feat: update browsers selections and filters

rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml

@@ -6,7 +6,7 @@ references:
     - https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/
 author: frack113
 date: 2022/10/22
-modified: 2022/10/31
+modified: 2023/04/18
 tags:
     - attack.defense_evasion
 logsource:
@@ -33,23 +33,46 @@ detection:
             - '.wsc'
             - '.wsf'
             - '.xlsx'
-    filter:
-        # Add missing browsers you use and exclude the ones you don't
+    filter_optional_brave:
+        Image|endswith: '\brave.exe'
+    filter_optional_chrome:
+        Image:
+            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
+            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
+    filter_optional_firefox:
+        Image:
+            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
+            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
+    filter_optional_ie:
+        Image:
+            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
+            - 'C:\Program Files\Internet Explorer\iexplore.exe'
+    filter_optional_maxthon:
+        Image|endswith: '\maxthon.exe'
+    filter_optional_edge_1:
+        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
+        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
+        - Image:
+            - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
+            - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
+    filter_optional_edge_2:
+        Image|startswith:
+            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
+            - 'C:\Program Files\Microsoft\EdgeCore\'
         Image|endswith:
-            - '\brave.exe'
-            - '\Google\Chrome\Application\chrome.exe'
-            - '\chromium.exe'
-            - '\firefox.exe'
             - '\msedge.exe'
-            - '\opera.exe'
-            - '\microsoftedge.exe'
-            - '\iexplorer.exe'
-            - '\vivaldi.exe'
-            - '\CCleaner Browser\Application\CCleanerBrowser.exe'
-    condition: selection and not filter
-fields:
-    - TargetFilename
-    - Image
+            - '\msedgewebview2.exe'
+    filter_optional_opera:
+        Image|endswith: '\opera.exe'
+    filter_optional_safari:
+        Image|endswith: '\safari.exe'
+    filter_optional_seamonkey:
+        Image|endswith: '\seamonkey.exe'
+    filter_optional_vivaldi:
+        Image|endswith: '\vivaldi.exe'
+    filter_optional_whale:
+        Image|endswith: '\whale.exe'
+    condition: selection and not 1 of filter_optional_*
 falsepositives:
     - Other legitimate browsers not currently included in the filter (please add them)
     - Legitimate downloads via scripting or command-line tools (Investigate to determine if it's legitimate)

rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml

@@ -19,7 +19,7 @@ references:
     - https://redcanary.com/blog/misbehaving-rats/
 author: frack113, Connor Martin
 date: 2022/07/11
-modified: 2022/12/23
+modified: 2023/04/18
 tags:
     - attack.command_and_control
     - attack.t1219
@@ -72,21 +72,48 @@ detection:
             - 'relay.kaseya.net'
             - 'license.bomgar.com'
             - '.beyondtrustcloud.com'
-    filter:
-        # Exclude browsers for legitimate visits of the domains mentioned above
-        # Add missing browsers you use and exclude the ones you don't
+    # Exclude browsers for legitimate visits of the domains mentioned above
+    # Add missing browsers you use and exclude the ones you don't
+    filter_optional_brave:
+        Image|endswith: '\brave.exe'
+    filter_optional_chrome:
+        Image:
+            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
+            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
+    filter_optional_firefox:
+        Image:
+            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
+            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
+    filter_optional_ie:
+        Image:
+            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
+            - 'C:\Program Files\Internet Explorer\iexplore.exe'
+    filter_optional_maxthon:
+        Image|endswith: '\maxthon.exe'
+    filter_optional_edge_1:
+        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
+        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
+        - Image:
+            - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
+            - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
+    filter_optional_edge_2:
+        Image|startswith:
+            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
+            - 'C:\Program Files\Microsoft\EdgeCore\'
         Image|endswith:
-            - '\Google\Chrome\Application\chrome.exe'
-            - '\brave.exe'
-            - '\chromium.exe'
-            - '\firefox.exe'
             - '\msedge.exe'
-            - '\opera.exe'
-            - '\microsoftedge.exe'
-            - '\iexplorer.exe'
-            - '\vivaldi.exe'
-            - '\CCleaner Browser\Application\CCleanerBrowser.exe'
+            - '\msedgewebview2.exe'
+    filter_optional_opera:
+        Image|endswith: '\opera.exe'
+    filter_optional_safari:
+        Image|endswith: '\safari.exe'
+    filter_optional_seamonkey:
+        Image|endswith: '\seamonkey.exe'
+    filter_optional_vivaldi:
+        Image|endswith: '\vivaldi.exe'
+    filter_optional_whale:
+        Image|endswith: '\whale.exe'
     condition: selection and not filter
 falsepositives:
-    - Legitimate usage of the software mentioned above
+    - Likely with other browser software
 level: medium

