Merge PR SigmaHQ#4560 from @nasbench - Fix FP Found In Testing & Othe…

…r Rule Updates

fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Enhance filter to account for an FP found with MS edge
fix: Files With System Process Name In Unsuspected Locations - Enhance filter to cover other folder variation for windows recovery
fix: Portable Gpg.EXE Execution - Add new legitimate location for GNuGpg
fix: Suspicious WmiPrvSE Child Process - Add a filter for msiexec image used to install new MSI packages via WMI process
update: ISO Image Mounted - Update title and add new filter
update: Potential NT API Stub Patching - Enhance the selection coverage by removing the "C:" prefix to cover other installation possibilities
update: Remote Thread Creation Via PowerShell - Update selection to use endswith modifier for better coverage
update: Remote Thread Creation Via PowerShell In Potentially Suspicious Target - Update title and add a "regsvr32" as a new additional process to increase coverage
update: Suspicious Whoami.EXE Execution - Enhance the selection by using a * wildcard to account for the order and avoid FPs
update: WMI Module Loaded By Non Uncommon Process - Enhance selection by making the System folders filter use a "contains" instead of an exact match

---------

Co-authored-by: phantinuss <[email protected]>

rules-emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml

@@ -20,22 +20,19 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection_pattern:
+    selection_specific_pattern:
         CommandLine|contains:
             - 'wevtutil cl Application & fsutil usn deletejournal /D C:'
             - 'dllhost.dat %WINDIR%\ransoms'
-    selection_rundll32_dash1:
+    selection_rundll32:
         Image|endswith: '\rundll32.exe'
         CommandLine|endswith:
             - '.dat,#1'
             - '.dat #1' # Sysmon removes comma
             - '.zip.dll",#1'
     selection_perfc_keyword:
         - '\perfc.dat'
-    condition: 1 of selection*
-fields:
-    - CommandLine
-    - ParentCommandLine
+    condition: 1 of selection_*
 falsepositives:
     - Unknown
 level: critical

rules/windows/builtin/security/win_security_scheduled_task_deletion.yml → rules-threat-hunting/windows/builtin/security/win_security_scheduled_task_deletion.yml

@@ -13,6 +13,7 @@ tags:
     - attack.privilege_escalation
     - car.2013-08-001
     - attack.t1053.005
+    - detection.threat_hunting
 logsource:
     product: windows
     service: security

rules/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml → rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml

@@ -9,10 +9,11 @@ references:
     - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: Nikita Nazarov, oscd.community
 date: 2020/10/06
-modified: 2023/03/28
+modified: 2023/11/10
 tags:
     - attack.execution
     - attack.t1059.001
+    - detection.threat_hunting
 logsource:
     product: windows
     category: create_remote_thread
@@ -22,7 +23,7 @@ detection:
             - '\powershell.exe'
             - '\pwsh.exe'
     filter_main_compattelrunner:
-        SourceParentImage: 'C:\Windows\System32\CompatTelRunner.exe'
+        SourceParentImage|endswith: ':\Windows\System32\CompatTelRunner.exe'
     condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unknown

rules/windows/file/file_event/file_event_win_scheduled_task_creation.yml → rules-threat-hunting/windows/file/file_event/file_event_win_scheduled_task_creation.yml

@@ -14,6 +14,7 @@ tags:
     - attack.t1053.005
     - attack.s0111
     - car.2013-08-001
+    - detection.threat_hunting
 logsource:
     product: windows
     category: file_event

rules/windows/image_load/image_load_dll_system_drawing_load.yml → rules-threat-hunting/windows/image_load/image_load_dll_system_drawing_load.yml

@@ -11,6 +11,7 @@ modified: 2023/02/22
 tags:
     - attack.collection
     - attack.t1113
+    - detection.threat_hunting
 logsource:
     product: windows
     category: image_load

rules/windows/registry/registry_event/registry_event_scheduled_task_creation.yml → rules-threat-hunting/windows/registry/registry_event/registry_event_scheduled_task_creation.yml

