Rule Update

rules/windows/file_event/file_event_win_ripzip_attack.yml

@@ -6,6 +6,7 @@ references:
     - https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19
 author: Greg (rule)
 date: 2022/07/21
+modified: 2022/07/25
 tags:
     - attack.t1547
     - attack.persistence
@@ -13,11 +14,10 @@ logsource:
     category: file_event
     product: windows
 detection:
-    selection1: # %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\target.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}\target.lnk
+    selection: # %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\target.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}\target.lnk
         TargetFileName|contains|all:
             - '\Microsoft\Windows\Start Menu\Programs\Startup'
             - '.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}'
-    selection2:
         Image|endswith: '\explorer.exe'
-    condition: all of selection*
+    condition: selection
 level: high

rules/windows/process_creation/proc_creation_win_lolbin_winword.yml

@@ -1,12 +1,19 @@
 title: Winword LOLBIN Usage
 id: 4ae3e30b-b03f-43aa-87e3-b622f4048eed
+related:
+    - id: 2621b3a6-3840-4810-ac14-a02426086171
+      type: obsoletes
+related:
 status: experimental
-description: Winword can be abused as a LOLBIN to download arbitary file or load arbitary DLLs
-author: Nasreddine Bencherchali
+description: |
+    Detects Winword process loading custmom dlls via the '/l' switch.
+    Winword can be abused as a LOLBIN to download arbitary file or load arbitary DLLs.
+author: Nasreddine Bencherchali, Victor Sergeev, oscd.community
 references:
     - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/
     - https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py
 date: 2022/05/17
+modified: 2022/07/25
 logsource:
     category: process_creation
     product: windows
@@ -14,15 +21,16 @@ detection:
     selection_img:
         - Image|endswith: '\WINWORD.exe'
         - OriginalFileName: 'WinWord.exe'
-    selection_cli_http:
-        CommandLine|contains:
-            - 'http://'
-            - 'https://'
-    selection_cli_dll:
+    selection_susp:
         CommandLine|contains:
             - '/l '
             - '.dll'
-    condition: selection_img and 1 of selection_cli*
+            - 'http://'
+            - 'https://'
+    condition: all of selection_*
 falsepositives:
     - Unknown
 level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1202

rules/windows/process_creation/proc_creation_win_winword_dll_load.yml

@@ -1,25 +0,0 @@
-title: Winword.exe Loads Suspicious DLL
-id: 2621b3a6-3840-4810-ac14-a02426086171
-status: test
-description: Detects Winword.exe loading of custmom dll via /l cmd switch
-author: Victor Sergeev, oscd.community
-references:
-    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/
-date: 2020/10/09
-modified: 2022/07/11
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        Image|endswith: '\winword.exe'
-        CommandLine|contains: '/l'
-    condition: selection
-fields:
-    - CommandLine
-falsepositives:
-    - Unknown
-level: medium
-tags:
-    - attack.defense_evasion
-    - attack.t1202