Status: Open
Labels: Rule: Tuning, Team: TRADE, backlog, community
Link to Rule
Rule Tuning Type
Data Quality - Ensuring integrity and quality of data used by detection rules.
Description
There's logic overlap between the rules Execution from Unusual Directory - Command Line and Process Execution from an Unusual Directory.
The overlap occurs when the suspicious processes listed in Execution from Unusual Directory - Command Line are executed FROM the suspicious directories that Process Execution from an Unusual Directory monitors.
For example:
Execution from Unusual Directory - Command Line would catch powershell.exe with args pointing to C:\Windows\Tasks\*
Process Execution from an Unusual Directory would catch the same process if its executable is located at C:\Windows\Tasks\malicious.exe (that rule keys on process.executable, not on the command line)
Possible fixes
Execution from Unusual Directory - Command Line
process where host.os.type == "windows" and event.type == "start" and
process.name : ("wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe",
"cmstp.exe", "RegAsm.exe", "installutil.exe", "mshta.exe",
"RegSvcs.exe", "powershell.exe", "pwsh.exe", "cmd.exe") and
/* Suspicious execution paths in arguments */
process.args : ("C:\\PerfLogs\\*", "C:\\Users\\Public\\*", "C:\\Windows\\Tasks\\*",
"C:\\Intel\\*", "C:\\AMD\\Temp\\*", "C:\\Windows\\AppReadiness\\*",
"C:\\Windows\\ServiceState\\*", "C:\\Windows\\security\\*",
"C:\\Windows\\IdentityCRL\\*", "C:\\Windows\\Branding\\*",
"C:\\Windows\\csc\\*", "C:\\Windows\\DigitalLocker\\*",
"C:\\Windows\\en-US\\*", "C:\\Windows\\wlansvc\\*",
"C:\\Windows\\Prefetch\\*", "C:\\Windows\\Fonts\\*",
"C:\\Windows\\diagnostics\\*", "C:\\Windows\\TAPI\\*",
"C:\\Windows\\INF\\*", "C:\\Windows\\System32\\Speech\\*",
"C:\\windows\\tracing\\*", "c:\\windows\\IME\\*",
"c:\\Windows\\Performance\\*", "c:\\windows\\intel\\*",
"c:\\windows\\ms\\*", "C:\\Windows\\dot3svc\\*",
"C:\\Windows\\panther\\*", "C:\\Windows\\RemotePackages\\*",
"C:\\Windows\\OCR\\*", "C:\\Windows\\appcompat\\*",
"C:\\Windows\\apppatch\\*", "C:\\Windows\\addins\\*",
"C:\\Windows\\Setup\\*", "C:\\Windows\\Help\\*",
"C:\\Windows\\SKB\\*", "C:\\Windows\\Vss\\*",
"C:\\Windows\\servicing\\*", "C:\\Windows\\CbsTemp\\*",
"C:\\Windows\\Logs\\*", "C:\\Windows\\WaaS\\*",
"C:\\Windows\\twain_32\\*", "C:\\Windows\\ShellExperiences\\*",
"C:\\Windows\\ShellComponents\\*", "C:\\Windows\\PLA\\*",
"C:\\Windows\\Migration\\*", "C:\\Windows\\debug\\*",
"C:\\Windows\\Cursors\\*", "C:\\Windows\\Containers\\*",
"C:\\Windows\\Boot\\*", "C:\\Windows\\bcastdvr\\*",
"C:\\Windows\\TextInput\\*", "C:\\Windows\\schemas\\*",
"C:\\Windows\\SchCache\\*", "C:\\Windows\\Resources\\*",
"C:\\Windows\\rescache\\*", "C:\\Windows\\Provisioning\\*",
"C:\\Windows\\PrintDialog\\*", "C:\\Windows\\PolicyDefinitions\\*",
"C:\\Windows\\media\\*", "C:\\Windows\\Globalization\\*",
"C:\\Windows\\L2Schemas\\*", "C:\\Windows\\LiveKernelReports\\*",
"C:\\Windows\\ModemLogs\\*", "C:\\Windows\\ImmersiveControlPanel\\*",
"C:\\$Recycle.Bin\\*") and
/* EXCLUDE processes executing FROM suspicious directories to avoid overlap with Process Execution from an Unusual Directory */
not process.executable : ("?:\\PerfLogs\\*", "?:\\Users\\Public\\*", "?:\\Windows\\Tasks\\*",
"?:\\Intel\\*", "?:\\AMD\\Temp\\*", "?:\\Windows\\AppReadiness\\*",
"?:\\Windows\\ServiceState\\*", "?:\\Windows\\security\\*",
"?:\\Windows\\IdentityCRL\\*", "?:\\Windows\\Branding\\*",
"?:\\Windows\\csc\\*", "?:\\Windows\\DigitalLocker\\*",
"?:\\Windows\\en-US\\*", "?:\\Windows\\wlansvc\\*",
"?:\\Windows\\Prefetch\\*", "?:\\Windows\\Fonts\\*",
"?:\\Windows\\diagnostics\\*", "?:\\Windows\\TAPI\\*",
"?:\\Windows\\INF\\*", "?:\\Windows\\System32\\Speech\\*",
"?:\\windows\\tracing\\*", "?:\\windows\\IME\\*",
"?:\\Windows\\Performance\\*", "?:\\windows\\intel\\*",
"?:\\windows\\ms\\*", "?:\\Windows\\dot3svc\\*",
"?:\\Windows\\panther\\*", "?:\\Windows\\RemotePackages\\*",
"?:\\Windows\\OCR\\*", "?:\\Windows\\appcompat\\*",
"?:\\Windows\\apppatch\\*", "?:\\Windows\\addins\\*",
"?:\\Windows\\Setup\\*", "?:\\Windows\\Help\\*",
"?:\\Windows\\SKB\\*", "?:\\Windows\\Vss\\*",
"?:\\Windows\\Web\\*", /* also monitored by the executable rule */
"?:\\Windows\\servicing\\*", "?:\\Windows\\CbsTemp\\*",
"?:\\Windows\\Logs\\*", "?:\\Windows\\WaaS\\*",
"?:\\Windows\\ShellExperiences\\*", "?:\\Windows\\ShellComponents\\*",
"?:\\Windows\\PLA\\*", "?:\\Windows\\Migration\\*",
"?:\\Windows\\debug\\*", "?:\\Windows\\Cursors\\*",
"?:\\Windows\\Containers\\*", "?:\\Windows\\Boot\\*",
"?:\\Windows\\bcastdvr\\*", "?:\\Windows\\TextInput\\*",
"?:\\Windows\\assembly\\*", /* also monitored by the executable rule */
"?:\\Windows\\schemas\\*", "?:\\Windows\\SchCache\\*",
"?:\\Windows\\Resources\\*", "?:\\Windows\\rescache\\*",
"?:\\Windows\\Provisioning\\*", "?:\\Windows\\PrintDialog\\*",
"?:\\Windows\\PolicyDefinitions\\*", "?:\\Windows\\media\\*",
"?:\\Windows\\Globalization\\*", "?:\\Windows\\L2Schemas\\*",
"?:\\Windows\\LiveKernelReports\\*", "?:\\Windows\\ModemLogs\\*",
"?:\\Windows\\ImmersiveControlPanel\\*") and
/* Original exclusions remain */
not process.parent.executable : ("C:\\WINDOWS\\System32\\DriverStore\\FileRepository\\*\\igfxCUIService*.exe",
"C:\\Windows\\System32\\spacedeskService.exe",
"C:\\Program Files\\Dell\\SupportAssistAgent\\SRE\\SRE.exe") and
not (process.name : "rundll32.exe" and
process.args : ("uxtheme.dll,#64", "PRINTUI.DLL,PrintUIEntry",
"?:\\Windows\\System32\\FirewallControlPanel.dll,ShowNotificationDialog",
"?:\\WINDOWS\\system32\\Speech\\SpeechUX\\sapi.cpl",
"?:\\Windows\\system32\\shell32.dll,OpenAs_RunDLL")) and
not (process.name : "cscript.exe" and process.args : "?:\\WINDOWS\\system32\\calluxxprovider.vbs") and
not (process.name : "cmd.exe" and process.args : "?:\\WINDOWS\\system32\\powercfg.exe" and process.args : "?:\\WINDOWS\\inf\\PowerPlan.log") and
not (process.name : "regsvr32.exe" and process.args : "?:\\Windows\\Help\\OEM\\scripts\\checkmui.dll") and
not (process.name : "cmd.exe" and
process.parent.executable : ("?:\\Windows\\System32\\oobe\\windeploy.exe",
"?:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe",
"?:\\Windows\\System32\\igfxCUIService.exe",
"?:\\Windows\\Temp\\IE*.tmp\\IE*-support\\ienrcore.exe"))
Process Execution from an Usual Directory
process where host.os.type == "windows" and event.type == "start" and
/* Executables located in suspicious paths */
process.executable : (
"?:\\PerfLogs\\*.exe", "?:\\Users\\Public\\*.exe", "?:\\Windows\\Tasks\\*.exe",
"?:\\Intel\\*.exe", "?:\\AMD\\Temp\\*.exe", "?:\\Windows\\AppReadiness\\*.exe",
"?:\\Windows\\ServiceState\\*.exe", "?:\\Windows\\security\\*.exe", "?:\\Windows\\IdentityCRL\\*.exe",
"?:\\Windows\\Branding\\*.exe", "?:\\Windows\\csc\\*.exe", "?:\\Windows\\DigitalLocker\\*.exe",
"?:\\Windows\\en-US\\*.exe", "?:\\Windows\\wlansvc\\*.exe", "?:\\Windows\\Prefetch\\*.exe",
"?:\\Windows\\Fonts\\*.exe", "?:\\Windows\\diagnostics\\*.exe", "?:\\Windows\\TAPI\\*.exe",
"?:\\Windows\\INF\\*.exe", "?:\\Windows\\System32\\Speech\\*.exe", "?:\\windows\\tracing\\*.exe",
"?:\\windows\\IME\\*.exe", "?:\\Windows\\Performance\\*.exe", "?:\\windows\\intel\\*.exe",
"?:\\windows\\ms\\*.exe", "?:\\Windows\\dot3svc\\*.exe", "?:\\Windows\\panther\\*.exe",
"?:\\Windows\\RemotePackages\\*.exe", "?:\\Windows\\OCR\\*.exe", "?:\\Windows\\appcompat\\*.exe",
"?:\\Windows\\apppatch\\*.exe", "?:\\Windows\\addins\\*.exe", "?:\\Windows\\Setup\\*.exe",
"?:\\Windows\\Help\\*.exe", "?:\\Windows\\SKB\\*.exe", "?:\\Windows\\Vss\\*.exe",
"?:\\Windows\\Web\\*.exe", "?:\\Windows\\servicing\\*.exe", "?:\\Windows\\CbsTemp\\*.exe",
"?:\\Windows\\Logs\\*.exe", "?:\\Windows\\WaaS\\*.exe", "?:\\Windows\\ShellExperiences\\*.exe",
"?:\\Windows\\ShellComponents\\*.exe", "?:\\Windows\\PLA\\*.exe", "?:\\Windows\\Migration\\*.exe",
"?:\\Windows\\debug\\*.exe", "?:\\Windows\\Cursors\\*.exe", "?:\\Windows\\Containers\\*.exe",
"?:\\Windows\\Boot\\*.exe", "?:\\Windows\\bcastdvr\\*.exe", "?:\\Windows\\assembly\\*.exe",
"?:\\Windows\\TextInput\\*.exe", "?:\\Windows\\schemas\\*.exe",
"?:\\Windows\\SchCache\\*.exe", "?:\\Windows\\Resources\\*.exe", "?:\\Windows\\rescache\\*.exe",
"?:\\Windows\\Provisioning\\*.exe", "?:\\Windows\\PrintDialog\\*.exe", "?:\\Windows\\PolicyDefinitions\\*.exe",
"?:\\Windows\\media\\*.exe", "?:\\Windows\\Globalization\\*.exe", "?:\\Windows\\L2Schemas\\*.exe",
"?:\\Windows\\LiveKernelReports\\*.exe", "?:\\Windows\\ModemLogs\\*.exe",
"?:\\Windows\\ImmersiveControlPanel\\*.exe"
) and
/* Original exclusions remain */
not process.name : ("SpeechUXWiz.exe", "SystemSettings.exe", "TrustedInstaller.exe",
"PrintDialog.exe", "MpSigStub.exe", "LMS.exe", "mpam-*.exe") and
not process.executable : ("?:\\Intel\\Wireless\\WUSetupLauncher.exe",
"?:\\Intel\\Wireless\\Setup.exe", "?:\\Intel\\Move Mouse.exe",
"?:\\windows\\Panther\\DiagTrackRunner.exe",
"?:\\Windows\\servicing\\GC64\\tzupd.exe",
"?:\\Users\\Public\\res\\RemoteLite.exe",
"?:\\Users\\Public\\IBM\\ClientSolutions\\*.exe",
"?:\\Users\\Public\\Documents\\syspin.exe",
"?:\\Users\\Public\\res\\FileWatcher.exe")
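To check that the proposed `not process.executable` exclusion really covers every directory the executable rule monitors, here is an added Python helper (not part of this issue or of the elastic/detection-rules repository) that pulls the path lists out of both EQL queries, normalises drive letters, case and trailing wildcards, and reports any directory of Process Execution from an Unusual Directory that the Command Line rule's exclusion leaves uncovered. The two query excerpts below are constructed abbreviations of the rules above, with a deliberate gap to show the output.

```python
import re

# Constructed, abbreviated excerpts of the two EQL queries from this issue
# (only a handful of paths from each list, not the full rules).
CMDLINE_RULE_EXCERPT = r'''
process.args : ("C:\\PerfLogs\\*", "C:\\Users\\Public\\*", "C:\\Windows\\Tasks\\*",
                "C:\\Windows\\Vss\\*", "C:\\$Recycle.Bin\\*") and
not process.executable : ("?:\\PerfLogs\\*", "?:\\Users\\Public\\*", "?:\\Windows\\Tasks\\*",
                          "?:\\Windows\\Vss\\*")
'''
EXEC_RULE_EXCERPT = r'''
process.executable : ("?:\\PerfLogs\\*.exe", "?:\\Users\\Public\\*.exe", "?:\\Windows\\Tasks\\*.exe",
                      "?:\\Windows\\Vss\\*.exe", "?:\\Windows\\Web\\*.exe", "?:\\Windows\\assembly\\*.exe")
'''


def list_values(query, prefix):
    """Return the quoted strings of the parenthesised list that follows
    `prefix` (e.g. 'process.executable' or 'not process.executable')."""
    pattern = r'(?<!not )' + re.escape(prefix) + r'\s*:\s*\(([^)]*)\)'
    match = re.search(pattern, query)
    return re.findall(r'"([^"]*)"', match.group(1)) if match else []


def normalize_path(path):
    """Reduce an EQL path pattern to a comparable directory key: lowercase,
    any drive letter folded to '?:', trailing '\\*' or '\\*.exe' removed."""
    key = path.lower()
    key = re.sub(r'^[a-z?]:', '?:', key)
    return re.sub(r'\\\\\*(\.exe)?$', '', key)


def exclusion_gaps(cmdline_query, exec_query):
    """Directories the executable rule monitors that the command-line rule's
    'not process.executable' clause does not exclude (residual overlap)."""
    monitored = {normalize_path(p) for p in list_values(exec_query, 'process.executable')}
    excluded = {normalize_path(p) for p in list_values(cmdline_query, 'not process.executable')}
    return sorted(monitored - excluded)


if __name__ == '__main__':
    for gap in exclusion_gaps(CMDLINE_RULE_EXCERPT, EXEC_RULE_EXCERPT):
        print('still overlapping:', gap)
```

Paste the full query text of both rules into the two constants to check the real exclusion list; an empty result means the overlap described in this issue is fully removed.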
Example Data
No response