Update selections and indentation

2022-07-07 20:13:45 +01:00
parent 49e389db5c
commit aec95b6d65
38 changed files with 368 additions and 366 deletions
@@ -36,7 +36,7 @@ detection:
            - forward
            - accept
            - 2
-    condition: selection1 and selection2
+    condition: all of selection*
 falsepositives:
    - Unknown
 level: low
@@ -4,22 +4,22 @@ status: test
 description: Detects suspicious change of file privileges with chown and chmod commands
 author: Ömer Günal
 references:
-  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md
-  - https://attack.mitre.org/techniques/T1548/001/
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md
+    - https://attack.mitre.org/techniques/T1548/001/
 date: 2020/06/16
 modified: 2021/11/27
 logsource:
-  product: linux
+    product: linux
 detection:
-  selection1:
-    - '*chown root*'
-  selection2:
-    - '* chmod u+s*'
-  selection3:
-    - '* chmod g+s*'
-  condition: (selection1 and selection2) or (selection1 and selection3)
+    selection1:
+        - '*chown root*'
+    selection2:
+        - '* chmod u+s*'
+    selection3:
+        - '* chmod g+s*'
+    condition: (selection1 and selection2) or (selection1 and selection3)
 falsepositives:
-  - Legitimate administration activities
+    - Legitimate administration activities
 level: low
 tags:
-  - attack.persistence
+    - attack.persistence
@@ -14,7 +14,7 @@ detection:
    - 'echo "*" > * && chmod +x *'
  selection2:
    - 'mv * "* "'
-  condition: selection1 and selection2
+  condition: all of selection*
 falsepositives:
  - Typos
 level: low
@@ -6,7 +6,7 @@ author: Florian Roth
 references:
  - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
 date: 2017/08/24
-modified: 2021/11/27
+modified: 2022/07/07
 logsource:
  product: linux
 detection:
@@ -14,7 +14,7 @@ detection:
    - 'bash -c /bin/bash'
  selection2:
    - '&/dev/tcp/'
-  condition: selection1 and selection2
+  condition: all of selection*
 falsepositives:
  - Unknown
 level: high
@@ -26,7 +26,7 @@ detection:
            - 'clip'
    selection4:
        CommandLine|contains: '-o'
-    condition: selection1 and selection2 and selection3 and selection4
+    condition: all of selection*
 falsepositives:
    - Legitimate usage of xclip tools.
 level: low
@@ -3,6 +3,7 @@ id: 2953194b-e33c-4859-b9e8-05948c167447
 status: experimental
 description: Detects potential overwriting and deletion of a file using DD.
 date: 2021/10/15
+modified: 2022/07/07
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
 tags:
    - attack.impact
@@ -23,7 +24,7 @@ detection:
        CommandLine|contains:
            - 'if=/dev/zero'
            - 'if=/dev/null'
-    condition: selection1 and selection2 and selection3
+    condition: all of selection*
 falsepositives:
    - Any user deleting files that way.
 level: low
@@ -19,7 +19,7 @@ detection:
      - '-acmr'
      - '-d'
      - '-r'
-  condition: selection1 and selection2
+  condition: all of selection*
 falsepositives:
  - Unknown
 level: medium
@@ -4,26 +4,26 @@ status: test
 description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
 author: Florian Roth
 references:
-  - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
+    - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
 date: 2020/02/29
 modified: 2021/11/27
 logsource:
-  category: webserver
+    category: webserver
 detection:
-  selection1:
-    cs-method: 'GET'
-    c-uri|contains:
-      - '/ecp/'
-      - '/owa/'
-  selection2:
-    c-uri|contains: '__VIEWSTATE='
-  condition: selection1 and selection2
+    selection1:
+        cs-method: 'GET'
+        c-uri|contains:
+            - '/ecp/'
+            - '/owa/'
+    selection2:
+        c-uri|contains: '__VIEWSTATE='
+    condition: all of selection*
 fields:
-  - c-ip
-  - c-dns
+    - c-ip
+    - c-dns
 falsepositives:
-  - Unknown
+    - Unknown
 level: critical
 tags:
-  - attack.initial_access
-  - attack.t1190
+    - attack.initial_access
+    - attack.t1190
@@ -4,6 +4,7 @@ status: stable
 description: This rule detects exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893)
 author: Sittikorn S
 date: 2021/06/29
+modified: 2022/07/07
 references:
    - https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html
    - https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784
@@ -28,7 +29,7 @@ detection:
            - 'smb'
            - 'namedusers'
            - 'metric'
-    condition: selection1 and selection2
+    condition: all of selection*
 falsepositives:
    - Vulnerability Scanning
 level: high
@@ -21,7 +21,7 @@ detection:
        Level: Error
    selection2:
        - '&__VIEWSTATE='
-    condition: selection1 and selection2
+    condition: all of selection*
 falsepositives:
    - Unknown
 level: high
@@ -4,19 +4,19 @@ status: experimental
 description: Detects a remote thread creation of Ttdinject.exe used as proxy
 author: frack113
 references:
-  - https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/
+    - https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/
 date: 2022/05/16
 modified: 2022/06/02
 logsource:
-  product: windows
-  category: create_remote_thread
+    product: windows
+    category: create_remote_thread
 detection:
-  selection:
-    SourceImage|endswith: '\ttdinject.exe'
-  condition: selection
+    selection:
+        SourceImage|endswith: '\ttdinject.exe'
+    condition: selection
 falsepositives:
-  - Unknown
+    - Unknown
 level: high
 tags:
-  - attack.defense_evasion
-  - attack.t1127
+    - attack.defense_evasion
+    - attack.t1127
@@ -4,20 +4,20 @@ status: test
 description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
-  - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html
+    - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html
 date: 2019/08/11
 modified: 2021/11/27
 logsource:
-  product: windows
-  category: create_remote_thread
+    product: windows
+    category: create_remote_thread
 detection:
-  selection:
-    StartModule|endswith: '\kernel32.dll'
-    StartFunction: 'LoadLibraryA'
-  condition: selection
+    selection:
+        StartModule|endswith: '\kernel32.dll'
+        StartFunction: 'LoadLibraryA'
+    condition: selection
 falsepositives:
-  - Unknown
+    - Unknown
 level: high
 tags:
-  - attack.defense_evasion
-  - attack.t1055.001
+    - attack.defense_evasion
+    - attack.t1055.001
@@ -4,20 +4,20 @@ status: test
 description: Detecting Code injection with PowerShell in another process
 author: Nikita Nazarov, oscd.community
 references:
-  - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 date: 2020/10/06
 modified: 2021/11/27
 logsource:
-  product: windows
-  category: create_remote_thread
-  definition: 'Note that you have to configure logging for CreateRemoteThread in Symson config'
+    product: windows
+    category: create_remote_thread
+    definition: 'Note that you have to configure logging for CreateRemoteThread in Symson config'
 detection:
-  selection:
-    SourceImage|endswith: '\powershell.exe'
-  condition: selection
+    selection:
+        SourceImage|endswith: '\powershell.exe'
+    condition: selection
 falsepositives:
-  - Unknown
+    - Unknown
 level: high
 tags:
-  - attack.execution
-  - attack.t1059.001
+    - attack.execution
+    - attack.t1059.001
@@ -18,11 +18,11 @@ logsource:
 detection:
    selection:
        ScriptBlockText|contains:
-          - 'CL_Invocation.ps1'
-          - 'SyncInvoke'
+            - 'CL_Invocation.ps1'
+            - 'SyncInvoke'
    condition: selection | count(ScriptBlockText) by Computer > 2
-      # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
-      # PS > SyncInvoke c:\Evil.exe
+    # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
+    # PS > SyncInvoke c:\Evil.exe
 falsepositives:
    - Unknown
 level: high
@@ -18,11 +18,11 @@ logsource:
 detection:
    selection:
        ScriptBlockText|contains:
-          - 'CL_Mutexverifiers.ps1'
-          - 'runAfterCancelProcess'
+            - 'CL_Mutexverifiers.ps1'
+            - 'runAfterCancelProcess'
    condition: selection | count(ScriptBlockText) by Computer > 2
-      # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
-      # PS > runAfterCancelProcess c:\Evil.exe
+    # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
+    # PS > runAfterCancelProcess c:\Evil.exe
 falsepositives:
    - Unknown
 level: high
@@ -4,9 +4,9 @@ status: experimental
 description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
 author: Timur Zinniatullin, oscd.community
 date: 2019/10/21
-modified: 2021/10/16
+modified: 2022/07/07
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md
 logsource:
    product: windows
    category: ps_script
@@ -18,7 +18,7 @@ detection:
        ScriptBlockText|contains:
            - 'Set-ItemProperty'
            - 'New-Item'
-    condition: selection and selection2
+    condition: all of selection*
 falsepositives:
    - Unknown
 level: medium
@@ -3,7 +3,7 @@ id: ba778144-5e3d-40cf-8af9-e28fb1df1e20
 author: Florian Roth, Jonhnathan Ribeiro, oscd.community
 status: test
 date: 2018/03/01
-modified: 2021/12/08
+modified: 2022/07/07
 description: Detects Trojan loader activity as used by APT28
 references:
    - https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
@@ -30,7 +30,7 @@ detection:
            - '.dll",#1'
            - '.dll #1'
            - '.dll" #1'
-    condition: selection1 and selection2
+    condition: all of selection*
 falsepositives:
    - Unknown
 level: high
@@ -20,12 +20,12 @@ logsource:
    category: process_creation
    product: windows
 detection:
-   selection:
-      CommandLine:
-         - 'net use \\%DomainController%\C$ "P@ssw0rd" *'
-         - 'dir c:\\*.doc* /s'
-         - 'dir %TEMP%\\*.exe'
-   condition: selection
+    selection:
+        CommandLine:
+            - 'net use \\%DomainController%\C$ "P@ssw0rd" *'
+            - 'dir c:\\*.doc* /s'
+            - 'dir %TEMP%\\*.exe'
+    condition: selection
 level: critical
 falsepositives:
-   - Unknown
+   - Unknown
@@ -4,32 +4,32 @@ status: stable
 description: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.
 author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
 references:
-  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md
-  - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md
+    - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html
 date: 2019/10/24
-modified: 2021/11/27
+modified: 2022/07/07
 logsource:
-  category: process_creation
-  product: windows
+    category: process_creation
+    product: windows
 detection:
-  selection1:
-    Image|endswith: \bcdedit.exe
-    CommandLine|contains: set
-  selection2:
-    - CommandLine|contains|all:
-      - bootstatuspolicy
-      - ignoreallfailures
-    - CommandLine|contains|all:
-      - recoveryenabled
-      - 'no'
-  condition: selection1 and selection2
+    selection1:
+        Image|endswith: \bcdedit.exe
+        CommandLine|contains: set
+    selection2:
+        - CommandLine|contains|all:
+            - bootstatuspolicy
+            - ignoreallfailures
+        - CommandLine|contains|all:
+            - recoveryenabled
+            - 'no'
+    condition: all of selection*
 fields:
-  - ComputerName
-  - User
-  - CommandLine
+    - ComputerName
+    - User
+    - CommandLine
 falsepositives:
-  - Unlikely
+    - Unlikely
 level: high
 tags:
-  - attack.impact
-  - attack.t1490
+    - attack.impact
+    - attack.t1490
@@ -4,27 +4,27 @@ status: test
 description: Detects new commands that add new printer port which point to suspicious file
 author: EagleEye Team, Florian Roth
 references:
-  - https://windows-internals.com/printdemon-cve-2020-1048/
+    - https://windows-internals.com/printdemon-cve-2020-1048/
 date: 2020/05/13
 modified: 2021/11/27
 logsource:
-  category: process_creation
-  product: windows
+    category: process_creation
+    product: windows
 detection:
-  selection1:
-    CommandLine|contains: 'Add-PrinterPort -Name'
-  selection2:
-    CommandLine|contains:
-      - '.exe'
-      - '.dll'
-      - '.bat'
-  selection3:
-    CommandLine|contains: 'Generic / Text Only'
-  condition: ( selection1 and selection2 ) or selection3
+    selection1:
+        CommandLine|contains: 'Add-PrinterPort -Name'
+    selection2:
+        CommandLine|contains:
+            - '.exe'
+            - '.dll'
+            - '.bat'
+    selection3:
+        CommandLine|contains: 'Generic / Text Only'
+    condition: ( * ) or selection3
 falsepositives:
-  - New printer port install on host
+    - New printer port install on host
 level: high
 tags:
-  - attack.persistence
-  - attack.execution
-  - attack.t1059.001
+    - attack.persistence
+    - attack.execution
+    - attack.t1059.001
@@ -4,27 +4,27 @@ status: test
 description: Detects command line parameters used by Hydra password guessing hack tool
 author: Vasiliy Burov
 references:
-  - https://github.com/vanhauser-thc/thc-hydra
-  - https://attack.mitre.org/techniques/T1110/001/
+    - https://github.com/vanhauser-thc/thc-hydra
+    - https://attack.mitre.org/techniques/T1110/001/
 date: 2020/10/05
 modified: 2021/11/27
 logsource:
-  category: process_creation
-  product: windows
+    category: process_creation
+    product: windows
 detection:
-  selection1:
-    CommandLine|contains|all:
-      - '-u '
-      - '-p '
-  selection2:
-    CommandLine|contains:
-      - '^USER^'
-      - '^PASS^'
-  condition: selection1 and selection2
+    selection1:
+        CommandLine|contains|all:
+            - '-u '
+            - '-p '
+    selection2:
+        CommandLine|contains:
+            - '^USER^'
+            - '^PASS^'
+    condition: all of selection*
 falsepositives:
-  - Software that uses the caret encased keywords PASS and USER in its command line
+    - Software that uses the caret encased keywords PASS and USER in its command line
 level: high
 tags:
-  - attack.credential_access
-  - attack.t1110
-  - attack.t1110.001
+    - attack.credential_access
+    - attack.t1110
+    - attack.t1110.001
@@ -16,11 +16,11 @@ logsource:
    product: windows
 detection:
    selection:
-      CommandLine|contains|all: 
-        - 'CL_Invocation.ps1'
-        - 'SyncInvoke'
-      # Example Commandline: "powershell Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1; SyncInvoke c:\Evil.exe"
+        CommandLine|contains|all:
+            - 'CL_Invocation.ps1'
+            - 'SyncInvoke'
+        # Example Commandline: "powershell Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1; SyncInvoke c:\Evil.exe"
    condition: selection
-falsepositives: 
- - Unknown
+falsepositives:
+    - Unknown
 level: high
@@ -18,7 +18,7 @@ detection:
        CommandLine|contains|all:
            - 'DownloadFile'
            - 'url'
-    condition: selection1 and selection2
+    condition: all of selection*
 fields:
    - CommandLine
 falsepositives:
@@ -15,20 +15,20 @@ status: experimental
 date: 2021/08/23
 modified: 2022/06/02
 logsource:
-  product: windows
-  category: process_creation
+    product: windows
+    category: process_creation
 detection:
-  #useful_information: add more LOLBins to the rules logic of your choice.
-  selection1:
-    Image|endswith:
-      - '\regsvr32'
-      - '\rundll32'
-      - '\msiexec'
-      - '\mshta'
-      - '\verclsid'
-  selection2:
-    ParentImage|endswith: \wbem\WmiPrvSE.exe
-  condition: selection1 and selection2
+    #useful_information: add more LOLBins to the rules logic of your choice.
+    selection1:
+        Image|endswith:
+            - '\regsvr32'
+            - '\rundll32'
+            - '\msiexec'
+            - '\mshta'
+            - '\verclsid'
+    selection2:
+        ParentImage|endswith: \wbem\WmiPrvSE.exe
+    condition: all of selection*
 falsepositives:
  - Unknown
 level: high
@@ -4,28 +4,28 @@ status: test
 description: Allow Incoming Connections by Port or Application on Windows Firewall
 author: Markus Neis, Sander Wiebing
 references:
-  - https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)
-  - https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
+    - https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)
+    - https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
 date: 2019/01/29
 modified: 2022/02/10
 logsource:
-  category: process_creation
-  product: windows
+    category: process_creation
+    product: windows
 detection:
-  selection1:
-    Image|endswith: '\netsh.exe'
-  selection2:
-    CommandLine|contains|all:
-      - 'firewall'
-      - 'add'
-  filter_dropbox:
-    CommandLine|contains:
-      - '\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow "program=C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" enable=yes profile=Any'
-      - '\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow "program=C:\Program Files\Dropbox\Client\Dropbox.exe" enable=yes profile=Any'
-  condition: selection1 and selection2 and not 1 of filter_*
+    selection1:
+        Image|endswith: '\netsh.exe'
+    selection2:
+        CommandLine|contains|all:
+            - 'firewall'
+            - 'add'
+    filter_dropbox:
+        CommandLine|contains:
+            - '\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow "program=C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" enable=yes profile=Any'
+            - '\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow "program=C:\Program Files\Dropbox\Client\Dropbox.exe" enable=yes profile=Any'
+    condition: all of selection* and not 1 of filter_*
 falsepositives:
-  - Legitimate administration
+    - Legitimate administration
 level: medium
 tags:
-  - attack.defense_evasion
-  - attack.t1562.004
+    - attack.defense_evasion
+    - attack.t1562.004
@@ -4,43 +4,43 @@ status: test
 description: Search for usage of reg or Powershell by non-priveleged users to modify service configuration in registry
 author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
 references:
-  - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
+    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
 date: 2020/10/05
 modified: 2021/11/27
 logsource:
-  category: process_creation
-  product: windows
+    category: process_creation
+    product: windows
 detection:
-  integrity_level:
-    IntegrityLevel: 'Medium'
-  reg:
-    CommandLine|contains|all:
-      - 'reg'
-      - 'add'
-  powershell_1:
-    CommandLine|contains: 'powershell'
-  powershell_2:
-    CommandLine|contains:
