From f33530e7561d98bc6f898f5a9137c3b2a7159a1b Mon Sep 17 00:00:00 2001
From: Djordje Lukic <112394060+djlukic@users.noreply.github.com>
Date: Tue, 8 Oct 2024 23:08:50 +0200
Subject: [PATCH] Merge PR #4994 from @djlukic - Multiple FP fixes
update: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add additional filters for third party AV
update: Suspicious Non PowerShell WSMAN COM Provider - Add new filter to cover the edge case where the `HostApplication` field is null
update: Renamed Powershell Under Powershell Channel - Add new filter to cover the edge case where the `HostApplication` field is null
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 .../win_codeintegrity_attempted_dll_load.yml | 7 ++++++-
 .../powershell_classic/posh_pc_renamed_powershell.yml | 10 ++++++++--
 .../posh_pc_wsman_com_provider_no_powershell.yml | 6 +++++-
 3 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
index 9e948ae6ae8..f9fac468880 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
@@ -11,7 +11,7 @@ references:
     - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2022-01-20
-modified: 2024-08-29
+modified: 2024-10-08
 tags:
     - attack.execution
 logsource:
@@ -99,6 +99,11 @@ detection:
         FileNameBuffer|endswith: '\Program Files\ESET\ESET Security\eamsi.dll'
     filter_optional_comodo:
         FileNameBuffer|endswith: '\Program Files\comodo\comodo internet security\amsiprovider_x64.dll'
+    filter_optional_sentinel_one:
+        # Example: program files\sentinelone\sentinel agent 23.4.4.223\inprocessclient64.dll
+        - FileNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent'
+        # Example: Program Files\SentinelOne\Sentinel Agent 23.4.4.223\SentinelAgent.exe
+        - ProcessNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent'
     condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Antivirus and other third party products are known to trigger this rule quite a lot. Initial filters and tuning is required before using this rule.
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
index 2c4b03ef91b..329717393b6 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
@@ -1,15 +1,17 @@
 title: Renamed Powershell Under Powershell Channel
 id: 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592
 status: test
-description: Detects renamed powershell
+description: |
+    Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.
 references:
     - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: Harish Segar, frack113
 date: 2020-06-29
-modified: 2023-10-27
+modified: 2024-10-08
 tags:
     - attack.execution
     - attack.t1059.001
+    - attack.t1036.003
 logsource:
     product: windows
     category: ps_classic_start
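Review bot: The `ProcessNameBuffer|contains` entry in `filter_optional_sentinel_one` excludes every unmet-signing-level DLL load *into* the SentinelOne agent process, not only loads *of* SentinelOne's own components, so an unexpected DLL landing in the agent process would be dropped by anyone who enables this optional filter; because the two entries are written as a list, Sigma ORs them. If the false positive is the agent loading its own files, a mapping (AND) keeps both sides tied to the vendor directory: `ProcessNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent'` and `FileNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent'` under the same key; if the agent genuinely loads files outside its install directory, that case should be named in the comment so the process-wide exclusion is a documented choice. `|contains` also matches the vendor path at any position in the string, whereas the neighbouring optional filters anchor on a full file name with `|endswith`, so a tighter anchor (or a comment saying why the prefix is left unanchored) would keep the block consistent. The `detection:` mapping this filter belongs to starts before the hunk.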
@@ -25,6 +27,10 @@ detection:
         # In some cases powershell was invoked with inverted slashes
         - 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
         - 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
+    filter_main_host_application_null:
+        # Note: Since we're using the raw data field to match. There is no easy way to filter out cases where the "HostApplication" field is null (i.e doesn't exist). We're practically forced to use a regex.
+        # If you're already mapping and extracting the field, then obviously use that directly.
+        Data|re: 'HostId=[a-zA-Z0-9-]{36} EngineVersion='
     condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unknown
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml b/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml
index 3ce5fb0c8eb..41f34de7858 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml
@@ -8,7 +8,7 @@ references:
    - https://github.com/bohops/WSMan-WinRM
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020-06-24
-modified: 2023-10-27
+modified: 2024-10-08
 tags:
     - attack.execution
     - attack.t1059.001
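Review bot: The regex in `filter_main_host_application_null` requires exactly one space between the HostId value and `EngineVersion=` (`{36} EngineVersion=`), but in the raw classic PowerShell `Data` payload the `HostId=` / `HostApplication=` / `EngineVersion=` fields are typically on separate lines with a leading tab; whether that ends up as a single space depends on how the log pipeline flattens the message, so on backends that keep the original separator this filter never matches and the null-HostApplication events the commit means to exclude keep firing. A separator-tolerant pattern, `Data|re: 'HostId=[a-zA-Z0-9-]{36}\s+EngineVersion='`, covers both renderings; the identical line is added to posh_pc_wsman_com_provider_no_powershell.yml in the last hunk and should change the same way. The `detection:` mapping and the `selection` it references start before this hunk. Minor: "i.e" in the first added comment should read "i.e.".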
@@ -28,6 +28,10 @@ detection:
         # In some cases powershell was invoked with inverted slashes
         - 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
         - 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
+    filter_main_host_application_null:
+        # Note: Since we're using the raw data field to match. There is no easy way to filter out cases where the "HostApplication" field is null (i.e doesn't exist). We're practically forced to use a regex.
+        # If you're already mapping and extracting the field, then obviously use that directly.
+        Data|re: 'HostId=[a-zA-Z0-9-]{36} EngineVersion='
     condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unknown