feat: wmiprvse rule updates and merger

rules-deprecated/windows/proc_creation_win_susp_cmd_exectution_via_wmi.yml

@@ -1,6 +1,6 @@
 title: Suspicious Cmd Execution via WMI
 id: e31f89f7-36fb-4697-8ab6-48823708353b
-status: experimental
+status: deprecated
 description: Detects suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.
 references:
     - https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html

rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml

@@ -1,5 +1,8 @@
-title: Impacket Lateralization Detection
+title: Potential Impacket Lateral Movement Activity
 id: 10c14723-61c7-4c75-92ca-9af245723ad2
+related:
+    - id: e31f89f7-36fb-4697-8ab6-48823708353b
+      type: obsoletes
 status: stable
 description: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
 references:
@@ -7,9 +10,10 @@ references:
     - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py
     - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py
     - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py
-author: Ecco, oscd.community, Jonhnathan Ribeiro
+    - https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html
+author: Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch
 date: 2019/09/03
-modified: 2022/12/08
+modified: 2023/01/19
 tags:
     - attack.execution
     - attack.t1047

rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml

@@ -1,33 +0,0 @@
-title: Lolbins Process Creation with WmiPrvse
-id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
-status: experimental
-description: This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed.
-references:
-    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
-    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
-author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)'
-date: 2021/08/23
-modified: 2022/07/11
-tags:
-    - attack.t1204.002
-    - attack.t1047
-    - attack.t1218.010
-    - attack.execution
-    - attack.defense_evasion
-logsource:
-    product: windows
-    category: process_creation
-detection:
-    #useful_information: add more LOLBins to the rules logic of your choice.
-    selection:
-        Image|endswith:
-            - '\regsvr32.exe'
-            - '\rundll32.exe'
-            - '\msiexec.exe'
-            - '\mshta.exe'
-            - '\verclsid.exe'
-        ParentImage|endswith: '\wbem\WmiPrvSE.exe'
-    condition: selection
-falsepositives:
-    - Unknown
-level: high

rules/windows/process_creation/proc_creation_win_shell_spawn_susp_program.yml

@@ -1,12 +1,12 @@
-title: Windows Shell Spawning Suspicious Program
+title: Windows Shell/Scripting Processes Spawning Suspicious Programs
 id: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde
 status: test
-description: Detects a suspicious child process of a Windows shell
+description: Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.
 references:
     - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
 author: Florian Roth, Tim Shelton
 date: 2018/04/06
-modified: 2022/07/27
+modified: 2023/01/19
 tags:
     - attack.execution
     - attack.defense_evasion
@@ -22,7 +22,7 @@ detection:
             - '\mshta.exe'
             - '\powershell.exe'
             - '\pwsh.exe'
-            #- '*\cmd.exe'  # too many false positives
+            #- '\cmd.exe'  # too many false positives
             - '\rundll32.exe'
             - '\cscript.exe'
             - '\wscript.exe'
@@ -34,18 +34,18 @@ detection:
             - '\certutil.exe'
             - '\bitsadmin.exe'
             - '\mshta.exe'
-    falsepositives_1:
+    filter_ccmcache:
         CurrentDirectory|contains: '\ccmcache\'
-    falsepositives_2:
+    filter_amazon:
         ParentCommandLine|contains:
             # FP - Amazon Workspaces
             - '\Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1'
             - '\Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1'
             - '\Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1'
             - '\nessus_' # Tenable/Nessus VA Scanner
-    falsepositives_3:
+    filter_nessus:
         CommandLine|contains: '\nessus_' # Tenable/Nessus VA Scanner
-    condition: selection and not 1 of falsepositives*
+    condition: selection and not 1 of filter_*
 fields:
     - CommandLine
     - ParentCommandLine

rules/windows/process_creation/proc_creation_win_susp_powershell_parent_process.yml

@@ -1,12 +1,12 @@
 title: Suspicious PowerShell Parent Process
 id: 754ed792-634f-40ae-b3bc-e0448d33f695
 status: test
-description: Detects a suspicious parents of powershell.exe process
+description: Detects a suspicious or uncommon parent processes of PowerShell
 references:
     - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26
 author: Teymur Kheirkhabarov, Harish Segar (rule)
 date: 2020/03/20
-modified: 2023/01/05
+modified: 2023/01/19
 tags:
     - attack.execution
     - attack.t1059.001
@@ -14,18 +14,6 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection_powershell:
-        - Image|endswith:
-            - '\powershell.exe'
-            - '\pwsh.exe'
-        - CommandLine|contains:
-            - '/c powershell'  # FPs with sub processes that contained "powershell" soemwhere in the command line
-            - '/c pwsh'
-        - Description: 'Windows PowerShell'
-        - Product: 'PowerShell Core 6'
-        - OriginalFileName:
-            - 'PowerShell.EXE'
-            - 'pwsh.dll'
     selection_parent:
         - ParentImage|endswith:
             - '\mshta.exe'
@@ -33,7 +21,7 @@ detection:
             - '\regsvr32.exe'
             - '\services.exe'
             - '\winword.exe'
-            - '\wmiprvse.exe'
+            #- '\wmiprvse.exe' # This process is covered in the rule 692f0bec-83ba-4d04-af7e-e884a96059b6
             - '\powerpnt.exe'
             - '\excel.exe'
             - '\msaccess.exe'
@@ -59,7 +47,19 @@ detection:
             - '\jbosssvc.exe'
             - '\MicrosoftEdgeSH.exe'
         - ParentImage|contains: 'tomcat'
-    condition: all of selection*
+    selection_powershell:
+        - Image|endswith:
+            - '\powershell.exe'
+            - '\pwsh.exe'
+        - CommandLine|contains:
+            - '/c powershell'  # FPs with sub processes that contained "powershell" soemwhere in the command line
+            - '/c pwsh'
+        - Description: 'Windows PowerShell'
+        - Product: 'PowerShell Core 6'
+        - OriginalFileName:
+            - 'PowerShell.EXE'
+            - 'pwsh.dll'
+    condition: all of selection_*
 falsepositives:
     - Other scripts
 level: high

