fix(rules): Eliminate false positives and harden rules

rules/credentail_access_file_access_to_sam_database.yml

@@ -1,6 +1,6 @@
 name: File access to SAM database
 id: e3dace20-4962-4381-884e-40dcdde66626
-version: 1.0.5
+version: 1.0.6
 description: |
   Identifies access to the Security Account Manager on-disk database.
 labels:
@@ -27,7 +27,15 @@ condition: >
               '?:\\Program Files\\*',
               '?:\\Program Files (x86)\\*',
               '?:\\Windows\\System32\\lsass.exe',
-              '?:\\Windows\\System32\\srtasks.exe'
+              '?:\\Windows\\System32\\srtasks.exe',
+              '?:\\Windows\\System32\\svchost.exe',
+              '?:\\Windows\\System32\\Dism.exe',
+              '?:\\Windows\\System32\\vmwp.exe',
+              '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe',
+              '?:\\Windows\\System32\\wuauclt.exe',
+              '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe',
+              '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MpCopyAccelerator.exe',
+              '?:\\Windows\\System32\\MRT.exe'
             )
 
 min-engine-version: 3.0.0

rules/credential_access_lsass_access_from_unsigned_executable.yml

@@ -1,6 +1,6 @@
 name: LSASS access from unsigned executable
 id: 348bf896-2201-444f-b1c9-e957a1f063bf
-version: 1.0.2
+version: 1.0.3
 description: |
   Detects attempts by an unsigned process to access the Local Security Authority Subsystem Service (LSASS). 
   Adversaries may try to dump credential information stored in the process memory of LSASS.
@@ -20,7 +20,9 @@ condition: >
   sequence
   maxspan 7m
   by ps.uuid
-    |load_unsigned_executable|
+    |load_unsigned_executable and
+     ps.exe not imatches '?:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe'
+    |
     |((open_process) or (open_thread)) and evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe'|
 action:
   - name: kill

rules/credential_access_suspicious_access_to_windows_vault_files.yml

@@ -1,6 +1,6 @@
 name: Suspicious access to Windows Vault files
 id: 44400221-f98d-424a-9388-497c75b18924
-version: 1.0.4
+version: 1.0.5
 description: |
   Identifies attempts from adversaries to acquire credentials from Vault files.
 labels:
@@ -27,7 +27,12 @@ condition: >
               '?:\\Program Files\\*',
               '?:\\Program Files(x86)\\*',
               '?:\\Windows\\System32\\lsass.exe',
-              '?:\\Windows\\System32\\svchost.exe'
+              '?:\\Windows\\System32\\svchost.exe',
+              '?:\\Windows\\System32\\SearchProtocolHost.exe',
+              '?:\\Windows\\Explorer.exe',
+              '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe',
+              '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MpCopyAccelerator.exe',
+              '?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Platform\\*\\MsSense.exe'
             )
 
