Merge branch 'master' into rule-devel

2022-05-16 16:05:12 +02:00
parent 9138730dd6 17369f2671
commit 54d5f3ad67
225 changed files with 1222 additions and 749 deletions
@@ -0,0 +1,13 @@
+# These are supported funding model platforms
+
+github: [thomaspatzke]
+patreon: # Replace with a single Patreon username
+open_collective: # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+otechie: # Replace with a single Otechie username
+lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry
+custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']
@@ -24,5 +24,5 @@ detection:
          ObjectName: '\Device\ConDrv'
    condition: selection
 falsepositives:
-    - legal admin action
+    - Legal admin action
 level: low
@@ -12,14 +12,12 @@ logsource:
  service: activitylogs
 detection:
    selection1:
-          properties.message|startswith:
-            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO
+          properties.message|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO
          properties.message|endswith:
            - /MUTATINGWEBHOOKCONFIGURATIONS/WRITE
            - /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE
    selection2:
-          properties.message|startswith:
-            - MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO
+          properties.message|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO
          properties.message|endswith:
            - /MUTATINGWEBHOOKCONFIGURATIONS/WRITE
            - /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE
@@ -14,14 +14,12 @@ logsource:
    service: activitylogs
 detection:
    selection1:
-          properties.message|startswith:
-            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH
+          properties.message|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH
          properties.message|endswith:
            - /CRONJOBS/WRITE
            - /JOBS/WRITE
    selection2:
-          properties.message|startswith:
-            - MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH
+          properties.message|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH
          properties.message|endswith:
            - /CRONJOBS/WRITE
            - /JOBS/WRITE
@@ -32,5 +30,5 @@ tags:
    - attack.privilege_escalation
    - attack.execution
 falsepositives:
-    - Azure Kubernetes CronJob/Job may be done by a system administrator. 
+    - Azure Kubernetes CronJob/Job may be done by a system administrator.
    - If known behavior is causing false positives, it can be exempted from the rule.
@@ -11,8 +11,7 @@ logsource:
  service: activitylogs
 detection:
    selection1:
-        properties.message: 
-            - MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION
+        properties.message: MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION
    condition: selection1
 level: high
 falsepositives:
@@ -11,13 +11,12 @@ logsource:
  service: activitylogs
 detection:
    selection:
-        properties.message: 
-            - MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE
+        properties.message: MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE
    condition: selection
 level: medium
 tags:
    - attack.impact
 falsepositives:
- - Suppression Rule being created may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Suppression Rule being created may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
 - Suppression Rule created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
@@ -12,16 +12,14 @@ logsource:
  service: gcp.audit
 detection:
    selection1:
-        gcp.audit.method_name|startswith: 
-            - admissionregistration.k8s.io.v*.mutatingwebhookconfigurations.
-        gcp.audit.method_name|endswith: 
+        gcp.audit.method_name|startswith: admissionregistration.k8s.io.v*.mutatingwebhookconfigurations.
+        gcp.audit.method_name|endswith:
            - create
            - patch
            - replace
    selection2:
-        gcp.audit.method_name|startswith: 
-            - admissionregistration.k8s.io.v*.validatingwebhookconfigurations.
-        gcp.audit.method_name|endswith: 
+        gcp.audit.method_name|startswith: admissionregistration.k8s.io.v*.validatingwebhookconfigurations.
+        gcp.audit.method_name|endswith:
            - create
            - patch
            - replace
@@ -18,7 +18,7 @@ detection:
    status: success
  condition: selection
 falsepositives:
-  -
+  - Unknown
 level: medium
 tags:
  - attack.initial_access
@@ -13,8 +13,7 @@ logsource:
  service: okta
 detection:
    selection:
-        displaymessage:
-            - User attempted unauthorized access to app
+        displaymessage: User attempted unauthorized access to app
    condition: selection
 level: medium
 tags:
@@ -15,8 +15,7 @@ logsource:
    service: security
 detection:
    selection:
-        EventID:
-            - 4800
+        EventID: 4800
    condition: selection
 falsepositives:
    - Unknown
@@ -15,12 +15,9 @@ logsource:
 detection:
   selection:
       type: EXECVE
-       a0:
-           - arecord
-       a1:
-           - '-vv'
-       a2:
-           - '-fdat'
+       a0: arecord
+       a1: '-vv'
+       a2: '-fdat'
   condition: selection
 tags:
   - attack.collection
@@ -12,8 +12,7 @@ logsource:
  service: auditd
 detection:
  selection:
-    key:
-      - 'susp_activity'
+    key: 'susp_activity'
  condition: selection
 falsepositives:
  - Admin or User activity
@@ -29,7 +29,7 @@ fields:
  - key
 falsepositives:
  - Legitimate administrative activity
-  - Ligitimate software, cleaning hist file
+  - Legitimate software, cleaning hist file
 level: medium
 tags:
  - attack.credential_access
@@ -16,12 +16,11 @@ detection:
    type: 'PATH'
    nametype: 'CREATE'
  name_1:
-    name|startswith: 
+    name|startswith:
         - '/usr/lib/systemd/system/'
         - '/etc/systemd/system/'
  name_2:
-    name|contains:
-         - '/.config/systemd/user/'
+    name|contains: '/.config/systemd/user/'
  condition: path and 1 of name_*
 falsepositives:
  - Admin work like legit service installs.