rules/windows/process_creation/proc_creation_win_wmiprvse_spawning_process.yml

@@ -1,12 +1,17 @@
-title: Wmiprvse Spawning Process
+title: WmiPrvSE Spawned A Process
 id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
-status: experimental
+related:
+    - id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
+      type: similar
+    - id: 692f0bec-83ba-4d04-af7e-e884a96059b6
+      type: similar
+status: stable
 description: Detects wmiprvse spawning processes
 references:
     - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190810201010.html
 author: Roberto Rodriguez @Cyb3rWard0g
 date: 2019/08/15
-modified: 2022/05/27
+modified: 2023/01/19
 tags:
     - attack.execution
     - attack.t1047
@@ -16,7 +21,7 @@ logsource:
 detection:
     selection:
         ParentImage|endswith: '\WmiPrvSe.exe'
-    filter:
+    filter_generic:
         - LogonId:
             - '0x3e7'  # LUID 999 for SYSTEM
             - 'null'   # too many false positives
@@ -28,7 +33,7 @@ detection:
             - '\WerFault.exe'
     filter_null:  # some backends need the null value in a separate expression
         LogonId: null
-    condition: selection and not filter and not filter_null
+    condition: selection and not 1 of filter_*
 falsepositives:
     - Unknown
-level: high
+level: medium

rules/windows/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yml

@@ -1,12 +1,17 @@
-title: WMI Spawning Windows PowerShell
+title: WmiPrvSE Spawned PowerShell
 id: 692f0bec-83ba-4d04-af7e-e884a96059b6
-status: experimental
-description: Detects WMI spawning a PowerShell process
+related:
+    - id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
+      type: similar
+    - id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
+      type: similar
+status: stable
+description: Detects Powershell as a child of the WmiPrvSE process. Which could be a signe of remote access via WMI
 references:
     - https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e
-author: Markus Neis / @Karneades
+author: Markus Neis @Karneades
 date: 2019/04/03
-modified: 2022/07/14
+modified: 2023/01/19
 tags:
     - attack.execution
     - attack.t1047
@@ -24,11 +29,11 @@ detection:
         - OriginalFileName:
             - 'PowerShell.EXE'
             - 'pwsh.dll'
-    filter_null1:
+    filter_null_1:
         CommandLine: 'null'
-    filter_null2:  # some backends need the null value in a separate expression
+    filter_null_2:  # some backends need the null value in a separate expression
         CommandLine: null
-    condition: all of selection* and not filter_null1 and not filter_null2
+    condition: all of selection* and not 1 of filter_*
 falsepositives:
     - AppvClient
     - CCM

rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml

@@ -0,0 +1,51 @@
+title: Suspicious WmiPrvse Child Process Spawned
+id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
+related:
+    - id: 692f0bec-83ba-4d04-af7e-e884a96059b6
+      type: similar
+    - id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
+      type: similar
+status: test
+description: Detects suspicious and uncommon child processes of WmiPrvSE
+references:
+    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+    - https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
+author: Vadim Khrykov (ThreatIntel), Cyb3rEng
+date: 2021/08/23
+modified: 2023/01/19
+tags:
+    - attack.execution
+    - attack.defense_evasion
+    - attack.t1047
+    - attack.t1204.002
+    - attack.t1218.010
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_parent:
+        ParentImage|endswith: '\wbem\WmiPrvSE.exe'
+    selection_children_1:
+        # TODO: Think to add more LOLBINs or suspicious processes that make sens in your environment
+        Image|endswith:
+            - '\regsvr32.exe'
+            - '\rundll32.exe'
+            - '\msiexec.exe'
+            - '\mshta.exe'
+            - '\verclsid.exe'
+    selection_children_2:
+        # This is in a seperate selection due to the nature of FP generated with CMD
+        Image|endswith: '\cmd.exe'
+        CommandLine|contains:
+            - 'powershell'
+            - 'pwsh'
+            - 'mshta'
+            - 'rundll32'
+            - 'regsvr32'
+            - 'wscript'
+            - 'cscript'
+    condition: selection_parent and 1 of selection_children_*
+falsepositives:
+    - Unknown
+level: high