 min-engine-version: 3.0.0

rules/credential_access_suspicious_vault_client_dll_load.yml

@@ -1,6 +1,6 @@
 name: Suspicious Vault client DLL load
 id: 64af2e2e-2309-4079-9c0f-985f1dd930f5
-version: 1.0.5
+version: 1.0.6
 description: |
   Identifies loading of the Vault client DLL by an unusual process. Adversaries can abuse the functions provided 
   by the Credential Vault Client Library to enumerate or harvest saved credentials.
@@ -23,28 +23,39 @@ condition: >
   maxspan 2m
   by ps.uuid
     |spawn_process and
-     ps.exe != '' and
-     not
-      (
-        ps.exe imatches
-                    (
-                      '?:\\Windows\\System32\\MDMAppInstaller.exe',
-                      '?:\\Windows\\uus\\*\\MoUsoCoreWorker.exe',
-                      '?:\\Windows\\Microsoft.NET\\Framework64\\*\\dfsvc.exe',
-                      '?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe',
-                      '?:\\Program Files\\*.exe', 
-                      '?:\\Program Files (x86)\\*.exe',
-                      '?:\\Windows\\winsxs\\*\\TiWorker.exe'
-                    ) or
-        (ps.exe imatches '?:\\WINDOWS\\System32\\taskhostw.exe' and ps.parent.args intersects ('-k', 'netsvcs', '-p', '-s', 'Schedule')) or
-        (ps.exe imatches '?:\\Windows\\System32\\RuntimeBroker.exe') or
-        (ps.exe imatches ('?:\\Program Files\\WindowsApps\\Microsoft.*.exe', '?:\\Windows\\Microsoft.NET\\Framework*\\NGenTask.exe')) or
-        (ps.exe imatches '?:\\WINDOWS\\system32\\BackgroundTaskHost.exe' and ps.args imatches ('-ServerName:*')) or
-        (ps.exe imatches '?:\\Windows\\System32\\SecurityHealth\\*\\SecurityHealthHost.exe') or
-        (ps.exe imatches '?:\\WINDOWS\\uus\\*\\MoUsoCoreWorker.exe') or
-        (ps.parent.exe imatches '?:\\Windows\\System32\\services.exe') or
-        (ps.parent.exe imatches '?:\\Program Files\\Microsoft OneDrive\\OneDriveStandaloneUpdater.exe')
-      )
+     ps.sid not in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20') and ps.exe != '' and
+     not (ps.exe imatches
+                (
+                  '?:\\Windows\\System32\\MDMAppInstaller.exe',
+                  '?:\\Windows\\uus\\*\\MoUsoCoreWorker.exe',
+                  '?:\\Windows\\uus\\*\\WaaSMedicAgent.exe',
+                  '?:\\Windows\\System32\\UCConfigTask.exe',
+                  '?:\\Windows\\System32\\DllHost.exe',
+                  '?:\\Windows\\Microsoft.NET\\Framework64\\*\\dfsvc.exe',
+                  '?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe',
+                  '?:\\Program Files\\*.exe', 
+                  '?:\\Program Files (x86)\\*.exe',
+                  '?:\\Windows\\winsxs\\*\\TiWorker.exe',
+                  '?:\\WINDOWS\\system32\\UCConfigTask.exe',
+                  '?:\\Windows\\SystemApps\\MicrosoftWindows.Client.*\\SearchHost.exe',
+                  '?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe',
+                  '?:\\Windows\\System32\\PickerHost.exe',
+                  '?:\\WINDOWS\\SystemApps\\MicrosoftWindows.Client.CBS_*\\SearchHost.exe',
+                  '?:\\WINDOWS\\SystemApps\\MicrosoftWindows.Client.CBS_*\\AppActions.exe',
+                  '?:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe',
+                  '?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe',
+                  '?:\\Windows\\Microsoft.NET\\Framework64\\*\\ngen.exe',
+                  '?:\\Windows\\Microsoft.NET\\Framework\\*\\mscorsvw.exe',
+                  '?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe'
+                ) or
+          (ps.exe imatches '?:\\WINDOWS\\System32\\taskhostw.exe' and ps.parent.args intersects ('-k', 'netsvcs', '-p', '-s', 'Schedule')) or
+          (ps.exe imatches '?:\\Windows\\System32\\RuntimeBroker.exe') or
+          (ps.exe imatches ('?:\\Program Files\\WindowsApps\\Microsoft.*.exe', '?:\\Windows\\Microsoft.NET\\Framework*\\NGenTask.exe')) or
+          (ps.exe imatches '?:\\WINDOWS\\system32\\BackgroundTaskHost.exe' and ps.args imatches ('-ServerName:*')) or
+          (ps.exe imatches '?:\\Windows\\System32\\SecurityHealth\\*\\SecurityHealthHost.exe') or
+          (ps.parent.exe imatches '?:\\Windows\\System32\\services.exe') or
+          (ps.parent.exe imatches '?:\\Program Files\\Microsoft OneDrive\\OneDriveStandaloneUpdater.exe')
+        )
     |
     |load_dll and dll.name ~= 'vaultcli.dll'|
 

rules/credential_access_unusual_access_to_ssh_keys.yml

@@ -1,6 +1,6 @@
 name: Unusual access to SSH keys
 id: 90f5c1bd-abd6-4d1b-94e0-229f04473d60
-version: 1.0.5
+version: 1.0.6
 description: |
   Identifies access by unusual process to saved SSH keys.
 labels:
@@ -16,7 +16,7 @@ labels:
 
