Merge PR #5144 from @djlukic - Fix multiple FPs

fix: Relevant Anti-Virus Signature Keywords In Application Log - Enhances the `HTool` string to avoid unintended matches. fix: Uncommon AppX Package Locations - Add `https://installer.teams.static.microsoft/` fix: BITS Transfer Job With Uncommon Or Suspicious Remote TLD - Add `dn.onenote.net/` and `cdn.office.net/` fix: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add filter for `Kaspersky` and `mDNS Responder`
SigmaHQ · Dec 27, 2024 · 1df3c34 · 1df3c34
1 parent 7c83045
commit 1df3c34
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 5 deletions.
diff --git a/rules/windows/builtin/application/Other/win_av_relevant_match.yml b/rules/windows/builtin/application/Other/win_av_relevant_match.yml
@@ -10,7 +10,7 @@ references:
     - https://www.nextron-systems.com/?s=antivirus
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2017-02-19
-modified: 2024-08-29
+modified: 2024-12-25
 tags:
     - attack.resource-development
     - attack.t1588
@@ -43,7 +43,9 @@ detection:
         - 'GrandCrab '
         - 'HackTool'
         - 'HKTL'
-        - 'HTool'
+        - 'HTool-'
+        - '/HTool'
+        - '.HTool'
         - 'IISExchgSpawnCMD'
         - 'Impacket'
         - 'JSP/BackDoor '

diff --git a/...ws/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml b/...ws/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
@@ -9,7 +9,7 @@ references:
     - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-11
-modified: 2024-08-29
+modified: 2024-12-25
 tags:
     - attack.defense-evasion
 logsource:
@@ -33,6 +33,7 @@ detection:
             - 'https://statics.teams.cdn.live.net/'
             - 'https://statics.teams.cdn.office.net/'
             - 'microsoft.com' # Example: https://go.microsoft.com/fwlink/?linkid=2160968
+            - 'https://installer.teams.static.microsoft/'
     condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unknown

diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml
@@ -7,7 +7,7 @@ references:
     - https://twitter.com/malmoeb/status/1535142803075960832
 author: Florian Roth (Nextron Systems)
 date: 2022-06-10
-modified: 2023-03-27
+modified: 2024-12-25
 tags:
     - attack.defense-evasion
     - attack.persistence
@@ -24,6 +24,8 @@ detection:
             - '.com/'
             - '.sfx.ms/'
             - 'download.mozilla.org/' # https://download.mozilla.org/?product=firefox-101.0.1-partial-101.0&amp;os=win64&amp;lang=en-US
+            - 'cdn.onenote.net/'
+            - 'cdn.office.net/'
     condition: selection and not 1 of filter_main_*
 falsepositives:
     - This rule doesn't exclude other known TLDs such as ".org" or ".net". It's recommended to apply additional filters for software and scripts that leverage the BITS service

diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
@@ -11,7 +11,7 @@ references:
     - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2022-01-20
-modified: 2024-10-08
+modified: 2024-12-25
 tags:
     - attack.execution
 logsource:
@@ -104,6 +104,17 @@ detection:
         - FileNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent'
         # Example: Program Files\SentinelOne\Sentinel Agent 23.4.4.223\SentinelAgent.exe
         - ProcessNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent'
+    filter_optional_national_instruments:
+        # Example: \device\harddiskvolume3\program files\national instruments\shared\mdns responder\nimdnsnsp.dll
+        FileNameBuffer|contains: '\National Instruments\Shared\mDNS Responder\'
+    filter_optional_kaspersky:
+        # Example: \Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\x64\antimalware_provider.dll
+        - ProcessNameBuffer|contains|all:
+              - '\Kaspersky Lab\'
+              - '\avp.exe'
+        - FileNameBuffer|contains|all:
+              - '\Kaspersky Lab\'
+              - '\antimalware_provider.dll'
     condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Antivirus and other third party products are known to trigger this rule quite a lot. Initial filters and tuning is required before using this rule.