From 1b4ff4d7cd14fbab8af8d69199eb12e05707cb1b Mon Sep 17 00:00:00 2001
From: Qasim Qlf
Date: Mon, 26 Feb 2024 15:38:50 +0500
Subject: [PATCH] Merge PR #4728 from @qasimqlf - Update multiple rules to cover the '-' arguments along with '/' arguments
update: Suspicious Service Installation Script - Increase coverage by adding for the "/" option in commands flags
update: Console CodePage Lookup Via CHCP - Increase coverage by adding for the "/" option in commands flags
update: Curl Download And Execute Combination - Increase coverage by adding for the "/" option in commands flags
update: File Deletion Via Del - Increase coverage by adding for the "/" option in commands flags
update: Files And Subdirectories Listing Using Dir - Increase coverage by adding for the "/" option in commands flags
update: Suspicious Ping/Copy Command Combination - Increase coverage by adding for the "/" option in commands flags
update: New Generic Credentials Added Via Cmdkey.EXE - Increase coverage by adding for the "/" option in commands flags
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
...ystem_susp_service_installation_script.yml | 21 +++++++++++--------
...proc_creation_win_chcp_codepage_lookup.yml | 5 ++++-
...ation_win_cmd_curl_download_exec_combo.yml | 9 ++++----
.../proc_creation_win_cmd_del_execution.yml | 5 ++++-
.../proc_creation_win_cmd_dir_execution.yml | 15 ++++++++-----
...n_win_cmd_ping_copy_combined_execution.yml | 13 ++++++++----
...eation_win_cmdkey_adding_generic_creds.yml | 14 ++++++++++---
7 files changed, 54 insertions(+), 28 deletions(-)
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml b/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml
index 6785a6d39..98b29b79c 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml @@ -6,7 +6,7 @@ references: - Internal Research author: pH-T (Nextron Systems) date: 2022/03/18 -modified: 2022/11/18 +modified: 2024/02/23 tags: - attack.persistence - attack.privilege_escalation @@ -16,24 +16,27 @@ logsource: product: windows service: system detection: - selection: + selection_eid: Provider_Name: 'Service Control Manager' EventID: 7045 - suspicious1: + selection_cmd_flags: ImagePath|contains: - ' /c ' + - ' -c ' - ' /r ' + - ' -r ' - ' /k ' - suspicious2: + - ' -k ' + selection_binaries: ImagePath|contains: - - 'powershell' - - 'pwsh' - - 'wscript' - 'cscript' - 'mshta' - - 'rundll32' + - 'powershell' + - 'pwsh' - 'regsvr32' - condition: selection and all of suspicious* + - 'rundll32' + - 'wscript' + condition: all of selection_* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml b/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml index 28cdd22c2..0608b0339 100644 --- a/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml +++ b/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml @@ -7,7 +7,7 @@ references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp author: _pete_0, TheDFIRReport date: 2022/02/21 -modified: 2023/05/05 +modified: 2024/02/16 tags: - attack.discovery - attack.t1614.001 @@ -19,8 +19,11 @@ detection: ParentImage|endswith: '\cmd.exe' ParentCommandLine|contains: - ' /c ' + - ' -c ' - ' /r ' + - ' -r ' - ' /k ' + - ' -k ' Image|endswith: '\chcp.com' CommandLine|endswith: - 'chcp' diff --git a/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml b/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml index 191db3ac6..5658158fb 100644 
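Review bot: The new ` -c `, ` -r ` and ` -k ` entries in `selection_cmd_flags` inherit the trailing-space requirement of the `/` forms, so an ImagePath that glues the switch to a quoted command (`cmd -c"powershell …"`, a form cmd.exe is generally reported to accept — worth confirming) matches neither; a single `ImagePath|re: '\s[-/][crk][\s"]'` would replace the six literals and close that gap. ` -c ` is also PowerShell's `-Command` shorthand, so the flag selection now fires on a plain `powershell -c …` ImagePath with no cmd.exe involved at all — a reasonable broadening, but one a comment should record, e.g. `selection_cmd_flags: # cmd.exe accepts '-' as a switch prefix; ' -c ' also covers powershell -Command`. The commit body describes each rule as gaining the "/" option, while every hunk adds the "-" twin next to an existing "/" literal, so the message has the two inverted.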
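Review bot: Nothing in the hunk says why each `/` switch under `ParentCommandLine|contains` is now paired with a `-` twin, and a maintainer tidying the list could easily read ` -c ` as a stray duplicate of ` /c `; a one-line comment on the list, `ParentCommandLine|contains: # cmd.exe accepts '-' as well as '/' as its switch prefix`, keeps the intent with the rule. The lowercase literals are fine as written, since Sigma string matching is case-insensitive by specification, so `-C` is covered. The enclosing `selection` map begins before this hunk.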
--- a/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml @@ -6,7 +6,7 @@ references: - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 # Dead Link author: Sreeman, Nasreddine Bencherchali (Nextron Systems) date: 2020/01/13 -modified: 2023/03/06 +modified: 2024/02/17 tags: - attack.execution - attack.t1218 @@ -17,16 +17,15 @@ logsource: product: windows detection: selection: - CommandLine|contains|all: + CommandLine|contains: - ' /c ' + - ' -c ' + CommandLine|contains|all: - 'curl ' - 'http' - '-o' - '&' condition: selection -fields: - - ParentImage - - CommandLine falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml index 48471fc16..43f177cfd 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml @@ -11,7 +11,7 @@ references: - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase author: frack113 date: 2022/01/15 -modified: 2023/03/06 +modified: 2024/02/17 tags: - attack.defense_evasion - attack.t1070.004 @@ -29,8 +29,11 @@ detection: selection_flags: CommandLine|contains: - ' /f' # Force deleting of read-only files. + - ' -f' - ' /s' # Delete specified files from all subdirectories. + - ' -s' - ' /q' # Quiet mode, do not ask if ok to delete on global wildcard + - ' -q' condition: all of selection_* falsepositives: - False positives levels will differ Depending on the environment. You can use a combination of ParentImage and other keywords from the CommandLine field to filter legitimate activity 
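Review bot: Splitting the gate into `CommandLine|contains: [' /c ', ' -c ']` changes more than the switch prefix: ` -c ` is also curl's own cookie-jar option, so `curl -c jar.txt http://… -o x.exe & x.exe` now satisfies the selection with no cmd.exe involvement, and the rule has no `Image`/`ParentImage` anchor to compensate. That is arguably a useful broadening, but the rule is still framed as a cmd.exe `/c` combination; either add `OriginalFileName: 'Cmd.Exe'` (or `Image|endswith: '\cmd.exe'`) to `selection`, or document the wider scope in `description`. Note too that the `&` literal in `contains|all` is satisfied by a query-string ampersand inside the URL, so once ` -c ` matches, `curl `, `http` and `-o` are effectively the whole gate.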
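Review bot: The new ` -f`, ` -s` and ` -q` literals in `selection_flags` have no trailing space, so they are prefix matches on any dash option — ` -f` hits `-file`/`-force`, ` -s` hits `-server`/`-silent`, ` -q` hits `-quiet` — which is far broader than the `/` forms because `-` is the option prefix for almost every non-Microsoft tool; any command line that also carries the `del`/`erase` token required by the selection defined outside this hunk will then fire. Tightening to `' -f '`, `' -s '`, `' -q '` (or one `CommandLine|re: '\s-[fsq]\b'`) keeps the intent. It is also worth confirming in the PR that cmd.exe's built-in `del` honours `-f` at all — cmd.exe accepting `-c` for itself does not by itself imply its internal commands accept `-` switches — and recording the result in a comment next to the new literals.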
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml index f242d335e..8a0c4599c 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml @@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md author: frack113 date: 2021/12/13 -modified: 2023/03/07 +modified: 2024/02/17 tags: - attack.discovery - attack.t1217 @@ -14,12 +14,17 @@ logsource: category: process_creation product: windows detection: - selection: - CommandLine|contains|all: - - 'dir ' + selection_dir: + CommandLine|contains: 'dir ' + selection_cli_1: + CommandLine|contains: - ' /s' + - ' -s' + selection_cli_2: + CommandLine|contains: - ' /b' - condition: selection + - ' -b' + condition: all of selection_* falsepositives: - Unknown level: low diff --git a/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml index ce960abcb..c69cd9be9 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml @@ -6,6 +6,7 @@ references: - Internal Research author: X__Junior (Nextron Systems) date: 2023/07/18 +modified: 2024/02/26 tags: - attack.defense_evasion - attack.t1070.004 
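Review bot: ` -s` and ` -b` in the new `selection_cli_1`/`selection_cli_2` are open-ended prefixes, and with `-` being the usual option prefix outside cmd built-ins they match a large family of unrelated switches; combined with `'dir '`, which as a substring also matches `mkdir `, `rmdir `, `chdir ` and any path containing `dir `, the `low`-level rule becomes noisier than the hunk suggests. Adding the trailing space, `- ' -s '` and `- ' -b '`, keeps the two-switch AND intact while dropping those matches; if glued forms such as `-s-b` are meant to be covered, a `CommandLine|re` with a `\b` boundary is the cleaner way to express it.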
@@ -17,14 +18,18 @@ detection: selection_cmd: - Image|endswith: '\cmd.exe' - OriginalFileName: 'Cmd.Exe' - selection_cli: - CommandLine|contains: # Count - - ' -n ' - - ' /n ' + selection_action: CommandLine|contains|all: - 'ping' # Covers "ping" and "ping.exe" - 'copy ' + selection_cli_1: + CommandLine|contains: # Count + - ' -n ' + - ' /n ' + selection_cli_2: + CommandLine|contains: - ' /y ' + - ' -y ' condition: all of selection_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml b/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml index d22f3cb67..d15cb9832 100644 --- a/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml +++ b/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml @@ -6,6 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol author: frack113, Nasreddine Bencherchali (Nextron Systems) date: 2023/02/03 +modified: 2024/02/23 tags: - attack.credential_access - attack.t1003.005 @@ -16,12 +17,19 @@ detection: selection_img: - Image|endswith: '\cmdkey.exe' - OriginalFileName: 'cmdkey.exe' - selection_cli: - CommandLine|contains|all: + selection_cli_1: + CommandLine|contains: - ' /g' + - ' -g' + selection_cli_2: + CommandLine|contains: - ' /u' + - ' -u' + selection_cli_3: + CommandLine|contains: - ' /p' - condition: all of selection* + - ' -p' + condition: all of selection_* falsepositives: - Legitimate usage for administration purposes level: medium
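Review bot: `selection_cli_1` keeps the `# Count` comment that explains ` -n `/` /n `, but `selection_cli_2` gains the new ` -y ` literal with no comment at all, so a reader has to know that `/y` is copy's overwrite-without-prompt switch and that the `-` form is expected to be equivalent; mirror the existing style with `CommandLine|contains: # Suppress overwrite prompt (copy /y, also accepted as -y)`. Since `copy` is a cmd.exe built-in rather than a separate binary, it is worth stating in the PR whether `copy -y` was actually verified, as the `-` behaviour of built-ins is not documented alongside cmd.exe's own `-c`.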
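Review bot: Unlike the other rules in this PR, cmdkey.exe is a standalone binary, so whether ` -g`/` -u`/` -p` ever appear depends on cmdkey's own argument parser, not on cmd.exe accepting `-` as a switch prefix; if that was not tested, the three new literals in `selection_cli_1`–`selection_cli_3` are dead patterns, and if it was, a comment such as `# cmdkey accepts '-' as well as '/' for its switches` on `selection_cli_1` would save the next reader the same question. The missing trailing space is acceptable here, unlike in the `del`/`dir` rules, because `selection_img` pins `Image` to `\cmdkey.exe`, where ` -u`/` -p` can only be its own user/pass switches (and ` /u`/` /p` already rely on the same prefix match for `/user:`/`/pass:`).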