From 79cc5f73eaa6faca1d9fa3e10038e87ab76add65 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Thu, 2 Jun 2022 16:14:39 +0200
Subject: [PATCH] add more suspicious child processes / relevant parent processes
---
 .../proc_create_win_msdt_susp_parent.yml | 3 +++
 ...c_creation_win_lolbins_by_office_applications.yml | 5 ++++-
 ...ion_win_office_spawn_exe_from_users_directory.yml | 4 +++-
 ..._creation_win_office_spawning_wmi_commandline.yml | 12 ++++++++----
 4 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/rules/windows/process_creation/proc_create_win_msdt_susp_parent.yml b/rules/windows/process_creation/proc_create_win_msdt_susp_parent.yml
index ac134c807..f014392af 100644
--- a/rules/windows/process_creation/proc_create_win_msdt_susp_parent.yml
+++ b/rules/windows/process_creation/proc_create_win_msdt_susp_parent.yml
@@ -7,6 +7,7 @@ references:
 - https://twitter.com/nao_sec/status/1530196847679401984
 - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
 date: 2022/06/01
+modified: 2022/06/02
 tags:
 - attack.defense_evasion
 - attack.t1036
@@ -23,6 +24,8 @@ detection:
 - '\cscript.exe'
 - '\wscript.exe'
 - '\wsl.exe'
+ - '\rundll32.exe'
+ - '\regsvr32.exe'
 # office apps are covered by other rules
 selection_msdt:
 - Image|endswith: '\msdt.exe'
diff --git a/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml b/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml
index e812862f8..5827d97ec 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml
@@ -33,7 +33,10 @@ detection:
 - '\winword.exe'
 - '\excel.exe'
 - '\powerpnt.exe'
+ - '\msaccess.exe'
+ - '\mspub.exe'
+ - '\eqnedt32.exe'
 condition: selection1 and selection2
 falsepositives:
 - Unknown
-level: high
+level: high
\ No newline at end of file
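Review bot: The `-level: high` / `+level: high` pair at the end of the lolbins hunk changes no content, only the trailing newline, so the rewritten file now ends without one (`\ No newline at end of file`); keep `level: high` followed by a newline so this spurious change disappears from the diff. The diffstat for this file shows `5 ++++-`, four insertions and one deletion, which means that unlike the other three rules in this commit its `modified:` date is apparently not bumped; add `modified: 2022/06/02` for consistency. The extended parent list here also omits `\visio.exe`, which the same commit adds to the WMI rule and which the users-directory rule already carries, so confirm that omission is deliberate. The key this list belongs to starts before the hunk.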
diff --git a/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml b/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml
index cb55b83bf..1a4ea2df4 100644
--- a/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml
@@ -12,7 +12,7 @@ tags:
 - car.2013-05-002
 author: Jason Lynch
 date: 2019/04/02
-modified: 2021/04/01
+modified: 2022/06/02
 logsource:
 category: process_creation
 product: windows
@@ -24,6 +24,8 @@ detection:
 - '\POWERPNT.exe'
 - '\MSPUB.exe'
 - '\VISIO.exe'
+ - '\MSACCESS.exe'
+ - '\EQNEDT32.exe'
 # - '\OUTLOOK.EXE' too many FPs
 Image|startswith: 'C:\users\'
 Image|endswith: '.exe'
diff --git a/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml b/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml
index 5d1fdb366..6bb2e96c7 100644
--- a/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml
@@ -13,7 +13,7 @@ tags:
 - attack.defense_evasion
 status: experimental
 date: 2021/08/23
-modified: 2022/03/30
+modified: 2022/06/02
 logsource:
 product: windows
 category: process_creation
@@ -24,9 +24,13 @@ detection:
 - CommandLine|contains: 'wmic '
 selection2:
 ParentImage:
- - winword.exe
- - excel.exe
- - powerpnt.exe
+ - '\winword.exe'
+ - '\excel.exe'
+ - '\powerpnt.exe'
+ - '\msaccess.exe'
+ - '\mspub.exe'
+ - '\eqnedt32.exe'
+ - '\visio.exe'
 condition: selection1 and selection2
 falsepositives:
 - Unknown
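Review bot: In the last hunk the `ParentImage:` context line carries no modifier, so under Sigma's plain-value semantics each of the new `\`-prefixed entries is an exact (case-insensitive) comparison against the full parent path, and a real path with drive and directory in front of the file name will never equal `\winword.exe`; the leading backslash only makes sense with a suffix match, so change that context line to `ParentImage|endswith:`. The previous bare values (`winword.exe`) had the same exact-match problem, so this is a pre-existing defect the commit makes more visible rather than introduces, unless the target backend adds implicit wildcards, which the rule itself does not show. The `selection1` block and the `detection:` key begin before this hunk.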