Merge PR #5513 from @swachchhanda000 - fix FPs observed via Aurora

fix: Suspicious Sysmon as Execution Parent - add filter for Sysmon binary running from temp dir
fix: Remote Thread Created In Shell Application - modify the logic to filter out legit processes creating remote thread in shell apps
fix: Potential Active Directory Reconnaissance/Enumeration Via LDAP - commenting out troublesome LDAP query parameter
fix: Rare Remote Thread Creation By Uncommon Source Image - add several FP filter
fix: Remote Thread Creation By Uncommon Source Image - add several FP filter
fix: ADS Zone.Identifier Deleted By Uncommon Application - filter msedge
fix: Remote Thread Creation In Uncommon Target Image - add FP filters for notepad and sethc
fix: Potential Binary Or Script Dropper Via PowerShell - add filters for legitimate binary dropped by PowerShell
fix: Use Short Name Path in Command Line - add filter for aurora
fix: Suspicious Userinit Child Process - filter null Image
fix: CurrentVersion NT Autorun Keys Modification - add filter for RuntimeBroker.exe
fix: Modification of IE Registry Settings - add filter for RuntimeBroker.exe
fix: Scheduled TaskCache Change by Uncommon Program - add filter for RuntimeBroker.exe
---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>

Author: swachchhanda000

rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml

@@ -8,7 +8,7 @@ references:
     - https://twitter.com/filip_dragovic/status/1590104354727436290
 author: Florian Roth (Nextron Systems), Tim Shelton (fp werfault)
 date: 2022-11-10
-modified: 2023-10-23
+modified: 2025-07-04
 tags:
     - attack.privilege-escalation
     - attack.t1068
@@ -22,6 +22,13 @@ detection:
         ParentImage|endswith:
             - '\Sysmon.exe'
             - '\Sysmon64.exe'
+    filter_main_temp_sysmon:
+        # C:\Users\ADMINI~1\AppData\Local\Temp\2\Sysmon.exe
+        Image|startswith: 'C:\Users\'
+        Image|contains: '\AppData\Local\Temp\'
+        Image|endswith:
+            - '\Sysmon.exe'
+            - '\Sysmon64.exe'
     filter_main_generic:
         Image|contains:
             - ':\Windows\Sysmon.exe'
@@ -31,7 +38,6 @@ detection:
             - ':\Windows\System32\WerFaultSecure.exe' # When Sysmon crashes
             - ':\Windows\System32\wevtutil.exe'
             - ':\Windows\SysWOW64\wevtutil.exe'
-            - '\AppData\Local\Temp\Sysmon.exe' # When launching Sysmon 32bit version.
     filter_main_null:
         Image: null
     condition: selection and not 1 of filter_main_*

rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml

@@ -9,7 +9,7 @@ references:
     - https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/
 author: Splunk Research Team
 date: 2024-07-29
-modified: 2025-06-16
+modified: 2025-07-04
 tags:
     - attack.defense-evasion
     - attack.t1055
@@ -24,11 +24,13 @@ detection:
             - '\powershell.exe'
             - '\pwsh.exe'
     filter_main_system:
-        SourceImage: 'C:\Windows\System32\csrss.exe'
+        SourceImage|startswith:
+            - 'C:\Windows\System32\'
+            - 'C:\Windows\SysWOW64\'
+            - 'C:\Program Files (x86)\'
+            - 'C:\Program Files\'
     filter_optional_defender:
         SourceImage|endswith: '\MsMpEng.exe'
-    filter_optional_malwarebytes:
-        SourceImage: 'C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe'
     condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Unknown

rules/windows/builtin/ldap/win_ldap_recon.yml

@@ -11,7 +11,7 @@ references:
     - https://ipurple.team/2024/07/15/sharphound-detection/
 author: Adeem Mawani
 date: 2021-06-22
-modified: 2024-08-27
+modified: 2025-07-04
 tags:
     - attack.discovery
     - attack.t1069.002
@@ -37,7 +37,7 @@ detection:
             - '(sAMAccountType=268435456)'
             - '(objectCategory=groupPolicyContainer)'
             - '(objectCategory=organizationalUnit)'
-            - '(objectCategory=Computer)'
+            # - '(objectCategory=Computer)' Prone to false positives
             - '(objectCategory=nTDSDSA)'
             - '(objectCategory=server)'
             - '(objectCategory=domain)'

rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml

@@ -10,7 +10,7 @@ references:
     - https://lolbas-project.github.io
 author: Perez Diego (@darkquassar), oscd.community
 date: 2019-10-27
-modified: 2025-05-13
+modified: 2025-07-08
 tags:
     - attack.privilege-escalation
     - attack.defense-evasion
@@ -62,12 +62,22 @@ detection:
             - '\winword.exe'
             - '\wmic.exe'
             - '\wscript.exe'
-    filter_main_defrag_conhost:
-        SourceImage: 'C:\Windows\System32\Defrag.exe'
+    filter_main_conhost:
+        SourceImage:
+            - 'C:\Windows\System32\Defrag.exe'
+            - 'C:\Windows\System32\makecab.exe'
         TargetImage: 'C:\Windows\System32\conhost.exe'
     filter_main_provtol_svchost:
         SourceImage: 'C:\Windows\System32\provtool.exe'
         TargetImage: 'C:\Windows\System32\svchost.exe'
+    filter_main_userinit:
+        SourceImage: 'C:\Windows\System32\userinit.exe'
+        TargetImage: 'C:\Windows\explorer.exe'
+    filter_main_winword:
+        SourceImage|endswith: '\WINWORD.EXE'
+        TargetImage|startswith:
+            - 'C:\Program Files (x86)\' # C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
+            - 'C:\Program Files\' # C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe
     filter_optional_explorer_vmtools:
         SourceImage|endswith: '\SysWOW64\explorer.exe'
         TargetImage:

rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml

@@ -10,7 +10,7 @@ references:
     - https://lolbas-project.github.io
 author: Perez Diego (@darkquassar), oscd.community
 date: 2019-10-27
-modified: 2025-03-07
+modified: 2025-07-08
 tags:
     - attack.privilege-escalation
     - attack.defense-evasion
@@ -35,6 +35,10 @@ detection:
             - 'C:\Windows\System32\csrss.exe' # multiple OS
             - 'C:\Windows\System32\LogonUI.exe' # multiple OS
             - 'C:\Windows\System32\wlrmdr.exe'
+            - 'C:\Windows\System32\AtBroker.exe'
+            - 'C:\Windows\System32\dwm.exe'
+            - 'C:\Windows\System32\fontdrvhost.exe'
+            - 'C:\Windows\System32\userinit.exe'
     filter_main_winlogon_2:
         SourceImage: 'C:\Windows\System32\winlogon.exe'
         TargetParentProcessId: 4
@@ -52,13 +56,29 @@ detection:
             - 'C:\Windows\SysWOW64\'
     filter_main_system:
         TargetImage: 'System'
-    filter_main_msiexec:
+    filter_main_msiexec_1:
         # Note: MSI installers will trigger this
         SourceImage|endswith: '\msiexec.exe'
         TargetImage|contains:
             - '\AppData\Local\'
             - 'C:\Program Files (x86)\'
             - 'C:\Program Files\'
+            - 'C:\Windows\Microsoft.NET\Framework64\' # C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
+    filter_main_msiexec_2:
+        SourceImage|endswith: '\msiexec.exe'
+        TargetImage:
+            - 'C:\Windows\System32\msiexec.exe'
+            - 'C:\Windows\SysWOW64\msiexec.exe'
+    filter_main_iexplore:
+        SourceImage: 'C:\Program Files\Internet Explorer\iexplore.exe'
+        TargetImage:
+            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
+            - 'C:\Windows\System32\rundll32.exe'
+    filter_main_powerpnt:
+        SourceImage|endswith: '\POWERPNT.EXE'
+        TargetImage|contains:
+            - 'C:\Program Files\Microsoft Office\' # C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe
+            - 'C:\Program Files (x86)\Microsoft Office\'
     filter_optional_aurora_smartconsole1:
         SourceImage: 'C:\Program Files\internet explorer\iexplore.exe'
         SourceCommandLine|contains|all:
@@ -86,6 +106,12 @@ detection:
     filter_optional_onedrive:
         SourceImage: 'C:\Windows\explorer.exe'
         TargetImage|endswith: '\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
+    filter_optional_aurora:
+        SourceImage: 'C:\Windows\explorer.exe'
+        TargetImage|endswith: '\aurora-dashboard.exe'
+    filter_optional_officesetup:
+        SourceImage: 'C:\Windows\explorer.exe'
+        TargetImage|endswith: '\OfficeSetup.exe'
     condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - This rule is best put in testing first in order to create a baseline that reflects the data in your environment.

rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml

@@ -9,7 +9,7 @@ references:
     - https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
 author: Florian Roth (Nextron Systems)
 date: 2022-03-16
-modified: 2024-07-15
+modified: 2025-07-04
 tags:
     - attack.defense-evasion
     - attack.privilege-escalation
@@ -31,6 +31,14 @@ detection:
             - '\write.exe'
     filter_main_csrss:
         SourceImage: 'C:\Windows\System32\csrss.exe'
+    filter_main_notepad:
+        SourceImage:
+            - 'C:\Windows\System32\explorer.exe'
+            - 'C:\Windows\System32\OpenWith.exe'
+        TargetImage: 'C:\Windows\System32\notepad.exe'
+    filter_main_sethc:
+        SourceImage: 'C:\Windows\System32\AtBroker.exe'
+        TargetImage: 'C:\Windows\System32\Sethc.exe'
     filter_optional_aurora_1:
         StartFunction: 'EtwpNotificationThread'
     filter_optional_aurora_2:

rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml

@@ -10,7 +10,7 @@ references:
     - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-09-04
-modified: 2024-04-26
+modified: 2025-07-04
 tags:
     - attack.defense-evasion
     - attack.t1070.004
@@ -37,6 +37,10 @@ detection:
         Image:
             - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
             - 'C:\Program Files\Mozilla Firefox\firefox.exe'
+    filter_optional_browsers_msedge:
+        Image:
+            - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
+            - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
     condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Other third party applications not listed.

rules/windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml

@@ -6,7 +6,7 @@ references:
     - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2023-03-17
-modified: 2025-03-05
+modified: 2025-07-04
 tags:
     - attack.persistence
 logsource:
@@ -16,6 +16,7 @@ detection:
     selection:
         Image|endswith:
             - '\powershell.exe'
+            - '\powershell_ise.exe'
             - '\pwsh.exe'
         TargetFilename|endswith:
             - '.bat'
@@ -47,6 +48,13 @@ detection:
         TargetFilename|endswith:
             - '.dll'
             - '.exe'
+    filter_main_powershell_module:
+        TargetFilename|startswith: 'C:\Users\'
+        TargetFilename|contains: '\WindowsPowerShell\Modules\' # C:\Users\xxxx\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.12\lib\net47\PowerShellYamlSerializer.dll
+        TargetFilename|endswith: '.dll'
+    filter_main_nuget:
+        TargetFilename|startswith: 'C:\Program Files\PackageManagement\ProviderAssemblies\nuget\'
+        TargetFilename|endswith: '\Microsoft.PackageManagement.NuGetProvider.dll'
     condition: selection and not 1 of filter_main_*
 falsepositives:
     - False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.

rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml

@@ -11,7 +11,7 @@ references:
     - https://twitter.com/frack113/status/1555830623633375232
 author: frack113, Nasreddine Bencherchali
 date: 2022-08-07
-modified: 2022-10-26
+modified: 2025-07-04
 tags:
     - attack.defense-evasion
     - attack.t1564.004
@@ -34,6 +34,8 @@ detection:
               - '\veam.backup.shell.exe'
               - '\winget.exe'
               - '\Everything\Everything.exe'
+              - '\aurora-agent-64.exe'
+              - '\aurora-agent.exe'
         - ParentImage|contains: '\AppData\Local\Temp\WinGet\'
         - CommandLine|contains:
               - '\appdata\local\webex\webex64\meetings\wbxreport.exe'

rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml

@@ -6,7 +6,7 @@ references:
     - https://twitter.com/SBousseaden/status/1139811587760562176
 author: Florian Roth (Nextron Systems), Samir Bousseaden (idea)
 date: 2019-06-17
-modified: 2022-12-09
+modified: 2025-07-04
 tags:
     - attack.defense-evasion
     - attack.t1055
@@ -16,12 +16,14 @@ logsource:
 detection:
     selection:
         ParentImage|endswith: '\userinit.exe'
-    filter1:
+    filter_main_netlogon:
         CommandLine|contains: '\netlogon\'
-    filter2:
+    filter_main_explorer:
         - Image|endswith: '\explorer.exe'
         - OriginalFileName: 'explorer.exe'
-    condition: selection and not 1 of filter*
+    filter_main_null:
+        Image: null
+    condition: selection and not 1 of filter_main_*
 fields:
     - CommandLine
     - ParentCommandLine