feat: add missing OriginalFileName field

First batch
2022-11-14 23:08:19 +01:00
parent 7adffff8d2
commit 7f736b7443
30 changed files with 161 additions and 99 deletions
@@ -7,21 +7,23 @@ references:
    - https://twitter.com/kagancapar/status/1515219358234161153
 author: frack113
 date: 2022/04/17
-modified: 2022/04/19
+modified: 2022/11/11
 tags:
    - cve.2022.29072
 logsource:
    product: windows
    category: process_creation
 detection:
-    selection:
-        Image|endswith: '\cmd.exe'
+    selection_img:
+        - Image|endswith: '\cmd.exe'
+        - OriginalFileName: 'Cmd.Exe'
+    selection_parent:
        ParentImage|endswith: '\7zFM.exe'
    filter_bat:
        CommandLine|contains: ' /c '
    filter_null:
        CommandLine: null
-    condition: selection and not 1 of filter_*
+    condition: all of selection_* and not 1 of filter_*
 falsepositives:
    - Unknown
 level: high
@@ -6,7 +6,7 @@ references:
    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
 author: 'Semanur Guneysu @semanurtg, oscd.community'
 date: 2020/10/28
-modified: 2022/07/14
+modified: 2022/11/11
 tags:
    - attack.privilege_escalation
    - attack.t1548
@@ -14,7 +14,7 @@ logsource:
    product: windows
    category: process_creation
 detection:
-    selection:
+    selection_parent:
        ParentImage|endswith:
            - '\winlogon.exe'
            - '\services.exe'
@@ -24,18 +24,23 @@ detection:
            - '\wininit.exe'
            - '\spoolsv.exe'
            - '\searchindexer.exe'
-        Image|endswith:
-            - '\powershell.exe'
-            - '\pwsh.exe'
-            - '\cmd.exe'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
+    selection_img:
+        - Image|endswith:
+            - '\powershell.exe'
+            - '\pwsh.exe'
+            - '\cmd.exe'
+        - OriginalFileName:
+            - 'PowerShell.EXE'
+            - 'pwsh.dll'
+            - 'Cmd.Exe'
    filter:
        CommandLine|contains|all:
            - ' route '
            - ' ADD '
-    condition: selection and not filter
+    condition: all of selection_* and not filter
 fields:
    - ParentImage
    - Image
@@ -9,9 +9,9 @@ references:
    - https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
    - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner
-author: '@ROxPinTeddy, Nasreddine Bencherchali @nas_bench'
+author: '@ROxPinTeddy, Nasreddine Bencherchali'
 date: 2020/05/12
-modified: 2021/12/18
+modified: 2022/11/11
 tags:
    - attack.discovery
    - attack.t1046
@@ -21,7 +21,9 @@ logsource:
    product: windows
 detection:
    selection1:
-        Image|contains: '\advanced_ip_scanner'
+        - Image|contains: '\advanced_ip_scanner' # Covers also advanced_ip_scanner_console.exe
+        - OriginalFileName|contains: 'advanced_ip_scanner' # Covers also advanced_ip_scanner_console.exe
+        - Description|contains: 'Advanced IP Scanner'
    selection2:
        CommandLine|contains|all:
            - '/portable'
@@ -4,8 +4,9 @@ status: experimental
 description: Detects the use of Advanced Port Scanner.
 references:
    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner
-author: Nasreddine Bencherchali @nas_bench
+author: Nasreddine Bencherchali
 date: 2021/12/18
+modified: 2022/11/11
 tags:
    - attack.discovery
    - attack.t1046
@@ -15,7 +16,9 @@ logsource:
    product: windows
 detection:
    selection1:
-        Image|contains: '\advanced_port_scanner'
+        - Image|contains: '\advanced_port_scanner'
+        - OriginalFileName|contains: 'advanced_port_scanner' # Covers also advanced_port_scanner_console.exe
+        - Description|contains: 'Advanced Port Scanner'
    selection2:
        CommandLine|contains|all:
            - '/portable'
@@ -1,7 +1,7 @@
 title: Execute From Alternate Data Streams
 id: 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c
 status: test
-description: Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
+description: Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
 author: frack113
@@ -1,7 +1,7 @@
 title: Always Install Elevated MSI Spawned Cmd And Powershell
 id: 1e53dd56-8d83-4eb4-a43e-b790a05510aa
 status: test
-description: This rule looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell
+description: Detects Windows Installer service (msiexec.exe) spawning "cmd" or "powershell"
 references:
    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
@@ -1,7 +1,7 @@
 title: Always Install Elevated Windows Installer
 id: cd951fdc-4b2f-47f5-ba99-a33bf61e3770
 status: experimental
-description: This rule looks for Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege
+description: Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege
 references:
    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
@@ -1,7 +1,7 @@
 title: AnyDesk Silent Installation
 id: 114e7f1c-f137-48c8-8f54-3088c24ce4b9
 status: test
-description: AnyDesk Remote Desktop silent installation can be used by attacker to gain remote access.
