various rules cleaning

rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml

@@ -16,12 +16,12 @@ detection:
     selection:
         EventID: 7
         Image:
-            - '*\winword.exe*'
-            - '*\powerpnt.exe*'
-            - '*\excel.exe*'
-            - '*\outlook.exe*'
+            - '*\winword.exe'
+            - '*\powerpnt.exe'
+            - '*\excel.exe'
+            - '*\outlook.exe'
         ImageLoaded:
-            - '*C:\Windows\assembly\*'
+            - 'C:\Windows\assembly\*'
     condition: selection
 falsepositives:
     - Alerts on legitimate macro usage as well, will need to filter as appropriate

rules/windows/sysmon/sysmon_susp_office_dotnet_gac_dll_load.yml

@@ -16,12 +16,12 @@ detection:
     selection:
         EventID: 7
         Image:
-            - '*\winword.exe*'
-            - '*\powerpnt.exe*'
-            - '*\excel.exe*'
-            - '*\outlook.exe*'
+            - '*\winword.exe'
+            - '*\powerpnt.exe'
+            - '*\excel.exe'
+            - '*\outlook.exe'
         ImageLoaded:
-            - '*C:\Windows\Microsoft.NET\assembly\GAC_MSIL*'
+            - 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL*'
     condition: selection
 falsepositives:
     - Alerts on legitimate macro usage as well, will need to filter as appropriate

rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml

@@ -16,12 +16,12 @@ detection:
     selection:
         EventID: 7
         Image:
-            - '*\winword.exe*'
-            - '*\powerpnt.exe*'
-            - '*\excel.exe*'
-            - '*\outlook.exe*'
+            - '*\winword.exe'
+            - '*\powerpnt.exe'
+            - '*\excel.exe'
+            - '*\outlook.exe'
         ImageLoaded:
-            - '*\kerberos.dll*'
+            - '*\kerberos.dll'
     condition: selection
 falsepositives:
     - Alerts on legitimate macro usage as well, will need to filter as appropriate

rules/windows/sysmon/sysmon_susp_winword_vbadll_load.yml

@@ -16,14 +16,14 @@ detection:
     selection:
         EventID: 7
         Image:
-            - '*\winword.exe*'
-            - '*\powerpnt.exe*'
-            - '*\excel.exe*'
-            - '*\outlook.exe*'
+            - '*\winword.exe'
+            - '*\powerpnt.exe'
+            - '*\excel.exe'
+            - '*\outlook.exe'
         ImageLoaded:
-            - '*\VBE7.DLL*'
-            - '*\VBEUI.DLL*'
-            - '*\VBE7INTL.DLL*'
+            - '*\VBE7.DLL'
+            - '*\VBEUI.DLL'
+            - '*\VBE7INTL.DLL'
     condition: selection
 falsepositives:
     - Alerts on legitimate macro usage as well, will need to filter as appropriate

rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml

@@ -27,12 +27,9 @@ detection:
             - '*\tsvipsrv.dll'
             - '*\wlbsctrl.dll'
     filter:
-        EventID: 7
-        Image:
-            - '*\svchost.exe'
         ImageLoaded:
             - 'C:\Windows\WinSxS\*'        
     condition: selection and not filter
 falsepositives:
     - Pentest
-level: high
+level: high