@@ -14,6 +14,7 @@ tags:
     - attack.s0111
     - attack.t1053.005
     - car.2013-08-001
+    - detection.threat_hunting
 logsource:
     product: windows
     category: registry_event
@@ -24,5 +25,5 @@ detection:
             - '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
     condition: selection
 falsepositives:
-    - Normal behaviour on Windows
+    - Likely as this is a normal behaviour on Windows
 level: low

rules/windows/builtin/security/win_security_iso_mount.yml

@@ -1,15 +1,15 @@
-title: ISO Image Mount
+title: ISO Image Mounted
 id: 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073
 status: test
-description: Detects the mount of ISO images on an endpoint
+description: Detects the mount of an ISO image on an endpoint
 references:
     - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
     - https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages
     - https://twitter.com/MsftSecIntel/status/1257324139515269121
     - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
 author: Syed Hasan (@syedhasan009)
 date: 2021/05/29
-modified: 2022/10/05
+modified: 2023/11/09
 tags:
     - attack.initial_access
     - attack.t1566.001
@@ -23,9 +23,12 @@ detection:
         ObjectServer: 'Security'
         ObjectType: 'File'
         ObjectName|startswith: '\Device\CdRom'
-    filter:
-        ObjectName: '\Device\CdRom0\setup.exe'
-    condition: selection and not filter
+    filter_main_generic:
+        ObjectName:
+            - '\Device\CdRom0\autorun.ico'
+            - '\Device\CdRom0\setup.exe'
+            - '\Device\CdRom0\setup64.exe'
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - Software installation ISO files
 level: medium

rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml

@@ -1,15 +1,15 @@
-title: Remote Thread Creation Via PowerShell In Rundll32
+title: Remote Thread Creation Via PowerShell In Potentially Suspicious Target
 id: 99b97608-3e21-4bfe-8217-2a127c396a0e
 related:
     - id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
       type: similar
 status: experimental
-description: Detects the creation of a remote thread from a Powershell process in a rundll32 process
+description: Detects the creation of a remote thread from a Powershell process in a potentially suspicious target process
 references:
     - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
 author: Florian Roth (Nextron Systems)
 date: 2018/06/25
-modified: 2023/03/28
+modified: 2023/11/10
 tags:
     - attack.defense_evasion
     - attack.execution
@@ -23,8 +23,11 @@ detection:
         SourceImage|endswith:
             - '\powershell.exe'
             - '\pwsh.exe'
-        TargetImage|endswith: '\rundll32.exe'
+        TargetImage|endswith:
+            # Note: Please add additonal potential interesting targets to increase coverage
+            - '\rundll32.exe'
+            - '\regsvr32.exe'
     condition: selection
 falsepositives:
     - Unknown
-level: high
+level: medium

rules/windows/file/file_event/file_event_win_creation_system_file.yml

@@ -4,7 +4,7 @@ status: test
 description: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).
 author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
 date: 2020/05/26
-modified: 2023/10/18
+modified: 2023/11/10
 tags:
     - attack.defense_evasion
     - attack.t1036.005
@@ -123,7 +123,8 @@ detection:
         TargetFilename|endswith: '\SecurityHealthSystray.exe'
         Image|endswith: '\SecurityHealthSetup.exe'
     filter_main_wuaucltcore:
-        Image|endswith: ':\Windows\uus\AMD64\wuaucltcore.exe'
+        Image|contains: ':\Windows\uus\'
+        Image|endswith: '\wuaucltcore.exe'
         TargetFilename|contains: ':\$WinREAgent\'
     condition: selection and not 1 of filter_main_*
 falsepositives:

