This is a small addendum to this previous article. After letting this bake in my lab for a period of time, I did experience a small amount of noise. I’ve added a few minor exclusions to get around those issues, but this does strike me as a potential pain point for certain applications. While in general, it is not good practice to copy an executable into a custom writeable area of the OS, I suspect that some organizations will see some issues here. That said, I’ve rewritten both of these rules as custom data sources that can be overridden.
The instructions are fairly straight forward. Both rules related to monitoring writeable OS directions in the next release of Security Monitoring (current target is early 2019) will contain this override. The override will allow for an override based on a specific executable or a specific path. I would note that as it stands right now, these are looking in the same parameter, so technically, you can use these interchangeably, but it’s possible I may opt to change this at some point, so I recommend not doing so.