Commit

fix: FPs with different rules
Neo23x0 committed Nov 20, 2021
1 parent 1cfca93 commit 1fffb57
Showing 3 changed files with 9 additions and 4 deletions.
3 changes: 2 additions & 1 deletion rules/windows/builtin/win_av_relevant_match.yml
Expand Up @@ -4,7 +4,7 @@ description: This detection method points out highly relevant Antivirus events
status: experimental
author: Florian Roth
date: 2017/02/19
modified: 2021/07/28
modified: 2021/11/20
logsource:
product: windows
service: application
Expand Down Expand Up @@ -33,6 +33,7 @@ detection:
filter:
- "Keygen"
- "Crack"
- "wincredui"
condition: keywords and not filter
falsepositives:
- Some software piracy tools (key generators, cracks) are classified as hack tools
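Review bot: the new filter entry "wincredui" is an unanchored keyword like "Keygen" and "Crack", so with `condition: keywords and not filter` any Antivirus event whose text contains that string anywhere is dropped, not only the specific detection that caused the false positive. If the FP came from a particular path or detection name, prefer that more specific string, and add a line to the `falsepositives` list describing it, since the list currently only mentions piracy tools.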
7 changes: 5 additions & 2 deletions rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml
Expand Up @@ -3,7 +3,7 @@ id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
description: Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.
status: experimental
date: 2020/10/20
modified: 2021/11/16
modified: 2021/11/20
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.credential_access
Expand All @@ -25,7 +25,10 @@ detection:
- 'credui.dll'
- 'wincredui.dll'
filter:
Image: 'C:\Windows\System32\Taskmgr.exe'
Image:
- 'C:\Windows\System32\Taskmgr.exe'
- 'C:\Windows\System32\consent.exe'
- 'C:\Windows\explorer.exe'
condition: selection and not filter
falsepositives:
- other legitimate processes loading those DLLs in your environment.
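Review bot: adding 'C:\Windows\explorer.exe' to the `Image` filter removes coverage for one of the processes most commonly used as an injection host, so a credui.dll / wincredui.dll load triggered by injected code in explorer.exe will no longer match. Consider tightening the filter with additional fields (for example restricting the excluded images to loads of signed Microsoft DLLs, where the log source provides signature fields) and extending the `falsepositives` entry to name consent.exe and explorer.exe explicitly.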
Expand Up @@ -3,7 +3,7 @@ id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39
description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
status: experimental
date: 2019/10/27
modified: 2021/10/21
modified: 2021/11/20
author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
references:
- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
Expand Down Expand Up @@ -44,6 +44,7 @@ detection:
- '\Windows\System32\sdiagnhost.exe'
- '\procexp64.exe'
- '\procexp.exe'
- '\Microsoft VS Code\Code.exe'
condition: selection1 or selection2 or selection3 and not filter
fields:
- ComputerName
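Review bot: the new '\Microsoft VS Code\Code.exe' filter entry may not suppress the false positive at all, because in `condition: selection1 or selection2 or selection3 and not filter` the `and` binds tighter than `or`, so this reads as `selection1 or selection2 or (selection3 and not filter)` and the filter only applies to selection3. Suggest `condition: (selection1 or selection2 or selection3) and not filter` so that every exclusion in the list applies to all three selections.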
0 comments on commit 1fffb57