Change status for old rules

2021-11-27 11:33:14 +01:00
parent 6664d6e522
commit 01dc930c17
547 changed files with 11964 additions and 11755 deletions
@@ -1,45 +1,45 @@
 title: Windows Shell Spawning Suspicious Program
 id: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde
-status: experimental
+status: test
 description: Detects a suspicious child process of a Windows shell
-references:
-    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
 author: Florian Roth
+references:
+  - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
 date: 2018/04/06
-modified: 2020/09/06
-tags:
-    - attack.execution
-    - attack.defense_evasion
-    - attack.t1064 # an old one
-    - attack.t1059.005
-    - attack.t1059.001
-    - attack.t1218    
+modified: 2021/11/27
 logsource:
-    category: process_creation
-    product: windows
+  category: process_creation
+  product: windows
 detection:
-    selection:
-        ParentImage|endswith:
-            - '\mshta.exe'
-            - '\powershell.exe'
+  selection:
+    ParentImage|endswith:
+      - '\mshta.exe'
+      - '\powershell.exe'
            # - '*\cmd.exe'  # too many false positives
-            - '\rundll32.exe'
-            - '\cscript.exe'
-            - '\wscript.exe'
-            - '\wmiprvse.exe'
-        Image|endswith:
-            - '\schtasks.exe'
-            - '\nslookup.exe'
-            - '\certutil.exe'
-            - '\bitsadmin.exe'
-            - '\mshta.exe'
-    falsepositives:
-        CurrentDirectory|contains: '\ccmcache\'
-    condition: selection and not falsepositives
+      - '\rundll32.exe'
+      - '\cscript.exe'
+      - '\wscript.exe'
+      - '\wmiprvse.exe'
+    Image|endswith:
+      - '\schtasks.exe'
+      - '\nslookup.exe'
+      - '\certutil.exe'
+      - '\bitsadmin.exe'
+      - '\mshta.exe'
+  falsepositives:
+    CurrentDirectory|contains: '\ccmcache\'
+  condition: selection and not falsepositives
 fields:
-    - CommandLine
-    - ParentCommandLine
+  - CommandLine
+  - ParentCommandLine
 falsepositives:
-    - Administrative scripts
-    - Microsoft SCCM
+  - Administrative scripts
+  - Microsoft SCCM
 level: high
+tags:
+  - attack.execution
+  - attack.defense_evasion
+  - attack.t1064   # an old one
+  - attack.t1059.005
+  - attack.t1059.001
+  - attack.t1218