
[Rule Tuning] Potential System Tampering via File Modification #5262

@khalavak

Link to Rule

Rule Tuning Type

False Positives - Reducing benign events mistakenly identified as threats.

Description

Hello!
We are getting false positives for the Windows Update process modifying files in the SoftwareDistribution folder C:\Windows\SoftwareDistribution\Download\ for the processes monitored in the rule ("winload.exe", "winlod.efi", "ntoskrnl.exe" and "bootmgr").

Example:

C:\Windows\SoftwareDistribution\Download\da6f28916f1443950a7aca0ea8936b75\Package_for_RollupFix~~amd64~~26100.7019.1.34\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_10.0.26100.7019_none_f71417c91c8d1d11\f\winload.exe

This can be fixed by excluding the C:\Windows\SoftwareDistribution\ folder in the EQL rule:

file where host.os.type == "windows" and event.type in ("change", "deletion") and
 file.name : ("winload.exe", "winlod.efi", "ntoskrnl.exe", "bootmgr") and
 file.path : ("?:\\Windows\\*", "\\Device\\HarddiskVolume*\\Windows\\*") and
 not process.executable : ("?:\\Windows\\System32\\poqexec.exe", "\\Device\\HarddiskVolume*\\Windows\\System32\\poqexec.exe") and not file.path : ("C:\\Windows\\SoftwareDistribution\\*")

Not sure if the other NT-style/kernel-mode device path needs to be added as well:

  • "\Device\HarddiskVolume*\Windows\SoftwareDistribution\*"

Example Data

file where host.os.type == "windows" and event.type in ("change", "deletion") and
 file.name : ("winload.exe", "winlod.efi", "ntoskrnl.exe", "bootmgr") and
 file.path : ("?:\\Windows\\*", "\\Device\\HarddiskVolume*\\Windows\\*") and
 not process.executable : ("?:\\Windows\\System32\\poqexec.exe", "\\Device\\HarddiskVolume*\\Windows\\System32\\poqexec.exe") and not file.path : ("C:\\Windows\\SoftwareDistribution\\*")
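An added example, not code from the issue or from the Elastic rule repository: a small Python approximation of the rule's EQL wildcard matching, run over constructed events (the process paths and the device-path event are assumptions), to check that the proposed exclusion suppresses the Windows Update staging write while the rule still fires on a write to the real boot loader. It also shows that an event reported with an NT device path is only excluded once the "\Device\HarddiskVolume*" variant of the exclusion is present.

```python
import re

# Approximation (written here, not Elastic's engine) of EQL's ":" wildcard operator:
# case-insensitive, "*" matches any run of characters, "?" matches exactly one.
def eql_wildcard(value: str, patterns) -> bool:
    for pat in patterns:
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pat)
        if re.fullmatch(regex, value, re.IGNORECASE):
            return True
    return False

BOOT_FILES = ("winload.exe", "winlod.efi", "ntoskrnl.exe", "bootmgr")
WINDOWS_DIRS = (r"?:\Windows\*", r"\Device\HarddiskVolume*\Windows\*")
POQEXEC = (r"?:\Windows\System32\poqexec.exe",
           r"\Device\HarddiskVolume*\Windows\System32\poqexec.exe")
# The exclusion proposed in the issue, and the device-path variant the issue asks about.
SWDIST_DRIVE_ONLY = (r"C:\Windows\SoftwareDistribution\*",)
SWDIST_BOTH = SWDIST_DRIVE_ONLY + (r"\Device\HarddiskVolume*\Windows\SoftwareDistribution\*",)

def rule_matches(event: dict, swdist_exclusions) -> bool:
    """True if the tuned rule would alert on this file event."""
    return (event.get("host.os.type") == "windows"
            and event.get("event.type") in ("change", "deletion")
            and eql_wildcard(event["file.name"], BOOT_FILES)
            and eql_wildcard(event["file.path"], WINDOWS_DIRS)
            and not eql_wildcard(event.get("process.executable", ""), POQEXEC)
            and not eql_wildcard(event["file.path"], swdist_exclusions))

def _event(path, exe, etype="change"):
    return {"host.os.type": "windows", "event.type": etype, "file.path": path,
            "file.name": path.rsplit("\\", 1)[-1], "process.executable": exe}

# Constructed sample events (shortened staging path; process executables are assumptions).
WU_DRIVE = _event(r"C:\Windows\SoftwareDistribution\Download\da6f28916f1443950a7aca0ea8936b75\f\winload.exe",
                  r"C:\Windows\System32\svchost.exe")
WU_DEVICE = _event(r"\Device\HarddiskVolume3\Windows\SoftwareDistribution\Download\da6f28916f1443950a7aca0ea8936b75\f\winload.exe",
                   r"\Device\HarddiskVolume3\Windows\System32\svchost.exe")
SERVICING = _event(r"C:\Windows\System32\winload.exe", r"C:\Windows\System32\poqexec.exe")
TAMPER = _event(r"C:\Windows\System32\winload.exe", r"C:\Temp\updater.exe")

def evaluate():
    return {
        "wu_drive_path": rule_matches(WU_DRIVE, SWDIST_DRIVE_ONLY),              # False: excluded
        "wu_device_path_drive_only": rule_matches(WU_DEVICE, SWDIST_DRIVE_ONLY),  # True: still fires
        "wu_device_path_both": rule_matches(WU_DEVICE, SWDIST_BOTH),              # False: excluded
        "poqexec_servicing": rule_matches(SERVICING, SWDIST_BOTH),                # False: rule's own exception
        "real_tampering": rule_matches(TAMPER, SWDIST_BOTH),                      # True: still fires
    }

if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name}: {'ALERT' if fired else 'no alert'}")
```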
