fix(rules): Reduce false positives

Reduce false positives in various rules by adding
exceptions for process executables or file paths.

Author: rabbitstack

rules/credentail_access_file_access_to_sam_database.yml

@@ -1,6 +1,6 @@
 name: File access to SAM database
 id: e3dace20-4962-4381-884e-40dcdde66626
-version: 1.0.2
+version: 1.0.3
 description: |
   Identifies access to the Security Account Manager on-disk database.
 labels:
@@ -28,7 +28,8 @@ condition: >
     (
       '?:\\Program Files\\*',
       '?:\\Program Files (x86)\\*',
-      '?:\\Windows\\System32\\lsass.exe'
+      '?:\\Windows\\System32\\lsass.exe',
+      '?:\\Windows\\System32\\srtasks.exe'
     )
 
 min-engine-version: 2.4.0

rules/credential_access_potential_sam_hive_dumping.yml

@@ -1,6 +1,6 @@
 name: Potential SAM hive dumping
 id: 2f326557-0291-4eb1-a87a-7a17b7d941cb
-version: 1.0.3
+version: 1.0.4
 description:
   Identifies access to the Security Account Manager registry hives.
 labels:
@@ -22,18 +22,11 @@ condition: >
     |spawn_process and not (ps.exe imatches
       (
         '?:\\Program Files\\*.exe',
-        '?:\\Program Files (x86)\\*.exe'
+        '?:\\Program Files (x86)\\*.exe',
+        '?:\\Windows\\System32\\svchost.exe'
       )
         or
-      (ps.child.exe imatches '?:\\Windows\\System32\\svchost.exe' and ps.child.args intersects ('-k', 'DcomLaunch'))
-        or
-      (ps.child.cmdline imatches '?:\\Windows\\System32\\svchost.exe -k defragsvc')
-        or
-      (ps.child.cmdline imatches '?:\\Windows\\System32\\svchost.exe -k netsvcs -p -s BITS')
-        or
-      (ps.child.cmdline imatches '?:\\Windows\\System32\\svchost.exe -k wusvcs -p -s WaaSMedicSvc')
-        or
-      (ps.child.cmdline imatches '?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe ExecuteQueuedItems /LegacyServiceBehavior')
+      (ps.child.cmdline imatches '"?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior')
      )
     | by ps.child.uuid
     |open_registry
@@ -70,7 +63,10 @@ condition: >
         '?:\\Windows\\System32\\lpremove.exe',
         '?:\\Windows\\System32\\LogonUI.exe',
         '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe',
-        '?:\\Windows\\System32\\ApplicationFrameHost.exe'
+        '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MpDefenderCoreService.exe',
+        '?:\\Windows\\System32\\ApplicationFrameHost.exe',
+        '?:\\Windows\\System32\\wbem\\WMIADAP.exe',
+        '?:\\Windows\\System32\\cleanmgr.exe'
        )
       | by ps.uuid
 

rules/credential_access_suspicious_vault_client_dll_load.yml

@@ -1,6 +1,6 @@
 name: Suspicious Vault client DLL load
 id: 64af2e2e-2309-4079-9c0f-985f1dd930f5
-version: 1.0.0
+version: 1.0.1
 description: |
   Identifies loading of the Vault client DLL by an unusual process. Adversaries can abuse the functions provided 
   by the Credential Vault Client Library to enumerate or harvest saved credentials.
@@ -42,11 +42,15 @@ condition: >
           or
         (ps.exe imatches ('?:\\Program Files\\WindowsApps\\Microsoft.*.exe', '?:\\Windows\\Microsoft.NET\\Framework*\\NGenTask.exe'))
           or
-        (ps.child.exe imatches '?:\\WINDOWS\\System32\\svchost.exe' and ps.child.args intersects ('-k', 'wusvcs', '-p', '-s', 'WaaSMedicSvc'))
+        (ps.child.exe imatches '?:\\WINDOWS\\system32\\BackgroundTaskHost.exe' and ps.child.args imatches ('-ServerName:*'))
           or
-        (ps.child.exe imatches '?:\\WINDOWS\\System32\\svchost.exe' and ps.child.args intersects ('-k', 'netsvcs', '-p', '-s', 'TokenBroker'))
+        (ps.child.exe imatches '?:\\Windows\\System32\\SecurityHealth\\*\\SecurityHealthHost.exe')
           or
-        (ps.child.exe imatches '?:\\WINDOWS\\system32\\BackgroundTaskHost.exe' and ps.child.args not in ('-ServerName:BackgroundTaskHost.WebAccountProvider'))
+        (ps.child.exe imatches '?:\\WINDOWS\\uus\\*\\MoUsoCoreWorker.exe')
+          or
+        (ps.exe imatches '?:\\Windows\\System32\\services.exe')
+          or
+        (ps.exe imatches '?:\\Program Files\\Microsoft OneDrive\\OneDriveStandaloneUpdater.exe')
       )
     | by ps.child.uuid
     |load_dll and image.name ~= 'vaultcli.dll'| by ps.uuid

rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml

@@ -1,6 +1,6 @@
 name: .NET assembly loaded by unmanaged process
 id: 34be8bd1-1143-4fa8-bed4-ae2566b1394a
-version: 1.0.5
+version: 1.0.6
 description: |
   Identifies the loading of the .NET assembly by an unmanaged process. Adversaries can load the CLR runtime
   inside unmanaged process and execute the assembly via the ICLRRuntimeHost::ExecuteInDefaultAppDomain method.
@@ -30,7 +30,11 @@ condition: >
   ps.exe not imatches
     (
       '?:\\Program Files\\WindowsApps\\*\\CrossDeviceService.exe',
-      '?:\\Windows\\Microsoft.NET\\Framework\\*\\mscorsvw.exe'
+      '?:\\Program Files\\WindowsApps\\*\\WidgetService.exe',
+      '?:\\Program Files\\WindowsApps\\*\\PhoneExperienceHost.exe',
+      '?:\\Program Files\\WindowsApps\\*\\WindowsSandboxServer.exe',
+      '?:\\Program Files\\Conexant\\SAII\\SmartAudio.exe',
+      '?:\\Windows\\Microsoft.NET\\Framework*\\mscorsvw.exe'
     )
 
 output: >

rules/defense_evasion_hidden_registry_key_creation.yml

@@ -1,6 +1,6 @@
 name: Hidden registry key creation
 id: 65deda38-9b1d-42a0-9f40-a68903e81b49
-version: 1.1.3
+version: 1.1.4
 description: |
   Identifies the creation of a hidden registry key. Adversaries can utilize the
   native NtSetValueKey API to create a hidden registry key and conceal payloads
@@ -29,7 +29,14 @@ condition: >
       '?:\\Windows\\System32\\sppsvc.exe',
       '?:\\Windows\\System32\\compattelrunner.exe',
       '?:\\Windows\\explorer.exe',
-      '?:\\Windows\\System32\\lsass.exe'
+      '?:\\Windows\\System32\\lsass.exe',
+      '?:\\Windows\\System32\\svchost.exe'
+    )
+    and
+  ps.parent.exe not imatches
+    (
+      '?:\\WINDOWS\\uus\\*\\wuaucltcore.exe',
+      '?:\\WINDOWS\\System32\\svchost.exe'
     )
 
 output: >

rules/defense_evasion_potential_process_injection_via_tainted_memory_section.yml

@@ -1,6 +1,6 @@
 name: Potential process injection via tainted memory section
 id: 8e4182f3-02e7-4e95-afc3-93d18c9a9c09
-version: 1.0.2
+version: 1.0.3
 description: |
   Identifies potential process injection when the adversary creates and maps a memory
   section with RW protection rights followed by mapping of the same memory section in
@@ -28,14 +28,21 @@ condition: >
         '?:\\Program Files (x86)\\*.exe',
         '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe',
         '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\NisSrv.exe',
+        '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MpDefenderCoreService.exe',
         '?:\\WINDOWS\\System32\\csrss.exe',
         '?:\\WINDOWS\\Explorer.exe',
         '?:\\WINDOWS\\System32\\svchost.exe',
         '?:\\WINDOWS\\System32\\lsass.exe',
-        '?:\\WINDOWS\\System32\\SecurityHealthService.exe'
+        '?:\\WINDOWS\\System32\\SecurityHealthService.exe',
+        '?:\\WINDOWS\\System32\\services.exe'
       )
     | as e1
-    |map_view_of_section and file.view.protection = 'READONLY|EXECUTE' and file.key = $e1.file.key and kevt.pid != $e1.kevt.pid|
+    |map_view_of_section and file.view.protection = 'READONLY|EXECUTE' and file.key = $e1.file.key and kevt.pid != $e1.kevt.pid and ps.exe not imatches
+      (
+        '?:\\Program Files\\Mozilla Firefox\\firefox.exe',
+        '?:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe'
+      )
+    |
 action:
   - name: kill
 