+description: Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.
 references:
    - https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20
    - https://support.anydesk.com/Automatic_Deployment
@@ -6,7 +6,7 @@ references:
    - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
 author: Florian Roth
 date: 2019/02/24
-modified: 2021/11/27
+modified: 2022/11/11
 tags:
    - attack.execution
    - attack.t1059.003
@@ -21,9 +21,9 @@ logsource:
 detection:
    selection:
        CommandLine:
-            - reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
-            - powershell.exe mshta.exe http*
-            - cmd.exe /c taskkill /im cmd.exe
+            - 'reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"'
+            - 'powershell.exe mshta.exe http*'
+            - 'cmd.exe /c taskkill /im cmd.exe'
    condition: selection
 falsepositives:
    - Unknown
@@ -6,7 +6,7 @@ references:
    - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
 author: Florian Roth
 date: 2019/02/21
-modified: 2022/08/13
+modified: 2022/11/11
 tags:
    - attack.credential_access
    - attack.t1552.001
@@ -15,8 +15,10 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection1:
-        Image|endswith: '\xcopy.exe'
+    selection_xcopy_img:
+        - Image|endswith: '\xcopy.exe'
+        - OriginalFileName: 'XCOPY.EXE'
+    selection_xcopy_cli:
        CommandLine|contains|all:
            - '/S'
            - '/E'
@@ -24,13 +26,15 @@ detection:
            - '/Q'
            - '/H'
            - '\\\\'
-    selection2:
-        Image|endswith: '\adexplorer.exe'
+    selection_adexplorer_img:
+        - Image|endswith: '\adexplorer.exe'
+        - OriginalFileName: 'AdExp'
+    selection_adexplorer_cli:
        CommandLine|contains|all:
            - '-snapshot'
            - '""'
            - 'c:\users\'
-    condition: 1 of selection*
+    condition: all of selection_xcopy_* or all of selection_adexplorer_*
 falsepositives:
    - Unknown
 level: critical
@@ -6,7 +6,7 @@ references:
    - https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
 author: Florian Roth
 date: 2017/04/07
-modified: 2022/09/08
+modified: 2022/11/11
 tags:
    - attack.execution
    - attack.g0045
@@ -15,14 +15,18 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
-        Image|endswith:
+    selection_img:
+        - Image|endswith:
            - '\cscript.exe'
            - '\wscript.exe'
+        - OriginalFileName:
+            - 'cscript.exe'
+            - 'wscript.exe'
+    selection_cli:
        CommandLine|contains|all:
            - '.vbs'
            - '/shell'
-    condition: selection
+    condition: all of selection_*
 fields:
    - CommandLine
    - ParentCommandLine
@@ -4,7 +4,7 @@ status: test
 description: Detects usage of attrib.exe to hide files from users.