rules/windows/dns_query/dns_query_win_susp_ipify.yml

@@ -1,21 +1,21 @@
 title: Suspicious DNS Query for IP Lookup Service APIs
 id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2
 status: test
-description: Detects DNS queries for ip lookup services such as api.ipify.org not originating from a non browser process.
+description: Detects DNS queries for ip lookup services such as "api.ipify.org" originating from a non browser process.
 references:
     - https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon
     - https://twitter.com/neonprimetime/status/1436376497980428318
 author: Brandon George (blog post), Thomas Patzke (rule)
 date: 2021/07/08
-modified: 2022/11/18
+modified: 2023/04/18
 tags:
     - attack.reconnaissance
     - attack.t1590
 logsource:
     product: windows
     category: dns_query
 detection:
-    dns_request:
+    selection:
         QueryName:
             - 'canireachthe.net'
             - 'ipv4.icanhazip.com'
@@ -34,21 +34,46 @@ detection:
             - 'freegeoip.app'
             - 'ifconfig.me'
             - 'ipwho.is'
-    filter_browser:
+    filter_optional_brave:
+        Image|endswith: '\brave.exe'
+    filter_optional_chrome:
+        Image:
+            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
+            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
+    filter_optional_firefox:
+        Image:
+            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
+            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
+    filter_optional_ie:
+        Image:
+            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
+            - 'C:\Program Files\Internet Explorer\iexplore.exe'
+    filter_optional_maxthon:
+        Image|endswith: '\maxthon.exe'
+    filter_optional_edge_1:
+        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
+        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
+        - Image:
+            - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
+            - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
+    filter_optional_edge_2:
+        Image|startswith:
+            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
+            - 'C:\Program Files\Microsoft\EdgeCore\'
         Image|endswith:
-            # Add missing browsers you use and exclude the ones you don't
-            - '\Google\Chrome\Application\chrome.exe'
-            - '\iexplore.exe'
-            - '\firefox.exe'
-            - '\brave.exe'
-            - '\opera.exe'
             - '\msedge.exe'
-            - '\vivaldi.exe'
-            - '\chromium.exe'
-            - '\microsoftedge.exe'
-            - '\iexplorer.exe'
-            - '\CCleaner Browser\Application\CCleanerBrowser.exe'
-    condition: dns_request and not filter_browser
+            - '\msedgewebview2.exe'
+    filter_optional_opera:
+        Image|endswith: '\opera.exe'
+    filter_optional_safari:
+        Image|endswith: '\safari.exe'
+    filter_optional_seamonkey:
+        Image|endswith: '\seamonkey.exe'
+    filter_optional_vivaldi:
+        Image|endswith: '\vivaldi.exe'
+    filter_optional_whale:
+        Image|endswith: '\whale.exe'
+    condition: selection and not 1 of filter_optional_*
 falsepositives:
     - Legitimate usage of ip lookup services such as ipify API
 level: medium

