fix(rules): Eliminate false positives and apply hardening

Author: rabbitstack

rules/credentail_access_file_access_to_sam_database.yml

@@ -1,6 +1,6 @@
 name: File access to SAM database
 id: e3dace20-4962-4381-884e-40dcdde66626
-version: 1.0.5
+version: 1.0.6
 description: |
   Identifies access to the Security Account Manager on-disk database.
 labels:
@@ -27,7 +27,15 @@ condition: >
               '?:\\Program Files\\*',
               '?:\\Program Files (x86)\\*',
               '?:\\Windows\\System32\\lsass.exe',
-              '?:\\Windows\\System32\\srtasks.exe'
+              '?:\\Windows\\System32\\srtasks.exe',
+              '?:\\Windows\\System32\\svchost.exe',
+              '?:\\Windows\\System32\\Dism.exe',
+              '?:\\Windows\\System32\\vmwp.exe',
+              '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe',
+              '?:\\Windows\\System32\\wuauclt.exe',
+              '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe',
+              '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MpCopyAccelerator.exe',
+              '?:\\Windows\\System32\\MRT.exe'
             )
 
 min-engine-version: 3.0.0

rules/credential_access_credential_manager_access_via_known_tools.yml

@@ -1,6 +1,6 @@
 name: Credential Manager access via known tools
 id: 5b4130f8-bc73-4890-b5f6-b03cddc75a52
-version: 1.0.0
+version: 1.0.1
 description: |
   Detects access to the Windows Credential Manager using built-in
   utilities such as vaultcmd.exe, cmdkey.exe, rundll32.exe, and
@@ -19,10 +19,10 @@ labels:
 
 condition: >
   spawn_process and
-  ((ps.name ~= 'VaultCmd.exe' or ps.pe.file.name ~= 'vaultcmd.exe') and ps.cmdline imatches '*/list*') or
+  (((ps.name ~= 'VaultCmd.exe' or ps.pe.file.name ~= 'vaultcmd.exe') and ps.cmdline imatches '*/list*') or
   ((ps.name ~= 'rundll32.exe' or ps.pe.file.name ~= 'rundll32.exe') and ps.cmdline imatches '*keymgr.dll*KRShowKeyMgr*') or
   ((ps.name ~= 'cmdkey.exe' or ps.pe.file.name ~= 'cmdkey.exe') and ps.cmdline imatches '*/list*') or
-  ((ps.name ~= 'control.exe' or ps.pe.file.name ~= 'control.exe') and ps.cmdline imatches '*keymgr.dll*')
+  ((ps.name ~= 'control.exe' or ps.pe.file.name ~= 'control.exe') and ps.cmdline imatches '*keymgr.dll*'))
 
 severity: medium
 

rules/credential_access_lsass_access_from_unsigned_executable.yml

@@ -1,6 +1,6 @@
 name: LSASS access from unsigned executable
 id: 348bf896-2201-444f-b1c9-e957a1f063bf
-version: 1.0.3
+version: 1.0.4
 description: |
   Detects attempts by an unsigned process to access the Local Security Authority Subsystem Service (LSASS). 
   Adversaries may try to dump credential information stored in the process memory of LSASS.
@@ -21,7 +21,9 @@ condition: >
   sequence
   maxspan 7m
   by ps.uuid
-    |load_unsigned_executable|
+    |load_unsigned_executable and
+     ps.exe not imatches '?:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe'
+    |
     |((open_process) or (open_thread)) and evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe'|
 action:
   - name: kill

rules/credential_access_potential_sam_hive_dumping.yml

@@ -1,6 +1,6 @@
 name: Potential SAM hive dumping
 id: 2f326557-0291-4eb1-a87a-7a17b7d941cb
-version: 1.0.7
+version: 1.0.8
 description:
   Identifies access to the Security Account Manager registry hives.
 labels:
@@ -27,7 +27,8 @@ condition: >
                   '?:\\Program Files (x86)\\*.exe',
                   '?:\\Windows\\System32\\svchost.exe'
                 ) or
-      (ps.cmdline imatches '"?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior')
+      (ps.cmdline imatches '"?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior') or
+      (ps.exe imatches '?:\\WINDOWS\\system32\\wevtutil.exe' and ps.parent.exe imatches '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe')
      )
     |
     |open_registry and
@@ -36,6 +37,7 @@ condition: >
                 (
                   'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users',
                   'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names',
+                  'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\WDAGUtilityAccount\\ChannelReferences',
                   'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account',
                   'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Account\\Aliases\\*'
                 ) and

