From 2ecf9ec7e16707513524c2f3c82fa471663cacad Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 4 Oct 2022 20:57:11 +0200
Subject: [PATCH] Updates

---
 .../file_event_win_powershell_exploit_scripts.yml | 3 ++-
 .../network_connection/net_connection_win_certutil.yml | 9 ++++-----
 ...win_lolbin_syncappvpublishingserver_execute_psh.yml | 10 ++++++----
 3 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/rules/windows/file_event/file_event_win_powershell_exploit_scripts.yml b/rules/windows/file_event/file_event_win_powershell_exploit_scripts.yml
index 0f81b25b9..73ec4a996 100755
--- a/rules/windows/file_event/file_event_win_powershell_exploit_scripts.yml
+++ b/rules/windows/file_event/file_event_win_powershell_exploit_scripts.yml
@@ -15,7 +15,7 @@ references:
 - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
 - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
 date: 2018/04/07
-modified: 2022/06/22
+modified: 2022/10/04
 logsource:
 category: file_event
 product: windows
@@ -207,6 +207,7 @@ detection:
 - '\Invoke-Zerologon.ps1'
 - '\Get-USBKeystrokes.ps1'
 - '\Start-WebcamRecorder.ps1'
+ - '\PSAsyncShell.ps1'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/network_connection/net_connection_win_certutil.yml b/rules/windows/network_connection/net_connection_win_certutil.yml
index 12d8c9b0f..e27328c5d 100644
--- a/rules/windows/network_connection/net_connection_win_certutil.yml
+++ b/rules/windows/network_connection/net_connection_win_certutil.yml
@@ -6,6 +6,7 @@ author: frack113, Florian Roth
 references:
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
 date: 2022/09/02
+modified: 2022/10/04
 tags:
 - attack.command_and_control
 - attack.t1105
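Review bot: The new `'\PSAsyncShell.ps1'` entry in the filename list arrives without a matching entry under `references:`, whereas the indicators visible in the first hunk each link to the script they cover (Invoke-ZeroLogon, Get-DXWebcamVideo). Without a reference a reader cannot tell which tool the new filename belongs to or check that the spelling matches the published script name. Add a reference line next to the others, e.g. `- <URL of the PSAsyncShell source this indicator was taken from>`. The rule's references and detection lists extend beyond these hunks, so a reference may already exist elsewhere in the file, but this commit adds none alongside the new indicator.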
@@ -13,17 +14,15 @@ logsource:
 category: network_connection
 product: windows
 detection:
- selection_certutil:
- - Image|endswith: '\certutil.exe'
- - OriginalFilename: 'CertUtil.exe'
- selection_network:
+ selection:
+ Image|endswith: '\certutil.exe'
 Initiated: 'true'
 DestinationPort:
 - 80
 - 443
 - 135
 - 445
- condition: all of selection*
+ condition: selection
 falsepositives:
 - Legitimate certutil network connection
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml b/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
index e9ec82123..6cc958976 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
@@ -6,7 +6,7 @@ related:
 status: experimental
 author: frack113
 date: 2021/07/12
-modified: 2021/09/12
+modified: 2022/10/04
 description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
@@ -18,10 +18,12 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection:
- Image|endswith: '\SyncAppvPublishingServer.exe'
+ selection_img:
+ - Image|endswith: '\SyncAppvPublishingServer.exe'
+ - OriginalFileName: 'syncappvpublishingserver.exe'
+ selection_cli:
 CommandLine|contains: '"n; '
- condition: selection
+ condition: all of selection_*
 fields:
 - ComputerName
 - User
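Review bot: Dropping the `OriginalFilename: 'CertUtil.exe'` alternative so that the rule matches only on `Image|endswith: '\certutil.exe'` is not explained anywhere in the rule or the commit, and a reader will take it as a narrowing that gives up coverage of renamed copies of certutil. Presumably it was removed because network_connection events carry no OriginalFileName field to match on (and the key was spelled `OriginalFilename`, not the Sigma field name `OriginalFileName` that the syncappvpublishingserver hunk in this same commit uses under process_creation), so the alternative could never have fired; if that is the reason, record it in the rule, e.g. `# network_connection events expose no OriginalFileName; only the image path can be matched here` above `selection:`. Otherwise a future maintainer is likely to re-add the field in the belief that the rule lost renamed-binary coverage. The rule's `description` sits outside this hunk, so a one-line note there that renamed certutil binaries are out of scope for this log source would serve the same purpose.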