rules/windows/file/file_event/file_event_win_mal_vhd_download.yml

@@ -1,34 +1,41 @@
 title: Suspicious VHD Image Download From Browser
 id: 8468111a-ef07-4654-903b-b863a80bbc95
 status: test
-description: Malware can use mountable Virtual Hard Disk .vhd file to encapsulate payloads and evade security controls
+description: |
+    Detects creation of ".vhd"/".vhdx" files by browser processes.
+    Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.
 references:
     - https://redcanary.com/blog/intelligence-insights-october-2021/
     - https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/
     - https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
 author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
 date: 2021/10/25
-modified: 2022/06/02
+modified: 2023/04/18
 tags:
     - attack.resource_development
     - attack.t1587.001
 logsource:
     category: file_event
     product: windows
-    definition: in sysmon add "<TargetFilename condition="end with">.vhd</TargetFilename> <!--vhd files for ZLoader and lazarus malware vectors -->"
 detection:
     selection:
         Image|endswith:
+            - '\brave.exe'
             - '\chrome.exe'
             - '\firefox.exe'
-            - '\microsoftedge.exe'
-            - '\microsoftedgecp.exe'
+            - '\iexplore.exe'
+            - '\maxthon.exe'
+            - '\MicrosoftEdge.exe'
             - '\msedge.exe'
-            - '\iexplorer.exe'
-            - '\brave.exe'
+            - '\msedgewebview2.exe'
             - '\opera.exe'
-        TargetFilename|contains: '.vhd' #not endswith to get the alternate data stream log Too TargetFilename: C:\Users\Frack113\Downloads\windows.vhd:Zone.Identifier
+            - '\safari.exe'
+            - '\seamonkey.exe'
+            - '\vivaldi.exe'
+            - '\whale.exe'
+        # We don't use "endswith" to also match with ADS logs and ".vhdx". Example: "TargetFilename: C:\Users\xxx\Downloads\windows.vhd:Zone.Identifier"
+        TargetFilename|contains: '.vhd'
     condition: selection
 falsepositives:
-    - Legitimate user creation
+    - Legitimate downloads of ".vhd" files would also trigger this
 level: medium

rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml

@@ -10,6 +10,7 @@ references:
     - https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/01/23
+modified: 2023/04/18
 tags:
     - attack.initial_access
     - attack.t1566.001
@@ -20,18 +21,23 @@ detection:
     selection_processes:
         Image|endswith:
             # Email clients
+            - '\RuntimeBroker.exe' # Windows Email clients uses RuntimeBroker to create the files
             - '\outlook.exe'
             - '\thunderbird.exe'
-            - '\HxOutlook.exe'
             # Browsers
             - '\brave.exe'
             - '\chrome.exe'
             - '\firefox.exe'
-            - '\iexplorer.exe'
-            - '\microsoftedge.exe'
-            - '\microsoftedgecp.exe'
+            - '\iexplore.exe'
+            - '\maxthon.exe'
+            - '\MicrosoftEdge.exe'
             - '\msedge.exe'
+            - '\msedgewebview2.exe'
             - '\opera.exe'
+            - '\safari.exe'
+            - '\seamonkey.exe'
+            - '\vivaldi.exe'
+            - '\whale.exe'
     selection_ext:
         - TargetFilename|endswith:
             - '.docm'
@@ -50,5 +56,5 @@ detection:
     condition: all of selection_*
 falsepositives:
     - Legitimate macro files downloaded from the internet
-    - Legitimate macro files sent as attachemnts via emails
+    - Legitimate macro files sent as attachments via emails
 level: medium

rules/windows/image_load/image_load_abusing_azure_browser_sso.yml

@@ -8,7 +8,7 @@ references:
     - https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
 author: Den Iuzvyk
 date: 2020/07/15
-modified: 2023/03/28
+modified: 2023/04/18
 tags:
     - attack.defense_evasion
     - attack.privilege_escalation
@@ -31,15 +31,15 @@ detection:
             - 'C:\Program Files (x86)\Microsoft Visual Studio\'
         Image|endswith: '\IDE\devenv.exe'
     filter_optional_ie:
-        Image|startswith:
+        Image:
             - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
             - 'C:\Program Files\Internet Explorer\iexplore.exe'
     filter_optional_edge_1:
         - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
-        - Image|endswith:
+        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
+        - Image:
             - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
             - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
-            - '\WindowsApps\MicrosoftEdge.exe'
     filter_optional_edge_2:
         Image|startswith:
             - 'C:\Program Files (x86)\Microsoft\EdgeCore\'