diff --git a/rules/apt/apt_chafer_mar18.yml b/rules/apt/apt_chafer_mar18.yml index 635d0678c..1ca41150a 100755 --- a/rules/apt/apt_chafer_mar18.yml +++ b/rules/apt/apt_chafer_mar18.yml @@ -48,8 +48,8 @@ detection: - 'C:\wsc.exe*' selection_process2: EventID: 1 - Image: '*\Windows\Temp\DB\*.exe' + Image: '*\Windows\Temp\DB\\*.exe' selection_process3: EventID: 1 CommandLine: '*\nslookup.exe -q=TXT*' - ParentImage: '*\Autoit*' \ No newline at end of file + ParentImage: '*\Autoit*' diff --git a/rules/apt/apt_sofacy.yml b/rules/apt/apt_sofacy.yml index 443b7ae65..10758cb4c 100755 --- a/rules/apt/apt_sofacy.yml +++ b/rules/apt/apt_sofacy.yml @@ -25,8 +25,8 @@ detection: selection: EventID: 1 CommandLine: - - 'rundll32.exe %APPDATA%\*.dat",*' - - 'rundll32.exe %APPDATA%\*.dll",#1' + - 'rundll32.exe %APPDATA%\\*.dat",*' + - 'rundll32.exe %APPDATA%\\*.dll",#1' --- logsource: product: windows @@ -36,5 +36,5 @@ detection: selection: EventID: 4688 ProcessCommandLine: - - 'rundll32.exe %APPDATA%\*.dat",*' - - 'rundll32.exe %APPDATA%\*.dll",#1' \ No newline at end of file + - 'rundll32.exe %APPDATA%\\*.dat",*' + - 'rundll32.exe %APPDATA%\\*.dll",#1' diff --git a/rules/apt/apt_turla_commands.yml b/rules/apt/apt_turla_commands.yml index 7384ab160..3c4b68280 100755 --- a/rules/apt/apt_turla_commands.yml +++ b/rules/apt/apt_turla_commands.yml @@ -21,8 +21,8 @@ detection: EventID: 1 CommandLine: - 'net use \\%DomainController%\C$ "P@ssw0rd" *' - - 'dir c:\*.doc* /s' - - 'dir %TEMP%\*.exe' + - 'dir c:\\*.doc* /s' + - 'dir %TEMP%\\*.exe' condition: selection level: critical --- diff --git a/rules/windows/builtin/win_net_ntlm_downgrade.yml b/rules/windows/builtin/win_net_ntlm_downgrade.yml index 1742289d7..2eea5b614 100644 --- a/rules/windows/builtin/win_net_ntlm_downgrade.yml +++ b/rules/windows/builtin/win_net_ntlm_downgrade.yml 
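Review bot: The first entry of the Turla CommandLine list, `'net use \\%DomainController%\C$ "P@ssw0rd" *'`, keeps `%DomainController%` verbatim, which reads like a placeholder copied from the write-up rather than text that would appear in a real command line; if so, this entry can never fire and only the two `dir` entries the commit re-escapes do any work. A wildcard in its place, `- 'net use \\\\*\C$ "P@ssw0rd" *'`, would match any host. Note the four backslashes: under Sigma's escaping rules as I read them a `\\` not followed by a wildcard collapses to a single literal backslash, so the existing `\\%` would match one leading backslash rather than the two of a UNC path — worth confirming against the backend in use. The `selection` this list belongs to starts above the hunk.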
@@ -22,9 +22,9 @@ detection: selection1: EventID: 13 TargetObject: - - '*SYSTEM\*ControlSet*\Control\Lsa\lmcompatibilitylevel' - - '*SYSTEM\*ControlSet*\Control\Lsa\NtlmMinClientSec' - - '*SYSTEM\*ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic' + - '*SYSTEM\\*ControlSet*\Control\Lsa\lmcompatibilitylevel' + - '*SYSTEM\\*ControlSet*\Control\Lsa\NtlmMinClientSec' + - '*SYSTEM\\*ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic' --- # Windows Security Eventlog: Process Creation with Full Command Line logsource: @@ -34,7 +34,7 @@ logsource: detection: selection2: EventID: 4657 - ObjectName: '\REGISTRY\MACHINE\SYSTEM\*ControlSet*\Control\Lsa' + ObjectName: '\REGISTRY\MACHINE\SYSTEM\\*ControlSet*\Control\Lsa' ObjectValueName: - 'LmCompatibilityLevel' - 'NtlmMinClientSec' diff --git a/rules/windows/builtin/win_plugx_susp_exe_locations.yml b/rules/windows/builtin/win_plugx_susp_exe_locations.yml index b2520542e..847eb7663 100644 --- a/rules/windows/builtin/win_plugx_susp_exe_locations.yml +++ b/rules/windows/builtin/win_plugx_susp_exe_locations.yml @@ -19,7 +19,7 @@ detection: CommandLine: '*\CamMute.exe' filter_cammute: EventID: 4688 - CommandLine: '*\Lenovo\Communication Utility\*' + CommandLine: '*\Lenovo\Communication Utility\\*' # Chrome Frame Helper selection_chrome_frame: @@ -27,7 +27,7 @@ detection: CommandLine: '*\chrome_frame_helper.exe' filter_chrome_frame: EventID: 4688 - CommandLine: '*\Google\Chrome\application\*' + CommandLine: '*\Google\Chrome\application\\*' # Microsoft Device Emulator selection_devemu: @@ -35,7 +35,7 @@ detection: CommandLine: '*\dvcemumanager.exe' filter_devemu: EventID: 4688 - CommandLine: '*\Microsoft Device Emulator\*' + CommandLine: '*\Microsoft Device Emulator\\*' # Windows Media Player Gadget selection_gadget: @@ -43,7 +43,7 @@ detection: CommandLine: '*\Gadget.exe' filter_gadget: EventID: 4688 - CommandLine: '*\Windows Media Player\*' + CommandLine: '*\Windows Media Player\\*' # HTML Help Workshop selection_hcc: 
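Review bot: The context comment `# Windows Security Eventlog: Process Creation with Full Command Line` that introduces the second document in this hunk does not describe what follows: the next hunk shows `EventID: 4657` with `ObjectName`/`ObjectValueName`, i.e. a registry value modification audit, not process creation. It looks copied from a process-creation rule; `# Windows Security Eventlog: Registry Value Modification (Event 4657)` would describe the document. The escaping change itself looks right — `SYSTEM\\*ControlSet*` now reads as a literal backslash followed by a wildcard, which is what both `CurrentControlSet` and `ControlSet001` need.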
@@ -51,7 +51,7 @@ detection: CommandLine: '*\hcc.exe' filter_hcc: EventID: 4688 - CommandLine: '*\HTML Help Workshop\*' + CommandLine: '*\HTML Help Workshop\\*' # Hotkey Command Module for Intel Graphics Contollers selection_hkcmd: @@ -60,9 +60,9 @@ detection: filter_hkcmd: EventID: 4688 CommandLine: - - '*\System32\*' - - '*\SysNative\*' - - '*\SysWowo64\*' + - '*\System32\\*' + - '*\SysNative\\*' + - '*\SysWowo64\\*' # McAfee component selection_mc: @@ -82,9 +82,9 @@ detection: filter_msmpeng: EventID: 4688 CommandLine: - - '*\Microsoft Security Client\*' - - '*\Windows Defender\*' - - '*\AntiMalware\*' + - '*\Microsoft Security Client\\*' + - '*\Windows Defender\\*' + - '*\AntiMalware\\*' # Microsoft Security Center selection_msseces: @@ -92,7 +92,7 @@ detection: CommandLine: '*\msseces.exe' filter_msseces: EventID: 4688 - CommandLine: '*\Microsoft Security Center\*' + CommandLine: '*\Microsoft Security Center\\*' # Microsoft Office 2003 OInfo selection_oinfo: @@ -100,7 +100,7 @@ detection: CommandLine: '*\OInfoP11.exe' filter_oinfo: EventID: 4688 - CommandLine: '*\Common Files\Microsoft Shared\*' + CommandLine: '*\Common Files\Microsoft Shared\\*' # OLE View selection_oleview: @@ -112,7 +112,7 @@ detection: - '*\Microsoft Visual Studio*' - '*\Microsoft SDK*' - '*\Windows Kit*' - - '*\Windows Resource Kit\*' + - '*\Windows Resource Kit\\*' # RC selection_rc: @@ -124,8 +124,8 @@ detection: - '*\Microsoft Visual Studio*' - '*\Microsoft SDK*' - '*\Windows Kit*' - - '*\Windows Resource Kit\*' - - '*\Microsoft.NET\*' + - '*\Windows Resource Kit\\*' + - '*\Microsoft.NET\\*' condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or diff --git a/rules/windows/builtin/win_susp_powershell_enc_cmd.yml b/rules/windows/builtin/win_susp_powershell_enc_cmd.yml index 1a6b9d7f0..38e7c9657 100644 --- a/rules/windows/builtin/win_susp_powershell_enc_cmd.yml +++ b/rules/windows/builtin/win_susp_powershell_enc_cmd.yml 
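Review bot: The third entry of `filter_hkcmd`, `'*\SysWowo64\\*'`, carries a typo (`SysWowo64`) that the escaping fix preserves, so a legitimate 32-bit `hkcmd.exe` under `SysWOW64` is never excluded and every such start alerts. sysmon_system_exe_anomaly.yml elsewhere in this diff spells the same filter `'*\SysWow64\\*'`; this line should become `- '*\SysWOW64\\*'`. Sigma string matching is case-insensitive as far as I know, so only the stray `o` matters. The `selection_hkcmd` this filter is subtracted from sits above the hunk.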
@@ -16,7 +16,7 @@ detection: - '* -encodedcommand JAB*' # Google Rapid Response falsepositive1: - Image: '*\GRR\*' + Image: '*\GRR\\*' # PowerSponse deployments falsepositive2: CommandLine: '* -ExecutionPolicy remotesigned *' diff --git a/rules/windows/builtin/win_susp_process_creations.yml b/rules/windows/builtin/win_susp_process_creations.yml index 10512e5ca..dc0483671 100644 --- a/rules/windows/builtin/win_susp_process_creations.yml +++ b/rules/windows/builtin/win_susp_process_creations.yml @@ -33,8 +33,8 @@ detection: - 'vssadmin.exe delete shadows*' - 'vssadmin delete shadows*' - 'vssadmin create shadow /for=C:*' - - 'copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit*' - - 'copy \\?\GLOBALROOT\Device\*\config\SAM*' + - 'copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit*' + - 'copy \\?\GLOBALROOT\Device\\*\config\SAM*' - 'reg SAVE HKLM\SYSTEM *' - '* sekurlsa:*' - 'net localgroup adminstrators * /add' @@ -42,12 +42,12 @@ detection: - 'certutil.exe *-urlcache* http*' - 'certutil.exe *-urlcache* ftp*' # Malware - - 'netsh advfirewall firewall *\AppData\*' - - 'attrib +S +H +R *\AppData\*' - - 'schtasks* /create *\AppData\*' + - 'netsh advfirewall firewall *\AppData\\*' + - 'attrib +S +H +R *\AppData\\*' + - 'schtasks* /create *\AppData\\*' - 'schtasks* /sc minute*' - - '*\Regasm.exe *\AppData\*' - - '*\Regasm *\AppData\*' + - '*\Regasm.exe *\AppData\\*' + - '*\Regasm *\AppData\\*' - '*\bitsadmin* /transfer*' - '*\certutil.exe * -decode *' - '*\certutil.exe * -decodehex *' @@ -90,8 +90,8 @@ detection: - 'vssadmin.exe delete shadows*' - 'vssadmin delete shadows*' - 'vssadmin create shadow /for=C:*' - - 'copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit*' - - 'copy \\?\GLOBALROOT\Device\*\config\SAM*' + - 'copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit*' + - 'copy \\?\GLOBALROOT\Device\\*\config\SAM*' - 'reg SAVE HKLM\SYSTEM *' - '* sekurlsa:*' - 'net localgroup adminstrators * /add' 
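Review bot: Two entries near the end of the `@@ -33` hunk still cannot match what they describe. The context line `'net localgroup adminstrators * /add'` misspells `administrators`, so the local-admin-add pattern only fires on an attacker who makes the same typo; it should read `- 'net localgroup administrators * /add'`. In the two re-escaped `copy \\?\GLOBALROOT\Device\\*` lines, the leading `\\?` is — under Sigma escaping as I read it — an escaped backslash followed by the single-character wildcard `?`, i.e. one backslash plus any one character, which does not match the literal `\\?\GLOBALROOT` prefix; spelling it literally would be `'copy \\\\\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit*'`, but please confirm against the backend in use. The same three lines recur in the second (Event 4688) document of this file at the `@@ -90` hunk.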
@@ -99,12 +99,12 @@ detection: - 'certutil.exe *-urlcache* http*' - 'certutil.exe *-urlcache* ftp*' # Malware - - 'netsh advfirewall firewall *\AppData\*' - - 'attrib +S +H +R *\AppData\*' - - 'schtasks* /create *\AppData\*' + - 'netsh advfirewall firewall *\AppData\\*' + - 'attrib +S +H +R *\AppData\\*' + - 'schtasks* /create *\AppData\\*' - 'schtasks* /sc minute*' - - '*\Regasm.exe *\AppData\*' - - '*\Regasm *\AppData\*' + - '*\Regasm.exe *\AppData\\*' + - '*\Regasm *\AppData\\*' - '*\bitsadmin* /transfer*' - '*\certutil.exe * -decode *' - '*\certutil.exe * -decodehex *' @@ -133,4 +133,4 @@ detection: # AddInProcess - '*AddInProcess*' # NotPowershell (nps) attack - # - '*msbuild*' # too many false positives \ No newline at end of file + # - '*msbuild*' # too many false positives diff --git a/rules/windows/builtin/win_susp_ps_appdata.yml b/rules/windows/builtin/win_susp_ps_appdata.yml index c7f1354e0..ef8200a82 100644 --- a/rules/windows/builtin/win_susp_ps_appdata.yml +++ b/rules/windows/builtin/win_susp_ps_appdata.yml @@ -24,8 +24,8 @@ detection: selection: EventID: 1 CommandLine: - - '* /c powershell*\AppData\Local\*' - - '* /c powershell*\AppData\Roaming\*' + - '* /c powershell*\AppData\Local\\*' + - '* /c powershell*\AppData\Roaming\\*' --- logsource: product: windows @@ -35,5 +35,5 @@ detection: selection: EventID: 4688 ProcessCommandLine: - - '* /c powershell*\AppData\Local\*' - - '* /c powershell*\AppData\Roaming\*' \ No newline at end of file + - '* /c powershell*\AppData\Local\\*' + - '* /c powershell*\AppData\Roaming\\*' diff --git a/rules/windows/builtin/win_susp_run_locations.yml b/rules/windows/builtin/win_susp_run_locations.yml index 11a26b524..8426baa32 100644 --- a/rules/windows/builtin/win_susp_run_locations.yml +++ b/rules/windows/builtin/win_susp_run_locations.yml 
@@ -11,10 +11,10 @@ tags: detection: selection: CommandLine: - - "*:\\RECYCLER\\*" - - "*:\\SystemVolumeInformation\\*" - - "%windir%\\Tasks\\*" - - "%systemroot%\\debug\\*" + - '*:\RECYCLER\\*' + - '*:\SystemVolumeInformation\\*' + - '%windir%\Tasks\\*' + - '%systemroot%\debug\\*' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment diff --git a/rules/windows/builtin/win_susp_sysprep_appdata.yml b/rules/windows/builtin/win_susp_sysprep_appdata.yml index 236c690b6..76b238856 100644 --- a/rules/windows/builtin/win_susp_sysprep_appdata.yml +++ b/rules/windows/builtin/win_susp_sysprep_appdata.yml @@ -22,8 +22,8 @@ detection: selection: EventID: 1 CommandLine: - - '*\sysprep.exe *\AppData\*' - - 'sysprep.exe *\AppData\*' + - '*\sysprep.exe *\AppData\\*' + - 'sysprep.exe *\AppData\\*' --- logsource: product: windows @@ -33,5 +33,5 @@ detection: selection: EventID: 4688 ProcessCommandLine: - - '*\sysprep.exe *\AppData\*' - - 'sysprep.exe *\AppData\*' + - '*\sysprep.exe *\AppData\\*' + - 'sysprep.exe *\AppData\\*' diff --git a/rules/windows/builtin/win_susp_sysvol_access.yml b/rules/windows/builtin/win_susp_sysvol_access.yml index f79a58cd3..f3b128ddf 100644 --- a/rules/windows/builtin/win_susp_sysvol_access.yml +++ b/rules/windows/builtin/win_susp_sysvol_access.yml @@ -24,7 +24,7 @@ logsource: detection: selection: EventID: 1 - CommandLine: '*\SYSVOL\*\policies\*' + CommandLine: '*\SYSVOL\\*\policies\\*' --- logsource: product: windows @@ -33,4 +33,4 @@ logsource: detection: selection: EventID: 4688 - ProcessCommandLine: '*\SYSVOL\*\policies\*' + ProcessCommandLine: '*\SYSVOL\\*\policies\\*' diff --git a/rules/windows/malware/av_relevant_files.yml b/rules/windows/malware/av_relevant_files.yml index b183b4b20..a0249867a 100644 --- a/rules/windows/malware/av_relevant_files.yml +++ b/rules/windows/malware/av_relevant_files.yml 
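Review bot: The last two entries, `'%windir%\Tasks\\*'` and `'%systemroot%\debug\\*'`, are anchored at an environment variable with no leading `*`, and nothing in the rule expands it; unless the process was launched with the unexpanded variable in its command line, the recorded CommandLine holds the expanded `C:\Windows\...` path preceded by the program name, so these two entries never match. `- '*\Windows\Tasks\\*'` and `- '*\Windows\debug\\*'` would cover both forms. The switch from double to single quotes is the right call: in the double-quoted form YAML had already reduced `\\*` to `\*`, which Sigma reads as a literal asterisk. The `logsource` this selection belongs to is above the hunk.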
@@ -9,12 +9,12 @@ logsource: detection: selection: FileName: - - 'C:\Windows\Temp\*' - - 'C:\Temp\*' - - '*\\Client\*' - - 'C:\PerfLogs\*' - - 'C:\Users\Public\*' - - 'C:\Users\Default\*' + - 'C:\Windows\Temp\\*' + - 'C:\Temp\\*' + - '*\\Client\\*' + - 'C:\PerfLogs\\*' + - 'C:\Users\Public\\*' + - 'C:\Users\Default\\*' - '*.ps1' - '*.vbs' - '*.bat' diff --git a/rules/windows/malware/sysmon_malware_dridex.yml b/rules/windows/malware/sysmon_malware_dridex.yml index 9f351c5e7..f7388e994 100644 --- a/rules/windows/malware/sysmon_malware_dridex.yml +++ b/rules/windows/malware/sysmon_malware_dridex.yml @@ -22,7 +22,7 @@ logsource: detection: selection1: EventID: 1 - CommandLine: '*\svchost.exe C:\Users\*\Desktop\*' + CommandLine: '*\svchost.exe C:\Users\\*\Desktop\\*' selection2: EventID: 1 ParentImage: '*\svchost.exe*' @@ -37,4 +37,4 @@ logsource: detection: selection: EventID: 4688 - ProcessCommandLine: '*\svchost.exe C:\Users\*\Desktop\*' \ No newline at end of file + ProcessCommandLine: '*\svchost.exe C:\Users\\*\Desktop\\*' diff --git a/rules/windows/malware/sysmon_malware_notpetya.yml b/rules/windows/malware/sysmon_malware_notpetya.yml index b6d8e50d0..aa7a816e9 100644 --- a/rules/windows/malware/sysmon_malware_notpetya.yml +++ b/rules/windows/malware/sysmon_malware_notpetya.yml @@ -22,7 +22,7 @@ detection: CommandLine: '* deletejournal *' pipe_com: EventID: 1 - CommandLine: '*\AppData\Local\Temp\* \\.\pipe\*' + CommandLine: '*\AppData\Local\Temp\* \\.\pipe\\*' event_clean: EventID: 1 Image: '*\wevtutil.exe' diff --git a/rules/windows/malware/win_mal_adwind.yml b/rules/windows/malware/win_mal_adwind.yml index e75b3094b..20a5ea749 100644 --- a/rules/windows/malware/win_mal_adwind.yml +++ b/rules/windows/malware/win_mal_adwind.yml @@ -53,4 +53,4 @@ detection: selection: EventID: 13 TargetObject: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*' - Details: '%AppData%\Roaming\Oracle\bin\*' + Details: '%AppData%\Roaming\Oracle\bin\\*' 
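Review bot: The re-escaped `pipe_com` line `'*\AppData\Local\Temp\* \\.\pipe\\*'` still has `\Temp\*` with a single backslash before the wildcard, which is exactly the `\*` form this commit removes everywhere else, so the pattern would match a literal `\Temp\*` rather than any file under Temp; it should read `CommandLine: '*\AppData\Local\Temp\\* \\.\pipe\\*'`. Separately, `\\.\pipe` collapses to a single backslash before `.` under Sigma's escaping rules as I understand them, so a literal `\\.\pipe` prefix would need `\\\\.\pipe`; please confirm against the backend. `pipe_com` is one of several selections in a `detection` block that starts above the hunk.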
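Review bot: The re-escaped `Details` value `'%AppData%\Roaming\Oracle\bin\\*'` is anchored at an unexpanded environment variable with no leading `*`, and `%AppData%` already resolves to `...\AppData\Roaming`, so `%AppData%\Roaming\Oracle` reads like a placeholder from a write-up rather than a literal Run-key value. If the key holds an expanded path such as `C:\Users\x\AppData\Roaming\Oracle\bin\javaw.exe`, Sysmon Event 13 `Details` carries that string and this rule never fires. `Details: '*\AppData\Roaming\Oracle\bin\\*'` matches both an expanded path and a literal-variable value. The `detection` block starts above the hunk.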
diff --git a/rules/windows/sysmon/sysmon_attrib_hiding_files.yml b/rules/windows/sysmon/sysmon_attrib_hiding_files.yml index 8bba17482..1a9c8274e 100644 --- a/rules/windows/sysmon/sysmon_attrib_hiding_files.yml +++ b/rules/windows/sysmon/sysmon_attrib_hiding_files.yml @@ -14,7 +14,7 @@ detection: CommandLine: '*\desktop.ini *' intel: ParentImage: '*\cmd.exe' - CommandLine: '+R +H +S +A \*.cui' + CommandLine: '+R +H +S +A \\*.cui' ParentCommandLine: 'C:\WINDOWS\system32\\*.bat' condition: selection and not (ini or intel) fields: diff --git a/rules/windows/sysmon/sysmon_cactustorch.yml b/rules/windows/sysmon/sysmon_cactustorch.yml index f74754e6f..b972de848 100644 --- a/rules/windows/sysmon/sysmon_cactustorch.yml +++ b/rules/windows/sysmon/sysmon_cactustorch.yml @@ -17,7 +17,7 @@ detection: - '*\System32\mshta.exe' - '*\winword.exe' - '*\excel.exe' - TargetImage: '*\SysWOW64\*' + TargetImage: '*\SysWOW64\\*' StartModule: null condition: selection tags: diff --git a/rules/windows/sysmon/sysmon_malware_script_dropper.yml b/rules/windows/sysmon/sysmon_malware_script_dropper.yml index 95b29fd80..b08eabd72 100644 --- a/rules/windows/sysmon/sysmon_malware_script_dropper.yml +++ b/rules/windows/sysmon/sysmon_malware_script_dropper.yml @@ -12,16 +12,16 @@ detection: - '*\wscript.exe' - '*\cscript.exe' CommandLine: - - '* C:\Users\*.jse *' - - '* C:\Users\*.vbe *' - - '* C:\Users\*.js *' - - '* C:\Users\*.vba *' - - '* C:\Users\*.vbs *' - - '* C:\ProgramData\*.jse *' - - '* C:\ProgramData\*.vbe *' - - '* C:\ProgramData\*.js *' - - '* C:\ProgramData\*.vba *' - - '* C:\ProgramData\*.vbs *' + - '* C:\Users\\*.jse *' + - '* C:\Users\\*.vbe *' + - '* C:\Users\\*.js *' + - '* C:\Users\\*.vba *' + - '* C:\Users\\*.vbs *' + - '* C:\ProgramData\\*.jse *' + - '* C:\ProgramData\\*.vbe *' + - '* C:\ProgramData\\*.js *' + - '* C:\ProgramData\\*.vba *' + - '* C:\ProgramData\\*.vbs *' falsepositive: ParentImage: '*\winzip*' condition: selection 
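Review bot: The re-escaped `intel` filter line `CommandLine: '+R +H +S +A \\*.cui'` has no leading `*`, so it only matches a command line that begins with `+R`; Sysmon's CommandLine begins with the program name (`attrib ...`), so if that is the field in use this filter never matches, the Intel `.cui` case is not excluded, and `not (ini or intel)` keeps alerting on it. `CommandLine: '* +R +H +S +A \\*.cui'` would line it up with the `ParentImage: '*\cmd.exe'` and `ParentCommandLine: 'C:\WINDOWS\system32\\*.bat'` anchors on the neighbouring lines. The `selection` this filter is subtracted from starts above the hunk.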
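Review bot: Every re-escaped CommandLine entry in the script-dropper list ends in `<ext> *`, so a script passed as the final argument — `wscript.exe C:\Users\x\run.vbs` with nothing after it — is not matched because no trailing space satisfies the pattern, and a quoted path (`"C:\Users\x\run.vbs"`) is missed for the same reason. If the trailing space is there to pin the extension, companion entries such as `- '* C:\Users\\*.vbs'` and `- '* C:\Users\\*.vbs"'` (one pair per extension) close the gap at the cost of a longer list. The `Image` list of this `selection` begins above the hunk.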
diff --git a/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml b/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml index 42ba71450..0bf65b856 100644 --- a/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml +++ b/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml @@ -17,7 +17,7 @@ detection: combination1: CallTrace: '*|UNKNOWN(*VBE7.DLL*' combination2: - SourceImage: '*\Microsoft Office\*' + SourceImage: '*\Microsoft Office\\*' CallTrace: '*|UNKNOWN*' condition: selection and 1 of combination* falsepositives: diff --git a/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml b/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml index 59f5821a2..6a2416dc8 100644 --- a/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml +++ b/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml @@ -17,7 +17,7 @@ detection: Image: '*\CamMute.exe' filter_cammute: EventID: 1 - Image: '*\Lenovo\Communication Utility\*' + Image: '*\Lenovo\Communication Utility\\*' # Chrome Frame Helper selection_chrome_frame: @@ -25,7 +25,7 @@ detection: Image: '*\chrome_frame_helper.exe' filter_chrome_frame: EventID: 1 - Image: '*\Google\Chrome\application\*' + Image: '*\Google\Chrome\application\\*' # Microsoft Device Emulator selection_devemu: @@ -33,7 +33,7 @@ detection: Image: '*\dvcemumanager.exe' filter_devemu: EventID: 1 - Image: '*\Microsoft Device Emulator\*' + Image: '*\Microsoft Device Emulator\\*' # Windows Media Player Gadget selection_gadget: @@ -41,7 +41,7 @@ detection: Image: '*\Gadget.exe' filter_gadget: EventID: 1 - Image: '*\Windows Media Player\*' + Image: '*\Windows Media Player\\*' # HTML Help Workshop selection_hcc: @@ -49,7 +49,7 @@ detection: Image: '*\hcc.exe' filter_hcc: EventID: 1 - Image: '*\HTML Help Workshop\*' + Image: '*\HTML Help Workshop\\*' # Hotkey Command Module for Intel Graphics Contollers selection_hkcmd: 
@@ -58,9 +58,9 @@ detection: filter_hkcmd: EventID: 1 Image: - - '*\System32\*' - - '*\SysNative\*' - - '*\SysWowo64\*' + - '*\System32\\*' + - '*\SysNative\\*' + - '*\SysWowo64\\*' # McAfee component selection_mc: @@ -80,9 +80,9 @@ detection: filter_msmpeng: EventID: 1 Image: - - '*\Microsoft Security Client\*' - - '*\Windows Defender\*' - - '*\AntiMalware\*' + - '*\Microsoft Security Client\\*' + - '*\Windows Defender\\*' + - '*\AntiMalware\\*' # Microsoft Security Center selection_msseces: @@ -90,7 +90,7 @@ detection: Image: '*\msseces.exe' filter_msseces: EventID: 1 - Image: '*\Microsoft Security Center\*' + Image: '*\Microsoft Security Center\\*' # Microsoft Office 2003 OInfo selection_oinfo: @@ -98,7 +98,7 @@ detection: Image: '*\OInfoP11.exe' filter_oinfo: EventID: 1 - Image: '*\Common Files\Microsoft Shared\*' + Image: '*\Common Files\Microsoft Shared\\*' # OLE View selection_oleview: @@ -110,7 +110,7 @@ detection: - '*\Microsoft Visual Studio*' - '*\Microsoft SDK*' - '*\Windows Kit*' - - '*\Windows Resource Kit\*' + - '*\Windows Resource Kit\\*' # RC selection_rc: @@ -122,8 +122,8 @@ detection: - '*\Microsoft Visual Studio*' - '*\Microsoft SDK*' - '*\Windows Kit*' - - '*\Windows Resource Kit\*' - - '*\Microsoft.NET\*' + - '*\Windows Resource Kit\\*' + - '*\Microsoft.NET\\*' condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or diff --git a/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml b/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml index cea5c5ba8..c822885f0 100644 --- a/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml +++ b/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml @@ -17,7 +17,7 @@ detection: Image: - '*\sdbinst.exe' CommandLine: - - '*\AppPatch\*}.sdb*' + - '*\AppPatch\\*}.sdb*' condition: selection falsepositives: - Unknown 
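Review bot: The third `Image` entry of `filter_hkcmd`, `'*\SysWowo64\\*'`, has the same `SysWowo64` typo as the Event 4688 variant of this rule, so the legitimate 32-bit `hkcmd.exe` under `SysWOW64` is never excluded and every such start alerts. The corresponding filter in sysmon_system_exe_anomaly.yml in this diff spells it `'*\SysWow64\\*'`; this line should become `- '*\SysWOW64\\*'`. The `selection_hkcmd` this filter pairs with sits above the hunk.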
diff --git a/rules/windows/sysmon/sysmon_susp_driver_load.yml b/rules/windows/sysmon/sysmon_susp_driver_load.yml index 1bd365f63..1caa95270 100644 --- a/rules/windows/sysmon/sysmon_susp_driver_load.yml +++ b/rules/windows/sysmon/sysmon_susp_driver_load.yml @@ -7,7 +7,7 @@ logsource: detection: selection: EventID: 6 - ImageLoaded: '*\Temp\*' + ImageLoaded: '*\Temp\\*' condition: selection falsepositives: - there is a relevant set of false positives depending on applications in the environment diff --git a/rules/windows/sysmon/sysmon_susp_exec_folder.yml b/rules/windows/sysmon/sysmon_susp_exec_folder.yml index 02a9eb35e..bd57cb816 100644 --- a/rules/windows/sysmon/sysmon_susp_exec_folder.yml +++ b/rules/windows/sysmon/sysmon_susp_exec_folder.yml @@ -13,21 +13,21 @@ detection: selection: EventID: 1 Image: - - 'C:\PerfLogs\*' - - 'C:\$Recycle.bin\*' - - 'C:\Intel\Logs\*' - - 'C:\Users\Default\*' - - 'C:\Users\Public\*' - - 'C:\Users\NetworkService\*' - - 'C:\Windows\Fonts\*' - - 'C:\Windows\Debug\*' - - 'C:\Windows\Media\*' - - 'C:\Windows\Help\*' - - 'C:\Windows\addins\*' - - 'C:\Windows\repair\*' - - 'C:\Windows\security\*' - - '*\RSA\MachineKeys\*' - - 'C:\Windows\system32\config\systemprofile\*' + - 'C:\PerfLogs\\*' + - 'C:\$Recycle.bin\\*' + - 'C:\Intel\Logs\\*' + - 'C:\Users\Default\\*' + - 'C:\Users\Public\\*' + - 'C:\Users\NetworkService\\*' + - 'C:\Windows\Fonts\\*' + - 'C:\Windows\Debug\\*' + - 'C:\Windows\Media\\*' + - 'C:\Windows\Help\\*' + - 'C:\Windows\addins\\*' + - 'C:\Windows\repair\\*' + - 'C:\Windows\security\\*' + - '*\RSA\MachineKeys\\*' + - 'C:\Windows\system32\config\systemprofile\\*' condition: selection falsepositives: - Unknown diff --git a/rules/windows/sysmon/sysmon_susp_execution_path.yml b/rules/windows/sysmon/sysmon_susp_execution_path.yml index d1f06b220..82d22d4d6 100644 --- a/rules/windows/sysmon/sysmon_susp_execution_path.yml +++ b/rules/windows/sysmon/sysmon_susp_execution_path.yml 
@@ -10,14 +10,14 @@ detection: EventID: 1 Image: - '*\$Recycle.bin' - - '*\Users\All Users\*' - - '*\Users\Default\*' - - '*\Users\Public\*' - - 'C:\Perflogs\*' - - '*\config\systemprofile\*' - - '*\Windows\Fonts\*' - - '*\Windows\IME\*' - - '*\Windows\addins\*' + - '*\Users\All Users\\*' + - '*\Users\Default\\*' + - '*\Users\Public\\*' + - 'C:\Perflogs\\*' + - '*\config\systemprofile\\*' + - '*\Windows\Fonts\\*' + - '*\Windows\IME\\*' + - '*\Windows\addins\\*' condition: selection fields: - CommandLine diff --git a/rules/windows/sysmon/sysmon_susp_execution_path_webserver.yml b/rules/windows/sysmon/sysmon_susp_execution_path_webserver.yml index 017d726cf..b50d8960d 100644 --- a/rules/windows/sysmon/sysmon_susp_execution_path_webserver.yml +++ b/rules/windows/sysmon/sysmon_susp_execution_path_webserver.yml @@ -9,14 +9,14 @@ detection: selection: EventID: 1 Image: - - '*\wwwroot\*' - - '*\wmpub\*' - - '*\htdocs\*' + - '*\wwwroot\\*' + - '*\wmpub\\*' + - '*\htdocs\\*' filter: Image: - - '*bin\*' - - '*\Tools\*' - - '*\SMSComponent\*' + - '*bin\\*' + - '*\Tools\\*' + - '*\SMSComponent\\*' ParentImage: - '*\services.exe' condition: selection and not filter diff --git a/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml b/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml index 6c6c893d9..c33ee2f04 100644 --- a/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml +++ b/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml @@ -19,7 +19,7 @@ detection: Image: - '*\powershell.exe' falsepositive: - CurrentDirectory: '*\Health Service State\*' + CurrentDirectory: '*\Health Service State\\*' condition: selection and not falsepositive fields: - CommandLine diff --git a/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml b/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml index c97aad22d..5008aca29 100644 --- a/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml 
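Review bot: The first `Image` entry, `'*\$Recycle.bin'` (a context line), is the only one without a trailing `\\*`, so it matches an image whose name is literally `$Recycle.bin` rather than anything executed from inside the recycle bin; the escaping fix skipped it because it had no `\*` to fix. sysmon_susp_exec_folder.yml elsewhere in this diff writes the same idea as `'C:\$Recycle.bin\\*'`; here `- '*\$Recycle.bin\\*'` would do. The same entry appears in both sysmon_susp_prog_location_* rules further down. The `selection` header is above the hunk.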
+++ b/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml @@ -13,17 +13,17 @@ detection: selection: EventID: 3 Image: - # - '*\ProgramData\*' # too many false positives, e.g. with Webex for Windows + # - '*\ProgramData\\*' # too many false positives, e.g. with Webex for Windows - '*\$Recycle.bin' - - '*\Users\All Users\*' - - '*\Users\Default\*' - - '*\Users\Public\*' - - 'C:\Perflogs\*' - - '*\config\systemprofile\*' - - '*\Windows\Fonts\*' - - '*\Windows\IME\*' - - '*\Windows\addins\*' + - '*\Users\All Users\\*' + - '*\Users\Default\\*' + - '*\Users\Public\\*' + - 'C:\Perflogs\\*' + - '*\config\systemprofile\\*' + - '*\Windows\Fonts\\*' + - '*\Windows\IME\\*' + - '*\Windows\addins\\*' condition: selection falsepositives: - unknown -level: high \ No newline at end of file +level: high diff --git a/rules/windows/sysmon/sysmon_susp_prog_location_process_starts.yml b/rules/windows/sysmon/sysmon_susp_prog_location_process_starts.yml index d842586ac..b8d3f7ad7 100644 --- a/rules/windows/sysmon/sysmon_susp_prog_location_process_starts.yml +++ b/rules/windows/sysmon/sysmon_susp_prog_location_process_starts.yml @@ -12,15 +12,15 @@ detection: selection: EventID: 1 Image: - # - '*\ProgramData\*' # too many false positives, e.g. with Webex for Windows + # - '*\ProgramData\\*' # too many false positives, e.g. with Webex for Windows - '*\$Recycle.bin' - - '*\Users\Public\*' - - 'C:\Perflogs\*' - - '*\Windows\Fonts\*' - - '*\Windows\IME\*' - - '*\Windows\addins\*' - - '*\Windows\debug\*' + - '*\Users\Public\\*' + - 'C:\Perflogs\\*' + - '*\Windows\Fonts\\*' + - '*\Windows\IME\\*' + - '*\Windows\addins\\*' + - '*\Windows\debug\\*' condition: selection falsepositives: - unknown -level: high \ No newline at end of file +level: high diff --git a/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml b/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml index 398ca9b3d..7de64276f 100644 
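Review bot: Same gap as in sysmon_susp_execution_path.yml: the context entry `'*\$Recycle.bin'` in the network-connection rule has no trailing `\\*`, so it only matches an image literally named `$Recycle.bin`, not a binary connecting out from inside the recycle bin; `- '*\$Recycle.bin\\*'` is the form every other entry in the list uses. The identical line sits in the sysmon_susp_prog_location_process_starts.yml hunk that follows and needs the same change. The `selection` header is above the hunk.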
--- a/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml +++ b/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml @@ -13,13 +13,13 @@ detection: EventID: 13 TargetObject: '*\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' Details: - - 'C:\Windows\Temp\*' - - 'C:\ProgramData\*' - - '*\AppData\*' - - 'C:\$Recycle.bin\*' - - 'C:\Temp\*' - - 'C:\Users\Public\*' - - 'C:\Users\Default\*' + - 'C:\Windows\Temp\\*' + - 'C:\ProgramData\\*' + - '*\AppData\\*' + - 'C:\$Recycle.bin\\*' + - 'C:\Temp\\*' + - 'C:\Users\Public\\*' + - 'C:\Users\Default\\*' condition: selection tags: - attack.persistence diff --git a/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml b/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml index 2ed6e2de2..778d147e5 100644 --- a/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml +++ b/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml @@ -16,7 +16,7 @@ detection: selection1: EventID: 1 Image: '*\regsvr32.exe' - CommandLine: '*\Temp\*' + CommandLine: '*\Temp\\*' # Loaded by powershell selection2: EventID: 1 diff --git a/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml b/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml index 449e98ecc..de69f0985 100644 --- a/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml +++ b/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml 
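Review bot: All but one of the re-escaped `Details` entries are anchored at `C:` with no leading `*` (`'C:\Windows\Temp\\*'`, `'C:\ProgramData\\*'`, ...), while Run-style values are frequently written quoted (`"C:\ProgramData\x.exe"`) or with a launcher in front (`rundll32.exe C:\ProgramData\x.dll,Entry`); the anchored entries miss both forms. The `'*\AppData\\*'` entry already uses the leading-wildcard form, so making the others `- '*\Windows\Temp\\*'`, `- '*\ProgramData\\*'` and so on would be consistent and catch the quoted case, at some loss of precision on short names like `Temp`. The `selection` header is above the hunk.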
@@ -15,16 +15,16 @@ detection: selection: EventID: 13 TargetObject: - - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*' - - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*' + - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*' + - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\*' Details: - - 'C:\Windows\Temp\*' - - '*\AppData\*' - - 'C:\$Recycle.bin\*' - - 'C:\Temp\*' - - 'C:\Users\Public\*' - - 'C:\Users\Default\*' - - 'C:\Users\Desktop\*' + - 'C:\Windows\Temp\\*' + - '*\AppData\\*' + - 'C:\$Recycle.bin\\*' + - 'C:\Temp\\*' + - 'C:\Users\Public\\*' + - 'C:\Users\Default\\*' + - 'C:\Users\Desktop\\*' condition: selection fields: - Image diff --git a/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml b/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml index ad4a0db3c..396378da1 100644 --- a/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml +++ b/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml @@ -18,8 +18,8 @@ detection: - 'vssadmin.exe Delete Shadows' # Hacking - 'vssadmin create shadow /for=C:' - - 'copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit' - - 'copy \\?\GLOBALROOT\Device\*\config\SAM' + - 'copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit' + - 'copy \\?\GLOBALROOT\Device\\*\config\SAM' - 'vssadmin delete shadows /for=C:' - 'reg SAVE HKLM\SYSTEM ' condition: selection diff --git a/rules/windows/sysmon/sysmon_system_exe_anomaly.yml b/rules/windows/sysmon/sysmon_system_exe_anomaly.yml index 4a568ec4f..92f738444 100644 --- a/rules/windows/sysmon/sysmon_system_exe_anomaly.yml +++ b/rules/windows/sysmon/sysmon_system_exe_anomaly.yml @@ -24,8 +24,8 @@ detection: - '*\conhost.exe' filter: Image: - - '*\System32\*' - - '*\SysWow64\*' + - '*\System32\\*' + - '*\SysWow64\\*' condition: selection and not filter tags: - attack.defense_evasion diff --git a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml index e4c493f34..0a812ad5d 100644 
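Review bot: The last re-escaped `Details` entry, `'C:\Users\Desktop\\*'`, names a path that as far as I know does not exist on a default Windows install — desktops live under a profile, `C:\Users\<user>\Desktop` — so it never matches; `- 'C:\Users\\*\Desktop\\*'` (the shape sysmon_malware_dridex.yml in this diff uses) is presumably what was meant. As in the Policies\Explorer\Run rule, the `C:`-anchored entries also miss quoted values such as `"C:\Users\Public\x.exe"`; a leading `*` on each fixes that. The `selection` header is above the hunk.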
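Review bot: The two re-escaped `copy \\?\GLOBALROOT\Device\\*...` entries, like their neighbours `'vssadmin.exe Delete Shadows'` and `'reg SAVE HKLM\SYSTEM '`, have no leading or trailing `*`, so each is an exact match on the whole field; a full path to the binary or any extra argument such as `/all /quiet` defeats it. The same list in win_susp_process_creations.yml in this diff carries a trailing `*` (`'copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit*'`), which this file should mirror, e.g. `- 'copy \\?\GLOBALROOT\Device\\*\config\SAM*'`. Under Sigma escaping as I read it the leading `\\?` is also one backslash plus a single-character wildcard rather than the literal `\\?`, which would need `\\\\\?`; confirm against the backend. The field name and `selection` header are above the hunk.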
--- a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml +++ b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml @@ -11,7 +11,7 @@ logsource: detection: methregistry: EventID: 13 - TargetObject: 'HKEY_USERS\*\mscfile\shell\open\command' + TargetObject: 'HKEY_USERS\\*\mscfile\shell\open\command' methprocess: EventID: 1 ParentImage: '*\eventvwr.exe' diff --git a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml index 152fc12ea..dbb12c818 100644 --- a/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml +++ b/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml @@ -10,7 +10,7 @@ logsource: detection: selection: EventID: 13 - TargetObject: 'HKEY_USERS\*\Classes\exefile\shell\runas\command\isolatedCommand' + TargetObject: 'HKEY_USERS\\*\Classes\exefile\shell\runas\command\isolatedCommand' condition: selection tags: - attack.defense_evasion diff --git a/rules/windows/sysmon/sysmon_win_binary_github_com.yml b/rules/windows/sysmon/sysmon_win_binary_github_com.yml index 50cc23973..39fead4b2 100644 --- a/rules/windows/sysmon/sysmon_win_binary_github_com.yml +++ b/rules/windows/sysmon/sysmon_win_binary_github_com.yml @@ -14,7 +14,7 @@ detection: DestinationHostname: - '*.github.com' - '*.githubusercontent.com' - Image: 'C:\Windows\*' + Image: 'C:\Windows\\*' condition: selection falsepositives: - 'Unknown' diff --git a/rules/windows/sysmon/sysmon_win_binary_susp_com.yml b/rules/windows/sysmon/sysmon_win_binary_susp_com.yml index d2013361a..f0eea3c8c 100644 --- a/rules/windows/sysmon/sysmon_win_binary_susp_com.yml +++ b/rules/windows/sysmon/sysmon_win_binary_susp_com.yml @@ -15,7 +15,7 @@ detection: DestinationHostname: - '*dl.dropboxusercontent.com' - '*.pastebin.com' - Image: 'C:\Windows\*' + Image: 'C:\Windows\\*' condition: selection falsepositives: - 'Unknown' diff --git a/rules/windows/sysmon/sysmon_win_reg_persistence.yml b/rules/windows/sysmon/sysmon_win_reg_persistence.yml index db0502f9b..27dd71e66 100644 
--- a/rules/windows/sysmon/sysmon_win_reg_persistence.yml +++ b/rules/windows/sysmon/sysmon_win_reg_persistence.yml @@ -11,9 +11,9 @@ detection: selection_reg1: EventID: 13 TargetObject: - - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*\GlobalFlag' - - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\*\ReportingMode' - - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\*\MonitorProcess' + - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\*\GlobalFlag' + - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\ReportingMode' + - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\MonitorProcess' EventType: 'SetValue' condition: 1 of them tags: