diff --git a/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml b/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml
index 44b3956c8..bfa26c5d1 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml
@@ -18,7 +18,7 @@ detection:
 selection:
 Data|contains|all:
 - 'Get-WmiObject'
- - 'Win32_Shadowcopy'
+ - 'Win32_ShadowCopy'
 Data|contains:
 - 'Delete()'
 - 'Remove-WmiObject'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml
index 543535e6b..6b7f3eb24 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml
@@ -17,7 +17,7 @@ logsource:
 detection:
 selection:
 ScriptBlockText|contains|all:
- - win32_shadowcopy
+ - Win32_ShadowCopy
 - ').Create('
 - ClientAccessible
 condition: selection
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml
index 7b53b258e..d5631ed9f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml
@@ -18,7 +18,7 @@ detection:
 selection:
 ScriptBlockText|contains|all:
 - 'Get-WmiObject'
- - 'Win32_Shadowcopy'
+ - 'Win32_ShadowCopy'
 - '.Delete()'
 condition: selection
 falsepositives:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml
index 06705557a..ffc48d663 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml
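Review bot: In the posh_ps_create_volume_shadow_copy.yml hunk the new list item `- Win32_ShadowCopy` is left as a plain scalar, while the same value is written `'Win32_ShadowCopy'` in every other rule touched by this commit and `').Create('` two lines down is quoted; writing it as `- 'Win32_ShadowCopy'` keeps the files consistent. The match itself is unaffected by the re-casing, since Sigma's `contains` modifier compares case-insensitively, so this rename and the ones in the two neighbouring hunks are cosmetic.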
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml
@@ -27,7 +27,7 @@ detection:
 - 'Get-CimInstance'
 - 'gcim'
 selection_shadowcopy:
- ScriptBlockText|contains: 'Win32_Shadowcopy'
+ ScriptBlockText|contains: 'Win32_ShadowCopy'
 selection_delete:
 ScriptBlockText|contains:
 - '.Delete()'
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml
index 45295f7da..9e4af4680 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml
@@ -4,7 +4,7 @@ related:
 - id: 47688f1b-9f51-4656-b013-3cc49a166a36
 type: obsoletes
 status: test
-description: Detects calls to base64 encoded WMI class such as "Win32_Shadowcopy", "Win32_ScheduledJob", etc.
+description: Detects calls to base64 encoded WMI class such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc.
 references:
 - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
 author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
@@ -26,7 +26,7 @@ detection:
 - 'PowerShell.EXE'
 - 'pwsh.dll'
 selection_cli_shadowcopy:
- # Win32_Shadowcopy
+ # Win32_ShadowCopy
 CommandLine|contains:
 - 'VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ'
 - 'cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA'
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml b/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml
index 0685e8675..cdc762a40 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml
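Review bot: The re-cased comment `# Win32_ShadowCopy` in the proc_creation_win_powershell_base64_wmi_classes.yml hunk no longer describes what the two base64 strings under it encode: decoding `VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ` and `cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA` as UTF-16LE gives `Win32_Shadowcopy` with a lowercase `c` (the `YwBv` / `AGMA` chunks are `c` plus a null byte; a capital `C` would encode as `QwBv` / `AEMA`, computed here). Unlike the `contains` rules in the other hunks, where Sigma matching is case-insensitive and the rename is cosmetic, base64 text is case-sensitive, so this rule still covers only the lowercase-`c` spelling and the comment now overstates its coverage. Either keep the comment accurate, `# Win32_Shadowcopy (base64 of UTF-16LE is case-sensitive; lowercase 'c' spelling only)`, or add the encodings of the `Win32_ShadowCopy` spelling as further list entries; the description changed in the earlier hunk of this file has the same mismatch. The selection list may continue below the hunk, so check the remaining entries before deciding which.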
@@ -27,7 +27,7 @@ detection:
 - 'Get-CimInstance'
 - 'gcim'
 selection_shadowcopy:
- CommandLine|contains: 'Win32_Shadowcopy'
+ CommandLine|contains: 'Win32_ShadowCopy'
 selection_delete:
 CommandLine|contains:
 - '.Delete()'