@@ -19,8 +19,7 @@ logsource:
 detection:
   commands:
       type: EXECVE
-       a0:
-           - unzip
+       a0: unzip
   a1:
       a1|endswith:
           - '.jpg'
@@ -3,7 +3,7 @@ id: f8341cb2-ee25-43fa-a975-d8a5a9714b39
 status: experimental
 description: Detects the usage of the unsafe bpftrace option
 author: Andreas Hunkeler (@Karneades)
-tags: 
+tags:
  - attack.execution
  - attack.t1059.004
 references:
@@ -15,10 +15,8 @@ logsource:
  product: linux
 detection:
  selection1:
-    Image|endswith:
-      - 'bpftrace'
-    CommandLine|contains:
-      - '--unsafe'
+    Image|endswith: 'bpftrace'
+    CommandLine|contains: '--unsafe'
  condition: selection1
 falsepositives:
  - Legitimate usage of the unsafe option
@@ -12,25 +12,19 @@ logsource:
  product: linux
 detection:
  selection_1:
-    Image|endswith:
-      - '/lastlog'
+    Image|endswith: '/lastlog'
  selection_2:
-    CommandLine|contains:
-      - '''x:0:'''
+    CommandLine|contains: '''x:0:'''
  selection_3:
-    Image|endswith:
-      - '/cat'
+    Image|endswith: '/cat'
    CommandLine|contains:
      - '/etc/passwd'
      - '/etc/sudoers'
  selection_4:
-    Image|endswith:
-      - '/id'
+    Image|endswith: '/id'
  selection_5:
-    Image|endswith:
-      - '/lsof'
-    CommandLine|contains:
-      - '-u'
+    Image|endswith: '/lsof'
+    CommandLine|contains: '-u'
  condition: 1 of selection*
 falsepositives:
  - Legitimate administration activities
@@ -12,13 +12,10 @@ logsource:
  product: linux
 detection:
  selection_1:
-    Image|endswith:
-      - '/groups'
+    Image|endswith: '/groups'
  selection_2:
-    Image|endswith:
-      - '/cat'
-    CommandLine|contains:
-      - '/etc/group'
+    Image|endswith: '/cat'
+    CommandLine|contains: '/etc/group'
  condition: 1 of selection*
 falsepositives:
  - Legitimate administration activities
@@ -12,10 +12,8 @@ logsource:
  product: linux
 detection:
  selection:
-    Image|endswith:
-      - 'crontab'
-    CommandLine|contains:
-      - '/tmp/'
+    Image|endswith: 'crontab'
+    CommandLine|contains: '/tmp/'
  condition: selection
 falsepositives:
  - Legitimate administration activities
@@ -5,7 +5,7 @@ description: Detects suspicious sub processes of web server processes
 references:
   - https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/
 date: 2021/10/15
-modified: 2022/03/14
+modified: 2022/05/09
 author: Florian Roth
 tags:
    - attack.persistence
@@ -26,18 +26,18 @@ detection:
      ParentCommandLine|contains|all:
         - '/bin/java'
         - 'tomcat'
-   selection_websphere:  # ? just guessing 
+   selection_websphere:  # ? just guessing
      ParentCommandLine|contains|all:
         - '/bin/java'
         - 'websphere'
   selection_sub_processes:
-      Image|endswith: 
+      Image|endswith:
         - '/whoami'
         - '/ifconfig'
         - '/usr/bin/ip'
         - '/bin/uname'
-   condition: selection_sub_processes and ( selection_general or selection_tomcat )
+   condition: selection_sub_processes and ( selection_general or selection_tomcat or selection_websphere)
 falsepositives:
-   - Web applications that invoke Linux command line tools 
+   - Web applications that invoke Linux command line tools
 level: critical

@@ -12,10 +12,8 @@ logsource:
  product: macos
 detection:
  selection:
-    Image|endswith:
-      - '/osascript'
-    CommandLine|contains|all:
-      - '-e'
+    Image|endswith: '/osascript'
+    CommandLine|contains: '-e'
  condition: selection
 falsepositives:
  - Application installers might contain scripts as part of the installation process.
@@ -12,15 +12,11 @@ logsource:
  category: process_creation
 detection:
  selection1:
-    Image|endswith:
-      - '/truncate'
-    CommandLine|contains:
-      - '-s'
+    Image|endswith: '/truncate'
+    CommandLine|contains: '-s'
  selection2:
-    Image|endswith:
-      - '/dd'
-    CommandLine|contains:
-      - 'if='
+    Image|endswith: '/dd'
+    CommandLine|contains: 'if='
  filter:
    CommandLine|contains: 'of='
  condition: selection1 or (selection2 and not filter)
@@ -12,10 +12,8 @@ logsource:
  product: macos
 detection:
  selection:
-    Image|endswith:
-      - '/dscl'
-    CommandLine|contains:
-      - 'create'
+    Image|endswith: '/dscl'
+    CommandLine|contains: 'create'
  condition: selection
 falsepositives:
  - Legitimate administration activities
@@ -12,10 +12,8 @@ logsource:
  category: process_creation
 detection:
  selection1:
-    Image|endswith:
-      - '/grep'
-    CommandLine|contains:
-      - 'password'
+    Image|endswith: '/grep'
+    CommandLine|contains: 'password'
  selection2:
    CommandLine|contains: 'laZagne'
  condition: selection1 or selection2
@@ -13,8 +13,7 @@ logsource:
    category: process_creation
 detection:
    selection1:
-        Image:
-            - '/usr/sbin/osascript'
+        Image: '/usr/sbin/osascript'
    selection2:
        CommandLine|contains|all:
            - '-e'
@@ -12,34 +12,27 @@ logsource:
  product: macos
 detection:
  selection_1:
-    Image|endswith:
-      - '/dscl'
+    Image|endswith: '/dscl'
    CommandLine|contains|all:
      - 'list'
      - '/users'
  selection_2:
-    Image|endswith:
-      - '/dscacheutil'
+    Image|endswith: '/dscacheutil'
    CommandLine|contains|all:
      - '-q'
      - 'user'
  selection_3:
-    CommandLine|contains:
-      - '''x:0:'''
+    CommandLine|contains: '''x:0:'''
  selection_4:
-    Image|endswith:
-      - '/cat'
+    Image|endswith: '/cat'
    CommandLine|contains:
      - '/etc/passwd'
      - '/etc/sudoers'
  selection_5:
-    Image|endswith:
-      - '/id'
+    Image|endswith: '/id'
  selection_6:
-    Image|endswith:
-      - '/lsof'
-    CommandLine|contains:
-      - '-u'
+    Image|endswith: '/lsof'
+    CommandLine|contains: '-u'
  condition: 1 of selection*
 falsepositives:
  - Legitimate administration activities
@@ -12,19 +12,15 @@ logsource:
  product: macos
 detection:
  selection_1:
-    Image|endswith:
