Merge PR #4728 from @qasimqlf - Update multiple rules to cover the '-' arguments along with '/' arguments

update: Suspicious Service Installation Script - Increase coverage by adding for the "/" option in commands flags
update: Console CodePage Lookup Via CHCP - Increase coverage by adding for the "/" option in commands flags
update: Curl Download And Execute Combination - Increase coverage by adding for the "/" option in commands flags
update: File Deletion Via Del - Increase coverage by adding for the "/" option in commands flags
update: Files And Subdirectories Listing Using Dir - Increase coverage by adding for the "/" option in commands flags
update: Suspicious Ping/Copy Command Combination - Increase coverage by adding for the "/" option in commands flags
update: New Generic Credentials Added Via Cmdkey.EXE - Increase coverage by adding for the "/" option in commands flags
 
---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>

rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml

@@ -6,7 +6,7 @@ references:
     - Internal Research
 author: pH-T (Nextron Systems)
 date: 2022/03/18
-modified: 2022/11/18
+modified: 2024/02/23
 tags:
     - attack.persistence
     - attack.privilege_escalation
@@ -16,24 +16,27 @@ logsource:
     product: windows
     service: system
 detection:
-    selection:
+    selection_eid:
         Provider_Name: 'Service Control Manager'
         EventID: 7045
-    suspicious1:
+    selection_cmd_flags:
         ImagePath|contains:
             - ' /c '
+            - ' -c '
             - ' /r '
+            - ' -r '
             - ' /k '
-    suspicious2:
+            - ' -k '
+    selection_binaries:
         ImagePath|contains:
-            - 'powershell'
-            - 'pwsh'
-            - 'wscript'
             - 'cscript'
             - 'mshta'
-            - 'rundll32'
+            - 'powershell'
+            - 'pwsh'
             - 'regsvr32'
-    condition: selection and all of suspicious*
+            - 'rundll32'
+            - 'wscript'
+    condition: all of selection_*
 falsepositives:
     - Unknown
 level: high

rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml

@@ -7,7 +7,7 @@ references:
     - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp
 author: _pete_0, TheDFIRReport
 date: 2022/02/21
-modified: 2023/05/05
+modified: 2024/02/16
 tags:
     - attack.discovery
     - attack.t1614.001
@@ -19,8 +19,11 @@ detection:
         ParentImage|endswith: '\cmd.exe'
         ParentCommandLine|contains:
             - ' /c '
+            - ' -c '
             - ' /r '
+            - ' -r '
             - ' /k '
+            - ' -k '
         Image|endswith: '\chcp.com'
         CommandLine|endswith:
             - 'chcp'

rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml

@@ -6,7 +6,7 @@ references:
     - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 # Dead Link
 author: Sreeman, Nasreddine Bencherchali (Nextron Systems)
 date: 2020/01/13
-modified: 2023/03/06
+modified: 2024/02/17
 tags:
     - attack.execution
     - attack.t1218
@@ -17,16 +17,15 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine|contains|all:
+        CommandLine|contains:
             - ' /c '
+            - ' -c '
+        CommandLine|contains|all:
             - 'curl '
             - 'http'
             - '-o'
             - '&'
     condition: selection
-fields:
-    - ParentImage
-    - CommandLine
 falsepositives:
     - Unknown
 level: high

rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml

@@ -11,7 +11,7 @@ references:
     - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
 author: frack113
 date: 2022/01/15
-modified: 2023/03/06
+modified: 2024/02/17
 tags:
     - attack.defense_evasion
     - attack.t1070.004
@@ -29,8 +29,11 @@ detection:
     selection_flags:
         CommandLine|contains:
             - ' /f' # Force deleting of read-only files.
+            - ' -f'
             - ' /s' # Delete specified files from all subdirectories.
+            - ' -s'
             - ' /q' # Quiet mode, do not ask if ok to delete on global wildcard
+            - ' -q'
     condition: all of selection_*
 falsepositives:
     - False positives levels will differ Depending on the environment. You can use a combination of ParentImage and other keywords from the CommandLine field to filter legitimate activity

rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml

@@ -6,7 +6,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
 author: frack113
 date: 2021/12/13
-modified: 2023/03/07
+modified: 2024/02/17
 tags:
     - attack.discovery
     - attack.t1217
@@ -14,12 +14,17 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
-        CommandLine|contains|all:
-            - 'dir '
+    selection_dir:
+        CommandLine|contains: 'dir '
+    selection_cli_1:
+        CommandLine|contains:
             - ' /s'
+            - ' -s'
+    selection_cli_2:
+        CommandLine|contains:
             - ' /b'
-    condition: selection
+            - ' -b'
+    condition: all of selection_*
 falsepositives:
     - Unknown
 level: low

rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml

@@ -6,6 +6,7 @@ references:
     - Internal Research
 author: X__Junior (Nextron Systems)
 date: 2023/07/18
+modified: 2024/02/26
 tags:
     - attack.defense_evasion
     - attack.t1070.004
@@ -17,14 +18,18 @@ detection:
     selection_cmd:
         - Image|endswith: '\cmd.exe'
         - OriginalFileName: 'Cmd.Exe'
-    selection_cli:
-        CommandLine|contains: # Count
-            - ' -n '
-            - ' /n '
+    selection_action:
         CommandLine|contains|all:
             - 'ping' # Covers "ping" and "ping.exe"
             - 'copy '
+    selection_cli_1:
+        CommandLine|contains: # Count
+            - ' -n '
+            - ' /n '
+    selection_cli_2:
+        CommandLine|contains:
             - ' /y '
+            - ' -y '
     condition: all of selection_*
 falsepositives:
     - Unknown

rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml

@@ -6,6 +6,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2023/02/03
+modified: 2024/02/23
 tags:
     - attack.credential_access
     - attack.t1003.005
@@ -16,12 +17,19 @@ detection:
     selection_img:
         - Image|endswith: '\cmdkey.exe'
         - OriginalFileName: 'cmdkey.exe'
-    selection_cli:
-        CommandLine|contains|all:
+    selection_cli_1:
+        CommandLine|contains:
             - ' /g'
+            - ' -g'
+    selection_cli_2:
+        CommandLine|contains:
             - ' /u'
+            - ' -u'
+    selection_cli_3:
+        CommandLine|contains:
             - ' /p'
-    condition: all of selection*
+            - ' -p'
+    condition: all of selection_*
 falsepositives:
     - Legitimate usage for administration purposes
 level: medium