 condition: >
   open_file and
-  file.path imatches '?:\\Users\\*\\.ssh\\known_hosts' and
+  evt.pid != 4 and file.path imatches '?:\\Users\\*\\.ssh\\known_hosts' and
   ps.exe not imatches
             (
               '?:\\Program Files\\*',

rules/credential_access_unusual_access_to_web_browser_credential_stores.yml

@@ -1,6 +1,6 @@
 name: Unusual access to Web Browser Credential stores
 id: 9d889b2b-ca13-4a04-8919-ff1151f23a71
-version: 1.0.4
+version: 1.0.5
 description: |
   Identifies access to Web Browser Credential stores by unusual processes.
 labels:
@@ -16,16 +16,18 @@ labels:
 
 condition: >
   open_file and
-  file.path imatches web_browser_cred_stores and
+  evt.pid != 4 and file.path imatches web_browser_cred_stores and
   ps.name not iin web_browser_binaries and
   ps.exe not imatches
             (
               '?:\\Program Files\\*',
               '?:\\Program Files(x86)\\*',
-              '*\\Windows\\System32\\SearchProtocolHost.exe',
-              '*\\Windows\\explorer.exe',
+              '?:\\Windows\\System32\\SearchProtocolHost.exe',
+              '?:\\Windows\\explorer.exe',
               '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe',
-              '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MpCopyAccelerator.exe'
+              '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MpCopyAccelerator.exe',
+              '?:\\Windows\\System32\\svchost.exe',
+              '?:\\Windows\\System32\\taskhostw.exe'
             )
 
 min-engine-version: 3.0.0

rules/defense_evasion_activity_from_unhooked_ntdll_module.yml

@@ -1,6 +1,6 @@
 name: Activity from unhooked NTDLL module
 id: 24f48f6c-9d97-498d-badc-65e179d19599
-version: 1.1.0
+version: 1.1.1
 description: |
   Detects suspicious activity originating from an unhooked or manually mapped copy of NTDLL loaded
   into a process. This behavior is commonly associated with defense evasion frameworks that bypass
@@ -58,7 +58,6 @@ condition: >
     |((spawn_process) or
       (load_module) or
       (create_file) or
-      (set_thread_context) or
       (create_remote_thread) or
       (set_value) or
       (rename_file) or

rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml

@@ -1,6 +1,6 @@
 name: .NET assembly loaded by unmanaged process
 id: 34be8bd1-1143-4fa8-bed4-ae2566b1394a
-version: 1.0.11
+version: 1.2.0
 description: |
   Identifies the loading of the .NET assembly by an unmanaged process. Adversaries can load the CLR runtime
   inside unmanaged process and execute the assembly via the ICLRRuntimeHost::ExecuteInDefaultAppDomain method.
@@ -16,31 +16,47 @@ references:
   - https://www.ired.team/offensive-security/code-injection-process-injection/injecting-and-executing-.net-assemblies-to-unmanaged-process
 