-      - '/dscacheutil'
+    Image|endswith: '/dscacheutil'
    CommandLine|contains|all:
      - '-q'
      - 'group'
  selection_2:
-    Image|endswith:
-      - '/cat'
-    CommandLine|contains:
-      - '/etc/group'
+    Image|endswith: '/cat'
+    CommandLine|contains: '/etc/group'
  selection_3:
-    Image|endswith:
-      - '/dscl'
+    Image|endswith: '/dscl'
    CommandLine|contains|all:
      - '-list'
      - '/groups'
@@ -12,13 +12,10 @@ logsource:
  product: macos
 detection:
  selection_1:
-    Image|endswith:
-      - '/arp'
-    CommandLine|contains:
-      - '-a'
+    Image|endswith: '/arp'
+    CommandLine|contains: '-a'
  selection_2:
-    Image|endswith:
-      - '/ping'
+    Image|endswith: '/ping'
    CommandLine|contains:
      - ' 10.' #10.0.0.0/8
      - ' 192.168.' #192.168.0.0/16
@@ -12,10 +12,8 @@ logsource:
  product: macos
 detection:
  selection:
-    Image|endswith:
-      - '/crontab'
-    CommandLine|contains:
-      - '/tmp/'
+    Image|endswith: '/crontab'
+    CommandLine|contains: '/tmp/'
  condition: selection
 falsepositives:
  - Legitimate administration activities
@@ -22,7 +22,7 @@ detection:
  condition: selection
 falsepositives:
  - Legitimate administrative activity
-  - Ligitimate software, cleaning hist file
+  - Legitimate software, cleaning hist file
 level: medium
 tags:
  - attack.credential_access
@@ -24,5 +24,5 @@ fields:
    - id.resp_h
    - answers
 falsepositives:
-  - unknown
+  - Unknown
 level: low
@@ -33,6 +33,8 @@ detection:
        - '172.29.'
        - '172.30.'
        - '172.31.'
+        - 'fd'
+        - '2620:83:800f'
    #approved_rdp:
      #dst_ip:
        #- x.x.x.x
@@ -35,7 +35,7 @@ detection:
      - 'MsFteWds'
  condition: selection1 and not selection2
 falsepositives:
-  - update the excluded named pipe to filter out any newly observed legit named pipe
+  - Update the excluded named pipe to filter out any newly observed legit named pipe
 level: high
 tags:
  - attack.lateral_movement
@@ -32,7 +32,7 @@ fields:
  - SubjectUserName
  - RelativeTargetName
 falsepositives:
-  - Help Desk operator doing backup or re-imaging end user machine or pentest or backup software
+  - Help Desk operator doing backup or re-imaging end user machine or backup software
  - Users working with these data types or exchanging message files
 level: medium
 tags:
@@ -18,7 +18,7 @@ detection:
    service|startswith: '$'
  condition: selection and not computer_acct
 falsepositives:
-  - normal enterprise SPN requests activity
+  - Normal enterprise SPN requests activity
 level: medium
 tags:
  - attack.credential_access
@@ -13,8 +13,7 @@ logsource:
  category: proxy
 detection:
  selection:
-    r-dns:
-      - 'api.telegram.org'        # Often used by Bots
+    r-dns: 'api.telegram.org'  # Often used by Bots
  filter:
    c-useragent|contains:
            # Used https://core.telegram.org/bots/samples for this list
@@ -2,9 +2,9 @@ title: Bitsadmin to Uncommon TLD
 id: 9eb68894-7476-4cd6-8752-23b51f5883a7
 status: experimental
 description: Detects Bitsadmin connections to domains with uncommon TLDs - https://twitter.com/jhencinski/status/1102695118455349248 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
-author: Florian Roth
+author: Florian Roth, Tim Shelton
 date: 2019/03/07
-modified: 2021/08/09
+modified: 2022/05/09
 logsource:
    category: proxy
 detection:
@@ -15,6 +15,7 @@ detection:
            - '.com' 
            - '.net' 
            - '.org' 
+            - '.scdn.co' # spotify streaming
    condition: selection and not falsepositives
 fields:
    - ClientIP
@@ -14,5 +14,5 @@ detection:
    - '__pthread_tpp_change_priority: Assertion `new_prio == -1 || (new_prio >= fifo_min_prio && new_prio <= fifo_max_prio)'
  condition: keywords
 falsepositives:
-  - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185
+  - 3rd party apache modules - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185
 level: medium
@@ -17,12 +17,12 @@ tags:
    - attack.t1190
    - cve.2021.20090
    - cve.2021.20091
-logsource: 
+logsource:
  category: webserver
 detection:
  path_traversal:
-    c-uri|contains: # CVE-2021-20090 (Bypass Auth: Path Traversal)
-      - '..%2f'
+    # CVE-2021-20090 (Bypass Auth: Path Traversal)
+    c-uri|contains: '..%2f'
  config_file_inj:
    c-uri|contains|all: # Chaining of CVE-2021-20090 (Bypass Auth) and CVE-2021-20091 (Config File Injection)
      - '..%2f'
@@ -13,8 +13,7 @@ logsource:
  category: webserver
 detection:
  selection:
-    c-uri|contains:
-      - /manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00
+    c-uri|contains: /manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00
  condition: selection
 falsepositives:
  - Scanning from Nuclei
@@ -29,7 +29,7 @@ fields:
    - cs-method
    - cs-User-Agent
 falsepositives:
-    - web applications that use the same URL parameters as ReGeorg
+    - Web applications that use the same URL parameters as ReGeorg
 level: high
 tags:
    - attack.persistence
@@ -28,7 +28,7 @@ fields:
  - FileHash
  - Fqbn
 falsepositives:
-  - need tuning applocker or add exceptions in SIEM
+  - Need tuning applocker or add exceptions in SIEM
 level: medium
 tags:
  - attack.execution
@@ -4,7 +4,7 @@ description: backdooring domain object to grant the rights associated with DCSyn
    Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
 status: experimental
 date: 2019/04/03
-modified: 2022/05/05
+modified: 2022/05/10
 author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim Shelton
 references:
    - https://twitter.com/menasec1/status/1111556090137903104
@@ -24,7 +24,9 @@ detection:
         - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
         - '89e95b76-444d-4c62-991a-0facbeda640c'
    filter1:
-        ObjectType: 'dnsNode'
+        ObjectType:
+         - 'dnsNode'
+         - 'dnsZoneScope'
    condition: selection and not 1 of filter*
 falsepositives:
    - New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account.
