Merge PR #4545 from @nasbench - Fix False Positives

fix: Creation of an Executable by an Executable
fix: Import New Module Via PowerShell CommandLine
fix: File or Folder Permissions Modifications
fix: Process Terminated Via Taskkill

---------

Co-authored-by: phantinuss <[email protected]>

rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml

@@ -6,7 +6,7 @@ references:
     - Malware Sandbox
 author: frack113
 date: 2022/03/09
-modified: 2023/09/06
+modified: 2023/11/06
 tags:
     - attack.resource_development
     - attack.t1587.001
@@ -19,47 +19,47 @@ detection:
         Image|endswith: '.exe'
         TargetFilename|endswith: '.exe'
     filter_main_generic_1:
-        Image:
-            - 'C:\Windows\System32\msiexec.exe'
-            - 'C:\Windows\system32\cleanmgr.exe'
-            - 'C:\Windows\explorer.exe'
-            - 'C:\WINDOWS\system32\dxgiadaptercache.exe'
-            - 'C:\WINDOWS\system32\Dism.exe'
-            - 'C:\Windows\System32\wuauclt.exe'
+        Image|endswith:
+            - ':\Windows\System32\msiexec.exe'
+            - ':\Windows\system32\cleanmgr.exe'
+            - ':\Windows\explorer.exe'
+            - ':\WINDOWS\system32\dxgiadaptercache.exe'
+            - ':\WINDOWS\system32\Dism.exe'
+            - ':\Windows\System32\wuauclt.exe'
     filter_main_update:
         # Security_UserID: S-1-5-18
         # Example:
         #   TargetFilename: C:\Windows\SoftwareDistribution\Download\803d1df4c931df4f3e50a022cda56e88\WindowsUpdateBox.exe
-        Image: 'C:\WINDOWS\system32\svchost.exe'
-        TargetFilename|startswith: 'C:\Windows\SoftwareDistribution\Download\'
+        Image|endswith: ':\WINDOWS\system32\svchost.exe'
+        TargetFilename|contains: ':\Windows\SoftwareDistribution\Download\'
     filter_main_upgrade:
-        Image: 'C:\Windows\system32\svchost.exe'
+        Image|endswith: ':\Windows\system32\svchost.exe'
         TargetFilename|contains|all:
             # Example:
             #   This example was seen during windows upgrade
             #   TargetFilename: :\WUDownloadCache\803d1df4c931df4f3e50a022cda56e29\WindowsUpdateBox.exe
             - ':\WUDownloadCache\'
             - '\WindowsUpdateBox.exe'
-    filter_windows_update_box:
+    filter_main_windows_update_box:
         # This FP was seen during Windows Upgrade
         # ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wuauserv
-        Image|startswith: 'C:\WINDOWS\SoftwareDistribution\Download\'
+        Image|contains: ':\WINDOWS\SoftwareDistribution\Download\'
         Image|endswith: '\WindowsUpdateBox.Exe'
-        TargetFilename|startswith: 'C:\$WINDOWS.~BT\Sources\'
+        TargetFilename|contains: ':\$WINDOWS.~BT\Sources\'
     filter_main_tiworker:
-        Image|startswith: 'C:\Windows\WinSxS\'
+        Image|contains: ':\Windows\WinSxS\'
         Image|endswith: '\TiWorker.exe'
     filter_main_programfiles:
-        - Image|startswith:
-              - 'C:\Program Files\'
-              - 'C:\Program Files (x86)\'
-        - TargetFilename|startswith:
-              - 'C:\Program Files\'
-              - 'C:\Program Files (x86)\'
+        - Image|contains:
+              - ':\Program Files\'
+              - ':\Program Files (x86)\'
+        - TargetFilename|contains:
+              - ':\Program Files\'
+              - ':\Program Files (x86)\'
     filter_main_defender:
-        Image|startswith:
-            - 'C:\ProgramData\Microsoft\Windows Defender\'
-            - 'C:\Program Files\Windows Defender\'
+        Image|contains:
+            - ':\ProgramData\Microsoft\Windows Defender\'
+            - ':\Program Files\Windows Defender\'
     filter_main_windows_apps:
         TargetFilename|contains: '\AppData\Local\Microsoft\WindowsApps\'
     filter_main_teams:
@@ -75,9 +75,9 @@ detection:
         #       TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\4f8c-0\MSBuild.exe
         #       TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\49bc-0\testhost.net47.x86.exe
         #       TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\39d8-0\fsc.exe
-        Image|startswith: 'C:\Windows\Microsoft.NET\Framework\'
+        Image|contains: ':\Windows\Microsoft.NET\Framework\'
         Image|endswith: '\mscorsvw.exe'
-        TargetFilename|startswith: 'C:\Windows\assembly\NativeImages_'
+        TargetFilename|contains: ':\Windows\assembly\NativeImages_'
     filter_main_vscode:
         Image|contains: '\AppData\Local\'
         Image|endswith: '\Microsoft VS Code\Code.exe'
@@ -89,8 +89,28 @@ detection:
         #   \AppData\Local\SquirrelTemp\tempb\lib\net45\squirrel.exe
         TargetFilename|contains: '\AppData\Local\SquirrelTemp\'
     filter_main_windows_temp:
-        TargetFilename|startswith: 'C:\WINDOWS\TEMP\'
-    condition: selection and not 1 of filter_*
+        - Image|contains: ':\WINDOWS\TEMP\'
+        - TargetFilename|contains: ':\WINDOWS\TEMP\'
+    filter_optional_python:
+        Image|contains: '\Python27\python.exe'
+        TargetFilename|contains:
+            - '\Python27\Lib\site-packages\'
+            - '\Python27\Scripts\'
+            - '\AppData\Local\Temp\'
+    filter_optional_squirrel:
+        Image|contains: '\AppData\Local\SquirrelTemp\Update.exe'
+        TargetFilename|contains: '\AppData\Local'
+    filter_main_temp_installers:
+        - Image|contains: '\AppData\Local\Temp\'
+        - TargetFilename|contains: '\AppData\Local\Temp\'
+    filter_optional_chrome:
+        Image|endswith: '\ChromeSetup.exe'
+        TargetFilename|contains: '\Google'
+    filter_main_dot_net:
+        Image|contains: ':\Windows\Microsoft.NET\Framework'
+        Image|endswith: '\mscorsvw.exe'
+        TargetFilename|contains: ':\Windows\assembly'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     # Please contribute to FP to increase the level
     - Software installers

rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml

@@ -7,6 +7,7 @@ references:
     - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-5.1
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/05/09
+modified: 2023/11/06
 tags:
     - attack.execution
     - detection.threat_hunting
@@ -25,7 +26,14 @@ detection:
         CommandLine|contains:
             - 'Import-Module '
             - 'ipmo '
-    condition: all of selection_*
+    filter_main_vsstudio:
+        ParentImage|contains:
+            - ':\Program Files\WindowsApps\Microsoft.WindowsTerminal_'
+            - ':\Windows\System32\cmd.exe'
+        CommandLine|contains|all:
+            - ':\Program Files\Microsoft Visual Studio\'
+            - 'Tools\Microsoft.VisualStudio.DevShell.dll'
+    condition: all of selection_* and not all of filter_main_*
 falsepositives:
     - Depending on the environement, many legitimate scripts will import modules inline. This rule is targeted for hunting purposes.
 level: low

rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml

@@ -8,7 +8,7 @@ references:
     - https://github.com/swagkarna/Defeat-Defender-V1.2.0
 author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
 date: 2019/10/23
-modified: 2022/11/18
+modified: 2023/11/06
 tags:
     - attack.defense_evasion
     - attack.t1222.001
@@ -39,8 +39,13 @@ detection:
             - 'ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r '
             - 'S-1-5-19:F'
     filter_optional_vscode:
-        - CommandLine|contains: '\AppData\Local\Programs\Microsoft VS Code'
-        - ParentImage|endswith: '\Microsoft VS Code\Code.exe'
+        CommandLine|contains:
+            - '\AppData\Local\Programs\Microsoft VS Code'
+            - ':\Program Files\Microsoft VS Code\'
+    filter_optional_avira:
+        CommandLine|contains:
+            - ':\Program Files (x86)\Avira\'
+            - ':\Program Files\Avira\'
     condition: 1 of selection_* and not 1 of filter_optional_*
 falsepositives:
     - Users interacting with the files on their own (unlikely unless privileged users).

rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml

@@ -8,7 +8,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process
 author: frack113
 date: 2021/12/26
-modified: 2023/08/28
+modified: 2023/11/06
 tags:
     - attack.impact
     - attack.t1489
@@ -24,7 +24,12 @@ detection:
         CommandLine|contains|all:
             - ' /f'
             - ' /im '
-    condition: all of selection_*
+    filter_main_installers:
+        ParentImage|contains:
+            - '\AppData\Local\Temp\'
+            - ':\Windows\Temp'
+        ParentImage|endswith: '.tmp'
+    condition: all of selection_* and not 1 of filter_main_*
 falsepositives:
     - Expected FP with some processes using this techniques to terminate one of their processes during installations and updates
 level: low