 condition: >
-  (load_unsigned_or_untrusted_module) and
-  dll.path not imatches
-                (
-                  '?:\\Windows\\assembly\\*\\*.ni.dll',
-                  '?:\\Program Files\\WindowsPowerShell\\Modules\\*\\*.dll',
-                  '?:\\Windows\\Microsoft.NET\\assembly\\*\\*.dll',
-                  '?:\\$WinREAgent\\Scratch\\*',
-                  '?:\\Windows\\WinSxS\\*',
-                  '?:\\Windows\\CbsTemp\\*',
-                  '?:\\Windows\\SoftwareDistribution\\*'
-                ) and
-  ps.exe != '' and ps.pe.is_dotnet = false and
-  (dll.pe.is_dotnet or thread.callstack.modules imatches ('*clr.dll')) and
-  ps.exe not imatches
+  sequence
+  maxspan 1m
+  by ps.uuid
+    |spawn_process and
+     ps.token.integrity_level != 'SYSTEM' and
+     ps.exe not imatches
                 (
+                  '?:\\Windows\\system32\\DllHost.exe',
+                  '?:\\Windows\\System32\\WindowsPowerShell\\*\\powershell.exe',
                   '?:\\Program Files\\WindowsApps\\*\\CrossDeviceService.exe',
                   '?:\\Program Files\\WindowsApps\\*\\WidgetService.exe',
                   '?:\\Program Files\\WindowsApps\\*\\PhoneExperienceHost.exe',
                   '?:\\Program Files\\WindowsApps\\*\\WindowsSandboxServer.exe',
                   '?:\\Program Files\\Conexant\\SAII\\SmartAudio.exe',
-                  '?:\\Windows\\Microsoft.NET\\Framework*\\mscorsvw.exe'
+                  '?:\\Program Files\\WindowsApps\\Microsoft.WinDbg_*\\*.exe',
+                  '?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe',
+                  '?:\\Windows\\Microsoft.NET\\Framework64\\*\\ngen.exe',
+                  '?:\\Windows\\Microsoft.NET\\Framework\\*\\mscorsvw.exe',
+                  '?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe',
+                  '?:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_*\\WinStore.DesktopExtension\\StoreDesktopExtension.exe'
                 )
+    |
+    |(load_unsigned_or_untrusted_module) and
+     dll.path not imatches
+                (
+                  '?:\\Windows\\System32\\*.dll',
+                  '?:\\Windows\\assembly\\*\\*.ni.dll',
+                  '?:\\Program Files\\WindowsPowerShell\\Modules\\*\\*.dll',
+                  '?:\\Windows\\Microsoft.NET\\assembly\\*\\*.dll',
+                  '?:\\$WinREAgent\\Scratch\\*.dll',
+                  '?:\\Windows\\WinSxS\\*.dll',
+                  '?:\\Windows\\CbsTemp\\*.dll',
+                  '?:\\Windows\\SoftwareDistribution\\*.dll',
+                  '?:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_*\\*.dll'
+                ) and
+     ps.exe != '' and ps.pe.is_dotnet = false and
+     (dll.pe.is_dotnet or thread.callstack.modules imatches ('*clr.dll'))
+    |
 
 output: >
-  .NET assembly %dll.path loaded by unmanaged process %ps.exe
+  .NET assembly %2.dll.path loaded by unmanaged process %2.ps.exe
 severity: high
 
 min-engine-version: 3.0.0

rules/defense_evasion_hidden_registry_key_creation.yml

@@ -1,6 +1,6 @@
 name: Hidden registry key creation
 id: 65deda38-9b1d-42a0-9f40-a68903e81b49
-version: 1.1.6
+version: 1.1.7
 description: |
   Identifies the creation of a hidden registry key. Adversaries can utilize the
   native NtSetValueKey API to create a hidden registry key and conceal payloads
@@ -28,7 +28,9 @@ condition: >
               '?:\\Windows\\System32\\compattelrunner.exe',
               '?:\\Windows\\explorer.exe',
               '?:\\Windows\\System32\\lsass.exe',
-              '?:\\Windows\\System32\\svchost.exe'
+              '?:\\Windows\\System32\\svchost.exe',
+              '?:\\Windows\\WinSxS\\*\\TiWorker.exe',
+              '?:\\Windows\\UUS\\*\\wuaucltcore.exe'
             ) and
   ps.parent.exe not imatches
             (

rules/defense_evasion_potential_ntdll_unhooking_via_file_mapping.yml

@@ -1,6 +1,6 @@
 name: Potential NTDLL unhooking via file mapping
 id: b000955d-90df-44eb-8e32-8269d395f0ef
-version: 1.0.0
+version: 1.0.1
 description: |
   Identifies processes that map a fresh image view of NTDLL.dll
   from disk, a behavior commonly associated with user-mode API
@@ -30,7 +30,8 @@ condition: >
               '?:\\Windows\\System32\\WerFault.exe',
               '?:\\Windows\\SysWOW64\\WerFault.exe',
               '?:\\Windows\\System32\\wermgr.exe',
-              '?:\\Windows\\SysWOW64\\wermgr.exe'
+              '?:\\Windows\\SysWOW64\\wermgr.exe',
+              '?:\\Windows\\System32\\taskhostw.exe'
             )
 
 severity: high

rules/defense_evasion_process_creation_from_stomped_module.yml

@@ -1,6 +1,6 @@
 name: Process creation from a stomped module
 id: f85d1e80-49ec-4bbe-9bf5-7e2a3a8a7319
-version: 1.0.0
+version: 1.0.1
 description: |
   Identifies the creation of the process from the parent where the call stack
   exhibits suspicious memory properties. The pattern is typical of stomped module
@@ -19,32 +19,32 @@ references:
 