@@ -34,5 +34,5 @@ detection:
        - ObjectName|contains: 'admin'
    condition: selection and selection_object
 falsepositives:
-    - if source account name is not an admin then its super suspicious
+    - If source account name is not an admin then its super suspicious
 level: high
@@ -15,8 +15,7 @@ detection:
  selection_base:
    EventID: 4704
  selection_keywords:
-    PrivilegeList|contains:
-      - 'SeEnableDelegationPrivilege'
+    PrivilegeList|contains: 'SeEnableDelegationPrivilege'
  condition: all of selection*
 falsepositives:
  - Unknown
@@ -22,7 +22,7 @@ detection:
      - '%%4417'
  condition: selection
 falsepositives:
-  - if the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks
+  - If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks
 level: high
 tags:
  - attack.persistence
@@ -38,7 +38,7 @@ detection:
      - 'sql\query'
  condition: selection1 and not false_positives
 falsepositives:
-  - update the excluded named pipe to filter out any newly observed legit named pipe
+  - Update the excluded named pipe to filter out any newly observed legit named pipe
 level: high
 tags:
  - attack.lateral_movement
@@ -23,6 +23,6 @@ detection:
        PasswordLastSet: '-'
    condition: selection and not filter
 falsepositives:
-    - automatic DC computer account password change
+    - Automatic DC computer account password change
    - Legitimate DC computer account password change
 level: high
@@ -67,8 +67,7 @@ detection:
            - C:\Windows\Temp\asgard2-agent\
            - C:\ProgramData\Microsoft\Windows Defender\Platform\
    filter2:
-        ProcessName|startswith:
-            - 'C:\Program Files'  # too many false positives with legitimate AV and EDR solutions
+        ProcessName|startswith: 'C:\Program Files'  # too many false positives with legitimate AV and EDR solutions
    filter3:
        ProcessName: 'C:\Windows\CCM\CcmExec.exe'
    condition: 1 of selection_* and not 1 of filter*
@@ -34,6 +34,6 @@ fields:
    - SubjectUserName
    - RelativeTargetName
 falsepositives:
-    - Help Desk operator doing backup or re-imaging end user machine or pentest or backup software
+    - Help Desk operator doing backup or re-imaging end user machine or backup software
    - Users working with these data types or exchanging message files
 level: medium
@@ -0,0 +1,22 @@
+title: KrbRelayUp Service Installation
+id: e97d9903-53b2-41fc-8cb9-889ed4093e80
+status: experimental
+description: Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)
+author: Sittikorn S
+date: 2022/05/11
+references:
+  - https://github.com/Dec0ne/KrbRelayUp
+logsource:
+  product: windows
+  category: system
+detection:
+  selection:
+    EventID: '7045'
+    ServiceName: 'KrbSCM'
+  condition: selection
+falsepositives:
+  - Unknown
+level: high
+tags:
+  - attack.privilege_escalation
+  - attack.t1543
@@ -14,7 +14,7 @@ detection:
    Caption: 'sysmon64.exe - Application Error'
  condition: selection
 falsepositives:
-  - none
+  - Unknown
 level: high
 tags:
  - attack.t1562
@@ -12,8 +12,7 @@ detection:
  selection:
    EventID: 106
  filter1:
-    TaskName: 
-      - \Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan
+    TaskName: \Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan
  timeframe: 7d
  condition: selection and not 1 of filter* | count() by TaskName < 5
 falsepositives:
@@ -17,8 +17,7 @@ logsource:
    service: windefend
 detection:
    selection:
-        EventID:
-            - 5013
+        EventID: 5013
        Value|endswith:
            - '\Windows Defender\DisableAntiSpyware = 0x1()'
            - '\Real-Time Protection\DisableRealtimeMonitoring = (Current)'
@@ -13,7 +13,7 @@ detection:
    ImageLoaded|contains: '\Temp\'
  condition: selection
 falsepositives:
-  - there is a relevant set of false positives depending on applications in the environment
+  - There is a relevant set of false positives depending on applications in the environment
 level: high
 tags:
  - attack.persistence
@@ -21,8 +21,7 @@ logsource:
    product: windows
 detection:
    selection:
-        TargetFilename|contains: 
-            - 'C:\Windows\System32\spool\drivers\x64\3\old\1\123'
+        TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\old\1\123'
    condition: selection
 fields:
    - ComputerName
@@ -14,13 +14,12 @@ logsource:
    category: file_event
 detection:
    selection:
-        TargetFilename|endswith: 
+        TargetFilename|endswith:
            - '.iso.lnk'
            - '.img.lnk'
            - '.vhd.lnk'
            - '.vhdx.lnk'
-        TargetFilename|contains:
-            - '\Microsoft\Windows\Recent\'
+        TargetFilename|contains: '\Microsoft\Windows\Recent\'
    condition: selection
 falsepositives:
    - Cases in which a user mounts an image file for legitimate reasons
@@ -12,10 +12,9 @@ tags:
 logsource:
    product: windows
    category: file_event
-detection: 
+detection:
   mimikatz_memssp_filename:
-      TargetFilename|endswith:
-         - 'mimilsa.log'
+      TargetFilename|endswith: 'mimilsa.log'
   condition: mimikatz_memssp_filename
 falsepositives:
   - Unlikely
@@ -1,6 +1,6 @@
 title: Suspcious CLR Logs Creation
 id: e4b63079-6198-405c-abd7-3fe8b0ce3263
-description: Detects suspicious .NET assembly executions. Could detect using Cobalt Strike's command execute-assembly. 