rules/credential_access_suspicious_access_to_windows_vault_files.yml

@@ -1,6 +1,6 @@
 name: Suspicious access to Windows Vault files
 id: 44400221-f98d-424a-9388-497c75b18924
-version: 1.0.4
+version: 1.0.5
 description: |
   Identifies attempts from adversaries to acquire credentials from Vault files.
 labels:
@@ -24,10 +24,15 @@ condition: >
   file.extension in vault_extensions and
   ps.exe not imatches
             (
-              '?:\\Program Files\\*',
-              '?:\\Program Files(x86)\\*',
+              '?:\\Program Files\\*.exe',
+              '?:\\Program Files(x86)\\*.exe',
               '?:\\Windows\\System32\\lsass.exe',
-              '?:\\Windows\\System32\\svchost.exe'
+              '?:\\Windows\\System32\\svchost.exe',
+              '?:\\Windows\\System32\\SearchProtocolHost.exe',
+              '?:\\Windows\\Explorer.exe',
+              '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe',
+              '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MpCopyAccelerator.exe',
+              '?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Platform\\*\\MsSense.exe'
             )
 
 min-engine-version: 3.0.0

rules/credential_access_suspicious_vault_client_dll_load.yml

@@ -1,6 +1,6 @@
 name: Suspicious Vault client DLL load
 id: 64af2e2e-2309-4079-9c0f-985f1dd930f5
-version: 1.0.5
+version: 1.0.6
 description: |
   Identifies loading of the Vault client DLL by an unusual process. Adversaries can abuse the functions provided 
   by the Credential Vault Client Library to enumerate or harvest saved credentials.
@@ -23,28 +23,40 @@ condition: >
   maxspan 2m
   by ps.uuid
     |spawn_process and
-     ps.exe != '' and
-     not
-      (
-        ps.exe imatches
-                    (
-                      '?:\\Windows\\System32\\MDMAppInstaller.exe',
-                      '?:\\Windows\\uus\\*\\MoUsoCoreWorker.exe',
-                      '?:\\Windows\\Microsoft.NET\\Framework64\\*\\dfsvc.exe',
-                      '?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe',
-                      '?:\\Program Files\\*.exe', 
-                      '?:\\Program Files (x86)\\*.exe',
-                      '?:\\Windows\\winsxs\\*\\TiWorker.exe'
-                    ) or
-        (ps.exe imatches '?:\\WINDOWS\\System32\\taskhostw.exe' and ps.parent.args intersects ('-k', 'netsvcs', '-p', '-s', 'Schedule')) or
-        (ps.exe imatches '?:\\Windows\\System32\\RuntimeBroker.exe') or
-        (ps.exe imatches ('?:\\Program Files\\WindowsApps\\Microsoft.*.exe', '?:\\Windows\\Microsoft.NET\\Framework*\\NGenTask.exe')) or
-        (ps.exe imatches '?:\\WINDOWS\\system32\\BackgroundTaskHost.exe' and ps.args imatches ('-ServerName:*')) or
-        (ps.exe imatches '?:\\Windows\\System32\\SecurityHealth\\*\\SecurityHealthHost.exe') or
-        (ps.exe imatches '?:\\WINDOWS\\uus\\*\\MoUsoCoreWorker.exe') or
-        (ps.parent.exe imatches '?:\\Windows\\System32\\services.exe') or
-        (ps.parent.exe imatches '?:\\Program Files\\Microsoft OneDrive\\OneDriveStandaloneUpdater.exe')
-      )
+     ps.sid not in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20') and ps.exe != '' and
+     not (ps.exe imatches
+                (
+                  '?:\\Windows\\System32\\MDMAppInstaller.exe',
+                  '?:\\Windows\\uus\\*\\MoUsoCoreWorker.exe',
+                  '?:\\Windows\\uus\\*\\WaaSMedicAgent.exe',
+                  '?:\\Windows\\System32\\UCConfigTask.exe',
+                  '?:\\Windows\\System32\\DllHost.exe',
+                  '?:\\Windows\\Microsoft.NET\\Framework64\\*\\dfsvc.exe',
+                  '?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe',
+                  '?:\\Program Files\\*.exe',
+                  '?:\\Program Files (x86)\\*.exe',
+                  '?:\\Windows\\winsxs\\*\\TiWorker.exe',
+                  '?:\\Windows\\System32\\RuntimeBroker.exe',
+                  '?:\\WINDOWS\\system32\\UCConfigTask.exe',
+                  '?:\\Program Files\\WindowsApps\\Microsoft.*.exe',
+                  '?:\\Windows\\System32\\SecurityHealth\\*\\SecurityHealthHost.exe',
+                  '?:\\Windows\\Microsoft.NET\\Framework*\\NGenTask.exe',
+                  '?:\\Windows\\SystemApps\\MicrosoftWindows.Client.*\\SearchHost.exe',
+                  '?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe',
+                  '?:\\Windows\\System32\\PickerHost.exe',
+                  '?:\\WINDOWS\\SystemApps\\MicrosoftWindows.Client.CBS_*\\SearchHost.exe',
+                  '?:\\WINDOWS\\SystemApps\\MicrosoftWindows.Client.CBS_*\\AppActions.exe',
+                  '?:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe',
+                  '?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe',
+                  '?:\\Windows\\Microsoft.NET\\Framework64\\*\\ngen.exe',
+                  '?:\\Windows\\Microsoft.NET\\Framework\\*\\mscorsvw.exe',
+                  '?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe'
+                ) or
+          (ps.exe imatches '?:\\WINDOWS\\System32\\taskhostw.exe' and ps.parent.args intersects ('-k', 'netsvcs', '-p', '-s', 'Schedule')) or
+          (ps.exe imatches '?:\\WINDOWS\\system32\\BackgroundTaskHost.exe' and ps.args imatches ('-ServerName:*')) or
+          (ps.parent.exe imatches '?:\\Windows\\System32\\services.exe') or
+          (ps.parent.exe imatches '?:\\Program Files\\Microsoft OneDrive\\OneDriveStandaloneUpdater.exe')
+        )
     |
     |load_dll and dll.name ~= 'vaultcli.dll'|
 