rules/windows/image_load/image_load_wmi_module_load_by_uncommon_process.yml

@@ -6,7 +6,7 @@ references:
     - https://threathunterplaybook.com/hunts/windows/190811-WMIModuleLoad/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
 date: 2019/08/10
-modified: 2023/08/08
+modified: 2023/11/07
 tags:
     - attack.execution
     - attack.t1047
@@ -25,41 +25,15 @@ detection:
             - '\WMINet_Utils.dll'
             - '\wmiprov.dll'
             - '\wmiutils.dll'
-    filter_optional_generic:
+    filter_main_generic:
         Image|contains:
             - ':\Microsoft\Teams\current\Teams.exe'
             - ':\Microsoft\Teams\Update.exe'
             - ':\Windows\\explorer.exe'
             - ':\Windows\Sysmon.exe'
             - ':\Windows\Sysmon64.exe'
-            - ':\Windows\System32\CompatTelRunner.exe'
-            - ':\Windows\System32\DeviceCensus.exe'
-            - ':\Windows\System32\dfsrs.exe'
-            - ':\Windows\System32\dispdiag.exe'
-            - ':\Windows\System32\dxdiag.exe'
-            - ':\Windows\System32\gpresult.exe'
-            - ':\Windows\System32\logman.exe'
-            - ':\Windows\System32\MoUsoCoreWorker.exe'  # c:\windows\System32\MoUsoCoreWorker.exe on win10 20H04 at least
-            - ':\Windows\System32\sdiagnhost.exe'
-            - ':\Windows\System32\SecurityHealthService.exe'
-            - ':\Windows\System32\ServerManager.exe'
-            - ':\Windows\System32\SIHClient.exe'
-            - ':\Windows\System32\svchost.exe'
-            - ':\Windows\System32\systeminfo.exe'
-            - ':\Windows\System32\taskhostw.exe'  # c:\windows\system32\taskhostw.exe
-            - ':\Windows\System32\tasklist.exe'
-            - ':\Windows\System32\vds.exe'
-            - ':\Windows\System32\wbem\unsecapp.exe'
-            - ':\Windows\System32\wbem\WMIADAP.exe'  # https://github.com/SigmaHQ/sigma/issues/1871
-            - ':\Windows\System32\wbem\WmiApSrv.exe'
-            - ':\Windows\System32\wbem\WMIC.exe'
-            - ':\Windows\System32\wbem\WmiPrvSE.exe'
-            - ':\Windows\SysWOW64\explorer.exe'
-            - ':\Windows\SysWOW64\logman.exe'
-            - ':\Windows\SysWOW64\sdiagnhost.exe'
-            - ':\Windows\SysWOW64\svchost.exe'
-            - ':\Windows\SysWOW64\systeminfo.exe'
-            - ':\Windows\SysWOW64\wbem\WmiPrvSE.exe'
+            - ':\Windows\System32\'
+            - ':\Windows\SysWOW64\'
     filter_optional_other:
         Image|endswith:
             - '\WindowsAzureGuestAgent.exe'
@@ -79,7 +53,7 @@ detection:
         Image|contains:
             - ':\Program Files\'
             - ':\Program Files (x86)\'
-    condition: selection and not 1 of filter_optional_*
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Unknown
 level: low

