
FP filters for legitimate events #5144

Open · wants to merge 4 commits into base: master
Conversation

djlukic (Contributor) commented Dec 25, 2024

Summary of the Pull Request

Proposing fixes for multiple rules where normal legitimate events caused hundreds of false positives per system.

Changelog

Updates to the following rules:

  • Relevant Anti-Virus Signature Keywords In Application Log
    • Slightly changing a filter to match a correct antivirus detection name.
  • Uncommon AppX Package Locations
    • Adding more FP filters.
  • BITS Transfer Job With Uncommon Or Suspicious Remote TLD
    • Adding more filters.
  • CodeIntegrity - Unmet Signing Level Requirements By File Under Validation
    • Adding more filters.

Example Log Event

Relevant Anti-Virus Signature Keywords In Application Log

HTool detected inside "(Boolean enableAttachTool)".

According to VirusTotal, vendors that use HTool in their naming have these variants:

  • HTool-
  • /HTool
  • .HTool

Examples:
Win64.HToolMimiKatz
HTool-MimiKatz

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name=".NET Runtime" />
    <EventID Qualifiers="0">1000</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2024-10-22T18:51:45.0137500Z" />
    <EventRecordID>136198</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>admin</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Application Error Exception caught in: System.Data ## Error Detail ## ============ ##!Message:##! Index 0 is either negative or above rows count. ##!Program:##! System.Data.dll ##!Method:##! GetRow ## Client Stack Trace ## ================== at System.Data.DataView.GetRow(Int32 index) at Ice.Lib.Framework.EpiDataView.BuildCriteriaForColumn(Int32 rowIndex, String sourceColumnName, String targetColumnName) at Ice.Lib.Framework.EpiDataView.BuildChildRowFilter(Int32 rowIndex, EpiDataView childView) at Ice.Lib.Framework.EpiBaseForm.ToggleAttachButtonOnViewChanged(Boolean enableAttachTool) at Ice.Lib.Framework.EpiTransaction.toggleAttachTool() at Ice.Lib.Framework.EpiTransaction.set_LastView(EpiDataView value) at Ice.Lib.Framework.EpiTextBox.EpiTextBox_Enter(Object sender, EventArgs ea)</Data>
  </EventData>
</Event>

Uncommon AppX Package Locations

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppXDeployment-Server" Guid="{3f471139-acb7-4a01-b7a7-ff5da4ba2d43}" />
    <EventID>854</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>3</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000001</Keywords>
    <TimeCreated SystemTime="2024-11-19T17:11:37.8523442Z" />
    <EventRecordID>80291</EventRecordID>
    <Correlation ActivityID="{f84a8895-3843-0002-d791-69f84338db01}" />
    <Execution ProcessID="20176" ThreadID="6020" />
    <Channel>Microsoft-Windows-AppXDeploymentServer/Operational</Channel>
    <Computer>admin</Computer>
    <Security UserID="S-1-5-21-217285702-1915017788-2260533963-1002" />
  </System>
  <EventData>
    <Data Name="Path">https://installer.teams.static.microsoft/production-windows-x64/24295.605.3225.8804/MSTeams-x64.msix</Data>
  </EventData>
</Event>

BITS Transfer Job With Uncommon Or Suspicious Remote TLD

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Bits-Client" Guid="{ef1cc15b-46c1-414e-bb95-e76b077bd51e}" />
    <EventID>16403</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2024-12-06T20:47:56.3180450Z" />
    <EventRecordID>43169</EventRecordID>
    <Correlation ActivityID="{d11e1d58-4cf1-4226-b15e-593f482a85a4}" />
    <Execution ProcessID="17804" ThreadID="20460" />
    <Channel>Microsoft-Windows-Bits-Client/Operational</Channel>
    <Computer>admin</Computer>
    <Security UserID="S-1-5-21-217285702-1915017788-2260533963-1002" />
  </System>
  <EventData>
    <Data Name="User">admin</Data>
    <Data Name="jobTitle">Push Notification Platform Job: 1</Data>
    <Data Name="jobId">{10ab9922-463c-46ff-9c53-2967aa28ae57}</Data>
    <Data Name="jobOwner">admin</Data>
    <Data Name="fileCount">1</Data>
    <Data Name="RemoteName">https://site-cdn.onenote.net/161831940451_Images/LiveTileImages/MediumAndLarge/Image3.png</Data>
    <Data Name="LocalName">C:\Users\admin\AppData\Local\Microsoft\Windows\Notifications\wpnidm\5749c2cf.png</Data>
    <Data Name="processId">11408</Data>
    <Data Name="ClientProcessStartKey">39125021762781401</Data>
  </EventData>
</Event>

CodeIntegrity - Unmet Signing Level Requirements By File Under Validation

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CodeIntegrity" Guid="{4ee76bd8-3cf4-44a0-a0ac-3937643e37a3}" />
    <EventID>3033</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>1</Task>
    <Opcode>111</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2024-12-13T00:07:55.2435813Z" />
    <EventRecordID>1481373</EventRecordID>
    <Correlation ActivityID="{f388ca67-4482-0002-4a83-a1f38244db01}" />
    <Execution ProcessID="6832" ThreadID="8720" />
    <Channel>Microsoft-Windows-CodeIntegrity/Operational</Channel>
    <Computer>admin</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="FileNameLength">63</Data>
    <Data Name="FileNameBuffer">\Device\HarddiskVolume3\Program Files (x86)\Bonjour\mdnsNSP.dll</Data>
    <Data Name="ProcessNameLength">105</Data>
    <Data Name="ProcessNameBuffer">\Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe</Data>
    <Data Name="RequestedPolicy">7</Data>
    <Data Name="ValidatedPolicy">1</Data>
    <Data Name="Status">3221226536</Data>
  </EventData>
</Event>
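Worked example, added here and not part of the PR or the SigmaHQ rule: the first false positive above fires because a bare "HTool" substring matches the ".NET Runtime" stack frame "ToggleAttachButtonOnViewChanged(Boolean enableAttachTool)". The script below runs a naive substring check and the delimited variants the PR lists ("HTool-", "/HTool", ".HTool") over a constructed fragment of that event and over constructed detection names in the vendor formats the PR quotes. Sigma string matching is case-insensitive, so both checks lower-case their input. The regex `token_match` is an assumed generalization (treat any "HTool" not preceded by an alphanumeric as a detection-name token); it is not something the PR proposes.

```python
"""
Added example (not the PR's code): why a bare "HTool" keyword matches the
posted .NET Runtime 1000 event, and how the delimited variants the PR lists
("HTool-", "/HTool", ".HTool") avoid that without losing real AV detection names.
"""
import re

# Constructed sample input: the relevant fragment of the Application log event
# posted in the PR (Ice.Lib.Framework stack frames) plus one unrelated line.
BENIGN_EVENTS = [
    "Application Error Exception caught in: System.Data ... at "
    "Ice.Lib.Framework.EpiBaseForm.ToggleAttachButtonOnViewChanged(Boolean enableAttachTool) "
    "at Ice.Lib.Framework.EpiTransaction.toggleAttachTool()",
    "Service started successfully",
]

# Constructed detection names in the vendor formats named in the PR
# (".HTool", "HTool-", "/HTool"); none of these is a real alert from the page.
AV_DETECTIONS = [
    "Win64.HToolMimiKatz",
    "HTool-MimiKatz",
    "Trojan/HTool.Mimikatz",
]


def naive_match(message: str) -> bool:
    """Old behaviour: any "htool" substring triggers (case-insensitive)."""
    return "htool" in message.lower()


# The delimited forms listed in the PR, lower-cased for case-insensitive matching.
HTOOL_VARIANTS = ("htool-", "/htool", ".htool")


def anchored_match(message: str) -> bool:
    """Refined keyword: HTool must be delimited the way AV vendors write it."""
    m = message.lower()
    return any(v in m for v in HTOOL_VARIANTS)


# Assumed generalization (not in the PR): "htool" counts only when it is not
# preceded by an alphanumeric character. This covers the three variants above
# and also a name such as "HTool.Mimikatz" at the very start of a message, which
# the three literal variants alone would miss.
_HTOOL_TOKEN = re.compile(r"(?<![a-z0-9])htool", re.IGNORECASE)


def token_match(message: str) -> bool:
    """Regex form of the refined check; see the assumption note above."""
    return _HTOOL_TOKEN.search(message) is not None


def evaluate(matcher, events):
    """Return the subset of events that the matcher flags, in input order."""
    return [e for e in events if matcher(e)]


if __name__ == "__main__":
    for name, fn in (("naive", naive_match),
                     ("anchored", anchored_match),
                     ("token", token_match)):
        fp = evaluate(fn, BENIGN_EVENTS)
        tp = evaluate(fn, AV_DETECTIONS)
        print(f"{name:9s} false positives={len(fp)} "
              f"true positives={len(tp)}/{len(AV_DETECTIONS)}")
```

Running it shows the naive check flagging the benign stack trace while both refined checks keep all three detection names and drop the stack trace. The caveat for a rule author is the one `token_match` illustrates: the three literal variants assume something precedes or follows "HTool", so a vendor name that starts the message with "HTool." would need either a fourth literal or a boundary-style check like the regex.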


github-actions bot added labels Rules, Windows (Pull request add/update windows related rules) on Dec 25, 2024