rules/credential_access_unusual_access_to_ssh_keys.yml

@@ -1,6 +1,6 @@
 name: Unusual access to SSH keys
 id: 90f5c1bd-abd6-4d1b-94e0-229f04473d60
-version: 1.0.5
+version: 1.0.6
 description: |
   Identifies access by unusual process to saved SSH keys.
 labels:
@@ -16,7 +16,7 @@ labels:
 
 condition: >
   open_file and
-  file.path imatches '?:\\Users\\*\\.ssh\\known_hosts' and
+  evt.pid != 4 and file.path imatches '?:\\Users\\*\\.ssh\\known_hosts' and
   ps.exe not imatches
             (
               '?:\\Program Files\\*',

rules/credential_access_unusual_access_to_web_browser_credential_stores.yml

@@ -1,6 +1,6 @@
 name: Unusual access to Web Browser Credential stores
 id: 9d889b2b-ca13-4a04-8919-ff1151f23a71
-version: 1.0.4
+version: 1.0.5
 description: |
   Identifies access to Web Browser Credential stores by unusual processes.
 labels:
@@ -16,16 +16,18 @@ labels:
 
 condition: >
   open_file and
-  file.path imatches web_browser_cred_stores and
+  evt.pid != 4 and file.path imatches web_browser_cred_stores and
   ps.name not iin web_browser_binaries and
   ps.exe not imatches
             (
               '?:\\Program Files\\*',
               '?:\\Program Files(x86)\\*',
-              '*\\Windows\\System32\\SearchProtocolHost.exe',
-              '*\\Windows\\explorer.exe',
+              '?:\\Windows\\System32\\SearchProtocolHost.exe',
+              '?:\\Windows\\explorer.exe',
               '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe',
-              '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MpCopyAccelerator.exe'
+              '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MpCopyAccelerator.exe',
+              '?:\\Windows\\System32\\svchost.exe',
+              '?:\\Windows\\System32\\taskhostw.exe'
             )
 
 min-engine-version: 3.0.0

rules/defense_evasion_activity_from_unhooked_ntdll_module.yml

@@ -1,6 +1,6 @@
 name: Activity from unhooked NTDLL module
 id: 24f48f6c-9d97-498d-badc-65e179d19599
-version: 1.1.0
+version: 1.1.1
 description: |
   Detects suspicious activity originating from an unhooked or manually mapped copy of NTDLL loaded
   into a process. This behavior is commonly associated with defense evasion frameworks that bypass
@@ -58,7 +58,6 @@ condition: >
     |((spawn_process) or
       (load_module) or
       (create_file) or
-      (set_thread_context) or
       (create_remote_thread) or
       (set_value) or
       (rename_file) or

rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml

@@ -1,6 +1,6 @@
 name: .NET assembly loaded by unmanaged process
 id: 34be8bd1-1143-4fa8-bed4-ae2566b1394a
-version: 1.0.11
+version: 1.2.0
 description: |
   Identifies the loading of the .NET assembly by an unmanaged process. Adversaries can load the CLR runtime
   inside unmanaged process and execute the assembly via the ICLRRuntimeHost::ExecuteInDefaultAppDomain method.
@@ -16,31 +16,47 @@ references:
   - https://www.ired.team/offensive-security/code-injection-process-injection/injecting-and-executing-.net-assemblies-to-unmanaged-process
 
 condition: >
-  (load_unsigned_or_untrusted_module) and
-  dll.path not imatches
-                (
-                  '?:\\Windows\\assembly\\*\\*.ni.dll',
-                  '?:\\Program Files\\WindowsPowerShell\\Modules\\*\\*.dll',
-                  '?:\\Windows\\Microsoft.NET\\assembly\\*\\*.dll',
-                  '?:\\$WinREAgent\\Scratch\\*',
-                  '?:\\Windows\\WinSxS\\*',
-                  '?:\\Windows\\CbsTemp\\*',
-                  '?:\\Windows\\SoftwareDistribution\\*'
-                ) and
-  ps.exe != '' and ps.pe.is_dotnet = false and
-  (dll.pe.is_dotnet or thread.callstack.modules imatches ('*clr.dll')) and
-  ps.exe not imatches
+  sequence
+  maxspan 1m
+  by ps.uuid
+    |spawn_process and
+     ps.token.integrity_level != 'SYSTEM' and
+     ps.exe not imatches
                 (
+                  '?:\\Windows\\system32\\DllHost.exe',
+                  '?:\\Windows\\System32\\WindowsPowerShell\\*\\powershell.exe',
                   '?:\\Program Files\\WindowsApps\\*\\CrossDeviceService.exe',
                   '?:\\Program Files\\WindowsApps\\*\\WidgetService.exe',
                   '?:\\Program Files\\WindowsApps\\*\\PhoneExperienceHost.exe',
                   '?:\\Program Files\\WindowsApps\\*\\WindowsSandboxServer.exe',
                   '?:\\Program Files\\Conexant\\SAII\\SmartAudio.exe',
-                  '?:\\Windows\\Microsoft.NET\\Framework*\\mscorsvw.exe'
+                  '?:\\Program Files\\WindowsApps\\Microsoft.WinDbg_*\\*.exe',
+                  '?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe',
+                  '?:\\Windows\\Microsoft.NET\\Framework64\\*\\ngen.exe',
+                  '?:\\Windows\\Microsoft.NET\\Framework\\*\\mscorsvw.exe',
+                  '?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe',
+                  '?:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_*\\WinStore.DesktopExtension\\StoreDesktopExtension.exe'
                 )
+    |
+    |(load_unsigned_or_untrusted_module) and
+     dll.path not imatches
+                (
+                  '?:\\Windows\\System32\\*.dll',
+                  '?:\\Windows\\assembly\\*\\*.ni.dll',
+                  '?:\\Program Files\\WindowsPowerShell\\Modules\\*\\*.dll',
+                  '?:\\Windows\\Microsoft.NET\\assembly\\*\\*.dll',
+                  '?:\\$WinREAgent\\Scratch\\*.dll',
+                  '?:\\Windows\\WinSxS\\*.dll',
+                  '?:\\Windows\\CbsTemp\\*.dll',
+                  '?:\\Windows\\SoftwareDistribution\\*.dll',
+                  '?:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_*\\*.dll'
+                ) and
+     ps.exe != '' and ps.pe.is_dotnet = false and
+     (dll.pe.is_dotnet or thread.callstack.modules imatches ('*clr.dll'))
+    |
 
 output: >
-  .NET assembly %dll.path loaded by unmanaged process %ps.exe
+  .NET assembly %2.dll.path loaded by unmanaged process %2.ps.exe
 severity: high
 
 min-engine-version: 3.0.0