rules/defense_evasion_process_execution_from_self_deleting_binary.yml

@@ -1,6 +1,6 @@
 name: Process execution from a self-deleting binary
 id: 0f0da517-b22c-4d14-9adc-36baeb621cf7
-version: 1.0.3
+version: 1.0.4
 description: |
   Identifies the execution of the process from a self-deleting binary. The attackers can
   abuse undocumented API functions to create a process from a file-backed section. The file 
@@ -22,18 +22,16 @@ condition: >
   maxspan 1m 
     |delete_file and file.info.is_disposition_delete_file
       and
-     ps.exe not imatches 
+     ps.exe not imatches
       (
         '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe',
-        '?:\\WINDOWS\\uus\\packages\\preview\\*\\wuaucltcore.exe'
+        '?:\\WINDOWS\\uus\\packages\\preview\\*\\wuaucltcore.exe',
+        '?:\\WINDOWS\\uus\\packages\\preview\\*\\MoUsoCoreWorker.exe',
+        '?:\\WINDOWS\\System32\\svchost.exe',
+        '?:\\WINDOWS\\winsxs\\*\\TiWorker.exe'
       )
-      and 
-     ps.cmdline not imatches 
-      (
-        '?:\\Windows\\system32\\svchost.exe -k wsappx -p -s AppXSvc'
-      )
-      and 
-     file.path not imatches 
+      and
+     file.path not imatches
       (
         '?:\\Windows\\SoftwareDistribution\\Download\\*',
         '?:\\Windows\\uus\\packages\\preview\\*'

rules/defense_evasion_suspicious_access_to_the_hosts_file.yml

@@ -1,6 +1,6 @@
 name: Suspicious access to the hosts file
 id: f7b2c9d3-99e7-41d5-bb4a-6ea1a5f7f9e2
-version: 1.0.1
+version: 1.0.2
 description: >
   Identifies suspicious process accessing the Windows hosts file for potential tampering.
   Adversaries can hijack the hosts files to block traffic to download/update servers or redirect the
@@ -23,7 +23,9 @@ condition: >
         '?:\\Windows\\servicing\\TrustedInstaller.exe',
         '?:\\Windows\\System32\\svchost.exe',
         '?:\\Windows\\System32\\MicrosoftEdgeUpdate.exe',
-        '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'
+        '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe',
+        '?:\\Program Files\\Mozilla Firefox\\firefox.exe',
+        '?:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe'
       )
     | by ps.child.uuid
     |open_file and file.path imatches '?:\\Windows\\System32\\drivers\\etc\\hosts'| by ps.uuid

rules/defense_evasion_suspicious_dll_loaded_via_memory_section_mapping.yml

@@ -1,6 +1,6 @@
 name: Suspicious DLL loaded via memory section mapping
 id: b06653fb-227e-4e63-9a69-55a5a90c79e5
-version: 1.0.0
+version: 1.0.1
 description: |
   Identifies the mapping of a memory section with RX protection followed by unsigned DLL loading.
   Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses
@@ -21,7 +21,13 @@ condition: >
   sequence
   maxspan 2m
   by ps.uuid
-    |map_view_of_section and file.view.protection = 'READONLY|EXECUTE' and kevt.pid != 4 and file.view.size >= 4096|
+    |map_view_of_section and file.view.protection = 'READONLY|EXECUTE' and kevt.pid != 4 and file.view.size >= 4096
+      and
+     ps.exe not imatches 
+      (
+        '?:\\Program Files\\Mozilla Firefox\\firefox.exe'
+      )
+    |
     |(load_unsigned_or_untrusted_dll)|
 action:
   - name: kill

rules/defense_evasion_suspicious_object_symbolic_link_creation.yml

@@ -1,6 +1,6 @@
 name: Suspicious object symbolic link creation
 id: f9306355-1f5f-4a06-9779-195aa681db80
-version: 1.0.1
+version: 1.0.2
 description: |
   Identifies the creation of the object symbolic link inside the object manager namespace
   by untrusted or unusual processes.
@@ -26,9 +26,13 @@ condition: >
       '?:\\WINDOWS\\system32\\svchost.exe',
       '?:\\Program Files\\*',
       '?:\\Program Files (x86)\\*',
-      '?:\\Windows\\System32\\vmwp.exe'
+      '?:\\Windows\\System32\\vmwp.exe',
+      '?:\\Windows\\System32\\spoolsv.exe',
+      '?:\\Windows\\System32\\csrss.exe'
     )
   )
+    and
+  kevt.arg[target] not imatches '\\Sessions\\*\\AppContainerNamedObjects\\*'
 
 output: >
   Suspicious object symbolic link %kevt.arg[target] created by process %ps.exe