Merge PR #4470 From phantinuss - Fix FPs Found In Testing

fix: Generic Password Dumper Activity on LSASS - FP with GoogleUpdate.exe
fix: Rundll32 Execution Without DLL File - FP with another zzzzInvokeManagedCustomActionOutOfProc MSI installer
fix: Suspicious Shim Database Installation via Sdbinst.EXE - FP with being started as a background service
fix: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation - FP with $WinREAgent folder
fix: Files With System Process Name In Unsuspected Locations - FP with wuaucltcore

---------

Co-authored-by: Nasreddine Bencherchali <[email protected]>

rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml

@@ -7,6 +7,7 @@ references:
     - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/08/23
+modified: 2023/10/08
 tags:
     - attack.execution
     - cve.2023.36874
@@ -20,6 +21,7 @@ detection:
     filter_main_locations:
         TargetFilename|contains:
             - ':\$WINDOWS.~BT\NewOS\'
+            - ':\$WinREAgent\' # From "wuauclt.exe"
             - ':\Windows\servicing\LCU\'
             - ':\Windows\System32\'
             - ':\Windows\SysWOW64\'

rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml

@@ -7,7 +7,7 @@ references:
     - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)
 date: 2019/11/01
-modified: 2023/08/03
+modified: 2023/10/06
 tags:
     - attack.credential_access
     - car.2019-04-004
@@ -94,6 +94,10 @@ detection:
     filter_snmp:
         ProcessName: 'C:\Windows\System32\snmp.exe'
         AccessList|contains: '%%4484'
+    filter_googleupdate:
+        ProcessName|startswith: 'C:\Windows\SystemTemp\'
+        ProcessName|endswith: '\GoogleUpdate.exe'
+        AccessList|contains: '%%4484'
     condition: 1 of selection_* and not 1 of filter_*
 falsepositives:
     - Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it

rules/windows/file/file_event/file_event_win_creation_system_file.yml

@@ -2,9 +2,9 @@ title: Files With System Process Name In Unsuspected Locations
 id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
 status: test
 description: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).
-author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali
+author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
 date: 2020/05/26
-modified: 2023/03/23
+modified: 2023/10/08
 tags:
     - attack.defense_evasion
     - attack.t1036.005
@@ -86,47 +86,44 @@ detection:
             - '\WSReset.exe'
             - '\WUDFHost.exe'
             - '\WWAHost.exe'
-    filter1:
-        TargetFilename|startswith:
-            - 'C:\Windows\System32\'
-            - 'C:\Windows\SysWOW64\'
-            - 'C:\Windows\WinSxS\'
-            - 'C:\Windows\SoftwareDistribution\'
+    filter_main_dism_tiworker:
+        TargetFilename|contains:
+            - ':\Windows\SoftwareDistribution\'
+            - ':\Windows\System32\'
+            - ':\Windows\SysWOW64\'
+            - ':\Windows\WinSxS\'
             - '\SystemRoot\System32\'
         Image|endswith:
             - '\Windows\System32\dism.exe'
             - '\TiWorker.exe'
-    filter2:
-        TargetFilename|startswith: 'C:\$WINDOWS.~BT\'
-        Image: 'C:\$WINDOWS.~BT\Sources\SetupHost.exe'
-    filter3:
+    filter_main_setuphost:
+        TargetFilename|contains: ':\$WINDOWS.~BT\'
+        Image|endswith: ':\$WINDOWS.~BT\Sources\SetupHost.exe'
+    filter_main_wbengine:
         TargetFilename|endswith: '\RuntimeBroker.exe'
-        Image: 'C:\Windows\system32\wbengine.exe'
-    filter4:
+        Image|endswith: ':\Windows\system32\wbengine.exe'
+    filter_main_svchost:
         Image|endswith: ':\Windows\system32\svchost.exe'
-        TargetFilename|startswith: 'C:\Windows\SoftwareDistribution\Download\'
-        TargetFilename|endswith:
-            - '\spoolsv.exe'
-            - '\bcdedit.exe'
-    filter5:
-        Image|endswith: ':\Windows\system32\svchost.exe'
-        TargetFilename|startswith: 'C:Program Files\WindowsApps\'
-    filter6:
-        Image: C:\Windows\System32\wuauclt.exe
-    filter7:
-        TargetFilename: 'C:\Windows\explorer.exe'
-    filter8:
+        TargetFilename|contains:
+            - ':\Windows\SoftwareDistribution\Download\'
+            - ':\Program Files\WindowsApps\'
+    filter_main_wuauclt:
+        Image|endswith: ':\Windows\System32\wuauclt.exe'
+    filter_main_explorer:
+        TargetFilename|endswith: ':\Windows\explorer.exe'
+    filter_main_msiexec:
         # This filter handles system processes who are updated/installed using misexec.
-        Image: C:\WINDOWS\system32\msiexec.exe
+        Image|endswith: ':\WINDOWS\system32\msiexec.exe'
         # Add more processes if you find them or simply filter msiexec on its own. If the list grows big
-        TargetFilename: C:\Program Files\PowerShell\7\pwsh.exe
-    filter_healtray:
-        TargetFilename|startswith: 'C:\Windows\System32\SecurityHealth\'
+        TargetFilename|endswith: ':\Program Files\PowerShell\7\pwsh.exe'
+    filter_main_healtray:
+        TargetFilename|contains: ':\Windows\System32\SecurityHealth\'
         TargetFilename|endswith: '\SecurityHealthSystray.exe'
         Image|endswith: '\SecurityHealthSetup.exe'
-    condition: selection and not 1 of filter*
-fields:
-    - Image
+    filter_main_wuaucltcore:
+        Image|endswith: ':\Windows\uus\AMD64\wuaucltcore.exe'
+        TargetFilename|contains: ':\$WinREAgent\'
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - System processes copied outside their default folders for testing purposes
     - Third party software naming their software with the same names as the processes mentioned here

rules/windows/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml

@@ -6,7 +6,7 @@ references:
     - https://twitter.com/mrd0x/status/1481630810495139841?s=12
 author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp)
 date: 2022/01/13
-modified: 2023/03/24
+modified: 2023/10/06
 tags:
     - attack.defense_evasion
     - attack.t1218.011
@@ -46,12 +46,14 @@ detection:
         ParentImage|contains: '\AppData\Local\Microsoft\EdgeUpdate\Install\{'
         ParentImage|endswith: '\setup.exe'
         ParentCommandLine|contains: '\setup.exe" --install-archive="C:\Users\'
-    filter_avira:
+    filter_zzzzInvokeManagedCustomActionOutOfProc:
         CommandLine|contains|all:
             - 'C:\Windows\Installer\MSI'
             - '.tmp'
             - 'zzzzInvokeManagedCustomActionOutOfProc'
+        CommandLine|contains:
             - 'Avira.OE.Setup'
+            - 'FindOldJetBrainsProduct'
     condition: selection and not 1 of filter_*
 fields:
     - Image

rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml

@@ -11,6 +11,7 @@ references:
     - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/08/01
+modified: 2023/10/06
 tags:
     - attack.persistence
     - attack.privilege_escalation
@@ -24,6 +25,10 @@ detection:
         - OriginalFileName: 'sdbinst.exe'
     filter_main_legit_ext:
         CommandLine|contains: '.sdb'
+    filter_main_svchost:
+        ParentImage|endswith: ':\Windows\System32\svchost.exe'
+        Image|endswith: ':\Windows\System32\sdbinst.exe'
+        CommandLine|contains: ' -m -bg'
     condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unknown