From 7e0c5f953f252cb22dc1675ddf73718719b2a362 Mon Sep 17 00:00:00 2001 From: rabbitstack Date: Thu, 13 Feb 2025 17:04:58 +0100 Subject: [PATCH] fix(rules): Add exclusions to reduce false positives --- ...tial_access_potential_sam_hive_dumping.yml | 12 +++++++-- ...t_assembly_loaded_by_unmanaged_process.yml | 5 ++-- ...ss_execution_from_self_deleting_binary.yml | 26 +++++++++++++++---- ...signed_dll_injection_via_remote_thread.yml | 10 ++++--- 4 files changed, 40 insertions(+), 13 deletions(-) diff --git a/rules/credential_access_potential_sam_hive_dumping.yml b/rules/credential_access_potential_sam_hive_dumping.yml index 82c81e218..ba9cb4a9e 100644 --- a/rules/credential_access_potential_sam_hive_dumping.yml +++ b/rules/credential_access_potential_sam_hive_dumping.yml @@ -1,6 +1,6 @@ name: Potential SAM hive dumping id: 2f326557-0291-4eb1-a87a-7a17b7d941cb -version: 1.0.1 +version: 1.0.2 description: Identifies access to the Security Account Manager registry hives. labels: @@ -25,7 +25,15 @@ condition: > '?:\\Program Files (x86)\\*.exe' ) or - (ps.exe imatches 'C:\\Windows\\System32\\svchost.exe' and ps.args iin ('-k', 'DcomLaunch')) + (ps.child.exe imatches '?:\\Windows\\System32\\svchost.exe' and ps.child.args intersects ('-k', 'DcomLaunch')) + or + (ps.child.cmdline imatches '?:\\Windows\\System32\\svchost.exe -k defragsvc') + or + (ps.child.cmdline imatches '?:\\Windows\\System32\\svchost.exe -k netsvcs -p -s BITS') + or + (ps.child.cmdline imatches '?:\\Windows\\System32\\svchost.exe -k wusvcs -p -s WaaSMedicSvc') + or + (ps.child.cmdline imatches '?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe ExecuteQueuedItems /LegacyServiceBehavior') ) | by ps.child.uuid |open_registry diff --git a/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml b/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml index 8209cd503..732d76539 100644 --- a/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml 
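Review bot: The four new `ps.child.cmdline imatches` exclusions are keyed on the command line alone, whereas the rewritten svchost exclusion directly above them pairs `ps.child.exe` with `ps.child.args`; the command-line string is whatever was supplied at process creation rather than a property of the image on disk, so an exclusion that matches only on it is weaker than one anchored to the executable path. Pairing each pattern with the image path keeps the false-positive reduction while closing that gap, e.g. `(ps.child.exe imatches '?:\\Windows\\System32\\svchost.exe' and ps.child.cmdline imatches '?:\\Windows\\System32\\svchost.exe -k defragsvc')`, and likewise `ps.child.exe imatches '?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe'` for the NGEN entry. The same command-line-only anchoring appears in the `ps.cmdline` exclusions added to defense_evasion_process_execution_from_self_deleting_binary.yml and defense_evasion_unsigned_dll_injection_via_remote_thread.yml in this patch. The enclosing `condition` block starts before this hunk.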
+++ b/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml @@ -1,6 +1,6 @@ name: .NET assembly loaded by unmanaged process id: 34be8bd1-1143-4fa8-bed4-ae2566b1394a -version: 1.0.3 +version: 1.0.4 description: | Identifies the loading of the .NET assembly by an unmanaged process. Adversaries can load the CLR runtime inside unmanaged process and execute the assembly via the ICLRRuntimeHost::ExecuteInDefaultAppDomain method. @@ -31,7 +31,8 @@ condition: > not ps.exe imatches ( - '?:\\Program Files\\WindowsApps\\*\\CrossDeviceService.exe' + '?:\\Program Files\\WindowsApps\\*\\CrossDeviceService.exe', + '?:\\Windows\\Microsoft.NET\\Framework\\*\\mscorsvw.exe' ) output: > diff --git a/rules/defense_evasion_process_execution_from_self_deleting_binary.yml b/rules/defense_evasion_process_execution_from_self_deleting_binary.yml index 2a311f341..7a3c5aade 100644 --- a/rules/defense_evasion_process_execution_from_self_deleting_binary.yml +++ b/rules/defense_evasion_process_execution_from_self_deleting_binary.yml @@ -1,6 +1,6 @@ name: Process execution from a self-deleting binary id: 0f0da517-b22c-4d14-9adc-36baeb621cf7 -version: 1.0.1 +version: 1.0.2 description: | Identifies the execution of the process from a self-deleting binary. The attackers can abuse undocumented API functions to create a process from a file-backed section. The file 
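Review bot: The added `mscorsvw.exe` exclusion covers only the `Microsoft.NET\\Framework\\*` tree; on 64-bit hosts the same native-image service also runs from `Microsoft.NET\\Framework64\\*\\mscorsvw.exe`, which this pattern does not match, so the false positive is likely to persist there. If both are intended, a second entry `'?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe'` next to the new line closes it; the `ngen.exe` patterns added in the first and fourth files of this patch have the same `Framework`-only scope. The enclosing `condition` block starts before this hunk.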
@@ -20,13 +20,29 @@ references: condition: > sequence maxspan 1m - |delete_file + |delete_file and file.info.is_disposition_delete_file + and + not + ps.exe imatches + ( + '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe', + '?:\\WINDOWS\\uus\\packages\\preview\\*\\wuaucltcore.exe' + ) and - file.info.is_disposition_delete_file + not + ps.cmdline imatches + ( + '?:\\Windows\\system32\\svchost.exe -k wsappx -p -s AppXSvc' + ) and - not file.name imatches '?:\\Windows\\SoftwareDistribution\\Download\\*' + not + file.path imatches + ( + '?:\\Windows\\SoftwareDistribution\\Download\\*', + '?:\\Windows\\uus\\packages\\preview\\*' + ) | by file.name - |load_module| by image.name + |load_module and ext(image.path) != '.dll'| by image.name output: > Process %2.image.path spawned from self-deleting binary diff --git a/rules/defense_evasion_unsigned_dll_injection_via_remote_thread.yml b/rules/defense_evasion_unsigned_dll_injection_via_remote_thread.yml index 64309f6bc..d04dbe71e 100644 --- a/rules/defense_evasion_unsigned_dll_injection_via_remote_thread.yml +++ b/rules/defense_evasion_unsigned_dll_injection_via_remote_thread.yml @@ -1,6 +1,6 @@ name: Unsigned DLL injection via remote thread id: 21bdd944-3bda-464b-9a72-58fd37ba9163 -version: 1.0.1 +version: 1.0.2 description: | Identifies unsigned DLL injection via remote thread creation. Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses 
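Review bot: The new `ext(image.path) != '.dll'` filter on the `load_module` step is a case-sensitive comparison against a lowercase literal, while every other path test in this condition uses the case-insensitive `imatches`; unless `ext()` normalises case, an image whose extension is spelled `.DLL` would pass the filter, which is inconsistent with the rest of the rule. If `imatches` accepts a pattern without wildcards, `not ext(image.path) imatches '.dll'` keeps the step case-insensitive; otherwise a short comment on that line stating that `ext()` returns a lowercased extension would record the assumption the filter relies on. The restructured `not ps.exe imatches (...)` / `not file.path imatches (...)` lists read well, but the hunk does not say why `wuaucltcore.exe` is excluded by `ps.exe` while the same `uus\\packages\\preview` tree is also excluded by `file.path`; one comment such as `# Windows Update (UUS) staging drops and removes its own binaries` above the list would make the pairing deliberate. The `condition` block begins before this hunk.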
@@ -28,13 +28,15 @@ condition: > '?:\\Program Files (x86)\\*.exe' ) or - (ps.exe imatches 'C:\\Windows\\System32\\svchost.exe' and ps.args iin ('-k', 'DcomLaunch')) + (ps.exe imatches 'C:\\Windows\\System32\\svchost.exe' and ps.args intersects ('-k', 'DcomLaunch')) + or + (ps.cmdline imatches '?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe ExecuteQueuedItems /LegacyServiceBehavior') ) | by thread.pid |(load_unsigned_or_untrusted_dll) and not - image.name imatches + image.path imatches ( '?:\\Program Files\\Git\\mingw64\\bin\\*.dll', '?:\\Windows\\assembly\\*\\*.ni.dll', @@ -43,4 +45,4 @@ condition: > ) | by ps.pid -min-engine-version: 2.0.0 +min-engine-version: 2.4.0
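Review bot: `min-engine-version` is raised to 2.4.0 in this file, in the same patch that switches the rule from `iin` to `intersects`, but credential_access_potential_sam_hive_dumping.yml makes the same `iin` → `intersects` switch (and moves to `ps.child.*` fields) with no corresponding bump visible in its hunks; if `intersects` or the `ps.child` fields are what require 2.4.0, that rule should carry the same `min-engine-version: 2.4.0` trailer. The operator change also alters scope: `ps.args iin ('-k', 'DcomLaunch')` was true whenever any argument was in the set, which `-k` satisfies for every svchost host, so if `intersects` instead requires all listed values to be present this hunk narrows the exclusion from all service groups to DcomLaunch only, and the commit message should say so. The `image.name` → `image.path` change is consistent with the directory-qualified patterns in the list below it. The `condition` block starts before this hunk.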