Commit 3355c0e

rabbitstack authored and committed
fix(rules): Rework rule for better resistance to false positives
1 parent 9f8d98c commit 3355c0e

1 file changed: +24 -10 lines changed

rules/persistence_script_interpreter_or_untrusted_process_persistence.yml

Lines changed: 24 additions & 10 deletions
@@ -1,9 +1,9 @@
11
name: Script interpreter host or untrusted process persistence
22
id: cc41ee3a-6e44-4903-85a4-0147ec6a7eea
3-
version: 1.0.4
3+
version: 1.1.0
44
description: |
5-
Identifies the script interpreter or untrusted process writing
6-
to commonly abused run keys or the Startup folder locations.
5+
Identifies the script interpreter or untrusted process writing to commonly
6+
abused run keys or the Startup folder locations.
77
labels:
88
tactic.id: TA0006
99
tactic.name: Persistence
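Review bot: The unchanged context in this hunk pairs `tactic.id: TA0006` with `tactic.name: Persistence`, but in ATT&CK Persistence is TA0003 (TA0006 is Credential Access), so the id disagrees with both the tactic name and the T1547/001 sub-technique reference below it; since this commit already bumps the version to 1.1.0 and edits the header, it is a good place to correct the id. The description reflow is wording-neutral, though the text could also say that signed Microsoft binaries and a fixed list of well-known browsers, installers and sync clients are now excluded, so an analyst reading the rule knows why a given write to a run key was suppressed.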
@@ -16,19 +16,33 @@ labels:
1616
subtechnique.ref: https://attack.mitre.org/techniques/T1547/001/
1717

1818
condition: >
19-
(modify_registry or create_file)
19+
(((modify_registry) or (create_file)) and kevt.pid != 4)
2020
and
2121
(ps.name in script_interpreters or ps.parent.name in script_interpreters or pe.is_trusted = false)
2222
and
2323
(registry.path imatches registry_run_keys or file.path imatches startup_locations)
2424
and
2525
not
26-
ps.exe imatches
27-
(
28-
'?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe',
29-
'?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\*\\msedge.exe',
30-
'?:\\Program Files\\Microsoft\\Edge\\Application\\*\\msedge.exe'
31-
)
26+
(
27+
ps.exe imatches
28+
(
29+
'?:\\Windows\\explorer.exe',
30+
'?:\\Windows\\System32\\services.exe',
31+
'?:\\Windows\\System32\\svchost.exe',
32+
'?:\\Windows\\System32\\msiexec.exe',
33+
'?:\\Program Files*\\Google\\Chrome\\Application\\chrome.exe',
34+
'?:\\Program Files*\\Mozilla Firefox\\firefox.exe',
35+
'?:\\Program Files*\\Opera\\*\\opera.exe',
36+
'?:\\Program Files*\\Microsoft\\Edge\\Application\\msedge.exe',
37+
'?:\\Program Files\\Microsoft\\Edge\\Application\\*\\msedge.exe',
38+
'?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\*\\msedge.exe',
39+
'?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe',
40+
'?:\\Program Files\\Google\\Drive File Stream\\*\\GoogleDriveFS.exe',
41+
'?:\\Users\\*\\AppData\\Local\\Dropbox\\Dropbox.exe'
42+
)
43+
or
44+
(pe.is_signed = true and pe.cert.subject imatches '*Microsoft*')
45+
)
3246
action:
3347
- name: kill
3448

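Review bot: The new `pe.is_signed = true and pe.cert.subject imatches '*Microsoft*'` exclusion sets a lower bar than the rest of the rule: `pe.is_signed` only says a signature is present, not that it chains to a trusted root (the rule already makes that distinction with `pe.is_trusted = false` in the interpreter clause), and the `*Microsoft*` glob accepts any subject that merely contains the substring rather than the actual Microsoft signer subject. Suggest `pe.is_trusted = true` together with an exact subject match (or a pattern anchored on the full subject string), so an untrusted or self-issued certificate that mentions Microsoft in its subject cannot silence the rule. Two smaller points: `(((modify_registry) or (create_file)) and kevt.pid != 4)` can drop the inner parentheses, and the two Edge entries `'?:\\Program Files\\Microsoft\\Edge\\Application\\*\\msedge.exe'` and `'?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\*\\msedge.exe'` can collapse into a single `Program Files*` pattern, as the chrome and firefox lines already do.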