feat: update metadata and add more cases for rules

rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml

@@ -1,7 +1,7 @@
 title: Failed Code Integrity Checks
 id: 470ec5fa-7b4e-4071-b200-4c753100f49b
 status: stable
-description: Code integrity failures may indicate tampered executables.
+description: Detects Code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a signe of tampered binaries.
 author: Thomas Patzke
 date: 2019/12/03
 modified: 2020/08/23

rules/windows/file/file_event/file_event_win_susp_dropper.yml

@@ -80,5 +80,6 @@ detection:
 falsepositives:
     - Software installers
     - Update utilities
+    - 32bit applications launching their 64bit versions
 #Please contribute to FP to increase the level
 level: low

rules/windows/process_creation/proc_creation_win_chisel_usage.yml

@@ -8,8 +8,10 @@ description: Detects usage of the Chisel tunneling tool via the commandline argu
 references:
     - https://github.com/jpillora/chisel/
     - https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/
+    - https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/
 author: Florian Roth
 date: 2022/09/13
+modified: 2022/12/07
 tags:
     - attack.command_and_control
     - attack.t1090.001
@@ -25,11 +27,11 @@ detection:
             - 'exe server '
     selection_param2:
         CommandLine|contains:
-            - ' --socks5'
-            - ' --reverse'
+            - '-socks5'
+            - '-reverse'
             - ' r:'
             - ':127.0.0.1:'
-            - ' --tls-skip-verify '
+            - '-tls-skip-verify '
             - ':socks'
     condition: selection_img or all of selection_param*
 falsepositives:

rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml

@@ -18,22 +18,11 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection_1_img:
-        Image|endswith: '\SharpChisel.exe'
-    selection_1_pe:
-        Product: 'SharpChisel'
-    # Covered by Chisel Rule
-    # selection_2_client_server:
-    #     CommandLine|contains:
-    #         - 'exe client '
-    #         - 'exe server '
-    # selection_2_flags:
-    #     CommandLine|contains:
-    #         - ' --socks5'
-    #         - ' --reverse'
-    #         - ' r:'
-    #         - ':127.0.0.1:'
-    condition: 1 of selection*
+    selection:
+        - Image|endswith: '\SharpChisel.exe'
+        - Product: 'SharpChisel'
+    # See rule 8b0e12da-d3c3-49db-bb4f-256703f380e5 for Chisel.exe coverage
+    condition: selection
 falsepositives:
-    - Some false positives may occure with other tools with similar commandlines
+    - Unlikely
 level: high

rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml

@@ -6,11 +6,12 @@ related:
     - id: 8023f872-3f1d-4301-a384-801889917ab4
       type: similar
 status: experimental
-description: Detects the of the "accepteula" key related to sysinternals tools being created from non sysinternals tools
+description: Detects the "accepteula" key related to sysinternals tools being created from non sysinternals tools
 references:
     - Internal Research
 author: Nasreddine Bencherchali
 date: 2022/08/24
+modified: 2022/12/07
 tags:
     - attack.resource_development
     - attack.t1588.002
@@ -21,33 +22,44 @@ detection:
     selection:
         EventType: CreateKey
         TargetObject|contains:
-            - '\PsExec'
-            - '\ProcDump'
+            # Please add new values while respecting the alphabetical order
+            - '\Active Directory Explorer'
             - '\Handle'
             - '\LiveKd'
+            - '\ProcDump'
             - '\Process Explorer'
+            - '\PsExec'
+            - '\PsLoggedon'
             - '\PsLoglist'
             - '\PsPasswd'
-            - '\Active Directory Explorer'
+            - '\PsPing'
+            - '\PsService'
         TargetObject|endswith: '\EulaAccepted'
     filter:
         Image|endswith:
-            - '\PsExec.exe'
-            - '\PsExec64.exe'
-            - '\procdump.exe'
-            - '\procdump64.exe'
+            # Please add new values while respecting the alphabetical order
+            - '\ADExplorer.exe'
+            - '\ADExplorer64.exe'
             - '\handle.exe'
             - '\handle64.exe'
             - '\livekd.exe'
             - '\livekd64.exe'
+            - '\procdump.exe'
+            - '\procdump64.exe'
             - '\procexp.exe'
             - '\procexp64.exe'
+            - '\PsExec.exe'
+            - '\PsExec64.exe'
+            - '\PsLoggedon.exe'
+            - '\PsLoggedon64.exe'
             - '\psloglist.exe'
             - '\psloglist64.exe'
             - '\pspasswd.exe'
             - '\pspasswd64.exe'
-            - '\ADExplorer.exe'
-            - '\ADExplorer64.exe'
+            - '\PsPing.exe'
+            - '\PsPing64.exe'
+            - '\PsService.exe'
+            - '\PsService64.exe'
     condition: selection and not filter
 falsepositives:
     - Unlikely