rules/windows/process_access/proc_access_win_invoke_patchingapi.yml

@@ -7,7 +7,7 @@ references:
     - https://twitter.com/D1rkMtr/status/1611471891193298944?s=20
 author: frack113
 date: 2023/01/07
-modified: 2023/01/25
+modified: 2023/11/09
 tags:
     - attack.defense_evasion
     - attack.t1562.002
@@ -20,59 +20,58 @@ detection:
         CallTrace|startswith: 'C:\Windows\SYSTEM32\ntdll.dll+'
         CallTrace|contains: '|UNKNOWN('
         CallTrace|endswith: ')'
-    filter_generic:
+    filter_main_generic:
         # To avoid FP with installed applications. This filter assumes that if an application is located here. The attacker has already achieved admin rights
-        - SourceImage|startswith:
-              - 'C:\Program Files\'
-              - 'C:\Program Files (x86)\'
-              - 'C:\Windows\System32\'
-              - 'C:\Windows\SysWOW64\'
-        - TargetImage|startswith:
-              - 'C:\Program Files\'
-              - 'C:\Program Files (x86)\'
-              - 'C:\Windows\System32\'
-              - 'C:\Windows\SysWOW64\'
-    filter_thor:
-        SourceImage|startswith: 'C:\Windows\Temp\asgard2-agent\'
-        SourceImage|endswith: '\thor64.exe'
-    filter_githubdesktop:
-        SourceImage|startswith: 'C:\Users\'
-        SourceImage|contains: '\AppData\Local\GitHubDesktop\app-'
+        - SourceImage|contains:
+              - ':\Program Files\'
+              - ':\Program Files (x86)\'
+              - ':\Windows\System32\'
+              - ':\Windows\SysWOW64\'
+        - TargetImage|contains:
+              - ':\Program Files\'
+              - ':\Program Files (x86)\'
+              - ':\Windows\System32\'
+              - ':\Windows\SysWOW64\'
+    filter_optional_thor:
+        SourceImage|endswith:
+            - '\thor.exe'
+            - '\thor64.exe'
+    filter_optional_githubdesktop:
+        SourceImage|contains|all:
+            - ':\Users\'
+            - '\AppData\Local\GitHubDesktop\app-'
         SourceImage|endswith:
             - '\GitHubDesktop.exe'
             - '\resources\app\git\usr\bin\sh.exe'
-        TargetImage|startswith: 'C:\Users\'
-        TargetImage|contains: '\AppData\Local\GitHubDesktop\app-'
-    filter_dotnet:
-        SourceImage|startswith:
-            - 'C:\Windows\Microsoft.NET\Framework\v'
-            - 'C:\Windows\Microsoft.NET\Framework64\v'
+        TargetImage|contains|all:
+            - ':\Users\'
+            - '\AppData\Local\GitHubDesktop\app-'
+    filter_main_dotnet:
+        SourceImage|contains:
+            - ':\Windows\Microsoft.NET\Framework\v'
+            - ':\Windows\Microsoft.NET\Framework64\v'
         SourceImage|endswith: '\NGenTask.exe'
-        TargetImage|startswith:
-            - 'C:\Windows\Microsoft.NET\Framework\v'
-            - 'C:\Windows\Microsoft.NET\Framework64\v'
-    filter_taskhost:
-        SourceImage:
-            - 'C:\WINDOWS\system32\taskhostw.exe'
-            - 'C:\Windows\system32\taskhost.exe'
-        TargetImage|startswith:
-            - 'C:\Windows\Microsoft.NET\Framework\v'
-            - 'C:\Windows\Microsoft.NET\Framework64\v'
+        TargetImage|contains:
+            - ':\Windows\Microsoft.NET\Framework\v'
+            - ':\Windows\Microsoft.NET\Framework64\v'
+    filter_main_taskhost:
+        SourceImage|contains:
+            - ':\WINDOWS\system32\taskhostw.exe'
+            - ':\Windows\system32\taskhost.exe'
+        TargetImage|contains:
+            - ':\Windows\Microsoft.NET\Framework\v'
+            - ':\Windows\Microsoft.NET\Framework64\v'
         TargetImage|endswith: '\NGenTask.exe'
-    filter_teams_to_update:
-        SourceImage|startswith: 'C:\Users\'
+    filter_optional_teams_to_update:
         SourceImage|endswith: '\AppData\Local\Microsoft\Teams\stage\Teams.exe'
-        TargetImage|startswith: 'C:\Users\'
         TargetImage|endswith: '\AppData\Local\Microsoft\Teams\Update.exe'
-    filter_teams_update_regsvr32:
-        SourceImage|startswith: 'C:\Users\'
+    filter_optional_teams_update_regsvr32:
         SourceImage|endswith: '\AppData\Local\Microsoft\Teams\Update.exe'
-        TargetImage: 'C:\WINDOWS\SysWOW64\regsvr32.exe'
-    filter_teams_update_to_teams:
-        SourceImage|startswith: 'C:\Users\'
+        TargetImage|endswith: ':\WINDOWS\SysWOW64\regsvr32.exe'
+    filter_optional_teams_update_to_teams:
         SourceImage|endswith: '\AppData\Local\Microsoft\Teams\Update.exe'
         TargetImage|endswith: '\AppData\Local\Microsoft\Teams\stage\Teams.exe'
-    condition: selection and not 1 of filter_*
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Unknown
 level: medium

rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml

@@ -8,6 +8,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2023/08/06
+modified: 2023/11/10
 tags:
     - attack.impact
     - attack.t1486
@@ -23,8 +24,9 @@ detection:
         - Description: 'GnuPG’s OpenPGP tool'
     filter_main_legit_location:
         Image|contains:
-            - ':\Program Files (x86)\GnuPG\bin\'
             - ':\Program Files (x86)\GNU\GnuPG\bin\'
+            - ':\Program Files (x86)\GnuPG VS-Desktop\'
+            - ':\Program Files (x86)\GnuPG\bin\'
             - ':\Program Files (x86)\Gpg4win\bin\'
     condition: selection and not 1 of filter_main_*
-level: high
+level: medium