+description: Detects suspicious .NET assembly executions. Could detect using Cobalt Strike's command execute-assembly.
 references:
    - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
    - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
@@ -33,5 +33,5 @@ detection:
          - 'svchost'
    condition: selection
 falsepositives:
-  - https://twitter.com/SBousseaden/status/1388064061087260675 - rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process
+  - Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675
 level: high
@@ -21,7 +21,7 @@ detection:
  condition: selection and not filter
 falsepositives:
  - Operations performed through Windows SCCM or equivalent
-  - read only access list authority
+  - Read only access list authority
 level: medium
 tags:
  - attack.persistence
@@ -6,7 +6,7 @@ author: frack113
 references:
  - Malware Sandbox
 date: 2022/03/09
-modified: 2022/04/28
+modified: 2022/05/08
 logsource:
  product: windows
  category: file_event
@@ -14,6 +14,11 @@ detection:
  selection:
    Image|endswith: '.exe'
    TargetFilename|endswith: '.exe'
+  filter_whitelist:
+    Image: 
+      - 'C:\Windows\System32\msiexec.exe'
+      - 'C:\Windows\system32\cleanmgr.exe'
+      - 'C:\Windows\explorer.exe'
  filter_update:
    Image: 'C:\WINDOWS\system32\svchost.exe'
    TargetFilename|startswith: 'C:\Windows\SoftwareDistribution\Download\Install\'
@@ -21,10 +26,6 @@ detection:
  filter_tiworker:
    Image|startswith: 'C:\Windows\WinSxS\'
    Image|endswith: '\TiWorker.exe'
-  filter_msiexec:
-    Image: 'C:\Windows\System32\msiexec.exe'
-  filter_cleanmgr:
-    Image: 'C:\WINDOWS\system32\cleanmgr.exe'
  filter_programfiles:
    - Image|startswith:
      - 'C:\Program Files\'
@@ -0,0 +1,29 @@
+title: Creation of an WerFault.exe in Unusual Folder
+id: 28a452f3-786c-4fd8-b8f2-bddbe9d616d1
+status: experimental
+description: Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking
+author: frack113
+references:
+  - https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/
+date: 2022/05/09
+logsource:
+  product: windows
+  category: file_event
+detection:
+  selection:
+    TargetFilename|endswith:
+      - '\WerFault.exe'
+      - '\wer.dll'
+  filter_whitelist:
+    TargetFilename|contains:
+      - '\System32\'
+      - '\SysWOW64\'
+      - '\WinSxS\'
+  condition: selection and not filter_whitelist
+falsepositives:
+  - Unknown
+level: high
+tags:
+  - attack.persistence
+  - attack.defense_evasion
+  - attack.t1574.001
@@ -15,10 +15,10 @@ detection:
    to_dll:
        TargetFilename|endswith: '.dll'
    filter_from_dll:
-        - OriginalFilename|endswith: 
+        - OriginalFilename|endswith:
            - '.dll'
            - '.tmp'  # VSCode FP
-        - OriginalFilename|contains: 
+        - OriginalFilename|contains:
            - '.dll.'
