diff --git a/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml b/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml
index 11c3cc20f..00a190971 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml
@@ -42,7 +42,7 @@ detection:
 - 'VirtualAlloc'
 - 'ReadProcessMemory'
 - 'VirtualFree'
- condition: selection and not 1 of filter_optional_*
+ condition: 1 of selection_*
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml b/rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml
index f22b2bfec..778a28b94 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml
@@ -1,5 +1,5 @@
 title: Insecure Proxy/DOH Transfer Via Curl.EXE
-id: cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec
+id: 2c1486f5-02e8-4f86-9099-b97f2da4ed77
 status: experimental
 description: Detects execution of "curl.exe" with the "insecure" flag over Proxy or DOH.
 references:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml b/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml
index 154a573d4..658d7574b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml
@@ -61,7 +61,7 @@ detection:
 - 'type '
 - ' > '
 - ' C:\'
- condition: (selection_iwr or all of selection_curl*) and payloads
+ condition: (selection_iwr or all of selection_curl* or selection_wget) and payloads
 falsepositives:
 - Unlikely
 level: high
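Review bot: The new condition `1 of selection_*` only resolves if the selection block above this hunk was renamed to one or more `selection_*` keys; the hunk shows the API-name list but not the key it belongs to, so confirm the rename, otherwise the condition references no selection at all. Dropping `not 1 of filter_optional_*` removes the rule's tuning while `falsepositives` still reads `Unknown` and `level: high` is kept, so either record why the optional filters were dropped under `falsepositives` or keep an exclusion, and bump the `modified` date. The detection block starts outside this hunk.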
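Review bot: `selection_wget` is referenced by the new condition but not defined anywhere in the hunk, so verify it exists in the detection block above; a dangling selection name fails rule validation. The curl branch is gated by `all of selection_curl*` whereas wget is admitted by a single selection, so `selection_wget` should be at least as specific as the combined curl selections or the `payloads` list alone has to carry the precision at `level: high`. The title and description at the top of the file, outside this hunk, should now mention wget as well. The detection block starts outside this hunk.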
diff --git a/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml
index 25782d68a..3d390c27b 100644
--- a/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml
@@ -5,6 +5,7 @@ description: Detects suspicious child process creations of VMware Tools process
 references:
 - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
 - https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png
+ - https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/tools.conf
 author: bohops, Bhabesh Raj
 date: 2021/10/08
 modified: 2023/07/25
diff --git a/rules/windows/process_creation/proc_creation_win_wget_download_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_wget_download_direct_ip.yml
index b105a1462..bff4f5585 100644
--- a/rules/windows/process_creation/proc_creation_win_wget_download_direct_ip.yml
+++ b/rules/windows/process_creation/proc_creation_win_wget_download_direct_ip.yml
@@ -1,5 +1,5 @@
 title: Suspicious File Download From Direct IP Via Wget.EXE
-id: 5cb299fc-5fb1-4d07-b989-0644c68b6043
+id: 17f0c0a8-8bd5-4ee0-8c5f-a342c0199f35
 status: experimental
 description: Detects potential suspicious file download from direct ip domains using Wget.exe
 references:
diff --git a/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml
index 800c4c584..2a6652f91 100644
--- a/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml
+++ b/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml
@@ -1,5 +1,5 @@
 title: Suspicious File Download From File Sharing Domain Via Wget.EXE
-id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb
+id: a0d7e4d2-bede-4141-8896-bc6e237e977c
 status: experimental
 description: Detects potential suspicious file download from file sharing domains using wget.exe
 references: