chore(rules): Eliminate false positives

rabbitstack · rabbitstack · commit 32c294fd40ee · 2024-11-27T22:22:56.000+01:00
Make the rules less noisy by adding various conditions
to prevent false positives. Also, reformat some rules
for better readability.
diff --git a/rules/credential_access_potential_sam_hive_dumping.yml b/rules/credential_access_potential_sam_hive_dumping.yml
@@ -19,15 +19,12 @@ references:
 condition: >
   sequence
   maxspan 10m
-    |spawn_process
-      and
-      not
-     (ps.exe imatches
-        (
-          '?:\\Program Files\\*.exe',
-          '?:\\Program Files (x86)\\*.exe'
-        )
-      or
+    |spawn_process and not (ps.exe imatches
+      (
+        '?:\\Program Files\\*.exe',
+        '?:\\Program Files (x86)\\*.exe'
+      )
+        or
       (ps.exe imatches 'C:\\Windows\\System32\\svchost.exe' and ps.args iin ('-k', 'DcomLaunch'))
      )
     | by ps.child.uuid
diff --git a/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml b/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml
@@ -1,6 +1,6 @@
 name: .NET assembly loaded by unmanaged process
 id: 34be8bd1-1143-4fa8-bed4-ae2566b1394a
-version: 1.0.0
+version: 1.0.1
 description: |
   Identifies the loading of the .NET assembly by an unmanaged process. Adversaries can load the CLR runtime
   inside unmanaged process and execute the assembly via the ICLRRuntimeHost::ExecuteInDefaultAppDomain method.
@@ -27,6 +27,12 @@ condition: >
       '?:\\Program Files\\WindowsPowerShell\\Modules\\*\\*.dll',
       '?:\\Windows\\Microsoft.NET\\assembly\\*\\*.dll'
     )
+    and
+    not
+  ps.exe imatches
+    (
+      '?:\\Program Files\\WindowsApps\\*\\CrossDeviceService.exe'
+    )
 
 output: >
   .NET assembly %image.name loaded by unmanaged process %ps.exe
diff --git a/rules/defense_evasion_hidden_registry_key_creation.yml b/rules/defense_evasion_hidden_registry_key_creation.yml
@@ -1,6 +1,6 @@
 name: Hidden registry key creation
 id: 65deda38-9b1d-42a0-9f40-a68903e81b49
-version: 1.0.0
+version: 1.0.1
 description: |
   Identifies the creation of a hidden registry key. Adversaries can utilize the
   native NtSetValueKey API to create a hidden registry key and conceal payloads
@@ -19,6 +19,14 @@ condition: >
   set_value and kevt.pid != 4 and registry.key.name endswith '\\' 
     and 
   thread.callstack.symbols not imatches ('KernelBase.dll!RegSetValue*', 'KernelBase.dll!RegLoadAppKey*', 'KernelBase.dll!GetFileAttributes*')
+    and
+    not
+  ps.exe imatches
+    (
+      '?:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe',
+      '?:\\Program Files\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe',
+      '?:\\Windows\\System32\\sppsvc.exe'
+    )
 