 author: Sami Ruohonen
 date: 2019/01/16
-modified: 2021/11/27
+modified: 2022/11/11
 tags:
    - attack.defense_evasion
    - attack.t1564.001
@@ -12,16 +12,18 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
-        Image|endswith: '\attrib.exe'
+    selection_img:
+        - Image|endswith: '\attrib.exe'
+        - OriginalFileName: 'ATTRIB.EXE'
+    selection_cli:
        CommandLine|contains: ' +h '
-    ini:
+    filter_ini:
        CommandLine|contains: '\desktop.ini '
-    intel:
+    filter_intel:
        ParentImage|endswith: '\cmd.exe'
        CommandLine: +R +H +S +A \\*.cui
        ParentCommandLine: C:\WINDOWS\system32\\*.bat
-    condition: selection and not (ini or intel)
+    condition: all of selection_* and not 1 of filter_*
 fields:
    - CommandLine
    - ParentCommandLine
@@ -7,6 +7,7 @@ references:
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib
 author: frack113
 date: 2022/02/04
+modified: 2022/11/11
 tags:
    - attack.defense_evasion
    - attack.t1564.001
@@ -14,10 +15,12 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
-        Image|endswith: '\attrib.exe'
+    selection_img:
+        - Image|endswith: '\attrib.exe'
+        - OriginalFileName: 'ATTRIB.EXE'
+    selection_cli:
        CommandLine|contains: ' +s '
-    condition: selection
+    condition: all of selection_*
 falsepositives:
    - Unknown
 level: low
@@ -10,6 +10,7 @@ references:
    - https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0
 author: Nasreddine Bencherchali
 date: 2022/06/28
+modified: 2022/11/11
 tags:
    - attack.defense_evasion
    - attack.t1564.001
@@ -17,8 +18,10 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection_basic:
-        Image|endswith: '\attrib.exe'
+    selection_img:
+        - Image|endswith: '\attrib.exe'
+        - OriginalFileName: 'ATTRIB.EXE'
+    selection_cli:
        CommandLine|contains: ' +s'
    selection_paths:
        CommandLine|contains:
@@ -7,7 +7,7 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
 author: frack113
 date: 2021/07/28
-modified: 2022/10/09
+modified: 2022/11/11
 tags:
    - attack.collection
    - attack.t1119
@@ -28,17 +28,17 @@ detection:
            - '.rtf'
            - '.pdf'
            - '.txt'
-    selection_dir:
+    selection_other_dir:
        CommandLine|contains|all:
            - 'dir '
            - ' /b '
            - ' /s '
-    selection_findstr:
-        OriginalFileName: FINDSTR.EXE
+    selection_other_findstr:
+        OriginalFileName: 'FINDSTR.EXE'
        CommandLine|contains:
            - ' /e '
            - ' /si '
-    condition: selection_ext and (selection_dir or selection_findstr)
+    condition: selection_ext and 1 of selection_other_*
 falsepositives:
    - Unknown
 level: medium
@@ -8,7 +8,7 @@ references:
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
 author: Michael Haag, FPT.EagleEye
 date: 2017/03/09
-modified: 2022/10/09
+modified: 2022/11/11
 tags:
    - attack.defense_evasion
    - attack.persistence
@@ -20,7 +20,8 @@ logsource:
    product: windows
 detection:
    selection1:
-        Image|endswith: '\bitsadmin.exe'
+        - Image|endswith: '\bitsadmin.exe'
+        - OriginalFileName: 'bitsadmin.exe'
    susp_flag_1:
        CommandLine|contains: ' /transfer '
    susp_flag_2:
@@ -9,7 +9,7 @@ references:
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
 author: Florian Roth
 date: 2022/06/28
-modified: 2022/08/09
+modified: 2022/11/11
 tags:
    - attack.defense_evasion
    - attack.persistence
@@ -20,8 +20,10 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
-        Image|endswith: '\bitsadmin.exe'
+    selection_img:
+        - Image|endswith: '\bitsadmin.exe'
+        - OriginalFileName: 'bitsadmin.exe'
+    selection_flags:
        CommandLine|contains:
            - ' /transfer '
            - ' /create '
@@ -43,7 +45,7 @@ detection:
            - 'anonfiles.com'
            - 'send.exploit.in'
            - 'transfer.sh'
-    condition: all of selection*
+    condition: all of selection_*
 fields:
    - CommandLine
    - ParentCommandLine
@@ -8,6 +8,7 @@ references:
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
 author: Florian Roth
 date: 2022/06/28
+modified: 2022/11/11
 tags:
    - attack.defense_evasion
    - attack.persistence
@@ -18,8 +19,10 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
-        Image|endswith: '\bitsadmin.exe'
+    selection_img:
+        - Image|endswith: '\bitsadmin.exe'
+        - OriginalFileName: 'bitsadmin.exe'
+    selection_flags:
        CommandLine|contains:
            - ' /transfer '
            - ' /create '
@@ -55,7 +58,7 @@ detection:
            - '.zip'
            - '.rar'
            - '.dll'
-    condition: all of selection*
