Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

FP filters #5167

Merged
merged 4 commits into from
Jan 30, 2025
Merged

FP filters #5167

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
176a312
False positive filters
djlukic Jan 19, 2025
71a3576
Filter for escaped backslash
djlukic Jan 20, 2025
23e1125
Update win_security_codeintegrity_check_failure.yml
nasbench Jan 22, 2025
a972a36
Update rules/windows/powershell/powershell_classic/posh_pc_renamed_po…
nasbench Jan 30, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 10 additions & 2 deletions rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281
author: Thomas Patzke
date: 2019-12-03
modified: 2023-12-13
modified: 2025-01-19
tags:
- attack.defense-evasion
- attack.t1027.001
Expand All @@ -20,7 +20,15 @@ detection:
EventID:
- 5038
- 6281
condition: selection
filter_optional_crowdstrike:
param1|contains:
- '\CSFalconServiceUninstallTool_'
- '\Program Files\CrowdStrike\'
- '\System32\drivers\CrowdStrike\'
- '\Windows\System32\ScriptControl64_'
filter_optional_sophos:
param1|contains: '\Program Files\Sophos\'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Disk device errors
level: informational
4 changes: 3 additions & 1 deletion rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Harish Segar, frack113
date: 2020-06-29
modified: 2024-12-27
modified: 2025-01-20
tags:
- attack.execution
- attack.t1059.001
Expand All @@ -27,6 +27,8 @@ detection:
# In some cases powershell was invoked with inverted slashes
- 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
- 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
- 'HostApplication=C:\\\\WINDOWS\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe'
- 'HostApplication=C:\\\\WINDOWS\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe'
filter_main_host_application_null:
# Note: Since we're using the raw data field to match. There is no easy way to filter out cases where the "HostApplication" field is null (i.e doesn't exist). We're practically forced to use a regex.
# If you're already mapping and extracting the field, then obviously use that directly.
Expand Down
Loading