From a465f2722f55fcf8979afe24ebbed58f3dcd4cc4 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 24 Mar 2021 11:29:05 +0100
Subject: [PATCH 1/5] refactor: CobaltStrike beacon rule
---
 rules/network/net_mal_dns_cobaltstrike.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/rules/network/net_mal_dns_cobaltstrike.yml b/rules/network/net_mal_dns_cobaltstrike.yml
index 666f7c72b..bc1cf186f 100644
--- a/rules/network/net_mal_dns_cobaltstrike.yml
+++ b/rules/network/net_mal_dns_cobaltstrike.yml
@@ -4,16 +4,18 @@ status: experimental
 description: Detects suspicious DNS queries known from Cobalt Strike beacons
 author: Florian Roth
 date: 2018/05/10
-modified: 2020/08/27
+modified: 2021/03/24
 references:
 - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
+ - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
 logsource:
 category: dns
 detection:
 selection:
- query:
- - 'aaa.stage.*'
- - 'post.1*'
+ query|startswith:
+ - 'aaa.stage.'
+ - 'post.1'
+ - 'www6.'
 condition: selection
 falsepositives:
 - Unknown
From 6d9fc6558590817134321bd40137b0709f39a610 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 24 Mar 2021 12:37:35 +0100
Subject: [PATCH 2/5] fix: FPs with www6
---
 rules/network/net_mal_dns_cobaltstrike.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/rules/network/net_mal_dns_cobaltstrike.yml b/rules/network/net_mal_dns_cobaltstrike.yml
index bc1cf186f..b7efbe5c2 100644
--- a/rules/network/net_mal_dns_cobaltstrike.yml
+++ b/rules/network/net_mal_dns_cobaltstrike.yml
@@ -15,7 +15,6 @@ detection:
 query|startswith:
 - 'aaa.stage.'
 - 'post.1'
- - 'www6.'
 condition: selection
 falsepositives:
 - Unknown
From 6b0f66e876502d95fa2afe91a5ca92b34c5cc115 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 24 Mar 2021 12:38:00 +0100
Subject: [PATCH 3/5] refactor: change level
---
 rules/network/net_mal_dns_cobaltstrike.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
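Review bot: The three `query|startswith` prefixes appear to be the default labels of a Cobalt Strike DNS beacon, and those labels can be changed by the operator in the Malleable C2 profile, so the rule only covers default configurations and should say so; a comment above `query|startswith:` such as `# default DNS-beacon labels; they are profile-configurable, so a changed profile will not match` keeps that limitation visible to maintainers. A short prefix such as `post.1` also matches any ordinary hostname that happens to begin that way, which `falsepositives: - Unknown` does not reflect; naming that class of collision there would help triage. The updated `modified` date and the added sekoia reference are fine.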
diff --git a/rules/network/net_mal_dns_cobaltstrike.yml b/rules/network/net_mal_dns_cobaltstrike.yml
index b7efbe5c2..3775bc795 100644
--- a/rules/network/net_mal_dns_cobaltstrike.yml
+++ b/rules/network/net_mal_dns_cobaltstrike.yml
@@ -18,7 +18,7 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: high
+level: critical
 tags:
 - attack.command_and_control
 - attack.t1071 # an old one
From 65a11dde5281a661844d64ecbdabdaa79e66c8a1 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 9 Apr 2021 15:55:14 +0200
Subject: [PATCH 4/5] fix: rules causing too many false positives
---
 .../builtin/win_invoke_obfuscation_via_var++_services.yml | 2 +-
 .../powershell/powershell_invoke_obfuscation_via_var++.yml | 4 ++--
 .../sysmon_always_install_elevated_windows_installer.yml | 4 ++--
 .../process_creation/win_invoke_obfuscation_via_var++.yml | 2 +-
 rules/windows/process_creation/win_susp_rar_flags.yml | 3 +--
 5 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml
index fb74d50bf..0504ec1d4 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml
@@ -17,7 +17,7 @@ falsepositives:
 level: high
 detection:
 selection_1:
- - ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r'
+ - ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
 condition: selection and selection_1
 ---
 logsource:
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml
index 62f796ce2..ac20a73c2 100644
--- a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml
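Review bot: The context below the changed `level` still carries only `attack.t1071 # an old one`; since this rule's logsource is `category: dns`, the current mapping is the sub-technique `attack.t1071.004` (Application Layer Protocol: DNS) and it should be added next to the old tag, which the author's own comment already marks as outdated. Raising `level` to `critical` while `falsepositives` still reads `Unknown`, right after a prefix was dropped from this rule for false positives, also deserves a one-line justification in the description. The `tags` list continues past the end of the hunk.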
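Review bot: Dropping `|\/r` removes the unanchored alternation that caused the false positives, but it also drops coverage of `cmd /r`, which cmd.exe treats the same as `/c`; a character class keeps both without a top-level `|`: `- ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/[cr]' # /c or /r`. The same applies to the `Payload|re` line in powershell_invoke_obfuscation_via_var++.yml and the `CommandLine|re` line in win_invoke_obfuscation_via_var++.yml in this commit. The trailing comment `# FPs with |\/r` records the symptom but not the cause; `# a top-level | made the \/r branch match anything containing /r` would tell the next maintainer why the alternation must not come back.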
@@ -17,10 +17,10 @@ logsource:
 detection:
 selection_1:
 EventID: 4104
- ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r'
+ ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c/c' # FPs with |\/r
 selection_2:
 EventID: 4103
- Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r'
+ Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
 condition: selection_1 or selection_2
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml b/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
index 30cb9b428..8d89e217b 100644
--- a/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
+++ b/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
@@ -33,5 +33,5 @@ fields:
 - Image
 falsepositives:
 - System administrator Usage
- - Penetration test
-level: high
\ No newline at end of file
+ - Penetration test
+level: medium
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml
index 248c69830..caeadc4e8 100644
--- a/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml
+++ b/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml
@@ -16,7 +16,7 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r'
+ CommandLine|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/win_susp_rar_flags.yml b/rules/windows/process_creation/win_susp_rar_flags.yml
index 67e7d2e28..16413091f 100644
--- a/rules/windows/process_creation/win_susp_rar_flags.yml
+++ b/rules/windows/process_creation/win_susp_rar_flags.yml
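Review bot: The new `ScriptBlockText|re` value ends in `\/c/c`, one `/c` more than the `Payload|re` line below it and the other two rules in this commit, so selection_1 now requires the literal text `/c/c` after `cmd` and will not match the intended `cmd /c`; it should end in `\/c'` like the others: `ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r`. Because `condition: selection_1 or selection_2` still fires through the 4103 path, the regression shows up only as missing 4104 matches, which is easy to overlook in testing.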
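Review bot: Both sides of the sysmon_always_install_elevated_windows_installer.yml hunk end with `\ No newline at end of file`, so the commit rewrites the last line and still leaves the file without a trailing newline; terminating `level: medium` with a newline clears the yamllint new-line-at-end-of-file finding and stops the next edit from showing as a two-line change again. The `- Penetration test` line is removed and re-added with no visible difference, which looks like a trailing-whitespace or line-ending change; if so, normalising the file once is cleaner than carrying it in an unrelated level change.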
@@ -11,8 +11,7 @@ tags:
 - attack.collection
 - attack.t1560.001
 - attack.exfiltration # an old one
- - attack.t1002 # an old one
-
+ - attack.t1002 # an old one
 logsource:
 category: process_creation
 product: windows
From 897da252f15d923b50144551bbe2fe1acb19bc00 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 9 Apr 2021 16:45:07 +0200
Subject: [PATCH 5/5] fix: missing new line placeholder escape
---
 .../powershell/powershell_cmdline_special_characters.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/powershell/powershell_cmdline_special_characters.yml b/rules/windows/powershell/powershell_cmdline_special_characters.yml
index ec328a9a2..d4c131fb2 100644
--- a/rules/windows/powershell/powershell_cmdline_special_characters.yml
+++ b/rules/windows/powershell/powershell_cmdline_special_characters.yml
@@ -26,7 +26,7 @@ detection:
 CommandLine|re: '.*{.*{.*{.*{.*{.*'
 selection4:
 Image|endswith: '\powershell.exe'
- CommandLine|re: '.*^.*^.*^.*^.*^.*'
+ CommandLine|re: '.*\^.*\^.*\^.*\^.*\^.*'
 selection5:
 Image|endswith: '\powershell.exe'
 CommandLine|re: '.*`.*`.*`.*`.*`.*'
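Review bot: The same unescaped-metacharacter problem remains two lines above the fix, in selection3, where `CommandLine|re: '.*{.*{.*{.*{.*{.*'` leaves `{` unescaped; PCRE-style engines treat a `{` that does not form a quantifier as a literal, but Java's Pattern rejects it as an illegal repetition, so a backend built on it would fail to compile the rule. Escaping it as `CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*'` makes the rule portable and matches the treatment of `^` in this hunk. The `^` fix itself is right: as an anchor, `.*^.*^.*^.*^.*^.*` could match any command line on most engines rather than five literal carets, so the old selection4 fired far too broadly. selection5's backtick pattern needs no escaping.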