Merge pull request #4321 from phantinuss/master

fix: false positives + typos
Nasreddine Bencherchali
2023-06-21 14:13:22 +02:00
committed by GitHub
36 changed files with 39 additions and 37 deletions
@@ -1,7 +1,7 @@
title: Stop Windows Service
id: eb87818d-db5d-49cc-a987-d5da331fbd90
status: deprecated
description: Detects a windows service to be stopped
description: Detects a Windows service to be stopped
author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali
date: 2019/10/23
modified: 2023/03/05
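Review bot: the replacement description line still reads awkwardly ("Detects a Windows service to be stopped"); since the line is being touched anyway, "Detects a Windows service being stopped" would read better. Low priority, as the rule is marked deprecated.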
@@ -1,7 +1,7 @@
title: NotPetya Ransomware Activity
id: 79aeeb41-8156-4fac-a0cd-076495ab82a1
status: test
description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil
description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil
references:
- https://securelist.com/schroedingers-petya/78870/
- https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
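Review bot: while the description line is being edited, "Windows eventlogs" should become "Windows event logs", matching the wording used by the "Disable Windows Event Logging Via Registry" rule later in this same PR.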
@@ -1,7 +1,7 @@
title: Suspicious Windows Strings In URI
id: 9f6a34b4-2688-4eb7-a7f5-e39fef573d0e
status: experimental
description: Detects suspicious windows strins in URI which could indicate possible exfiltration or webshell communication
description: Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication
references:
- https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
author: Nasreddine Bencherchali (Nextron Systems)
@@ -1,7 +1,7 @@
title: Potential Credential Dumping Via WER - Application
id: a18e0862-127b-43ca-be12-1a542c75c7c5
status: experimental
description: Detects windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential
description: Detects Windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential
references:
- https://github.com/deepinstinct/Lsass-Shtinkering
- https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
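Review bot: the replacement description still ends in "to dump credential"; it should be "to dump credentials". "Windows error reporting" could also be written "Windows Error Reporting (WER)" so that it matches the abbreviation used in the title.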
@@ -1,7 +1,7 @@
title: Firewall Rule Modified In The Windows Firewall Exception List
id: 5570c4d9-8fdd-4622-965b-403a5a101aa0
status: experimental
description: Detects when a rule has been modified in the windows firewall exception list
description: Detects when a rule has been modified in the Windows firewall exception list
references:
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113
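Review bot: the replacement line capitalises "Windows" but leaves "firewall" lowercase, while the title uses the product name "Windows Firewall"; "Windows Firewall exception list" keeps title and description consistent.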
@@ -1,7 +1,7 @@
title: Windows Defender Exclusion Set
id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
status: test
description: Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender
description: Detects scenarios where an Windows Defender exclusion was added in registry where an entity would want to bypass antivirus scanning from Windows Defender
references:
- https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
author: '@BarryShooshooga'
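Review bot: the replacement description keeps the wrong article: "an Windows Defender exclusion" should be "a Windows Defender exclusion". "added in registry" could also become "added in the registry" while the line is being edited.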
@@ -1,7 +1,7 @@
title: External Disk Drive Or USB Storage Device
id: f69a87ea-955e-4fb4-adb2-bb9fd6685632
status: test
description: Detects external diskdrives or plugged in USB devices , EventID 6416 on windows 10 or later
description: Detects external diskdrives or plugged in USB devices, EventID 6416 on Windows 10 or later
author: Keith Wright
date: 2019/11/20
modified: 2022/10/09
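Review bot: the replacement description still contains "diskdrives" (should be "disk drives") and "plugged in USB devices" (should be hyphenated, "plugged-in USB devices"); both are worth fixing in a typo-fix commit.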
@@ -1,7 +1,7 @@
title: Local User Creation
id: 66b6be3d-55d0-4f47-9855-d69df21740ea
status: test
description: Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows server logs and not on your DC logs.
description: Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.
references:
- https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
author: Patrick Bareiss
@@ -1,7 +1,7 @@
title: Volume Shadow Copy Mount
id: f512acbf-e662-4903-843e-97ce4652b740
status: test
description: Detects volume shadow copy mount via windows event log
description: Detects volume shadow copy mount via Windows event log
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
@@ -1,7 +1,7 @@
title: KrbRelayUp Service Installation
id: e97d9903-53b2-41fc-8cb9-889ed4093e80
status: experimental
description: Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)
description: Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)
references:
- https://github.com/Dec0ne/KrbRelayUp
author: Sittikorn S, Tim Shelton
@@ -4,7 +4,7 @@ related:
- id: d6b5520d-3934-48b4-928c-2aa3f92d6963
type: similar
status: experimental
description: Detects windows services that got terminated for whatever reason
description: Detects Windows services that got terminated for whatever reason
references:
- https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
author: Nasreddine Bencherchali (Nextron Systems)
@@ -4,7 +4,7 @@ related:
- id: acfa2210-0d71-4eeb-b477-afab494d596c
type: similar
status: experimental
description: Detects important or interesting windows services that got terminated for whatever reason
description: Detects important or interesting Windows services that got terminated for whatever reason
references:
- https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
author: Nasreddine Bencherchali (Nextron Systems)
@@ -1,7 +1,7 @@
title: Important Windows Service Terminated Unexpectedly
id: 56abae0c-6212-4b97-adc0-0b559bb950c3
status: experimental
description: Detects important or interesting windows services that got terminated unexpectedly.
description: Detects important or interesting Windows services that got terminated unexpectedly.
references:
- https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/
author: Nasreddine Bencherchali (Nextron Systems)
@@ -21,7 +21,7 @@ detection:
# Use this If you collect the binary value provided from this event, which is the wide hex encoded value of the service name.
- Binary|contains:
- '4d0053004d005100' # MSMQ (Microsoft Message Queuing). Encoded in upper case just in case
- '6d0073006d007100' # msmq
- '6d0073006d007100' # msmq
condition: all of selection_*
falsepositives:
- Rare false positives could occur since service termination could happen due to multiple reasons
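Review bot: the removed and added lines for the '6d0073006d007100' entry read identically, so the change must be whitespace-only (for example trailing spaces or indentation); the commit message should say so, otherwise a reviewer cannot tell what was fixed. The comment two lines above ("Use this If you collect the binary value") also has a stray capital in "If".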
@@ -6,7 +6,7 @@ related:
- id: a3ab73f1-bd46-4319-8f06-4b20d0617886
type: similar
status: stable
description: Detects suspicious changes to the windows defender configuration
description: Detects suspicious changes to the Windows Defender configuration
references:
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
- https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware
@@ -4,7 +4,7 @@ related:
- id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
type: derived
status: experimental
description: Detects windows executables that writes files with suspicious extensions
description: Detects Windows executables that writes files with suspicious extensions
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
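Review bot: the replacement description has a subject-verb mismatch: "Windows executables that writes files" should be "Windows executables that write files".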
@@ -6,7 +6,7 @@ related:
- id: 3215aa19-f060-4332-86d5-5602511f3ca8
type: similar
status: experimental
description: Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.
description: Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that Windows hide default extensions by default.
references:
- https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
- https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
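Review bot: the replacement description keeps "Windows hide default extensions"; it should be "Windows hides default extensions". "which is often used" also refers to the plural "double extensions", so "which are often used" or "a technique often used by malware" would be cleaner.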
@@ -4,7 +4,7 @@ related:
- id: cc36992a-4671-4f21-a91d-6c2b72a2edf5
type: derived
status: experimental
description: Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the windows event logs
description: Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the Windows event logs
references:
- https://twitter.com/oroneequalsone/status/1568432028361830402
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md
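Review bot: "powershell" is left lowercase in the replacement line, while this same PR capitalises it as "PowerShell" in the "disable scheduled scanning" rule description; use one spelling in both.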
@@ -4,7 +4,7 @@ related:
- id: 07e3cb2c-0608-410d-be4b-1511cb1a0448
type: similar
status: experimental
description: Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet
description: Detects attempts to remove Windows Defender configuration using the 'MpPreference' cmdlet
references:
- https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
author: Nasreddine Bencherchali (Nextron Systems)
@@ -4,7 +4,7 @@ related:
- id: ec19ebab-72dc-40e1-9728-4c0b805d722c
type: derived
status: experimental
description: Detects powershell scripts attempting to disable scheduled scanning and other parts of windows defender atp or set default actions to allow.
description: Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
@@ -1,7 +1,7 @@
title: Potential Svchost Memory Access
id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde
status: experimental
description: Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.
description: Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM Windows event logging service.
references:
- https://github.com/hlldz/Invoke-Phant0m
- https://twitter.com/timbmsft/status/900724491076214784
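Review bot: "winRM" in the replacement description should be "WinRM", the usual capitalisation of the service name, given that this hunk is a capitalisation fix.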
@@ -1,7 +1,7 @@
title: Files And Subdirectories Listing Using Dir
id: 7c9340a9-e2ee-4e43-94c5-c54ebbea1006
status: experimental
description: Detects usage of the "dir" command that's part of windows batch/cmd to collect information about directories
description: Detects usage of the "dir" command that is part of Windows batch/cmd to collect information about directories
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
author: frack113
@@ -6,7 +6,7 @@ related:
- id: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a
type: similar
status: experimental
description: Detects inline windows shell commands redirecting output via the ">" symbol to a suspicious location
description: Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location
references:
- https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
author: Nasreddine Bencherchali (Nextron Systems)
@@ -1,7 +1,7 @@
title: HackTool - KrbRelayUp Execution
id: 12827a56-61a4-476a-a9cb-f3068f191073
status: experimental
description: Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced
description: Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced
references:
- https://github.com/Dec0ne/KrbRelayUp
author: Florian Roth (Nextron Systems)
@@ -1,7 +1,7 @@
title: Use of PktMon.exe
id: f956c7c1-0f60-4bc5-b7d7-b39ab3c08908
status: test
description: Tools to Capture Network Packets on the windows 10 with October 2018 Update or later.
description: Tools to capture network packets on Windows 10 with October 2018 update or later.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Pktmon/
author: frack113
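Review bot: the replacement line lowercases "October 2018 Update" to "October 2018 update"; the capitalised form is the official name of that Windows 10 feature update, so only "the" and "windows" needed changing here.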
@@ -4,7 +4,7 @@ related:
- id: ae2bdd58-0681-48ac-be7f-58ab4e593458
type: similar
status: experimental
description: Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet
description: Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet
references:
- https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
author: Nasreddine Bencherchali (Nextron Systems)
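Review bot: this rule and its related "similar" rule changed earlier in this PR (same 'MpPreference' cmdlet description) now diverge: that one says "Windows Defender configuration", this one "Windows Defender configurations". Pick one form for both.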
@@ -1,7 +1,7 @@
title: PUA - Crassus Execution
id: 2c32b543-1058-4808-91c6-5b31b8bed6c5
status: experimental
description: Detects Crassus a windows privilege escalation discovery tool based on PE metadata characteristics.
description: Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.
references:
- https://github.com/vu-ls/Crassus
author: pH-T (Nextron Systems)
@@ -1,7 +1,7 @@
title: Suspicious Elevated System Shell
id: 178e615d-e666-498b-9630-9ed363038101
status: experimental
description: Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.
description: Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges.
references:
- https://github.com/Wh04m1001/SysmonEoP
author: frack113, Tim Shelton (update fp)
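Review bot: the replacement description lowercases "Command Prompt" to "command prompt"; "Windows Command Prompt" is the product name and matches the capitalisation fixes elsewhere in this PR, so only "windows" needed changing.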
@@ -10,7 +10,7 @@ references:
- https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core
author: Tom Ueltschi (@c_APT_ure), Tim Shelton
date: 2019/01/12
modified: 2023/01/31
modified: 2023/06/21
tags:
- attack.t1037.001
- attack.persistence
@@ -36,6 +36,8 @@ detection:
- 'C:\Windows\SysWOW64\proquota.exe'
filter_optional_citrix:
Image|endswith: '\Citrix\System32\icast.exe'
filter_optional_image_null:
Image: null
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate logon scripts or custom shells may trigger false positives. Apply additional filters accordingly.
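Review bot: the new filter_optional_image_null block excludes every event where Image is null without a comment saying which log source or event type produces such records, so a future maintainer cannot tell whether the exclusion is still needed or how broad it is; add a short inline comment naming the source, and consider mentioning the case under falsepositives. Bumping modified to 2023/06/21 for this logic change is correct.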
@@ -4,7 +4,7 @@ related:
- id: 2267fe65-0681-42ad-9a6d-46553d3f3480 # Generic susp child processes rules
type: similar
status: test
description: Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary linux and windows commands
description: Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary Linux or Windows commands
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/
- https://twitter.com/nas_bench/status/1535431474429808642
@@ -1,7 +1,7 @@
title: UAC Bypass Via Wsreset
id: 6ea3bf32-9680-422d-9f50-e90716b12a66
status: test
description: Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.
description: Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.
references:
- https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly
- https://lolbas-project.github.io/lolbas/Binaries/Wsreset
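Review bot: the replacement description still reads as fragments ("WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry."); in a wording-fix commit, "WSReset.exe, a file associated with the Windows Store, will run a binary referenced from a low-privilege registry key" would be clearer, and "registry" alone is missing the word "key".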
@@ -1,7 +1,7 @@
title: Change Winevt Event Access Permission Via Registry
id: 7d9263bd-dc47-4a58-bc92-5474abab390c
status: experimental
description: Detects tampering with the "ChannelAccess" registry key in order to change access to windows event channel
description: Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel
references:
- https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/
- https://learn.microsoft.com/en-us/windows/win32/api/winevt/
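Review bot: the replacement description is missing an article: "change access to Windows event channel" should be "change access to a Windows event channel".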
@@ -1,7 +1,7 @@
title: Disable Windows Security Center Notifications
id: 3ae1a046-f7db-439d-b7ce-b8b366b81fa6
status: experimental
description: Detect set UseActionCenterExperience to 0 to disable the windows security center notification
description: Detect set UseActionCenterExperience to 0 to disable the Windows security center notification
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
author: frack113
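Review bot: "Detect set UseActionCenterExperience to 0" is not grammatical in the replacement line; suggest "Detects setting UseActionCenterExperience to 0 to disable Windows Security Center notifications", which also restores the capitalised product name used in the title. The same "Detect set ... to" phrasing appears in the EnableFirewall and Notification_Suppress rules further down in this PR.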
@@ -1,7 +1,7 @@
title: Disable Windows Firewall by Registry
id: e78c408a-e2ea-43cd-b5ea-51975cf358c0
status: experimental
description: Detect set EnableFirewall to 0 to disable the windows firewall
description: Detect set EnableFirewall to 0 to disable the Windows firewall
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md
author: frack113
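Review bot: same grammar issue as the other registry rules in this PR: "Detect set EnableFirewall to 0 to disable the Windows firewall" should read "Detects setting EnableFirewall to 0 to disable the Windows Firewall" (product name capitalised as in the title).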
@@ -1,7 +1,7 @@
title: Disable Windows Event Logging Via Registry
id: 2f78da12-f7c7-430b-8b19-a28f269b77a3
status: experimental
description: Detects tampering with the "Enabled" registry key in order to disable windows logging of a windows event channel
description: Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel
references:
- https://twitter.com/WhichbufferArda/status/1543900539280293889
- https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp
@@ -1,7 +1,7 @@
title: Activate Suppression of Windows Security Center Notifications
id: 0c93308a-3f1b-40a9-b649-57ea1a1c1d63
status: experimental
description: Detect set Notification_Suppress to 1 to disable the windows security center notification
description: Detect set Notification_Suppress to 1 to disable the Windows security center notification
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
author: frack113
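Review bot: "Detect set Notification_Suppress to 1 to disable the Windows security center notification" should read "Detects setting Notification_Suppress to 1 to suppress Windows Security Center notifications"; "Windows Security Center" is the product name used in the title.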
@@ -6,7 +6,7 @@ related:
- id: fd115e64-97c7-491f-951c-fc8da7e042fa
type: obsoletes
status: experimental
description: Detects when attackers or tools disable Windows Defender functionalities via the windows registry
description: Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
references:
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105