Merge PR #4564 from @nasbench - Fix Further FPs Found In Testing

remove: Abusing Findstr for Defense Evasion - Deprecate in favour of 2 splitted rules. 587254ee-a24b-4335-b3cd-065c0f1f4baa and 04936b66-3915-43ad-a8e5-809eadfd1141
remove: Windows Update Client LOLBIN - Deprecate in favour of 52d097e2-063e-4c9c-8fbb-855c8948d135
fix: Remote Thread Creation By Uncommon Source Image - Enhance filters to avoid false positives
fix: Suspicious Shim Database Installation via Sdbinst.EXE - Add "null" and "empty" filters to account for cases where the CLI is null or empty
new: Insenstive Subfolder Search Via Findstr.EXE
new: Remote File Download Via Findstr.EXE
new: Windows Defender Exclusion Deleted
new: Windows Defender Exclusion List Modified
new: Windows Defender Exclusion Reigstry Key - Write Access Requested
update: Renamed Office Binary Execution - Add new binaries and filters to increase coverage and tune FPs
update: EVTX Created In Uncommon Location - Enhance filters to cover other drives other than "C:"
update: Findstr GPP Passwords - Add "find.exe" binary to increase coverage
update: Findstr Launching .lnk File - Add "find.exe" binary to increase coverage
update: LSASS Process Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Non-DLL Extension File Renamed With DLL Extension - Update title and logic
update: Permission Misconfiguration Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Potentially Suspicious Wuauclt Network Connection - Change the logic to use the "CommandLine" field in order to avoid false positives
update: Proxy Execution Via Wuauclt.EXE - Update title and enhance filters
update: Recon Command Output Piped To Findstr.EXE - Add "find.exe" binary to increase coverage
update: Security Tools Keyword Lookup Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Suspicious Appended Extension - Enhance list of extension
update: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE - Add "find.exe" binary to increase coverage
fix: Uncommon Userinit Child Process - Add the citrix process cmstart to the filtered processes and make it more strict to avoid abuse. Also enhances the other filters by removing the C: notation.
fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Add FP filter for chrome installer spawning rundll32 without arguments

---------

Co-authored-by: phantinuss <[email protected]>
thanks: @vj-codes for #4554
thanks: @mezzofix for #4520
thanks: @rkmbaxed for #4566 and #4569
thanks: @celalettin-turgut for #4570

README.md

@@ -116,7 +116,7 @@ If you find a false positive or would like to propose a new detection rule idea
 
 ## Credits
 
-This project would've never reached this hight without the help of the hundreds of contributors. Thanks to all past and present contributors for their help.
+This project would've never reached this height without the help of the hundreds of contributors. Thanks to all past and present contributors for their help.
 
 ## Licenses
 

rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml → deprecated/windows/proc_creation_win_lolbin_findstr.yml

@@ -1,14 +1,14 @@
 title: Abusing Findstr for Defense Evasion
 id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
-status: test
+status: deprecated
 description: Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism
 references:
     - https://lolbas-project.github.io/lolbas/Binaries/Findstr/
     - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
     - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali'
 date: 2020/10/05
-modified: 2022/10/11
+modified: 2022/10/12
 tags:
     - attack.defense_evasion
     - attack.t1218

rules/windows/process_creation/proc_creation_win_wuauclt_execution.yml → deprecated/windows/proc_creation_win_wuauclt_execution.yml

@@ -1,12 +1,12 @@
 title: Windows Update Client LOLBIN
 id: d7825193-b70a-48a4-b992-8b5b3015cc11
-status: test
+status: deprecated
 description: Detects code execution via the Windows Update client (wuauclt)
 references:
     - https://dtm.uk/wuauclt/
 author: FPT.EagleEye Team
 date: 2020/10/17
-modified: 2022/05/13
+modified: 2023/11/11
 tags:
     - attack.command_and_control
     - attack.execution

rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml

@@ -0,0 +1,47 @@
+title: Non-DLL Extension File Renamed With DLL Extension
+id: bbfd974c-248e-4435-8de6-1e938c79c5c1
+status: experimental
+description: |
+    Detects rename operations of files with non-DLL extensions to files with a DLL extension. This is often performed by malware in order to avoid initial detections based on extensions.
+references:
+    - https://twitter.com/ffforward/status/1481672378639912960
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location
+author: frack113
+date: 2022/02/19
+modified: 2023/11/11
+tags:
+    - attack.defense_evasion
+    - attack.t1036.008
+    - detection.threat_hunting
+logsource:
+    product: windows
+    category: file_rename
+    definition: 'Requirements: Microsoft-Windows-Kernel-File Provider with at least the KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH keyword'
+detection:
+    selection:
+        TargetFilename|endswith: '.dll'
+    filter_main_dll:
+        # Note: To avoid file renames
+        SourceFilename|endswith: '.dll'
+    filter_main_installers:
+        SourceFilename|endswith: '.tmp'
+    filter_main_empty_source:
+        SourceFilename: ''
+    filter_main_null_source:
+        SourceFilename: null
+    filter_main_tiworker:
+        Image|contains: ':\Windows\WinSxS\'
+        Image|endswith: '\TiWorker.exe'
+    filter_main_upgrade:
+        - Image|endswith: ':\Windows\System32\wuauclt.exe'
+        - TargetFilename|contains: ':\$WINDOWS.~BT\Sources\'
+    filter_main_generic:
+        Image|contains:
+            - ':\Program Files (x86)\'
+            - ':\Program Files\'
+    filter_optional_squirrel:
+        SourceFilename|contains: '\SquirrelTemp\temp'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
+falsepositives:
+    - Likely from installers and temporary locations
+level: medium

rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml

@@ -0,0 +1,30 @@
+title: Windows Defender Exclusion List Modified
+id: 46a68649-f218-4f86-aea1-16a759d81820
+related:
+    - id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
+      type: derived
+    - id: a33f8808-2812-4373-ae95-8cfb82134978
+      type: derived
+status: test
+description: |
+    Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.
+references:
+    - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
+author: '@BarryShooshooga'
+date: 2019/10/26
+modified: 2023/11/11
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User'
+detection:
+    selection:
+        EventID: 4657 # A registry value was modified.
+        ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\'
+    condition: selection
+falsepositives:
+    - Intended exclusions by administrators
+level: medium

rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml

@@ -0,0 +1,35 @@
+title: Windows Defender Exclusion Reigstry Key - Write Access Requested
+id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
+related:
+    - id: 46a68649-f218-4f86-aea1-16a759d81820
+      type: derived
+    - id: a33f8808-2812-4373-ae95-8cfb82134978
+      type: derived
+status: test
+description: |
+    Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.
+references:
+    - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
+author: '@BarryShooshooga, Nasreddine Bencherchali (Nextron Systems)'
+date: 2019/10/26
+modified: 2023/11/11
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User'
+detection:
+    selection:
+        AccessList|contains:
+            - '%%4417' # WriteData
+            - '%%4418' # AppendData
+        EventID:
+            - 4656 # A handle to an object was requested.
+            - 4663 # An attempt was made to access an object.
+        ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium

rules/windows/builtin/security/win_security_defender_bypass.yml → rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml

@@ -1,12 +1,18 @@
-title: Windows Defender Exclusion Set
-id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
+title: Windows Defender Exclusion Deleted
+id: a33f8808-2812-4373-ae95-8cfb82134978
+related:
+    - id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
+      type: derived
+    - id: 46a68649-f218-4f86-aea1-16a759d81820
+      type: derived
 status: test
-description: Detects scenarios where an Windows Defender exclusion was added in registry where an entity would want to bypass antivirus scanning from Windows Defender
+description: |
+    Detects when a Windows Defender exclusion has been deleted. This could indicate an attacker trying to delete their tracks by removing the added exclusions
 references:
     - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
 author: '@BarryShooshooga'
 date: 2019/10/26
-modified: 2021/11/27
+modified: 2023/11/11
 tags:
     - attack.defense_evasion
     - attack.t1562.001
@@ -16,13 +22,9 @@ logsource:
     definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User'
 detection:
     selection:
-        EventID:
-            - 4657
-            - 4656
-            - 4660
-            - 4663
+        EventID: 4660 # An object was deleted.
         ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\'
     condition: selection
 falsepositives:
-    - Intended inclusions by administrator
-level: high
+    - Unknown
+level: medium

rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml

@@ -7,7 +7,7 @@ references:
     - https://lolbas-project.github.io
 author: Perez Diego (@darkquassar), oscd.community
 date: 2019/10/27
-modified: 2023/09/06
+modified: 2023/11/11
 tags:
     - attack.privilege_escalation
     - attack.defense_evasion
@@ -72,9 +72,9 @@ detection:
             - ':\Windows\System32\services.exe' # happens on Windows 7
             - ':\Windows\System32\wininit.exe' # happens on Windows 7
             - ':\Windows\System32\csrss.exe' # multiple OS
+            - ':\Windows\System32\LogonUI.exe' # multiple OS
     filter_main_winlogon_2:
         SourceImage: 'C:\Windows\System32\winlogon.exe'
-        TargetParentImage: 'System'
         TargetParentProcessId: 4
     filter_main_schtasks_conhost:
         SourceImage|endswith:
@@ -84,10 +84,19 @@ detection:
     filter_main_explorer:
         SourceImage|endswith: ':\Windows\explorer.exe'
         TargetImage|endswith:
-            - ':\Windows\System32\mmc.exe'
-            - ':\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe'
+            - ':\Program Files (x86)\'
+            - ':\Program Files\'
+            - ':\Windows\System32\'
+            - ':\Windows\SysWOW64\'
     filter_main_system:
         TargetImage: 'System'
+    filter_main_msiexec:
+        # Note: MSI installers will trigger this
+        SourceImage|endswith: '\msiexec.exe'
+        TargetImage|contains:
+            - '\AppData\Local\'
+            - ':\Program Files (x86)\'
+            - ':\Program Files\'
     filter_optional_powerpnt:
         # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479
         SourceImage|contains: '\Microsoft Office\'

rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml

@@ -18,14 +18,14 @@ detection:
     selection:
         TargetFilename|endswith: '.evtx'
     filter_main_path:
-        TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\'
+        TargetFilename|contains: ':\Windows\System32\winevt\Logs\'
     filter_main_baseimage:
-        TargetFilename|startswith: 'C:\ProgramData\Microsoft\Windows\Containers\BaseImages\'
+        TargetFilename|contains: ':\ProgramData\Microsoft\Windows\Containers\BaseImages\'
         TargetFilename|endswith: '\Windows\System32\winevt\Logs\'
     filter_main_generic_img:
-        Image:
-            - 'C:\Windows\explorer.exe'
-            - 'C:\Windows\system32\dllhost.exe'
+        Image|endswith:
+            - ':\Windows\explorer.exe'
+            - ':\Windows\system32\dllhost.exe'
     condition: selection and not 1 of filter_main_*
 falsepositives:
     - Administrator or backup activity

rules/windows/file/file_rename/file_rename_win_ransomware.yml

@@ -7,7 +7,7 @@ references:
     - https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/
 author: frack113
 date: 2022/07/16
-modified: 2023/01/02
+modified: 2023/11/11
 tags:
     - attack.impact
     - attack.t1486
@@ -18,35 +18,40 @@ logsource:
 detection:
     selection:
         SourceFilename|endswith:
-            - '.lnk'
-            - '.rtf'
-            - '.pst'
+            - '.doc'
             - '.docx'
-            - '.xlsx'
-            - '.jpg'
             - '.jpeg'
-            - '.png'
+            - '.jpg'
+            - '.lnk'
             - '.pdf'
+            - '.png'
+            - '.pst'
+            - '.rtf'
+            - '.xls'
+            - '.xlsx'
         TargetFilename|contains:
-            - '.lnk.'
-            - '.rtf.'
-            - '.pst.'
+            - '.doc.'
             - '.docx.'
-            - '.xlsx.'
-            - '.jpg.'
             - '.jpeg.'
-            - '.png.'
+            - '.jpg.'
+            - '.lnk.'
             - '.pdf.'
+            - '.png.'
+            - '.pst.'
+            - '.rtf.'
+            - '.xls.'
+            - '.xlsx.'
     filter_main_generic:
         TargetFilename|endswith:
-            - '.tmp'
+            # Note: Please add more used extensions by backup or recovery software
+            - '.backup'
             - '.bak'
             - '.old'
             - '.orig'
-            - '.backup'
             - '.temp'
+            - '.tmp'
     filter_optional_anaconda:
-        TargetFilename|startswith: 'C:\ProgramData\Anaconda3\'
+        TargetFilename|contains: ':\ProgramData\Anaconda3\'
         TargetFilename|endswith: '.c~'
     condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives: