diff --git a/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml b/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml
index e09b1a744..687d2721a 100644
--- a/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml
@@ -4,7 +4,7 @@ related:
 - id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0
 type: derived
 status: experimental
-description: Detects file write event from/to a fake recycle bin folder that's often used as a staging directory for malware
+description: Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware
 references:
 - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
 author: X__Junior (Nextron Systems)
diff --git a/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml b/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml
index 475f0df2d..db275c86f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml
@@ -1,4 +1,4 @@
-title: Potential Suspicious Call To Win32_NTEventlogFile Class - PSScript
+title: Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript
 id: e2812b49-bae0-4b21-b366-7c142eafcde2
 status: experimental
 description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml
index 8c905459c..ce960abcb 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml
@@ -1,7 +1,7 @@
 title: Suspicious Ping/Copy Command Combination
 id: ded2b07a-d12f-4284-9b76-653e37b6c8b0
 status: experimental
-description: Detects uncommon one liner command having ping and copy at the same time usually used by malware.
+description: Detects uncommon one-liner command having ping and copy at the same time, which is usually used by malware.
 references:
 - Internal Research
 author: X__Junior (Nextron Systems)
diff --git a/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml b/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml
index 8c1c4314e..b7363a7ec 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml
@@ -20,5 +20,5 @@ detection:
 - CommandLine|contains: '--insecure'
 condition: all of selection_*
 falsepositives:
- - Unknown
+ - Access to badly maintained internal or development systems
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_findstr_susp_parent.yml
index 7fcb19470..ee2b569a4 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_susp_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_susp_parent.yml
@@ -1,10 +1,10 @@
-title: Potential Suspicious Findstr.EXE Execution
+title: Potentially Suspicious Findstr.EXE Execution
 id: ccb5742c-c248-4982-8c5c-5571b9275ad3
 related:
 - id: fe63010f-8823-4864-a96b-a7b4a0f7b929
 type: derived
 status: experimental
-description: Detects execution of "findstr" as a child process of potentially suspicious parent command line. This is often the case when "findstr" is used to filter out the results of certain recon commands such as "tasklist" or "ipconfig /all"
+description: Detects execution of "findstr" as a child process of potentially suspicious parent command lines. This is often the case when "findstr" is used to filter out the results of certain reconnaissance commands such as "tasklist" or "ipconfig /all"
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist
 author: frack113
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml b/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
index 7c7e6f8ba..551845bcd 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
@@ -1,7 +1,7 @@
 title: PowerShell Execution With Potential Decryption Capabilities
 id: 434c08ba-8406-4d15-8b24-782cb071a691
 status: experimental
-description: Detects powershell command that decrypts an ".LNK" "file to drop next stage of the malware.
+description: Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware.
 references:
 - https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
 author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
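Review bot: The reworded `+description:` line of proc_creation_win_powershell_decrypt_pattern.yml keeps the misplaced quotation mark from the old text — `".LNK" "file` opens a second quote that is never closed — so the sentence still reads wrongly after the rewording. The line should be `description: Detects PowerShell commands that decrypt an ".LNK" file to drop the next stage of the malware.` As an unquoted YAML plain scalar the stray `"` is syntactically harmless, so only a human reader will notice it.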
@@ -23,10 +23,14 @@ detection:
 CommandLine|contains:
 - "Get-ChildItem "
 - "dir "
+ - "gci "
+ - "ls "
 selection_cli_gc:
 CommandLine|contains:
 - "Get-Content "
 - "gc "
+ - 'cat '
+ - 'type '
 selection_cli_specific:
 CommandLine|contains|all:
 - ' ^| '
diff --git a/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml b/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml
index f51203de9..7fef7623c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml
@@ -1,4 +1,4 @@
-title: Potential Suspicious Call To Win32_NTEventlogFile Class
+title: Potentially Suspicious Call To Win32_NTEventlogFile Class
 id: caf201a9-c2ce-4a26-9c3a-2b9525413711
 related:
 - id: e2812b49-bae0-4b21-b366-7c142eafcde2
diff --git a/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml b/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml
index 9dcdba70e..e0e058805 100644
--- a/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml
@@ -4,7 +4,7 @@ related:
 - id: 0cf2e1c6-8d10-4273-8059-738778f981ad
 type: derived
 status: experimental
-description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in ReflectDebugger key which could be store malware path
+description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow
 references:
 - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html
 - https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
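Review bot: The two new entries `'cat '` and `'type '` in proc_creation_win_powershell_decrypt_pattern.yml are single-quoted while every other value in the same `CommandLine|contains` lists — `"Get-Content "`, `"gc "`, and the `"gci "`/`"ls "` added a few lines above in this hunk — uses double quotes; both forms are valid YAML here, but one quoting style per list reads better, so `- "cat "` and `- "type "` would match their neighbours. Like the existing `"dir "` and `"gc "`, the new `"ls "` and `'type '` have no leading delimiter, so under Sigma's default case-insensitive matching they also hit tokens that merely end in those letters (for instance `-ItemType ` or a path component ending in `tools `); how much that widens the rule depends on the `condition`, which is not visible in this hunk. The enclosing `detection:` block starts before and ends after the hunk.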
@@ -12,6 +12,8 @@ author: X__Junior (Nextron Systems)
 date: 2023/06/30
 tags:
 - attack.execution
+ - attack.defense_evasion
+ - attack.t1036
 logsource:
 product: windows
 category: process_creation
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml b/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml
index a11cc6107..791736e43 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml
@@ -4,7 +4,7 @@ related:
 - id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd
 type: derived
 status: experimental
-description: Detects Potential WerFault "ReflectDebugger" registry value abuse for persistence.
+description: Detects potential WerFault "ReflectDebugger" registry value abuse for persistence.
 references:
 - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html
 - https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/