feat: update metadata and add more cases for rules

rules/windows/process_creation/proc_creation_win_chisel_usage.yml

@@ -8,8 +8,10 @@ description: Detects usage of the Chisel tunneling tool via the commandline argu
 references:
     - https://github.com/jpillora/chisel/
     - https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/
+    - https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/
 author: Florian Roth
 date: 2022/09/13
+modified: 2022/12/07
 tags:
     - attack.command_and_control
     - attack.t1090.001
@@ -25,11 +27,11 @@ detection:
             - 'exe server '
     selection_param2:
         CommandLine|contains:
-            - ' --socks5'
-            - ' --reverse'
+            - '-socks5'
+            - '-reverse'
             - ' r:'
             - ':127.0.0.1:'
-            - ' --tls-skip-verify '
+            - '-tls-skip-verify '
             - ':socks'
     condition: selection_img or all of selection_param*
 falsepositives:

rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml

@@ -18,22 +18,11 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection_1_img:
-        Image|endswith: '\SharpChisel.exe'
-    selection_1_pe:
-        Product: 'SharpChisel'
-    # Covered by Chisel Rule
-    # selection_2_client_server:
-    #     CommandLine|contains:
-    #         - 'exe client '
-    #         - 'exe server '
-    # selection_2_flags:
-    #     CommandLine|contains:
-    #         - ' --socks5'
-    #         - ' --reverse'
-    #         - ' r:'
-    #         - ':127.0.0.1:'
-    condition: 1 of selection*
+    selection:
+        - Image|endswith: '\SharpChisel.exe'
+        - Product: 'SharpChisel'
+    # See rule 8b0e12da-d3c3-49db-bb4f-256703f380e5 for Chisel.exe coverage
+    condition: selection
 falsepositives:
-    - Some false positives may occure with other tools with similar commandlines
+    - Unlikely
 level: high