From 360475d6ffb5645febd174d97249e407bbb19006 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 18 Aug 2023 15:15:26 +0200
Subject: [PATCH] fix: apply suggestions from code review

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 .../file/file_event/file_event_win_aspnet_temp_files.yml | 2 +-
 .../image_load/image_load_side_load_mfdetours_unsigned.yml | 2 +-
 .../proc_creation_win_aspnet_compiler_susp_child_process.yml | 2 +-
 .../proc_creation_win_aspnet_compiler_susp_paths.yml | 2 +-
 .../proc_creation_win_bash_command_execution.yml | 2 +-
 .../process_creation/proc_creation_win_bash_file_execution.yml | 2 +-
 .../proc_creation_win_powershell_cl_loadassembly.yml | 2 +-
 .../proc_creation_win_powershell_cl_mutexverifiers.yml | 2 +-
 .../registry/registry_set/registry_set_bginfo_custom_db.yml | 2 +-
 .../registry_set/registry_set_bginfo_custom_vbscript.yml | 2 +-
 .../registry_set/registry_set_bginfo_custom_wmi_query.yml | 2 +-
 11 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/rules/windows/file/file_event/file_event_win_aspnet_temp_files.yml b/rules/windows/file/file_event/file_event_win_aspnet_temp_files.yml
index 259b7d6a7..4862e6b4f 100644
--- a/rules/windows/file/file_event/file_event_win_aspnet_temp_files.yml
+++ b/rules/windows/file/file_event/file_event_win_aspnet_temp_files.yml
@@ -9,7 +9,7 @@ related:
 type: similar
 status: experimental
 description: |
- Detects the creation of new DLL assembly files by "aspnet_compiler.exe". Which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
+ Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml b/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml
index b9271e24b..ff085caae 100644
--- a/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml
+++ b/rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml
@@ -4,7 +4,7 @@ related:
 - id: d2605a99-2218-4894-8fd3-2afb7946514d
 type: similar
 status: experimental
-description: Detects DLL sideloading of unsigned "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
+description: Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml
index 12ccf2e41..a353c6c49 100644
--- a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml
@@ -8,7 +8,7 @@ related:
 - id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec
 type: similar
 status: experimental
-description: Detects potential suspicious child process of "aspnet_compiler.exe".
+description: Detects potentially suspicious child processes of "aspnet_compiler.exe".
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/
 - https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
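Review bot: The new description line in image_load_side_load_mfdetours_unsigned.yml still reads awkwardly: the grammatical subject of "can be abused" is the act of executing, while the thing being abused is the binary itself. Consider `description: Detects DLL sideloading of unsigned "mfdetours.dll". "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.` The value remains a plain scalar that starts with `Detects`, so no quoting change is needed. The rule's detection section is outside the hunk.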
diff --git a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml
index 8168b5e90..ad5e3d071 100644
--- a/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml
+++ b/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml
@@ -1,4 +1,4 @@
-title: Potential Suspicious ASP.NET Compilation Via AspNetCompiler
+title: Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
 id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths
 related:
 - id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild
diff --git a/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml b/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml
index 01a69f257..4231de2fa 100644
--- a/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml
@@ -1,7 +1,7 @@
 title: Indirect Inline Command Execution Via Bash.EXE
 id: 5edc2273-c26f-406c-83f3-f4d948e740dd
 status: experimental
-description: Detects execution of Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute linux or windows based binaries directly via bash
+description: Detects execution of Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Bash/
 author: frack113
diff --git a/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml b/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml
index f7df1b5f4..ee152fff4 100644
--- a/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml
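Review bot: The rewritten description in proc_creation_win_bash_command_execution.yml still lacks a definite article and a terminal period, and the bash file-execution hunk that follows has the same two issues. Suggest `description: Detects execution of the Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.` with the parallel change in the file-execution rule. Most other descriptions touched by this patch end with a period, so this keeps the set consistent.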
@@ -4,7 +4,7 @@ related:
 - id: 5edc2273-c26f-406c-83f3-f4d948e740dd
 type: similar
 status: experimental
-description: Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute linux or windows based binaries directly via bash
+description: Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Bash/
 - https://linux.die.net/man/1/bash
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml b/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml
index 4fbe8d313..7f57f1401 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml
@@ -1,7 +1,7 @@
 title: Assembly Loading Via CL_LoadAssembly.ps1
 id: c57872c7-614f-4d7f-a40d-b78c8df2d30d
 status: experimental
-description: Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. Which can be abused to load different assemblies and bypass App locker controls.
+description: Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass App locker controls.
 references:
 - https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
 - https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/
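Review bot: The new description line in proc_creation_win_powershell_cl_loadassembly.yml keeps the misspelt product name "App locker"; the Windows feature is AppLocker, and the bohops reference URL in the same hunk already spells it `applocker`. Suggest `This can be abused to load different assemblies and bypass AppLocker controls.` so that searches for the product name across the rule set also hit this rule. The rule's detection section is outside the hunk.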
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml b/rules/windows/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml
index 495e181a6..f1a55bf3f 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml
@@ -1,7 +1,7 @@
 title: Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
 id: 1e0e1a81-e79b-44bc-935b-ddb9c8006b3d
 status: experimental
-description: Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional powershell script commands
+description: Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands
 references:
 - https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/
 author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova, frack113
diff --git a/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml b/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml
index 0eedceb2f..a94e9bf5b 100644
--- a/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml
+++ b/rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml
@@ -1,7 +1,7 @@
 title: New BgInfo.EXE Custom DB Path Registry Configuration
 id: 53330955-dc52-487f-a3a2-da24dcff99b5
 status: experimental
-description: Detects setting of a new registry database value related to BgInfo configuration. Attackers can set this value to save the results of the commands executed by BgInfo in order to exfiltrate information for example.
+description: Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml b/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml
index 88d73fecf..692590c37 100644
--- a/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml
+++ b/rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml
@@ -4,7 +4,7 @@ related:
 - id: cd277474-5c52-4423-a52b-ac2d7969902f
 type: similar
 status: experimental
-description: Detects setting of a new registry value related to BgInfo configuration. Which can be abused to execute custom VBScript via "BgInfo.exe"
+description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe"
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml b/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml
index cf3403f7c..1ee4681fd 100644
--- a/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml
+++ b/rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml
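Review bot: The new description in registry_set_bginfo_custom_db.yml drops "for example" into the middle of the verb phrase without commas, which reads awkwardly. Suggest `Attackers can, for example, set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.` The value stays a plain scalar starting with `Detects`, so no quoting is affected. The detection section of the rule lies outside the hunk.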
@@ -4,7 +4,7 @@ related:
 - id: 992dd79f-dde8-4bb0-9085-6350ba97cfb3
 type: similar
 status: experimental
-description: Detects setting of a new registry value related to BgInfo configuration. Which can be abused to execute custom WMI query via "BgInfo.exe"
+description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
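Review bot: The new description in registry_set_bginfo_custom_wmi_query.yml is missing an article and a terminal period: `execute custom WMI query` should read `execute a custom WMI query`. Suggest `description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute a custom WMI query via "BgInfo.exe".` The sibling VBScript rule in the preceding hunk also ends without a period and could be normalized in the same pass. The rule's detection section is outside the hunk.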