            - '\SquirrelTemp\temp'
    filter_tiworker:
@@ -12,13 +12,10 @@ logsource:
  product: windows
 detection:
  selection:
-    Image|endswith:
-      - fxssvc.exe
-    ImageLoaded|endswith:
-      - ualapi.dll
+    Image|endswith: fxssvc.exe
+    ImageLoaded|endswith: ualapi.dll
  filter:
-    ImageLoaded|startswith:
-      - C:\Windows\WinSxS\
+    ImageLoaded|startswith: C:\Windows\WinSxS\
  condition: selection and not filter
 falsepositives:
  - Unlikely
@@ -12,8 +12,7 @@ logsource:
  product: windows
 detection:
  selection:
-    Image|endswith:
-      - '\notepad.exe'
+    Image|endswith: '\notepad.exe'
    ImageLoaded|endswith:
      - '\samlib.dll'
      - '\WinSCard.dll'
@@ -17,8 +17,7 @@ detection:
      - '\powerpnt.exe'
      - '\excel.exe'
      - '\outlook.exe'
-    ImageLoaded|startswith:
-      - 'C:\Windows\assembly\'
+    ImageLoaded|startswith: 'C:\Windows\assembly\'
  condition: selection
 falsepositives:
  - Alerts on legitimate macro usage as well, will need to filter as appropriate
@@ -17,8 +17,7 @@ detection:
      - '\powerpnt.exe'
      - '\excel.exe'
      - '\outlook.exe'
-    ImageLoaded|contains:
-      - '\clr.dll'
+    ImageLoaded|contains: '\clr.dll'
  condition: selection
 falsepositives:
  - Alerts on legitimate macro usage as well, will need to filter as appropriate
@@ -17,8 +17,7 @@ detection:
      - '\powerpnt.exe'
      - '\excel.exe'
      - '\outlook.exe'
-    ImageLoaded|startswith:
-      - 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL'
+    ImageLoaded|startswith: 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL'
  condition: selection
 falsepositives:
  - Alerts on legitimate macro usage as well, will need to filter as appropriate
@@ -17,8 +17,7 @@ detection:
      - '\powerpnt.exe'
      - '\excel.exe'
      - '\outlook.exe'
-    ImageLoaded|contains:
-      - '\dsparse.dll'
+    ImageLoaded|contains: '\dsparse.dll'
  condition: selection
 falsepositives:
  - Alerts on legitimate macro usage as well, will need to filter as appropriate
@@ -17,8 +17,7 @@ detection:
      - '\powerpnt.exe'
      - '\excel.exe'
      - '\outlook.exe'
-    ImageLoaded|endswith:
-      - '\kerberos.dll'
+    ImageLoaded|endswith: '\kerberos.dll'
  condition: selection
 falsepositives:
  - Alerts on legitimate macro usage as well, will need to filter as appropriate
@@ -7,18 +7,17 @@ date: 2021/07/07
 modified: 2022/05/06
 references:
    - 1bd85e1caa1415ebdc8852c91e37bbb7
-    - https://twitter.com/am0nsec/status/1412232114980982787    
+    - https://twitter.com/am0nsec/status/1412232114980982787
 tags:
    - attack.defense_evasion
-    - attack.impact 
+    - attack.impact
    - attack.t1490
 logsource:
    category: image_load
    product: windows
 detection:
    selection:
-        ImageLoaded|endswith:
-            - '\vss_ps.dll'
+        ImageLoaded|endswith: '\vss_ps.dll'
    filter:
        Image|endswith:
            - '\svchost.exe'
@@ -39,4 +38,4 @@ detection:
    condition: selection and not filter
 falsepositives:
    - Unknown
-level: high 
+level: high
@@ -12,15 +12,13 @@ logsource:
  product: windows
 detection:
  selection:
-    Image|endswith:
-      - '\svchost.exe'
+    Image|endswith: '\svchost.exe'
    ImageLoaded|endswith:
      - '\tsmsisrv.dll'
      - '\tsvipsrv.dll'
      - '\wlbsctrl.dll'
  filter:
-    ImageLoaded|startswith:
-      - 'C:\Windows\WinSxS\'
+    ImageLoaded|startswith: 'C:\Windows\WinSxS\'
  condition: selection and not filter
 falsepositives:
  - Unknown
@@ -18,13 +18,10 @@ logsource:
    product: windows
 detection:
    selection:
-        Image|endswith:
-            - '\dism.exe'
-        ImageLoaded|endswith:
-            - '\dismcore.dll'
+        Image|endswith: '\dism.exe'
+        ImageLoaded|endswith: '\dismcore.dll'
    filter:
-        ImageLoaded:
-            - 'C:\Windows\System32\Dism\dismcore.dll'
+        ImageLoaded: 'C:\Windows\System32\Dism\dismcore.dll'
    condition: selection and not filter
 falsepositives:
    - Actions of a legitimate telnet client
@@ -38,5 +38,5 @@ detection:
        - Image|contains: '\Local\Microsoft\OneDrive\'
    condition: selection and not filter
 falsepositives:
-    - other legitimate processes loading those DLLs in your environment.
+    - Other legitimate processes loading those DLLs in your environment.
 level: medium
@@ -41,7 +41,7 @@ detection:
  condition: selection and not filter
 falsepositives:
  - Other Remote Desktop RDP tools
-  - domain controller using dns.exe
+  - Domain controller using dns.exe
 level: high
 tags:
  - attack.lateral_movement
@@ -6,7 +6,7 @@ related:
 status: experimental
 description: Detects keywords that could indicate clearing PowerShell history
 date: 2019/10/25
-modified: 2021/10/16
+modified: 2022/05/10
 author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
 references:
    - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
@@ -18,19 +18,24 @@ logsource:
    category: ps_module
    definition: PowerShell Module Logging must be enabled
 detection:
-    selection_payload_1:
+    selection_1a_payload:
        Payload|contains:
            - 'del'
            - 'Remove-Item'
            - 'rm'
-        Payload|contains|all:
-            - '(Get-PSReadlineOption).HistorySavePath'
+    selection_1b_payload:
+        Payload|contains: '(Get-PSReadlineOption).HistorySavePath'
