From 1fffb57df0d899cc97c36e0468a1d222c931530a Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 20 Nov 2021 11:33:43 +0100 Subject: [PATCH] fix: FPs with different rules --- rules/windows/builtin/win_av_relevant_match.yml | 3 ++- rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml | 7 +++++-- .../process_access/sysmon_in_memory_assembly_execution.yml | 3 ++- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/rules/windows/builtin/win_av_relevant_match.yml b/rules/windows/builtin/win_av_relevant_match.yml index e799e1e1a1e..a7a05dbb716 100644 --- a/rules/windows/builtin/win_av_relevant_match.yml +++ b/rules/windows/builtin/win_av_relevant_match.yml @@ -4,7 +4,7 @@ description: This detection method points out highly relevant Antivirus events status: experimental author: Florian Roth date: 2017/02/19 -modified: 2021/07/28 +modified: 2021/11/20 logsource: product: windows service: application @@ -33,6 +33,7 @@ detection: filter: - "Keygen" - "Crack" + - "wincredui" condition: keywords and not filter falsepositives: - Some software piracy tools (key generators, cracks) are classified as hack tools diff --git a/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml b/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml index d5513ece839..01624cd4f8e 100644 --- a/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml +++ b/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml @@ -3,7 +3,7 @@ id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784 description: Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it. status: experimental date: 2020/10/20 -modified: 2021/11/16 +modified: 2021/11/20 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.credential_access 
@@ -25,7 +25,10 @@ detection: - 'credui.dll' - 'wincredui.dll' filter: - Image: 'C:\Windows\System32\Taskmgr.exe' + Image: + - 'C:\Windows\System32\Taskmgr.exe' + - 'C:\Windows\System32\consent.exe' + - 'C:\Windows\explorer.exe' condition: selection and not filter falsepositives: - other legitimate processes loading those DLLs in your environment. diff --git a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml index 888b15eb66b..b17f30b121f 100755 --- a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml +++ b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml @@ -3,7 +3,7 @@ id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39 description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious. status: experimental date: 2019/10/27 -modified: 2021/10/21 +modified: 2021/11/20 author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro references: - https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/ 
@@ -44,6 +44,7 @@ detection: - '\Windows\System32\sdiagnhost.exe' - '\procexp64.exe' - '\procexp.exe' + - '\Microsoft VS Code\Code.exe' condition: selection1 or selection2 or selection3 and not filter fields: - ComputerName
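Review bot: the new `"wincredui"` entry in the `filter:` list of rules/windows/builtin/win_av_relevant_match.yml (hunk @@ -33,6) is a bare keyword, so with `condition: keywords and not filter` any antivirus event whose text contains that substring anywhere is suppressed, not only the benign detection of wincredui.dll this change is meant to silence. Consider anchoring the exclusion to the full path of the DLL (as the existing "Keygen"/"Crack" entries are at least tied to the piracy-tool case named in `falsepositives:`) and adding a matching line under `falsepositives:`, which this hunk leaves unchanged.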
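Review bot: the two paths added to the `Image:` filter in rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml (hunk @@ -25,7) exclude every load of credui.dll or wincredui.dll by consent.exe and explorer.exe, and explorer.exe in particular is a long-lived user-session process that is a common host for injected code, so a credential prompt raised from inside it will no longer match. If the noise comes from ordinary shell and UAC activity, say so in `falsepositives:` (still only "other legitimate processes loading those DLLs in your environment.") and, where the Sysmon configuration permits, prefer a narrower exclusion than the loading image alone.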
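Review bot: the `'\Microsoft VS Code\Code.exe'` entry added to `filter` in rules/windows/process_access/sysmon_in_memory_assembly_execution.yml (hunk @@ -44,6) only takes effect for selection3, because the unchanged `condition: selection1 or selection2 or selection3 and not filter` binds `and` tighter than `or` and therefore reads as `selection1 or selection2 or (selection3 and not filter)`. If the VS Code false positive is produced by selection1 or selection2 it will still fire; suggest `condition: (selection1 or selection2 or selection3) and not filter` so the whole filter list applies uniformly. Minor: the file header shows this rule still carries mode 100755, which a YAML rule file does not need.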