 condition: >
   spawn_process and
+  ps.sid != 'S-1-5-18' and ps.exe not imatches
+                                      (
+                                        '?:\\Program Files\\*.exe',
+                                        '?:\\Program Files(x86)\\*.exe'
+                                      ) and
   foreach(thread._callstack, $frame, $frame.module imatches ('?:\\Windows\\System32\\*.dll', '?:\\Windows\\SysWOW64\\*.dll') and $frame.allocation_size >= 10000) and
   not foreach(thread._callstack, $frame, $frame.module imatches
                                 (
                                   '?:\\Program Files\\*.dll',
                                   '?:\\Program Files (x86)\\*.dll',
-                                  '?:\\Windows\\System32\\umppc*.dll'
-                                ) or
-                                (
-                                  $frame.allocation_size >= 10000 and $frame.module imatches
-                                     (
-                                       '?:\\Windows\\System32\\ntdll.dll',
-                                       '?:\\Windows\\System32\\rpcrt4.dll',
-                                       '?:\\Windows\\SysWOW64\\rpcrt4.dll',
-                                       '?:\\Windows\\System32\\KernelBase.dll',
-                                       '?:\\Windows\\SysWOW64\\KernelBase.dll',
-                                       '?:\\Windows\\System32\\combase.dll',
-                                       '?:\\Windows\\SysWOW64\\combase.dll',
-                                       '?:\\Windows\\System32\\user32.dll',
-                                       '?:\\Windows\\SysWOW64\\user32.dll',
-                                       '?:\\Windows\\System32\\ws2_32.dll',
-                                       '?:\\Windows\\SysWOW64\\ws2_32.dll',
-                                       '?:\\Windows\\System32\\spool\\drivers\\*',
-                                       '?:\\Windows\\assembly\\NativeImages_*',
-                                       '?:\\Windows\\System32\\DriverStore\\FileRepository\\*'
-                                     )
-                                  ))
+                                  '?:\\Windows\\System32\\umppc*.dll',
+                                  '?:\\Windows\\System32\\ntdll.dll',
+                                  '?:\\Windows\\System32\\rpcrt4.dll',
+                                  '?:\\Windows\\SysWOW64\\rpcrt4.dll',
+                                  '?:\\Windows\\System32\\KernelBase.dll',
+                                  '?:\\Windows\\SysWOW64\\KernelBase.dll',
+                                  '?:\\Windows\\System32\\combase.dll',
+                                  '?:\\Windows\\SysWOW64\\combase.dll',
+                                  '?:\\Windows\\System32\\user32.dll',
+                                  '?:\\Windows\\SysWOW64\\user32.dll',
+                                  '?:\\Windows\\System32\\ws2_32.dll',
+                                  '?:\\Windows\\SysWOW64\\ws2_32.dll',
+                                  '?:\\Windows\\System32\\spool\\drivers\\*',
+                                  '?:\\Windows\\assembly\\NativeImages_*',
+                                  '?:\\Windows\\System32\\DriverStore\\FileRepository\\*'
+                                ))
 action:
   - name: kill
 

rules/defense_evasion_process_execution_from_hollowed_memory_section.yml

@@ -1,6 +1,6 @@
 name: Process execution from hollowed memory section
 id: 2a3fbae8-5e8c-4b71-b9da-56c3958c0d53
-version: 2.1.1
+version: 2.1.2
 description: |
   Adversaries may inject malicious code into suspended and hollowed processes in order to
   evade process-based defenses. Process hollowing is a method of executing arbitrary code
@@ -35,7 +35,8 @@ condition: >
                     )
     | by ps.uuid, file.view.base
     |load_executable and
-     module.path not imatches '?:\\Windows\\SoftwareDistribution\\Download\\*\\Package_for_RollupFix*\\*.exe'
+     module.path not imatches '?:\\Windows\\SoftwareDistribution\\Download\\*\\Package_for_RollupFix*\\*.exe' and
+     (ps.exe not imatches '?:\\Windows\\System32\\conhost.exe' and ps.cmdline not imatches '*0xffffffff -ForceV1' and ps.parent.name not imatches '?:\\Windows\\System32\\WindowsPowerShell\\*\\powershell.exe')
     | by ps.uuid, module.base
 action:
   - name: kill