    selection_payload_2:
        Payload|contains|all:
            - 'Set-PSReadlineOption'
-            - '–HistorySaveStyle'
+            - '–HistorySaveStyle'  # not sure if the homoglyph –/- is intended, just checking for both
            - 'SaveNothing'
-    condition: selection_payload_1 or selection_payload_2
+    selection_payload_3:
+        Payload|contains|all:
+            - 'Set-PSReadlineOption'
+            - '-HistorySaveStyle'
+            - 'SaveNothing'
+    condition: 1 of selection_payload_* or all of selection_1*
 falsepositives:
    - Legitimate PowerShell scripts
 level: medium
@@ -22,5 +22,5 @@ detection:
            - 'DatabasePath '
    condition: selection
 falsepositives:
-    - unknown
+    - Unknown
 level: high
@@ -22,8 +22,7 @@ detection:
            - ' = ServerRemoteHost ' #  HostName: 'ServerRemoteHost'  french : Nom d’hôte = 
            - 'wsmprovhost.exe'      #  HostApplication|contains: 'wsmprovhost.exe' french  Application hôte = 
    false_positive_1:
-        ContextInfo|contains:
-            - '\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1'
+        ContextInfo|contains: '\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1'
    condition: selection and not 1 of false_positive*

 falsepositives:
@@ -9,24 +9,30 @@ author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
 references:
    - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
 date: 2022/01/25
+modified: 2022/05/10
 logsource:
    product: windows
    category: ps_script
    definition: Script block logging must be enabled
 detection:
-    selection_1:
+    selection1a:
        ScriptBlockText|contains:
            - 'del'
            - 'Remove-Item'
            - 'rm'
-        ScriptBlockText|contains|all: 
-            - '(Get-PSReadlineOption).HistorySavePath'
+    selection1b:
+        ScriptBlockText|contains: '(Get-PSReadlineOption).HistorySavePath'
    selection_2:
        ScriptBlockText|contains|all:
            - 'Set-PSReadlineOption'
-            - '–HistorySaveStyle'
+            - '–HistorySaveStyle'  # not sure if the homoglyph –/- is intended, just checking for both
            - 'SaveNothing'
-    condition: 1 of selection_*
+    selection_3:
+        ScriptBlockText|contains|all:
+            - 'Set-PSReadlineOption'
+            - '-HistorySaveStyle'
+            - 'SaveNothing'
+    condition: 1 of selection_* or all of selection1*
 falsepositives:
    - Legitimate PowerShell scripts
 level: medium
@@ -11,10 +11,9 @@ references:
 logsource:
      product: windows
      category: ps_script
-detection: 
+detection:
    selection1:
-        ScriptBlockText|contains:
-            - Clear-History
+        ScriptBlockText|contains: Clear-History
    selection2a:
        ScriptBlockText|contains:
            - Remove-Item
@@ -26,5 +26,5 @@ detection:
            - '[IO.File]::SetLastWriteTime'
    condition: selection_ioc
 falsepositives:
-    - Legitimeate admin script
+    - Legitimate admin script
 level: medium
@@ -4,15 +4,28 @@ description: Detects the usage of the direct syscall of NtOpenProcess which migh
 references:
    - https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6
 status: experimental
-author: Christian Burkard
+author: Christian Burkard, Tim Shelton
 date: 2021/07/28
+modified: 2022/05/15
 logsource:
    category: process_access
    product: windows
 detection:
    selection:
        CallTrace|startswith: 'UNKNOWN'
-    condition: selection
+    falsepositive1:
+        TargetImage: 'C:\Program Files\Cylance\Desktop\CylanceUI.exe'
+        SourceImage: 'C:\Windows\Explorer.EXE'
+    falsepositive2:
+        TargetImage: 'C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe'
+        SourceImage: 'C:\Program Files (x86)\Microsoft\Temp\*\MicrosoftEdgeUpdate.exe'
+    falsepositive3:
+        TargetImage|endswith: 'vcredist_x64.exe'
+        SourceImage|endswith: 'vcredist_x64.exe'
+    falsepositive4:
+        TargetImage: 'C:\Windows\system32\systeminfo.exe'
+        SourceImage|endswith: 'setup64.exe' #vmware
+    condition: selection and not 1 of falsepositive*
 falsepositives:
    - Unknown
 level: critical
@@ -72,8 +72,7 @@ detection:
        - TargetImage|endswith: '\Microsoft VS Code\Code.exe'
        - CallTrace|contains: '|C:\WINDOWS\System32\RPCRT4.dll+'  # attempt to save the rule with a broader filter
    filter_set_1:
-        SourceImage:
-            - 'C:\WINDOWS\Explorer.EXE'
+        SourceImage: 'C:\WINDOWS\Explorer.EXE'
        TargetImage:
            - 'C:\WINDOWS\system32\backgroundTaskHost.exe'
            - 'C:\WINDOWS\explorer.exe'
@@ -26,5 +26,5 @@ tags:
    - attack.t1021.006
    - attack.s0002
 falsepositives:
-    - low
+    - Unlikely
 level: high
@@ -59,8 +59,7 @@ detection:
        SourceImage|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
-        SourceImage|contains:
-            - 'Antivirus'
+        SourceImage|contains: 'Antivirus'
    filter7:
        SourceImage: 'C:\WINDOWS\system32\wbem\wmiprvse.exe'
    filter8:
@@ -69,7 +68,7 @@ detection:
        SourceImage: 'C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHOST.exe'
    filter_nextron:
        SourceImage|startswith: 'C:\Windows\Temp\asgard2-agent\'
-        SourceImage|endswith: 
+        SourceImage|endswith:
            - '\thor64.exe'
            - '\thor.exe'
