigned DLL injection via remote thread creation. Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses
@@ -42,6 +42,8 @@ condition: >
 '?:\\Program Files\\WindowsPowerShell\\Modules\\*\\*.dll',
 '?:\\Windows\\Microsoft.NET\\assembly\\*\\*.dll'
 )
+ and
+ ps.exe not imatches '?:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\Updates\\*\\OfficeClickToRun.exe'
 | by ps.pid
 min-engine-version: 2.4.0
diff --git a/rules/initial_access_suspicious_dll_loaded_by_microsoft_office_process.yml b/rules/initial_access_suspicious_dll_loaded_by_microsoft_office_process.yml
index 4edb570f4..1c58c599f 100644
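Review bot: `'?:\\Windows\\System32\\spoolsv.exe'` is a path-only exemption for a process that loads third-party print monitors and processors, so object symbolic links created by any code running inside the spooler are no longer observed; when the noise comes from a specific link target, the new `kevt.arg[target] not imatches` form is the better tool and keeps the spooler itself in scope. Conversely, the `'\\Sessions\\*\\AppContainerNamedObjects\\*'` target exemption applies regardless of the creating process, so links created under an AppContainer namespace by otherwise untrusted processes are now excluded as well; anchoring it to the process that generated the noise (a `ps.exe` match in the same `and`) would keep that coverage. `csrss.exe` as a path-only entry is in keeping with the existing list.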
--- a/rules/initial_access_suspicious_dll_loaded_by_microsoft_office_process.yml
+++ b/rules/initial_access_suspicious_dll_loaded_by_microsoft_office_process.yml
@@ -1,6 +1,6 @@
 name: Suspicious DLL loaded by Microsoft Office process
 id: 5868518c-2a83-4b26-ad4b-f14f0b85e744
-version: 1.0.0
+version: 1.0.1
 description: Identifies loading of recently dropped DLL by Microsoft Office process.
 labels:
@@ -17,7 +17,10 labels:
 condition: >
 sequence
 maxspan 1h
- |create_file and (file.extension iin module_extensions or file.is_dll) and ps.name iin msoffice_binaries| by file.name
+ |create_file and (file.extension iin module_extensions or file.is_dll) and ps.name iin msoffice_binaries
+ and
+ file.path not imatches '?:\\Program Files\\Microsoft Office\\Root\\Office*\\*.dll'
+ | by file.name
 |load_module and ps.name iin msoffice_binaries| by image.name
 min-engine-version: 2.0.0
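Review bot: `file.path not imatches '?:\\Program Files\\Microsoft Office\\Root\\Office*\\*.dll'` only covers a 64-bit Office install; the 32-bit layout under `Program Files (x86)` is left out, unlike the Firefox exemptions elsewhere in this commit that list both roots. The list form used in the other rules handles it: `file.path not imatches ('?:\\Program Files\\Microsoft Office\\Root\\Office*\\*.dll', '?:\\Program Files (x86)\\Microsoft Office\\Root\\Office*\\*.dll')`. Since the first leg is joined `by file.name` and the second `by image.name`, the exemption removes the create_file side only, so a DLL an Office process writes under its own install root and later loads is no longer paired; that directory is normally writable by administrators only, which is presumably the accepted trade-off, and a sentence in the description would record it.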