Merge pull request #2863 from SigmaHQ/aurora-false-positive-fixing

Aurora false positive fixing
SigmaHQ · Mar 29, 2022 · adce5ef · adce5ef
2 parents 4b5a9db + 0b4bfad
commit adce5ef
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 3 deletions.
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml b/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml
@@ -4,6 +4,7 @@ status: experimental
 description: Setting have been change in Windows Firewall
 author: frack113
 date: 2022/02/19
+modified: 2022/03/28
 references:
     - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 logsource:
@@ -16,6 +17,6 @@ detection:
             - 2002  # A Windows Firewall setting has changed.
             - 2003  # A Windows Firewall setting in the %1 profile has changed.
             - 2008  # Windows Firewall Group Policy settings have changed. The new settings have been applied
-            - 2010  # Network profile changed on an interface.
+            # - 2010  # Network profile changed on an interface.
     condition: selection
 level: low
diff --git a/rules/windows/file_event/file_event_win_susp_dropper.yml b/rules/windows/file_event/file_event_win_susp_dropper.yml
@@ -6,7 +6,7 @@ author: frack113
 references:
   - Malware Sandbox
 date: 2022/03/09
-modified: 2022/03/25
+modified: 2022/03/29
 logsource:
   product: windows
   category: file_event
@@ -23,6 +23,8 @@ detection:
     Image|endswith: '\TiWorker.exe'
   filter_msiexec:
     Image: 'C:\Windows\System32\msiexec.exe'
+  filter_cleanmgr:
+    Image: 'C:\WINDOWS\system32\cleanmgr.exe'
   condition: selection and not 1 of filter_*
 falsepositives:
   - Software installers

diff --git a/rules/windows/registry_set/registry_set_ie_persistence.yml b/rules/windows/registry_set/registry_set_ie_persistence.yml
@@ -3,7 +3,7 @@ id: d88d0ab2-e696-4d40-a2ed-9790064e66b3
 description: Detects the modification of the registry settings used for Internet Explorer and other Windows components that use these settings
 author: frack113
 date: 2022/01/22
-modified: 2022/03/26
+modified: 2022/03/29
 status: experimental
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry
@@ -25,6 +25,7 @@ detection:
         TargetObject|contains:
             - '\Cache'
             - '\ZoneMap'
+            - '\WpadDecision'
     filter_binary:
         Details: 'Binary Data'
     condition: selection_domains and not 1 of filter_*