    # Generic Filter for 0x1410 filter (caused by so many programs like DropBox updates etc.)
@@ -77,8 +77,7 @@ detection:
        SourceImage|startswith:
            - 'C:\Progra Files\'
            - 'C:\Progra Files (x86)\'
-        SourceImage|contains:
-            - 'Antivirus'
+        SourceImage|contains: 'Antivirus'
    filter_mrt:
        SourceImage: 'C:\WINDOWS\system32\MRT.exe'
        GrantedAccess: '0x1418'
@@ -86,7 +85,7 @@ detection:
        SourceImage: 'C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHOST.exe'
    filter_nextron:
        SourceImage|startswith: 'C:\Windows\Temp\asgard2-agent\'
-        SourceImage|endswith: 
+        SourceImage|endswith:
            - '\thor64.exe'
            - '\thor.exe'
        GrantedAccess: '0x1fffff'
@@ -19,8 +19,7 @@ detection:
    ParentImage|contains|all:
      - '\Windows\Installer\'
      - 'msi'
-    ParentImage|endswith:
-      - 'tmp'
+    ParentImage|endswith: 'tmp'
  condition: image and parent_image
 fields:
  - Image
@@ -13,8 +13,7 @@ logsource:
  product: windows
 detection:
  selection:
-    Image|endswith:
-      - '\crackmapexec.exe'
+    Image|endswith: '\crackmapexec.exe'
  condition: selection
 falsepositives:
  - Unknown
@@ -13,7 +13,7 @@ references:
    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
 tags:
    - attack.credential_access
-    - attack.t1212 
+    - attack.t1212
    - attack.command_and_control
    - attack.t1071
 logsource:
@@ -25,8 +25,7 @@ detection:
            - ':\Program Files(x86)\'
            - ':\Program Files\'
    legitimate_executable:
-        sha1:
-            - 'e570585edc69f9074cb5e8a790708336bd45ca0f'
+        sha1: 'e570585edc69f9074cb5e8a790708336bd45ca0f'
    condition: legitimate_executable and not legitimate_process_path
 falsepositives:
    - Unknown
@@ -25,8 +25,7 @@ detection:
            - '/transfer'
            - 'CSIDL_APPDATA'
    selection2:
-        CommandLine|contains:
-            - 'CSIDL_SYSTEM_DRIVE'
+        CommandLine|contains: 'CSIDL_SYSTEM_DRIVE'
    selection3:
        CommandLine|contains:
            - '\msf.ps1'
@@ -7,7 +7,7 @@ references:
 tags:
    - attack.g0032
    - attack.execution
-    - attack.t1106 
+    - attack.t1106
 author: Bhabesh Raj
 date: 2021/04/20
 modified: 2021/06/27
@@ -20,15 +20,11 @@ detection:
            - 'mshta'
            - '.zip'
    selection2:
-        ParentImage:
-            - 'C:\Windows\System32\wbem\wmiprvse.exe'
-        Image:
-            - 'C:\Windows\System32\mshta.exe'
+        ParentImage: 'C:\Windows\System32\wbem\wmiprvse.exe'
+        Image: 'C:\Windows\System32\mshta.exe'
    selection3:
-        ParentImage|contains:
-            - ':\Users\Public\'
-        Image:
-            - 'C:\Windows\System32\rundll32.exe'
+        ParentImage|contains: ':\Users\Public\'
+        Image: 'C:\Windows\System32\rundll32.exe'
    condition: 1 of selection*
 falsepositives:
    - Should not be any false positives
@@ -8,7 +8,7 @@ references:
 tags:
    - attack.g0032
    - attack.execution
-    - attack.t1059 
+    - attack.t1059
 author: Florian Roth
 date: 2020/12/23
 modified: 2021/06/27
@@ -32,8 +32,7 @@ detection:
            - ' > %temp%\~'
    # Network share discovery
    selection4:
-        CommandLine|contains:
-            - '.255 10 C:\ProgramData\'
+        CommandLine|contains: '.255 10 C:\ProgramData\'
    condition: 1 of selection*
 falsepositives:
    - Overlap with legitimate process activity in some cases (especially selection 3 and 4)
@@ -13,12 +13,9 @@ logsource:
  product: windows
 detection:
  selection:
-    Image|endswith:
-      - '\powershell.exe'
-    ParentImage|endswith:
-      - '\excel.exe'
-    CommandLine|contains:
-      - 'DataExchange.dll'
+    Image|endswith: '\powershell.exe'
+    ParentImage|endswith: '\excel.exe'
+    CommandLine|contains: 'DataExchange.dll'
  condition: selection
 falsepositives:
  - Unknown
@@ -22,7 +22,7 @@ detection:
    selection1:
        Image|contains: 'windows\system32\Physmem.sys'
    selection2:
-        Image|contains: 
+        Image|contains:
            - 'Windows\system32\ime\SHARED\WimBootConfigurations.ini'
            - 'Windows\system32\ime\IMEJP\WimBootConfigurations.ini'
            - 'Windows\system32\ime\IMETC\WimBootConfigurations.ini'
@@ -31,10 +31,9 @@ detection:
            - 'windows\system32\filepath2'
            - 'windows\system32\ime'
    registry_command:
-        CommandLine|contains:
-            - 'reg add'
+        CommandLine|contains: 'reg add'
    registry_key:
-        CommandLine|contains: 
+        CommandLine|contains:
            - 'HKEY_LOCAL_MACHINE\software\classes\clsid\{7c857801-7381-11cf-884d-00aa004b2e24}\inprocserver32'
            - 'HKEY_LOCAL_MACHINE\software\classes\clsid\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\inprocserver32'
    condition: selection1 or selection2 or (selection3 and registry_command and registry_key)
@@ -16,11 +16,9 @@ detection:
      - 'dll,MyStart'
      - 'dll MyStart'
  selection2a:
-    CommandLine|endswith:
-      - ' MyStart'
+    CommandLine|endswith: ' MyStart'
  selection2b:
-    CommandLine|contains:
-      - 'rundll32.exe'
+    CommandLine|contains: 'rundll32.exe'
  condition: selection1 or ( selection2a and selection2b )
 falsepositives:
  - Unknown
@@ -17,8 +17,7 @@ logsource:
    product: windows
 detection:
    selection1:
-        CommandLine|contains: 
-            - '7z.exe a -v500m -mx9 -r0 -p'
+        CommandLine|contains: '7z.exe a -v500m -mx9 -r0 -p'
    selection2:
        ParentCommandLine|contains|all:
            - 'wscript.exe'
@@ -32,14 +31,14 @@ detection:
        ParentCommandLine|contains: 'C:\Windows'
        CommandLine|contains: 'cmd.exe /C '
    selection4:
-        CommandLine|contains|all: 
+        CommandLine|contains|all:
            - 'rundll32 c:\windows\'
            - '.dll '
    specific1:
        ParentImage|endswith: '\rundll32.exe'
        Image|endswith: '\dllhost.exe'
    filter1:
-        CommandLine: 
+        CommandLine:
            - ' '
            - ''
    condition: selection1 or selection2 or selection3 or selection4 or ( specific1 and not filter1 )
--- a/Show More
+++ b/Show More