 output: >
   Hidden registry key %registry.key.name created by process %ps.exe
diff --git a/rules/defense_evasion_potential_process_hollowing_injection.yml b/rules/defense_evasion_potential_process_hollowing_injection.yml
@@ -1,6 +1,6 @@
 name: Potential Process Hollowing
 id: 2a3fbae8-5e8c-4b71-b9da-56c3958c0d53
-version: 1.1.0
+version: 1.1.1
 description: |
   Adversaries may inject malicious code into suspended and hollowed processes in order to
   evade process-based defenses. Process hollowing is a method of executing arbitrary code
@@ -29,7 +29,12 @@ references:
 condition: >
   sequence
   maxspan 2m
-    |spawn_process| by ps.child.uuid
+    |spawn_process and not ps.sid in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20') and not ps.exe imatches 
+      (
+        '?:\\Program Files\\*', 
+        '?:\\Program Files (x86)\\*'
+      )
+    | by ps.child.uuid
     |unmap_view_of_section and file.view.size > 20000 and file.view.protection != 'READONLY' and (length(file.name) = 0 or not ext(file.name) = '.dll')| by ps.uuid
     |load_executable| by ps.uuid
 action:
diff --git a/rules/defense_evasion_potential_process_injection_via_tainted_memory_section.yml b/rules/defense_evasion_potential_process_injection_via_tainted_memory_section.yml
@@ -23,10 +23,7 @@ condition: >
   sequence
   maxspan 1m
     |map_view_of_section and file.view.protection = 'READWRITE' and kevt.pid != 4 and file.view.size >= 4096| as e1
-    |map_view_of_section and file.view.protection = 'READONLY|EXECUTE' and file.key = $e1.file.key and kevt.pid != $e1.kevt.pid
-      and
-      not
-     ps.exe imatches
+    |map_view_of_section and file.view.protection = 'READONLY|EXECUTE' and file.key = $e1.file.key and kevt.pid != $e1.kevt.pid and not ps.exe imatches
       (
         '?:\\Program Files\\Mozilla Firefox\\firefox.exe',
         '?:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe'
diff --git a/rules/defense_evasion_potential_thread_execution_hijacking.yml b/rules/defense_evasion_potential_thread_execution_hijacking.yml
@@ -30,10 +30,7 @@ condition: >
   sequence
   maxspan 2m
   by ps.uuid
-    |open_remote_thread and thread.access.mask.names in ('ALL_ACCESS', 'SUSPEND_THREAD')
-      and
-      not
-     ps.exe imatches
+    |open_remote_thread and thread.access.mask.names in ('ALL_ACCESS', 'SUSPEND_THREAD') and not ps.exe imatches
       (
         '?:\\Program Files\\*',
         '?:\\Program Files (x86)\\*'
diff --git a/rules/defense_evasion_thread_context_set_from_unbacked_memory.yml b/rules/defense_evasion_thread_context_set_from_unbacked_memory.yml
@@ -1,6 +1,6 @@
 name: Thread context set from unbacked memory
 id: f8219274-ee68-416b-8489-4d2e635c7844
-version: 1.0.0
+version: 1.0.1
 description: |
   Identifies manipulation of the thread context from unbacked memory region. This may be
   indicative of process injection.
@@ -14,5 +14,13 @@ labels:
 
 condition: >
   set_thread_context and thread.callstack.summary imatches ('ntdll.dll|kernelbase.dll|unbacked')
+    and
+    not
+  ps.exe imatches
+    (
+      '?:\\Program Files\\Git\\mingw64\\bin\\git.exe',
+      '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe',
+      '?:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe'
+    )
 
 min-engine-version: 2.2.0
diff --git a/rules/defense_evasion_unsigned_dll_injection_via_remote_thread.yml b/rules/defense_evasion_unsigned_dll_injection_via_remote_thread.yml
@@ -22,15 +22,12 @@ references:
 condition: >
   sequence
   maxspan 1m
-    |create_remote_thread
-      and
-      not
-     (ps.exe imatches
-        (
-          '?:\\Program Files\\*',
-          '?:\\Program Files (x86)\\*'
-        )
-      or
+    |create_remote_thread and not (ps.exe imatches
+      (
+        '?:\\Program Files\\*',
+        '?:\\Program Files (x86)\\*'
+      )
+        or
       (ps.exe imatches 'C:\\Windows\\System32\\svchost.exe' and ps.args iin ('-k', 'DcomLaunch'))
      )
     | by thread.pid
diff --git a/rules/initial_access_macro_execution_via_script_interpreter.yml b/rules/initial_access_macro_execution_via_script_interpreter.yml
@@ -31,15 +31,8 @@ condition: >
       (create_file)
         or
       (
-        load_module
-          and
-          not
-        image.name imatches
-          (
-            '?:\\Program Files\\*',
-            '?:\\Program Files (x86)\\*'
-          )
-       )
+        load_module and not image.name imatches ('?:\\Program Files\\*', '?:\\Program Files (x86)\\*')
+      )
      )
     | by ps.uuid
 
