fix: fp found in testing

Author: nasbench

rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml

@@ -7,7 +7,7 @@ references:
     - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)
 date: 2019/11/01
-modified: 2023/03/13
+modified: 2023/03/21
 tags:
     - attack.credential_access
     - car.2019-04-004
@@ -85,6 +85,11 @@ detection:
         # Example: C:\a70de9569c3a5aa22184ef52a890177b\x64\SCENARIOENGINE.EXE
         ProcessName|endswith: '\x64\SCENARIOENGINE.EXE'
         AccessList: '%%4484'
+    filter_avira:
+        ProcessName|startswith: 'C:\Users\'
+        ProcessName|contains: '\AppData\Local\Temp\is-'
+        ProcessName|endswith: '\avira_system_speedup.tmp'
+        AccessList: '%%4484'
     condition: 1 of selection_* and not 1 of filter_*
 falsepositives:
     - Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it

rules/windows/network_connection/net_connection_win_susp_rdp.yml

@@ -6,7 +6,7 @@ references:
     - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
 author: Markus Neis
 date: 2019/05/15
-modified: 2022/09/02
+modified: 2023/03/21
 tags:
     - attack.lateral_movement
     - attack.t1021.001
@@ -18,7 +18,7 @@ detection:
     selection:
         DestinationPort: 3389
         Initiated: 'true'
-    filter:
+    filter_generic:
         - Image|endswith:
             - '\mstsc.exe'
             - '\RTSApp.exe'
@@ -46,7 +46,11 @@ detection:
             - '\Avast\AvastSvc.exe'
         - Image|startswith: 'C:\Program Files\SplunkUniversalForwarder\bin\'
         - Image: 'C:\Program Files\Mozilla Firefox\firefox.exe'
-    condition: selection and not filter
+    filter_null:
+        Image: null
+    filter_empty:
+        Image: ''
+    condition: selection and not 1 of filter_*
 falsepositives:
     - Other Remote Desktop RDP tools
     - Domain controller using dns.exe

rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml

@@ -6,7 +6,7 @@ references:
     - https://github.com/Wh04m1001/SysmonEoP
 author: frack113, Tim Shelton (update fp)
 date: 2022/12/05
-modified: 2023/03/14
+modified: 2023/03/21
 tags:
     - attack.privilege_escalation
     - attack.defense_evasion
@@ -67,6 +67,9 @@ detection:
     filter_empty_parent_2:
         Image|endswith: '\cmd.exe'
         CommandLine|contains: '/d /c C:\Windows\system32\silcollector.cmd'
+    filter_empty_parent_3:
+        Image|endswith: '\cmd.exe'
+        CommandLine|endswith: 'cmd.exe /c btool server list replication_port --no-log'
     condition: all of selection_* and not 1 of filter_*
 falsepositives:
     - Unknown

rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml

@@ -11,7 +11,7 @@ references:
     - https://twitter.com/frack113/status/1555830623633375232
 author: frack113, Nasreddine Bencherchali
 date: 2022/08/07
-modified: 2022/09/18
+modified: 2023/03/21
 tags:
     - attack.defense_evasion
     - attack.t1564.004
@@ -43,4 +43,4 @@ detection:
     condition: selection and not 1 of filter*
 falsepositives:
     - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
-level: high
+level: medium