+    condition: all of selection_*
 fields:
    - CommandLine
    - ParentCommandLine
@@ -8,6 +8,7 @@ references:
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
 author: Florian Roth
 date: 2022/06/28
+modified: 2022/11/11
 tags:
    - attack.defense_evasion
    - attack.persistence
@@ -18,8 +19,10 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
-        Image|endswith: '\bitsadmin.exe'
+    selection_img:
+        - Image|endswith: '\bitsadmin.exe'
+        - OriginalFileName: 'bitsadmin.exe'
+    selection_flags:
        CommandLine|contains:
            - ' /transfer '
            - ' /create '
@@ -44,7 +47,7 @@ detection:
            - 'https://7'
            - 'https://8'
            - 'https://9'
-    condition: all of selection*
+    condition: all of selection_*
 fields:
    - CommandLine
    - ParentCommandLine
@@ -8,6 +8,7 @@ references:
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
 author: Florian Roth
 date: 2022/06/28
+modified: 2022/11/11
 tags:
    - attack.defense_evasion
    - attack.persistence
@@ -18,8 +19,10 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
-        Image|endswith: '\bitsadmin.exe'
+    selection_img:
+        - Image|endswith: '\bitsadmin.exe'
+        - OriginalFileName: 'bitsadmin.exe'
+    selection_flags:
        CommandLine|contains:
            - ' /transfer '
            - ' /create '
@@ -29,7 +32,7 @@ detection:
            - 'C:\Users\Public\'
            - '%public%'
            - '\Desktop\'
-    condition: all of selection*
+    condition: all of selection_*
 fields:
    - CommandLine
    - ParentCommandLine
@@ -8,7 +8,7 @@ references:
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
 author: Florian Roth
 date: 2022/06/28
-modified: 2022/09/13
+modified: 2022/11/11
 tags:
    - attack.defense_evasion
    - attack.persistence
@@ -19,8 +19,10 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
-        Image|endswith: '\bitsadmin.exe'
+    selection_img:
+        - Image|endswith: '\bitsadmin.exe'
+        - OriginalFileName: 'bitsadmin.exe'
+    selection_flags:
        CommandLine|contains:
            - ' /transfer '
            - ' /create '
@@ -34,7 +36,7 @@ detection:
            - '%ProgramData%'
            - '\AppData\Local\'
            - '%AppData%'
-    condition: all of selection*
+    condition: all of selection_*
 fields:
    - CommandLine
    - ParentCommandLine
@@ -7,7 +7,7 @@ references:
    - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html
 author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
 date: 2019/10/24
-modified: 2022/07/07
+modified: 2022/11/11
 tags:
    - attack.impact
    - attack.t1490
@@ -16,9 +16,11 @@ logsource:
    product: windows
 detection:
    selection1:
-        Image|endswith: '\bcdedit.exe'
-        CommandLine|contains: 'set'
+        - Image|endswith: '\bcdedit.exe'
+        - OriginalFileName: 'bcdedit.exe'
    selection2:
+        CommandLine|contains: 'set'
+    selection3:
        - CommandLine|contains|all:
            - 'bootstatuspolicy'
            - 'ignoreallfailures'
@@ -7,7 +7,7 @@ references:
    - https://twitter.com/mattifestation/status/986280382042595328
 author: Markus Neis, Florian Roth
 date: 2019/01/16
-modified: 2022/03/21
+modified: 2022/11/11
 tags:
    - attack.defense_evasion
    - attack.t1047
@@ -19,8 +19,10 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection_org:
-        Image|endswith: '\wmic.exe'
+    selection_org_img:
+        - Image|endswith: '\wmic.exe'
+        - OriginalFileName: 'wmic.exe'
+    selection_org_cli:
        CommandLine|contains|all:
            - wmic
            - format
@@ -38,7 +40,7 @@ detection:
        CommandLine|contains|all:
            - 'format:'
            - 'http'
-    condition: selection_org or all of selection_renamed_*
+    condition: all of selection_org_* or all of selection_renamed_*
 falsepositives:
    - Unknown
 level: medium
@@ -6,6 +6,7 @@ references:
    - https://ss64.com/nt/syntax-redirection.html
 author: frack113
 date: 2022/01/22
+modified: 2022/11/11
 tags:
    - attack.discovery
    - attack.t1082
@@ -13,10 +14,12 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
-        Image|endswith: '\cmd.exe'
+    selection_cmd:
+        - OriginalFileName: 'Cmd.Exe'
+        - Image|endswith: '\cmd.exe'
+    selection_cli:
        CommandLine|contains: '>'
-    condition: selection
+    condition: all of selection_*
 falsepositives:
    - Unknown
 level: low
@@ -6,7 +6,7 @@ references:
    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
 author: Nasreddine Bencherchali
 date: 2022/07/12
-modified: 2022/09/14
+modified: 2022/11/11
 tags:
    - attack.execution
    - attack.t1218
@@ -14,8 +14,10 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
