From cc457436694499881355f22bd1d3964f60cbcd99 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 29 Mar 2022 15:21:47 +0200
Subject: [PATCH] refactor: more robust reg add ImagePath rule

---
 ..._creation_win_reg_service_imagepath_change.yml | 15 +++++++++------
 ..._creation_win_susp_powershell_iex_patterns.yml | 1 +
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml b/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml
index c17fe5de4..0cff37fc3 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml
@@ -9,19 +9,22 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe
 author: frack113
 date: 2021/12/30
+modified: 2022/03/29
 logsource:
 category: process_creation
 product: windows
 detection:
 selection:
- Image|endswith: \reg.exe
+ Image|endswith: \reg.exe
 CommandLine|contains|all:
 - 'add '
- - 'HKLM\SYSTEM\CurrentControlSet\Services\'
- - '/v '
- - 'ImagePath '
- - '/d '
- condition: selection
+ - 'SYSTEM\CurrentControlSet\Services\'
+ - ' ImagePath '
+ selection_value:
+ CommandLine|contains:
+ - ' /d '
+ - ' -d '
+ condition: all of selection*
 falsepositives:
 - Unknown
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml
index 47fce53b0..7f0a7ba3e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml
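Review bot: The new `selection` still identifies the tool only by `Image|endswith: \reg.exe`, so a copy of reg.exe launched under another name (`copy reg.exe r.exe` is a routine evasion) changes ImagePath with exactly the command-line tokens this hunk matches and never trips the rule. Process-creation sources that carry the PE's OriginalFileName let the image criterion be an OR of the path and `OriginalFileName: 'reg.exe'`; since the condition is already `all of selection*`, this only needs the image and command-line criteria split into separate selections, as below. Two smaller points on the tokens: `' ImagePath '` requires a trailing space, so a command line that ends in `/v ImagePath` or quotes the value name (`/v "ImagePath"`) is not matched, and dropping `HKLM\` correctly also covers the `HKEY_LOCAL_MACHINE\` spelling but now matches `reg add` against an `HKLM\SYSTEM\CurrentControlSet\Services\` path under any hive prefix, which appears intended; a one-line comment on `selection_value` noting that both `/d` and `-d` switch forms are accepted by reg.exe would tell the next maintainer why the second selection exists.
```yaml
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'add '
            - 'SYSTEM\CurrentControlSet\Services\'
            - ' ImagePath '
    # … unchanged: selection_value …
    condition: all of selection*
```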
@@ -4,6 +4,7 @@ status: experimental
 description: Detects suspicious ways to run Invoke-Execution using IEX acronym
 author: Florian Roth
 date: 2022/03/24
+modified:
 references:
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2
 logsource:
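Review bot: The added `modified:` line carries no value, so YAML reads the field as null rather than a date string, and the Sigma schema and rule linters presumably reject it (the sibling rule in this same commit sets `modified: 2022/03/29`, which is what was likely intended here). Either give it the revision date, `modified: 2022/03/29`, or leave the line out entirely; an empty key is worse than no key because it looks like a deliberate value to downstream tooling.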