Merge PR #4752 from @frack113 - Update rules to use the windash modifier

update: File Enumeration Via Dir Command - Update logic to also use a wildcard, for better accuracy.
chore: update multiple rules to use the windash modifier 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
This commit is contained in:
frack113
2024-03-11 12:01:30 +01:00
committed by GitHub
parent eac04262c2
commit 48baf1187b
37 changed files with 104 additions and 212 deletions
@@ -6,6 +6,7 @@ references:
- https://github.com/pr0xylife/Qakbot/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/26
modified: 2024/03/05
tags:
- attack.defense_evasion
- attack.execution
@@ -16,9 +17,7 @@ logsource:
detection:
selection:
Image|endswith: '\regsvr32.exe'
CommandLine|contains:
- ' /s'
- ' -s'
CommandLine|contains|windash: ' -s'
CommandLine|endswith: ' calc'
condition: selection
falsepositives:
@@ -8,6 +8,7 @@ references:
- https://github.com/diego-treitos/linux-smart-enumeration
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/12/28
modified: 2024/03/05
tags:
- attack.discovery
- attack.t1083
@@ -17,9 +18,7 @@ logsource:
detection:
selection:
Image|endswith: '/getcap'
CommandLine|contains:
- ' /r '
- ' -r '
CommandLine|contains|windash: ' -r '
condition: selection
falsepositives:
- Unknown
@@ -6,7 +6,7 @@ references:
- Internal Research
author: pH-T (Nextron Systems)
date: 2022/03/18
modified: 2024/02/23
modified: 2024/03/05
tags:
- attack.persistence
- attack.privilege_escalation
@@ -20,12 +20,9 @@ detection:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection_cmd_flags:
ImagePath|contains:
- ' /c '
ImagePath|contains|windash:
- ' -c '
- ' /r '
- ' -r '
- ' /k '
- ' -k '
selection_binaries:
ImagePath|contains:
@@ -1,7 +1,12 @@
title: Indirect Inline Command Execution Via Bash.EXE
id: 5edc2273-c26f-406c-83f3-f4d948e740dd
related:
- id: 2d22a514-e024-4428-9dba-41505bd63a5b
type: similar
status: experimental
description: Detects execution of Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash
description: |
Detects execution of Microsoft bash launcher with the "-c" flag.
This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Bash/
author: frack113
@@ -4,7 +4,9 @@ related:
- id: 5edc2273-c26f-406c-83f3-f4d948e740dd
type: similar
status: experimental
description: Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash
description: |
Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly.
This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Bash/
- https://linux.die.net/man/1/bash
@@ -11,7 +11,7 @@ references:
- https://lolbas-project.github.io/lolbas/Binaries/Certoc/
author: Austin Songer @austinsonger
date: 2021/10/23
modified: 2023/02/15
modified: 2024/03/05
tags:
- attack.defense_evasion
- attack.t1218
@@ -23,9 +23,7 @@ detection:
- Image|endswith: '\certoc.exe'
- OriginalFileName: 'CertOC.exe'
selection_cli:
CommandLine|contains:
- ' -LoadDLL '
- ' /LoadDLL '
CommandLine|contains|windash: ' -LoadDLL '
condition: all of selection_*
fields:
- CommandLine
@@ -11,6 +11,7 @@ references:
- https://lolbas-project.github.io/lolbas/Binaries/Certoc/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/02/15
modified: 2024/03/05
tags:
- attack.defense_evasion
- attack.t1218
@@ -22,9 +23,7 @@ detection:
- Image|endswith: '\certoc.exe'
- OriginalFileName: 'CertOC.exe'
selection_cli:
CommandLine|contains:
- ' -LoadDLL '
- ' /LoadDLL '
CommandLine|contains|windash: ' -LoadDLL '
selection_paths:
CommandLine|contains:
- '\Appdata\Local\Temp\'
@@ -13,6 +13,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
author: oscd.community, @redcanary, Zach Stanford @svch0st
date: 2023/03/05
modified: 2024/03/05
tags:
- attack.defense_evasion
- attack.t1553.004
@@ -25,9 +26,7 @@ detection:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_cli_add:
CommandLine|contains:
- '/addstore'
- '-addstore'
CommandLine|contains|windash: '-addstore'
selection_cli_store:
CommandLine|contains: 'root'
condition: all of selection_*
@@ -11,6 +11,7 @@ references:
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2023/02/15
modified: 2024/03/05
tags:
- attack.defense_evasion
- attack.t1027
@@ -22,13 +23,9 @@ detection:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_cli:
CommandLine|contains:
# Decode Base64
- '-decode '
- '/decode '
# Decode Hex
- '-decodehex '
- '/decodehex '
CommandLine|contains|windash:
- '-decode ' # Decode Base64
- '-decodehex ' # Decode Hex
condition: all of selection_*
falsepositives:
- Unknown
@@ -8,7 +8,7 @@ references:
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019/02/24
modified: 2023/02/15
modified: 2024/03/05
tags:
- attack.defense_evasion
- attack.t1027
@@ -20,9 +20,7 @@ detection:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_cli:
CommandLine|contains:
- '-encode'
- '/encode'
CommandLine|contains|windash: '-encode'
condition: all of selection_*
falsepositives:
- As this is a general purpose rule, legitimate usage of the encode functionality will trigger some false positives. Apply additional filters accordingly
@@ -12,6 +12,7 @@ references:
- https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/15
modified: 2024/03/05
tags:
- attack.defense_evasion
- attack.t1027
@@ -23,9 +24,7 @@ detection:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_cli:
CommandLine|contains:
- '-encode'
- '/encode'
CommandLine|contains|windash: '-encode'
selection_extension:
CommandLine|contains:
- '.acl'
@@ -12,6 +12,7 @@ references:
- https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/15
modified: 2024/03/05
tags:
- attack.defense_evasion
- attack.t1027
@@ -23,9 +24,7 @@ detection:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_cli:
CommandLine|contains:
- '-encode'
- '/encode'
CommandLine|contains|windash: '-encode'
selection_extension:
CommandLine|contains:
# Note: Add more suspicious locations to increase coverage
@@ -6,7 +6,7 @@ references:
- https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023/02/15
modified: 2023/02/20
modified: 2024/03/05
tags:
- attack.defense_evasion
- attack.t1027
@@ -18,9 +18,7 @@ detection:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_cli:
CommandLine|contains:
- '-exportPFX '
- '/exportPFX '
CommandLine|contains|windash: '-exportPFX '
condition: all of selection_*
falsepositives:
- There legitimate reasons to export certificates. Investigate the activity to determine if it's benign
@@ -7,7 +7,7 @@ references:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp
author: _pete_0, TheDFIRReport
date: 2022/02/21
modified: 2024/02/16
modified: 2024/03/05
tags:
- attack.discovery
- attack.t1614.001
@@ -17,12 +17,9 @@ logsource:
detection:
selection:
ParentImage|endswith: '\cmd.exe'
ParentCommandLine|contains:
- ' /c '
ParentCommandLine|contains|windash:
- ' -c '
- ' /r '
- ' -r '
- ' /k '
- ' -k '
Image|endswith: '\chcp.com'
CommandLine|endswith:
@@ -6,7 +6,7 @@ references:
- https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 # Dead Link
author: Sreeman, Nasreddine Bencherchali (Nextron Systems)
date: 2020/01/13
modified: 2024/02/17
modified: 2024/03/05
tags:
- attack.defense_evasion
- attack.t1218
@@ -17,9 +17,7 @@ logsource:
product: windows
detection:
selection:
CommandLine|contains:
- ' /c '
- ' -c '
CommandLine|contains|windash: ' -c '
CommandLine|contains|all:
- 'curl '
- 'http'
@@ -11,7 +11,7 @@ references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
author: frack113
date: 2022/01/15
modified: 2024/02/17
modified: 2024/03/05
tags:
- attack.defense_evasion
- attack.t1070.004
@@ -27,13 +27,10 @@ detection:
- 'del '
- 'erase '
selection_flags:
CommandLine|contains:
- ' /f' # Force deleting of read-only files.
- ' -f'
- ' /s' # Delete specified files from all subdirectories.
- ' -s'
- ' /q' # Quiet mode, do not ask if ok to delete on global wildcard
- ' -q'
CommandLine|contains|windash:
- ' -f' # Force deleting of read-only files.
- ' -s' # Delete specified files from all subdirectories.
- ' -q' # Quiet mode, do not ask if ok to delete on global wildcard
condition: all of selection_*
falsepositives:
- False positives levels will differ Depending on the environment. You can use a combination of ParentImage and other keywords from the CommandLine field to filter legitimate activity
@@ -1,12 +1,13 @@
title: Files And Subdirectories Listing Using Dir
title: File Enumeration Via Dir Command
id: 7c9340a9-e2ee-4e43-94c5-c54ebbea1006
status: test
description: Detects usage of the "dir" command that is part of Windows batch/cmd to collect information about directories
description: |
Detects usage of the "dir" command part of Widows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
author: frack113
date: 2021/12/13
modified: 2024/02/17
modified: 2024/03/06
tags:
- attack.discovery
- attack.t1217
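Review bot: The new description line contains the typo "Widows CMD"; it should read `Detects usage of the "dir" command part of Windows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.`. Since this is a multi-line block scalar that is rendered verbatim into rule listings, the typo will be visible to every consumer of the rule.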
@@ -14,17 +15,9 @@ logsource:
category: process_creation
product: windows
detection:
selection_dir:
CommandLine|contains: 'dir '
selection_cli_1:
CommandLine|contains:
- ' /s'
- ' -s'
selection_cli_2:
CommandLine|contains:
- ' /b'
- ' -b'
condition: all of selection_*
selection:
CommandLine|contains|windash: 'dir*-s'
condition: selection
falsepositives:
- Unknown
- Likely
level: low
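Review bot: The rewritten selection `CommandLine|contains|windash: 'dir*-s'` drops the token boundaries the old selections had (`'dir '` with a trailing space, `' /s'` with a leading space), so after windash expansion `dir*/s` also matches any command line in which the substring `dir` (as in `mkdir`, `rmdir`, or a path component) is followed anywhere later by `/s` or `-s`. The hunk also removes the former `' /b'` requirement, which widens the rule beyond what the updated description ("with the "/S" command line flag") implies; if that widening is intentional it is worth stating in the description or the falsepositives entry. Restoring at least the trailing space, `CommandLine|contains|windash: 'dir *-s'`, keeps the wildcard while tying the match to the `dir` token. The rule id is also added to the `escaped_wildcard` exclusions in the test-config hunk at the end of this page, which appears to be what makes the wildcard pass the repository checks.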
@@ -1,12 +1,13 @@
title: Suspicious Ping/Copy Command Combination
title: Potentially Suspicious Ping/Copy Command Combination
id: ded2b07a-d12f-4284-9b76-653e37b6c8b0
status: experimental
description: Detects uncommon one-liner command having ping and copy at the same time, which is usually used by malware.
description: |
Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware.
references:
- Internal Research
author: X__Junior (Nextron Systems)
date: 2023/07/18
modified: 2024/02/26
modified: 2024/03/06
tags:
- attack.defense_evasion
- attack.t1070.004
@@ -23,13 +24,9 @@ detection:
- 'ping' # Covers "ping" and "ping.exe"
- 'copy '
selection_cli_1:
CommandLine|contains: # Count
- ' -n '
- ' /n '
CommandLine|contains|windash: ' -n ' # Count
selection_cli_2:
CommandLine|contains:
- ' /y '
- ' -y '
CommandLine|contains|windash: ' -y '
condition: all of selection_*
falsepositives:
- Unknown
@@ -9,7 +9,7 @@ references:
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
author: Ilya Krestinichev
date: 2022/11/03
modified: 2023/02/07
modified: 2024/03/05
tags:
- attack.defense_evasion
- attack.t1070.004
@@ -20,16 +20,12 @@ detection:
# Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277
# Example: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\User\Desktop\lockbit\lockbit.exe" & Del /f /q "C:\Users\User\Desktop\lockbit\lockbit.exe".
selection_count:
CommandLine|contains:
- ' -n '
- ' /n '
CommandLine|contains|windash: ' -n '
selection_nul:
CommandLine|contains: 'Nul' # Covers "> Nul" and ">Nul "
selection_del_param:
CommandLine|contains:
- ' /f '
CommandLine|contains|windash:
- ' -f '
- ' /q '
- ' -q '
selection_all:
CommandLine|contains|all:
@@ -1,12 +1,14 @@
title: New Generic Credentials Added Via Cmdkey.EXE
id: b1ec66c6-f4d1-4b5c-96dd-af28ccae7727
status: test
description: Detects usage of cmdkey to add generic credentials. As an example, this has to be used before connecting to an RDP session via command line interface.
description: |
Detects usage of "cmdkey.exe" to add generic credentials.
As an example, this can be used before connecting to an RDP session via command line interface.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023/02/03
modified: 2024/02/23
modified: 2024/03/05
tags:
- attack.credential_access
- attack.t1003.005
@@ -17,18 +19,12 @@ detection:
selection_img:
- Image|endswith: '\cmdkey.exe'
- OriginalFileName: 'cmdkey.exe'
selection_cli_1:
CommandLine|contains:
- ' /g'
- ' -g'
selection_cli_2:
CommandLine|contains:
- ' /u'
- ' -u'
selection_cli_3:
CommandLine|contains:
- ' /p'
- ' -p'
selection_cli_generic:
CommandLine|contains|windash: ' -g' # Generic
selection_cli_user:
CommandLine|contains|windash: ' -u' # User
selection_cli_password:
CommandLine|contains|windash: ' -p' # Password
condition: all of selection_*
falsepositives:
- Legitimate usage for administration purposes
@@ -8,7 +8,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey
author: jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2019/01/16
modified: 2023/02/03
modified: 2024/03/05
tags:
- attack.credential_access
- attack.t1003.005
@@ -20,9 +20,7 @@ detection:
- Image|endswith: '\cmdkey.exe'
- OriginalFileName: 'cmdkey.exe'
selection_cli:
CommandLine|contains:
- ' /l'
- ' -l'
CommandLine|contains|windash: ' -l'
condition: all of selection*
fields:
- CommandLine
@@ -23,6 +23,7 @@ references:
- https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/09/15
modified: 2024/03/05
tags:
- attack.defense_evasion
- attack.t1218
@@ -34,9 +35,7 @@ detection:
- OriginalFileName: 'diskshadow.exe'
- Image|endswith: '\diskshadow.exe'
selection_flag:
CommandLine|contains:
- '/s '
- '-s '
CommandLine|contains|windash: '-s '
filter_main_ext:
# Note: can be changed to an "endswith" to avoid rare FPs. But you need to account for quoted paths
# Note: Using the ".txt" is based on the MS documentation example. Best add the extension you use internally before using this rule
@@ -21,6 +21,7 @@ references:
- https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/09/15
modifier: 2024/03/05
tags:
- attack.defense_evasion
- attack.t1218
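Review bot: The added metadata line reads `modifier: 2024/03/05`, but the Sigma field is `modified`; as written the rule's modification date is not updated and, depending on the schema validation this repository runs, the unknown key is likely to be rejected. Change it to `modified: 2024/03/05`, matching the sibling diskshadow rule in the hunk above.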
@@ -32,9 +33,7 @@ detection:
- OriginalFileName: 'diskshadow.exe'
- Image|endswith: '\diskshadow.exe'
selection_cli:
CommandLine|contains:
- '/s '
- '-s '
CommandLine|contains|windash: '-s '
selection_paths:
CommandLine|contains:
# Note: Add additional susp paths based on your org needs
@@ -8,7 +8,7 @@ references:
- https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
author: frack113
date: 2022/02/13
modified: 2022/10/31
modified: 2024/03/05
tags:
- attack.collection
- attack.t1005
@@ -20,9 +20,7 @@ detection:
- Image|endswith: '\esentutl.exe'
- OriginalFileName: 'esentutl.exe'
selection_flag:
CommandLine|contains:
- '/r'
- '-r'
CommandLine|contains|windash: '-r'
selection_webcache:
CommandLine|contains: '\Windows\WebCache'
condition: all of selection*
@@ -7,7 +7,7 @@ references:
- https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
author: Bhabesh Raj, X__Junior (Nextron Systems)
date: 2021/07/30
modified: 2023/11/02
modified: 2024/03/05
tags:
- attack.defense_evasion
- attack.t1218
@@ -17,9 +17,7 @@ logsource:
detection:
selection_cmd:
Image|endswith: '\expand.exe'
CommandLine|contains:
- '/F:'
- '-F:'
CommandLine|contains|windash: '-F:'
selection_folders_1:
CommandLine|contains:
- ':\Perflogs\'
@@ -12,7 +12,7 @@ references:
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
date: 2020/10/05
modified: 2023/11/12
modified: 2024/03/05
tags:
- attack.defense_evasion
- attack.t1218
@@ -28,13 +28,9 @@ detection:
- Image|endswith: 'findstr.exe'
- OriginalFileName: 'FINDSTR.EXE'
selection_cli_download_1:
CommandLine|contains:
- ' /v '
- ' -v '
CommandLine|contains|windash: ' -v '
selection_cli_download_2:
CommandLine|contains:
- ' /l '
- ' -l '
CommandLine|contains|windash: ' -l '
selection_cli_download_3:
CommandLine|contains: '\\\\'
condition: selection_findstr and all of selection_cli_download_*
@@ -12,7 +12,7 @@ references:
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
date: 2020/10/05
modified: 2023/11/12
modified: 2024/03/05
tags:
- attack.defense_evasion
- attack.t1218
@@ -28,13 +28,9 @@ detection:
- Image|endswith: 'findstr.exe'
- OriginalFileName: 'FINDSTR.EXE'
selection_cli_search_subfolder:
CommandLine|contains:
- ' /s '
- ' -s '
CommandLine|contains|windash: ' -s '
selection_cli_search_insensitive:
CommandLine|contains:
- ' /i '
- ' -i '
CommandLine|contains|windash: ' -i '
condition: selection_findstr and all of selection_cli_search_*
falsepositives:
- Administrative or software activity
@@ -15,7 +15,7 @@ references:
- https://pentestlab.blog/2020/07/06/indirect-command-execution/
author: Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2022/06/14
modified: 2024/01/05
modified: 2024/03/05
tags:
- attack.execution
- attack.t1059
@@ -27,9 +27,7 @@ detection:
- Image|endswith: '\forfiles.exe'
- OriginalFileName: 'forfiles.exe'
selection_cli:
CommandLine|contains:
- ' /c '
- ' -c '
CommandLine|contains|windash: ' -c '
condition: all of selection_*
falsepositives:
- Legitimate use via a batch script or by an administrator.
@@ -6,6 +6,7 @@ references:
- https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/06/15
modified: 2024/03/05
tags:
- attack.execution
logsource:
@@ -16,9 +17,7 @@ detection:
Image|endswith: '\lodctr.exe'
OriginalFileName: 'LODCTR.EXE'
selection_cli:
CommandLine|contains:
- ' /r'
- ' -r'
CommandLine|contains|windash: ' -r'
condition: all of selection_*
falsepositives:
- Legitimate usage by an administrator
@@ -14,6 +14,7 @@ references:
- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/22
modified: 2024/03/05
tags:
- attack.defense_evasion
- attack.t1218.008
@@ -25,9 +26,7 @@ detection:
- Image|endswith: '\odbcconf.exe'
- OriginalFileName: 'odbcconf.exe'
selection_cli:
CommandLine|contains:
- ' -f '
- ' /f '
CommandLine|contains|windash: ' -f '
selection_rsp_ext:
CommandLine|contains: '.rsp'
condition: all of selection_*
@@ -6,7 +6,7 @@ references:
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/10/12
modified: 2023/11/06
modified: 2024/03/05
tags:
- attack.command_and_control
- attack.lateral_movement
@@ -19,9 +19,7 @@ logsource:
detection:
selection:
Image|endswith: '\ssh.exe'
CommandLine|contains:
- ' -R '
- ' /R '
CommandLine|contains|windash: ' -R '
condition: selection
falsepositives:
- Administrative activity using a remote port forwarding to a local port
@@ -11,7 +11,7 @@ references:
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021/11/23
modified: 2023/02/28
modified: 2024/03/05
tags:
- attack.resource_development
- attack.t1587.001
@@ -20,43 +20,22 @@ logsource:
product: windows
detection:
selection_sys: # Escalation to LOCAL_SYSTEM
CommandLine|contains:
CommandLine|contains|windash:
# Note that you don't need to add the ".exe" part when using psexec/paexec
# The "-" can also be replaced with "/"
# The order of args isn't important
# "cmd" can be replaced by "powershell", "pwsh" or any other console like software
- ' -s cmd'
- ' /s cmd'
- ' -s -i cmd'
- ' /s /i cmd'
- ' /s -i cmd'
- ' -s /i cmd'
- ' -i -s cmd'
- ' /i /s cmd'
- ' -i /s cmd'
- ' /i -s cmd'
# Pwsh (For PowerShell 7)
- ' -s pwsh'
- ' /s pwsh'
- ' -s -i pwsh'
- ' /s /i pwsh'
- ' /s -i pwsh'
- ' -s /i pwsh'
- ' -i -s pwsh'
- ' /i /s pwsh'
- ' -i /s pwsh'
- ' /i -s pwsh'
# PowerShell (For PowerShell 5)
- ' -s powershell'
- ' /s powershell'
- ' -s -i powershell'
- ' /s /i powershell'
- ' /s -i powershell'
- ' -s /i powershell'
- ' -i -s powershell'
- ' /i /s powershell'
- ' -i /s powershell'
- ' /i -s powershell'
selection_other:
CommandLine|contains:
- 'psexec'
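Review bot: With the list now under `CommandLine|contains|windash:`, the retained comment `# The "-" can also be replaced with "/"` reads as a note about the entries rather than as a description of what the modifier does; I would reword it to `# The windash modifier also expands "-" to "/" for each entry` or drop it. The same comment is kept in the hunk for the second psexec/paexec rule further down (the one ending at `filter_main_exclude_coverage`). From the hunk line counts it looks like only the `-` variants of each entry survive, which is the right shape for windash, but I cannot confirm that from this page because the +/- markers were lost in rendering.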
@@ -9,7 +9,7 @@ references:
- https://twitter.com/EricaZelic/status/1614075109827874817
author: Nasreddine Bencherchali (Nextron Systems)
date: 2021/12/18
modified: 2023/01/16
modified: 2024/03/05
tags:
- attack.discovery
- attack.t1087
@@ -30,17 +30,12 @@ detection:
- ' application'
- ' system'
selection_cli_flags:
CommandLine|contains:
CommandLine|contains|windash:
- ' -d'
- ' /d'
- ' -x'
- ' /x'
- ' -s'
- ' /s'
- ' -c' # Clear event log after displaying
- ' /c'
- ' -g' # Export an event log as an evt file.
- ' /g'
condition: all of selection_*
falsepositives:
- Another tool that uses the command line switches of PsLogList
@@ -11,7 +11,7 @@ references:
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021/05/22
modified: 2023/02/27
modified: 2024/03/05
tags:
- attack.resource_development
- attack.t1587.001
@@ -21,43 +21,22 @@ logsource:
detection:
selection:
# Escalation to LOCAL_SYSTEM
CommandLine|contains:
CommandLine|contains|windash:
# Note that you don't need to add the ".exe" part when using psexec/paexec
# The "-" can also be replaced with "/"
# The order of args isn't important
# "cmd" can be replaced by "powershell", "pwsh" or any other console like software
- ' -s cmd'
- ' /s cmd'
- ' -s -i cmd'
- ' /s /i cmd'
- ' /s -i cmd'
- ' -s /i cmd'
- ' -i -s cmd'
- ' /i /s cmd'
- ' -i /s cmd'
- ' /i -s cmd'
# Pwsh (For PowerShell 7)
- ' -s pwsh'
- ' /s pwsh'
- ' -s -i pwsh'
- ' /s /i pwsh'
- ' /s -i pwsh'
- ' -s /i pwsh'
- ' -i -s pwsh'
- ' /i /s pwsh'
- ' -i /s pwsh'
- ' /i -s pwsh'
# PowerShell (For PowerShell 5)
- ' -s powershell'
- ' /s powershell'
- ' -s -i powershell'
- ' /s /i powershell'
- ' /s -i powershell'
- ' -s /i powershell'
- ' -i -s powershell'
- ' /i /s powershell'
- ' -i /s powershell'
- ' /i -s powershell'
filter_main_exclude_coverage:
# This filter exclude strings covered by 8834e2f7-6b4b-4f09-8906-d2276470ee23
CommandLine|contains:
@@ -8,6 +8,7 @@ references:
- https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023/12/04
modified: 2024/03/05
tags:
- attack.discovery
- attack.t1033
@@ -20,9 +21,7 @@ detection:
- Image|endswith: '\whoami.exe'
- OriginalFileName: 'whoami.exe'
selection_main_cli:
CommandLine|contains:
- ' -all'
- ' /all'
CommandLine|contains|windash: ' -all'
condition: all of selection_main_*
falsepositives:
- Unknown
@@ -9,7 +9,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
author: Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel
date: 2019/10/21
modified: 2023/11/09
modified: 2024/03/05
tags:
- attack.defense_evasion
- attack.t1220
@@ -19,9 +19,7 @@ logsource:
detection:
selection:
Image|endswith: '\wmic.exe'
CommandLine|contains:
- '/format' # wmic process list /FORMAT /?
- '-format' # wmic process list -FORMAT /?
CommandLine|contains|windash: '-format' # wmic process list -FORMAT /? or wmic process list /FORMAT /?
filter_main_known_format:
CommandLine|contains:
- 'Format:List'
@@ -70,6 +70,7 @@ exclusions:
fb502828-2db0-438e-93e6-801c7548686d: escaped_wildcard
59e938ff-0d6d-4dc3-b13f-36cc28734d4e: escaped_wildcard
2e7bbd54-2f26-476e-b4a1-ba5f1a012614: escaped_wildcard
7c9340a9-e2ee-4e43-94c5-c54ebbea1006: escaped_wildcard
# number_as_string
5c84856b-55a5-45f1-826f-13f37250cf4e: number_as_string
85b88e05-dadc-430b-8a9e-53ff1cd30aae: number_as_string