-        Image|endswith: '\cmd.exe'
+    selection_img:
+        - Image|endswith: '\cmd.exe'
+        - OriginalFileName: 'Cmd.Exe'
+    selection_cli:
        CommandLine|contains|all:
            # Add more suspicious locations as you find them
            - ' > %USERPROFILE%\'
@@ -24,7 +26,7 @@ detection:
            - ' > C:\Users\Public\'
            - ' > %TEMP%\'
            - ' > %TMP%\'
-    condition: selection
+    condition: all of selection_*
 falsepositives:
    - Legitimate admin scripts
 level: medium
@@ -8,7 +8,7 @@ references:
    - https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
 author: _pete_0, TheDFIRReport
 date: 2022/05/06
-modified: 2022/10/07
+modified: 2022/11/11
 tags:
    - attack.execution
    - attack.t1059.003
@@ -16,7 +16,10 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
+    selection_img:
+        - OriginalFileName: 'Cmd.Exe'
+        - Image|endswith: '\cmd.exe'
+    selection_cli:
        CommandLine|startswith:
            - 'cmd.exe'
            - 'c:\windows\system32\cmd.exe'
@@ -30,14 +33,13 @@ detection:
            - logonpasswords
            - execute-assembly
            - getsystem
-        Image|endswith: '\cmd.exe'
    filter_vscode:
        # This FP could occure when VSCode is installed and a search/or string selection is made to look for one of these detections mentioned above
        ParentImage|endswith: \AppData\Local\Programs\Microsoft VS Code\Code.exe # This is the default install location please add your custom one to avoid FP
        CommandLine|contains|all:
            - '/d /s /c '
            - 'checkfilenameiocs --ioc-path '
-    condition: selection and not 1 of filter_*
+    condition: all of selection_* and not 1 of filter_*
 fields:
    - CommandLine
 falsepositives:
@@ -8,7 +8,7 @@ references:
    - https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
 author: _pete_0, TheDFIRReport
 date: 2022/05/06
-modified: 2022/05/06
+modified: 2022/11/11
 tags:
    - attack.execution
    - attack.t1059.003
@@ -16,8 +16,10 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
-        Image|endswith: '\cmd.exe'
+    selection_img:
+        - OriginalFileName: 'Cmd.Exe'
+        - Image|endswith: '\cmd.exe'
+    selection_cli:
        CommandLine|startswith:
            - 'cmd.exe'
            - 'c:\windows\system32\cmd.exe'
@@ -29,7 +31,7 @@ detection:
            - Invoke-Nightmare
            - zerologon
            - av_query
-    condition: selection
+    condition: all of selection_*
 fields:
    - CommandLine
 falsepositives:
@@ -7,7 +7,7 @@ references:
    - https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
 author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
 date: 2020/06/22
-modified: 2022/08/11
+modified: 2022/11/11
 tags:
    - attack.execution
    - attack.defense_evasion
@@ -18,8 +18,10 @@ logsource:
    product: windows
    category: process_creation
 detection:
-    selection_reg:
-        Image|endswith: '\reg.exe'
+    selection_reg_img:
+        - Image|endswith: '\reg.exe'
+        - OriginalFileName: 'reg.exe'
+    selection_reg_cli:
        CommandLine|contains|all:
            - 'add'
            - 'CurrentVersion\Control Panel\CPLs'
@@ -34,7 +36,7 @@ detection:
            - 'regsvr32 '
            - ' /s '
            - 'igfxCPL.cpl'
-    condition: selection_reg or (selection_cpl and not 1 of filter_cpl_*)
+    condition: all of selection_reg_* or (selection_cpl and not 1 of filter_cpl_*)
 falsepositives:
    - Unknown
 level: high
@@ -8,7 +8,7 @@ references:
    - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
 author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
 date: 2019/10/22
-modified: 2021/11/27
+modified: 2022/11/11
 tags:
    - attack.credential_access
    - attack.t1003.002
@@ -20,7 +20,9 @@ logsource:
    product: windows
 detection:
    selection_esent:
-        Image|endswith: '\esentutl.exe'
+        - Image|endswith: '\esentutl.exe'
+        - OriginalFileName: '\esentutl.exe'
+    selection_cli:
        CommandLine|contains:
            - 'vss'
            - ' /m '
@@ -6,6 +6,7 @@ references:
    - https://www.elastic.co/guide/en/security/current/credential-acquisition-via-registry-hive-dumping.html
 author: Tim Rauch
 date: 2022/10/04
+modified: 2022/11/11
 tags:
    - attack.credential_access
    - attack.t1003
@@ -14,11 +15,13 @@ logsource:
    product: windows
 detection:
    selection_1:
-        Image|endswith: '\reg.exe'
+        - Image|endswith: '\reg.exe'
+        - OriginalFileName: 'reg.exe'
+    selection_2:
        CommandLine|contains:
            - ' save '
            - ' export '
-    selection_2:
+    selection_3:
        CommandLine|contains:
            - 'hklm\sam'
            - 'hklm\security'