From 5ee9428e593c189ddcd032b925e87bc7a28c8d82 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 3 Nov 2022 09:39:48 +0100
Subject: [PATCH] Fix
---
 .../file_event_win_susp_dropper.yml | 11 +++++--
 ..._win_excel_outbound_network_connection.yml | 4 +--
 .../net_connection_win_susp_rdp.yml | 5 ++-
 .../posh_pm_alternate_powershell_hosts.yml | 2 ++
 .../powershell_script/posh_ps_susp_gwmi.yml | 12 +++++--
 ...ccess_win_in_memory_assembly_execution.yml | 31 +++++++++++++------
 6 files changed, 46 insertions(+), 19 deletions(-)
diff --git a/rules/windows/file/file_event/file_event_win_susp_dropper.yml b/rules/windows/file/file_event/file_event_win_susp_dropper.yml
index 1889fa5a8..ac94078be 100644
--- a/rules/windows/file/file_event/file_event_win_susp_dropper.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_dropper.yml
@@ -6,7 +6,7 @@ references:
 - Malware Sandbox
 author: frack113
 date: 2022/03/09
-modified: 2022/07/27
+modified: 2022/11/02
 tags:
 - attack.resource_development
 - attack.t1587.001
@@ -43,9 +43,16 @@ detection:
 Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
 filter_windows_apps:
 TargetFilename|contains: '\Microsoft\WindowsApps\'
+ filter_teams:
+ Image|startswith: 'C:\Users\'
+ Image|endswith: '\AppData\Local\Microsoft\Teams\Update.exe'
+ TargetFilename|startswith: 'C:\Users\'
+ TargetFilename|endswith: - '\AppData\Local\Microsoft\Teams\stage\Teams.exe' - '\AppData\Local\Microsoft\Teams\stage\Squirrel.exe'
 condition: selection and not 1 of filter_*
 falsepositives:
 - Software installers
 - Update utilities
-#Please contribute to FP to go up the level
+#Please contribute to FP to increase the level
 level: low
diff --git a/rules/windows/network_connection/net_connection_win_excel_outbound_network_connection.yml b/rules/windows/network_connection/net_connection_win_excel_outbound_network_connection.yml
index bd9b901e7..f06512b26 100644
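Review bot: The new `filter_teams` in file_event_win_susp_dropper.yml is anchored only on paths under `C:\Users\`, a location the logged-on user and anything running as that user can write to, so any process sitting at `…\AppData\Local\Microsoft\Teams\Update.exe` that writes `…\Teams\stage\Teams.exe` or `Squirrel.exe` is excluded without further evidence; the file-event log gives no signer field to tighten this, so the accepted gap should at least be recorded above the filter, e.g. `# Teams (Squirrel) self-update; path is user-writable, accepted trade-off`. The same user-profile-anchored shape reappears in `filter_teams_` of proc_access_win_in_memory_assembly_execution.yml later in this patch. The rewritten trailer comment `#Please contribute to FP to increase the level` still lacks the space after `#` that the other comments in this patch use; `# Please contribute FPs to raise the level` is the yamllint-clean form.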
--- a/rules/windows/network_connection/net_connection_win_excel_outbound_network_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_excel_outbound_network_connection.yml
@@ -2,8 +2,8 @@ title: Excel Network Connections
 id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84
 status: experimental
 description: |
- Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292.
- You will likely have to tune this rule for your organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292.
+ Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292.
+ You will likely have to tune this rule for your organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292.
 references:
 - https://corelight.com/blog/detecting-cve-2021-42292
 author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton
diff --git a/rules/windows/network_connection/net_connection_win_susp_rdp.yml b/rules/windows/network_connection/net_connection_win_susp_rdp.yml
index b33a326da..0c2e482b6 100755
--- a/rules/windows/network_connection/net_connection_win_susp_rdp.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_rdp.yml
@@ -44,9 +44,8 @@ detection:
 - '\Avast Software\Avast\AvastSvc.exe'
 - '\Ranger\SentinelRanger.exe' # sentinel one
 - '\Avast\AvastSvc.exe'
- - Image|startswith:
- - 'C:\Program Files\SplunkUniversalForwarder\bin\'
- - 'C:\Program Files\Mozilla Firefox\firefox.exe'
+ - Image|startswith: 'C:\Program Files\SplunkUniversalForwarder\bin\'
+ - Image: 'C:\Program Files\Mozilla Firefox\firefox.exe'
 condition: selection and not filter
 falsepositives:
 - Other Remote Desktop RDP tools
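Review bot: The new exact `Image:` match for Firefox in net_connection_win_susp_rdp.yml covers only the default 64-bit install directory; a 32-bit Firefox on 64-bit Windows installs under `C:\Program Files (x86)\Mozilla Firefox\` and would keep alerting, while the Splunk entry on the line above still uses `startswith`. If the intent is "Firefox wherever it is installed", the tighter option is to list both `Program Files` roots explicitly rather than switching to `Image|endswith: '\Mozilla Firefox\firefox.exe'`, since an `endswith` on a relative path is satisfied from any user-writable directory. Whichever form is kept, a trailing comment in the style of `# sentinel one` stating why Firefox is an expected source of RDP-port connections would help anyone tuning the rule. The `filter` list this entry belongs to starts before the hunk.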
diff --git a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
index 89ebf709e..7f7928774 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
@@ -28,6 +28,8 @@ detection:
 # In some cases powershell was invoked with inverted slashes
 - '= C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
 - '= C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
+ # When MSDT is launched
+ - '= C:\WINDOWS\System32\sdiagnhost.exe -Embedding '
 filter_citrix:
 ContextInfo|contains: 'ConfigSyncRun.exe'
 filter_adace: # Active Directory Administrative Center Enhancements
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml
index e3e8c2397..982006546 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml
@@ -7,6 +7,7 @@ references:
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
 author: frack113
 date: 2022/01/12
+modified: 2022/11/02
 tags:
 - attack.persistence
 - attack.t1546
@@ -17,9 +18,14 @@ logsource:
 detection:
 selection:
 ScriptBlockText|contains:
- - Get-WmiObject
- - gwmi
- condition: selection
+ - 'Get-WmiObject'
+ - 'gwmi'
+ filter_cl_utility:
+ Path|endswith: '\CL_Utility.ps1'
+ ScriptBlockText|contains|all:
+ - 'function Get-FreeSpace'
+ - 'SELECT * FROM Win32_LogicalDisk WHERE MediaType=12'
+ condition: selection and not 1 of filter_*
 falsepositives:
 - Legitimate PowerShell scripts
 level: low
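Review bot: The added filter entry `'= C:\WINDOWS\System32\sdiagnhost.exe -Embedding '` in posh_pm_alternate_powershell_hosts.yml ends with a space inside the quotes; if that space is meant to anchor on the complete argument it deserves a comment saying so, otherwise it will quietly prevent a match on events where the host application string ends at `-Embedding`. Excluding sdiagnhost.exe as a host also silences every PowerShell instance launched through MSDT troubleshooting packs, a code path that has been used for malicious execution as well as for the benign case the `# When MSDT is launched` comment describes, so the exclusion is broader than the comment suggests; consider narrowing it to the specific troubleshooting pack that produced the false positive, or spelling out the trade-off in the comment. The enclosing filter list starts before the hunk.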
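Review bot: `filter_cl_utility` in posh_ps_susp_gwmi.yml trusts the script's file name: `Path|endswith: '\CL_Utility.ps1'` matches that name in any directory, and the two `contains|all` strings are ordinary text that any script wishing to be excluded can carry along verbatim, so the filter is only as strong as the name. Anchoring `Path` with a `startswith` on the Windows diagnostics directory the genuine script ships from (`Path|startswith: '<confirmed diagnostics directory>'` until the exact path is verified) would make the exclusion much harder to reproduce from a user-writable location. A one-line comment above the filter, e.g. `# Built-in Windows troubleshooting script; its Get-FreeSpace helper queries Win32_LogicalDisk via WMI`, would also record why this particular script is excluded.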
diff --git a/rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml b/rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml
index c9b159c94..34da732cf 100644
--- a/rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml
+++ b/rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml
@@ -2,17 +2,17 @@ title: Suspicious In-Memory Module Execution
 id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39
 status: experimental
 description: |
- Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space.
- An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way),
- it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory.
- Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that
- most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries.
- The latter should also be considered suspicious.
+ Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space.
+ An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way),
+ it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory.
+ Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that
+ most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries.
+ The latter should also be considered suspicious.
 references:
 - https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
 author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
 date: 2019/10/27
-modified: 2022/03/16
+modified: 2022/11/02
 tags:
 - attack.privilege_escalation
 - attack.defense_evasion
@@ -68,7 +68,6 @@ detection:
 - 'C:\WINDOWS\System32\DriverStore\'
 - 'C:\Windows\System32\WindowsPowerShell\'
 - SourceImage:
- - 'C:\Users\\*\AppData\Local\Programs\Microsoft VS Code\Code.exe'
 - 'C:\WINDOWS\system32\taskhostw.exe'
 - 'C:\WINDOWS\system32\ctfmon.exe'
 - 'C:\WINDOWS\system32\NhNotifSys.exe'
@@ -94,7 +93,21 @@ detection:
 filter_openwith:
 SourceImage: 'C:\Windows\system32\OpenWith.exe'
 TargetImage: 'C:\Windows\Explorer.EXE'
- condition: ( selection1 or selection2 or selection3 ) and not 1 of filter*
+ filter_teams_:
+ SourceImage|startswith: 'C:\Users\'
+ SourceImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
+ TargetImage|endswith:
+ - ':\Windows\Explorer.EXE'
+ - '\AppData\Local\Microsoft\Teams\Update.exe'
+ - '\AppData\Local\Microsoft\Teams\current\Teams.exe'
+ - '\MsMpEng.exe'
+ filter_wwahost:
+ SourceImage: 'C:\Windows\System32\WWAHost.exe'
+ TargetImage: 'C:\Windows\System32\svchost.exe'
+ filter_sppsvc:
+ SourceImage: C:\WINDOWS\system32\sppsvc.exe
+ TargetImage: C:\WINDOWS\system32\SppExtComObj.exe
+ condition: 1 of selection* and not 1 of filter*
 fields:
 - ComputerName
 - User
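Review bot: `filter_sppsvc` in proc_access_win_in_memory_assembly_execution.yml writes both paths as plain scalars (`SourceImage: C:\WINDOWS\system32\sppsvc.exe`, `TargetImage: C:\WINDOWS\system32\SppExtComObj.exe`) while every other path in this hunk is single-quoted; backslashes are literal in plain scalars so it parses today, but quoting keeps the file uniform and protects against a later edit that introduces `: ` or ` #`. The key `filter_teams_` carries a stray trailing underscore — `1 of filter*` still picks it up, so it is cosmetic — and should be `filter_teams`. That filter also excludes a source under the user-writable `C:\Users\…\AppData\Local\Microsoft\Teams\current\Teams.exe` path accessing `\MsMpEng.exe`, the Defender engine process, which is a broader exclusion than the Explorer and Teams targets alongside it; a comment recording the accepted trade-off, or dropping the `\MsMpEng.exe` entry, is worth considering. The rewritten `condition: 1 of selection*` is equivalent to the old explicit `selection1 or selection2 or selection3` only while no other `selection*` key exists; the selections themselves are outside the hunk.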