Merge PR SigmaHQ#4802 from @phantinuss - FP Fixes

fix: Windows Binaries Write Suspicious Extensions - fix selection fix: Rundll32 Execution With Uncommon DLL Extension - add optional filter for MS Edge update
frack113 · Apr 5, 2024 · 4319f58 · 4319f58
1 parent 6505e72
commit 4319f58
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 4 deletions.
diff --git a/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml b/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml
@@ -9,7 +9,7 @@ references:
     - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/12
-modified: 2024/04/03
+modified: 2024/04/04
 tags:
     - attack.defense_evasion
     - attack.t1036
@@ -50,7 +50,7 @@ detection:
             - '.iso'
     filter_main_AppLockerPolicyTest:
         Image: 'C:\Windows\System32\dllhost.exe'
-        TargetFilename|contains:
+        TargetFilename|contains|all:
             - ':\Users\'
             - '\AppData\Local\Temp\__PSScriptPolicyTest_'
         TargetFilename|endswith: '.ps1'

diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml b/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml
@@ -6,7 +6,7 @@ references:
     - https://twitter.com/mrd0x/status/1481630810495139841?s=12
 author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou
 date: 2022/01/13
-modified: 2024/02/09
+modified: 2024/04/04
 tags:
     - attack.defense_evasion
     - attack.t1218.011
@@ -49,7 +49,16 @@ detection:
             - ':\Windows\Installer\'
             - '.tmp'
             - 'zzzzInvokeManagedCustomActionOutOfProc'
-    condition: selection and not 1 of filter_main_*
+    filter_optional_EdgeUpdate:
+        ParentCommandLine|contains|all:
+            - ':\Users\'
+            - '\AppData\Local\Microsoft\EdgeUpdate\Install\{'
+            - '\EDGEMITMP_'
+            - '.tmp\setup.exe'
+            - '--install-archive='
+            - '--previous-version='
+            - '--msedgewebview --verbose-logging --do-not-launch-msedge --user-level'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Unknown
 level: medium