Sigma FP fixes

rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml

@@ -11,7 +11,7 @@ references:
     - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2022-01-20
-modified: 2024-08-29
+modified: 2024-09-02
 tags:
     - attack.execution
 logsource:
@@ -99,6 +99,11 @@ detection:
         FileNameBuffer|endswith: '\Program Files\ESET\ESET Security\eamsi.dll'
     filter_optional_comodo:
         FileNameBuffer|endswith: '\Program Files\comodo\comodo internet security\amsiprovider_x64.dll'
+    filter_optional_sentinel_one:
+        # Example: program files\sentinelone\sentinel agent 23.4.4.223\inprocessclient64.dll
+        - FileNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent'
+        # Example: Program Files\SentinelOne\Sentinel Agent 23.4.4.223\SentinelAgent.exe
+        - ProcessNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent'
     condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Antivirus and other third party products are known to trigger this rule quite a lot. Initial filters and tuning is required before using this rule.

rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml

@@ -1,22 +1,24 @@
 title: Renamed Powershell Under Powershell Channel
 id: 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592
 status: test
-description: Detects renamed powershell
+description: |
+    Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.
 references:
     - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: Harish Segar, frack113
 date: 2020-06-29
-modified: 2023-10-27
+modified: 2024-09-02
 tags:
     - attack.execution
     - attack.t1059.001
+    - attack.t1036.003
 logsource:
     product: windows
     category: ps_classic_start
 detection:
     selection:
         Data|contains: 'HostName=ConsoleHost'
-    # Note: Powershell Logging Data is localized. Meaning that "HostApplication" field will be translated to a different field on a non english layout. This rule doesn't take this into account due to the sheer ammount of possibilities. It's up to the user to add these cases.
+    # Note: Powershell Logging Data is localized. Meaning that "HostApplication" field will be translated to a different field on a non english layout. This rule doesn't take this into account due to the sheer amount of possibilities. It's up to the user to add these cases.
     filter_main_ps:
         Data|contains:
             - 'HostApplication=powershell'
@@ -25,6 +27,8 @@ detection:
             # In some cases powershell was invoked with inverted slashes
             - 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
             - 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
+    filter_main_null:
+        Data|contains: 'HostApplication= EngineVersion='
     condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unknown

rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml

@@ -8,7 +8,7 @@ references:
     - https://github.com/bohops/WSMan-WinRM
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020-06-24
-modified: 2023-10-27
+modified: 2024-09-02
 tags:
     - attack.execution
     - attack.t1059.001
@@ -28,6 +28,8 @@ detection:
             # In some cases powershell was invoked with inverted slashes
             - 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
             - 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
+    filter_main_null:
+        Data|contains: 'HostApplication= EngineVersion='
     condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unknown