From 4319f5807ff4eb8035ecf1a8f86ab3bdc1ab8960 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Fri, 5 Apr 2024 08:47:18 +0200
Subject: [PATCH] Merge PR #4802 from @phantinuss - FP Fixes

fix: Windows Binaries Write Suspicious Extensions - fix selection
fix: Rundll32 Execution With Uncommon DLL Extension - add optional filter for MS Edge update
---
 ..._event_win_shell_write_susp_files_extensions.yml | 4 ++--
 ...creation_win_rundll32_uncommon_dll_extension.yml | 13 +++++++++++--
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml b/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml
index cebda9579da..31509a82012 100644
--- a/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml
+++ b/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml
@@ -9,7 +9,7 @@ references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/12
-modified: 2024/04/03
+modified: 2024/04/04
 tags:
 - attack.defense_evasion
 - attack.t1036
@@ -50,7 +50,7 @@ detection:
 - '.iso'
 filter_main_AppLockerPolicyTest:
 Image: 'C:\Windows\System32\dllhost.exe'
- TargetFilename|contains:
+ TargetFilename|contains|all:
 - ':\Users\'
 - '\AppData\Local\Temp\__PSScriptPolicyTest_'
 TargetFilename|endswith: '.ps1'
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml b/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml
index 8725e532d05..26141b85ef4 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml
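Review bot: The `contains|all` on `TargetFilename` in the `+` line requires both fragments to be present but does not tie them to one path (order and adjacency are not enforced), so the filter is still marginally looser than the single Temp-folder location it describes; with the exact `Image` match on dllhost.exe this looks acceptable, but the reason for `|all` is recorded nowhere in the rule. A one-line YAML comment above `filter_main_AppLockerPolicyTest` would stop a later edit from reverting to the broader form, which excluded every .ps1 that dllhost.exe wrote anywhere under a `:\Users\` path: `# both fragments must match - a plain 'contains' excluded any .ps1 written by dllhost.exe under a user profile`. The `detection` block this filter belongs to starts and ends outside the hunk.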
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/mrd0x/status/1481630810495139841?s=12
 author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou
 date: 2022/01/13
-modified: 2024/02/09
+modified: 2024/04/04
 tags:
 - attack.defense_evasion
 - attack.t1218.011
@@ -49,7 +49,16 @@ detection:
 - ':\Windows\Installer\'
 - '.tmp'
 - 'zzzzInvokeManagedCustomActionOutOfProc'
- condition: selection and not 1 of filter_main_*
+ filter_optional_EdgeUpdate:
+ ParentCommandLine|contains|all:
+ - ':\Users\'
+ - '\AppData\Local\Microsoft\EdgeUpdate\Install\{'
+ - '\EDGEMITMP_'
+ - '.tmp\setup.exe'
+ - '--install-archive='
+ - '--previous-version='
+ - '--msedgewebview --verbose-logging --do-not-launch-msedge --user-level'
+ condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
 - Unknown
 level: medium
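Review bot: The new `filter_optional_EdgeUpdate` keys only on `ParentCommandLine`, so a rundll32 child is excluded whenever its parent carried those seven fragments on its command line, whichever binary that parent actually was; command-line-only exclusions are a weak anchor, and pairing it with `ParentImage|endswith: '\setup.exe'` would keep the exclusion bound to the Edge installer without weakening the false-positive fix. Separately, `falsepositives` still reads `- Unknown` although this hunk documents a concrete benign source; consider `- Microsoft Edge updates (covered by filter_optional_EdgeUpdate)`. The `selection` and the `filter_main_*` entries that the new `condition` line references start outside the hunk.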