From 7f030b250e82fda2795bba7ea2f7a102ff5e88fa Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 30 Mar 2022 11:20:59 +0200
Subject: [PATCH] fix: wrong mapping of Windows Audit Log EventID 4688

reverts some changes introduced by commit c5fa73c328acd5fac5c89c84f2a71c94efc65827
- removes the unnecessary/wrong field mapping
- fixes the rules to apply to CommandLine instead of ParentCommandLine as the author probably intended
---
 ..._from_proxy_executing_regsvr32_payload.yml | 6 +++---
 ...from_proxy_executing_regsvr32_payload2.yml | 20 +++++++++----------
 ...on_win_office_spawning_wmi_commandline.yml | 4 ++--
 .../proc_creation_win_susp_wuauclt.yml | 4 ++--
 tools/config/generic/windows-audit.yml | 2 +-
 5 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml b/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml
index bf4a10458..af7736456 100644
--- a/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml
@@ -13,7 +13,7 @@ tags: - attack.defense_evasion status: experimental date: 2021/08/23 -modified: 2021/11/09 +modified: 2022/03/30 logsource: product: windows category: process_creation
@@ -21,7 +21,7 @@ detection: #useful_information: add more LOLBins to the rules logic of your choice. selection1: - Image|endswith: '\wbem\WMIC.exe' - - ParentCommandLine|contains: 'wmic ' + - CommandLine|contains: 'wmic ' - OriginalFileName: 'wmic.exe' - Description: 'WMI Commandline Utility' selection2:
@@ -37,7 +37,7 @@ detection: - excel.exe - powerpnt.exe selection4: - ParentCommandLine|contains|all: + CommandLine|contains|all: - 'process' - 'create' - 'call'
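Review bot: In the hunk at line 21, `CommandLine|contains: 'wmic '` keys on a bare `wmic` token followed by a space, so a child started as `wmic.exe ...` or via a full path is caught only by the sibling `Image|endswith`/`OriginalFileName` alternatives; that is fine for 4688, where NewProcessName is always present, but the dependency is not obvious from the list. I would record it above the entry: `# bare 'wmic ' only; wmic.exe and full-path invocations rely on the Image/OriginalFileName alternatives`. The same ParentCommandLine→CommandLine swap appears in the hunk at line 37 below, in proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml and in proc_creation_win_office_spawning_wmi_commandline.yml; after it, payload.yml and payload2.yml appear to share selection3/selection4 and a WMIC selection, so they may differ only in the LOLBin list (payload.yml's selection2 lies outside these hunks, so this is inferred). If they are meant to coexist, a `related:` entry with `type: similar` in each would make that explicit; otherwise consider merging them.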
diff --git a/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml b/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml
index 153f3bc80..d5fc9911a 100644
--- a/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml
@@ -13,32 +13,32 @@ tags: - attack.defense_evasion status: experimental date: 2021/08/23 -modified: 2021/11/09 +modified: 2022/03/30 logsource: product: windows category: process_creation detection: #useful_information: add more LOLBins to the rules logic of your choice. selection1: - ParentCommandLine: - '*regsvr32*' - '*rundll32*' - '*msiexec*' - '*mshta*' - '*verclsid*' + CommandLine|contains: - 'regsvr32' - 'rundll32' - 'msiexec' - 'mshta' - 'verclsid' selection2: - Image|endswith: '\wbem\WMIC.exe' - - ParentCommandLine|contains: 'wmic ' + - CommandLine|contains: 'wmic ' selection3: ParentImage|endswith: - winword.exe - excel.exe - powerpnt.exe selection4: - ParentCommandLine|contains|all: + CommandLine|contains|all: - 'process' - 'create' - - 'call' + - 'call' condition: selection1 and selection2 and selection3 and selection4 falsepositives: - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml b/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml
index c2ea7d396..5d1fdb366 100644
--- a/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml
@@ -13,7 +13,7 @@ tags: - attack.defense_evasion status: experimental date: 2021/08/23 -modified: 2021/11/09 +modified: 2022/03/30 logsource: product: windows category: process_creation
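Review bot: The `- 'call'` removal and re-addition at the end of selection4 shows no visible difference in this view, so it is presumably a trailing-whitespace or indentation fix; if so it deserves a mention in the commit message, or should be left out to keep the diff to the field-mapping fix. After the change every selection except selection3 reads the WMIC child's own CommandLine, which is exactly the point the original author got wrong, so I would state it once in the rule, for example `# selection1/2/4 inspect the WMIC process itself; only selection3 looks at the Office parent` above selection1; a matching comment belongs in proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml's selection1/selection4. The proc_creation_win_office_spawning_wmi_commandline.yml hunk on this line is only a modified-date bump.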
@@ -21,7 +21,7 @@ detection: #useful_information: Add more office applications to the rule logic of choice selection1: - Image|endswith: '\wbem\WMIC.exe' - - ParentCommandLine|contains: 'wmic ' + - CommandLine|contains: 'wmic ' selection2: ParentImage: - winword.exe
diff --git a/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml b/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml
index 58a758875..ada2fa1e8 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml
@@ -17,11 +17,11 @@ logsource: category: process_creation detection: selection: - CommandLine|contains|all: + CommandLine|contains|all: - '/UpdateDeploymentProvider' - '/RunHandlerComServer' - '.dll' - Image|endswith: + Image|endswith: - '\wuauclt.exe' filter: CommandLine|contains:
diff --git a/tools/config/generic/windows-audit.yml b/tools/config/generic/windows-audit.yml
index 57f11483b..7d54771c7 100644
--- a/tools/config/generic/windows-audit.yml
+++ b/tools/config/generic/windows-audit.yml
@@ -44,5 +44,5 @@ fieldmappings: Image: NewProcessName ParentImage: ParentProcessName Details: NewValue - ParentCommandLine: ProcessCommandLine + #CommandLine: ProcessCommandLine # No need to map, as real name of ProcessCommandLine is already CommandLine LogonId: SubjectLogonId
\ No newline at end of file
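Review bot: The new line in the tools/config/generic/windows-audit.yml hunk keeps a commented-out mapping (`#CommandLine: ProcessCommandLine # No need to map...`) where a plain explanatory comment would serve better: it reads like dead config and has no space after `#`. I would replace it with `# CommandLine: no mapping needed, 4688 already exposes the field as CommandLine` and add `# ParentCommandLine: no 4688 equivalent; rules that require it cannot be served by this config`, since as far as I know 4688 carries no parent command line and sigmac passes unmapped field names through unchanged, so such rules would silently query a field that does not exist. The file also ends without a trailing newline (`\ No newline at end of file`). The proc_creation_win_office_spawning_wmi_commandline.yml hunk on this line is the same ParentCommandLine→CommandLine swap as in the earlier rules, and the wuauclt hunk is whitespace-only.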