-      - 'set-itemproperty'
-      - ' sp '
-      - 'new-itemproperty'
-  registry_folder:
-    CommandLine|contains|all:
-      - 'ControlSet'
-      - 'Services'
-  registry_key:
-    CommandLine|contains:
-      - 'ImagePath'
-      - 'FailureCommand'
-      - 'ServiceDLL'
-  condition: integrity_level and (reg or powershell_1 and powershell_2) and registry_folder and registry_key
+    integrity_level:
+        IntegrityLevel: 'Medium'
+    reg:
+        CommandLine|contains|all:
+            - 'reg'
+            - 'add'
+    powershell_1:
+        CommandLine|contains: 'powershell'
+    powershell_2:
+        CommandLine|contains:
+            - 'set-itemproperty'
+            - ' sp '
+            - 'new-itemproperty'
+    registry_folder:
+        CommandLine|contains|all:
+            - 'ControlSet'
+            - 'Services'
+    registry_key:
+        CommandLine|contains:
+            - 'ImagePath'
+            - 'FailureCommand'
+            - 'ServiceDLL'
+    condition: integrity_level and (reg or powershell_1 and powershell_2) and registry_folder and registry_key
 fields:
-  - EventID
-  - IntegrityLevel
-  - CommandLine
+    - EventID
+    - IntegrityLevel
+    - CommandLine
 falsepositives:
-  - Unknown
+    - Unknown
 level: high
 tags:
-  - attack.defense_evasion
-  - attack.t1112
+    - attack.defense_evasion
+    - attack.t1112
@@ -13,7 +13,7 @@ tags:
    - attack.defense_evasion
 status: experimental
 date: 2021/08/23
-modified: 2022/06/02
+modified: 2022/07/07
 logsource:
  product: windows
  category: process_creation
@@ -39,7 +39,7 @@ detection:
      - 'process'
      - 'create'
      - 'call'
-  condition: selection1 and selection2 and selection3 and selection4
+  condition: all of selection*
 falsepositives:
 - Unknown
 level: high
@@ -15,23 +15,23 @@ status: experimental
 date: 2021/08/23
 modified: 2022/06/16
 logsource:
-  product: windows
-  category: process_creation
+    product: windows
+    category: process_creation
 detection:
- #useful_information: Add more office applications to the rule logic of choice
-  selection1:
-    - Image|endswith: '\wbem\WMIC.exe'
-    - CommandLine|contains: 'wmic '
-  selection2:
-    ParentImage|endswith:
-      - '\winword.exe'
-      - '\excel.exe'
-      - '\powerpnt.exe'
-      - '\msaccess.exe'
-      - '\mspub.exe'
-      - '\eqnedt32.exe'
-      - '\visio.exe'
-  condition: selection1 and selection2
+    #useful_information: Add more office applications to the rule logic of choice
+    selection1:
+        - Image|endswith: '\wbem\WMIC.exe'
+        - CommandLine|contains: 'wmic '
+    selection2:
+        ParentImage|endswith:
+            - '\winword.exe'
+            - '\excel.exe'
+            - '\powerpnt.exe'
+            - '\msaccess.exe'
+            - '\mspub.exe'
+            - '\eqnedt32.exe'
+            - '\visio.exe'
+    condition: all of selection*
 falsepositives:
- Unknown
+    - Unknown
 level: high
@@ -4,22 +4,22 @@ status: test
 description: Detects Request to amsiInitFailed that can be used to disable AMSI Scanning
 author: Markus Neis
 references:
-  - https://twitter.com/mattifestation/status/735261176745988096
-  - https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120
+    - https://twitter.com/mattifestation/status/735261176745988096
+    - https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120
 date: 2018/08/17
 modified: 2021/11/27
 logsource:
-  category: process_creation
-  product: windows
+    category: process_creation
+    product: windows
 detection:
-  selection1:
-    CommandLine|contains: 'System.Management.Automation.AmsiUtils'
-  selection2:
-    CommandLine|contains: 'amsiInitFailed'
-  condition: selection1 and selection2
+    selection1:
+        CommandLine|contains: 'System.Management.Automation.AmsiUtils'
+    selection2:
+        CommandLine|contains: 'amsiInitFailed'
+    condition: all of selection*
 falsepositives:
-  - Potential Admin Activity
+    - Potential Admin Activity
 level: high
 tags:
-  - attack.defense_evasion
-  - attack.t1562.001
+    - attack.defense_evasion
+    - attack.t1562.001
@@ -4,23 +4,23 @@ status: stable
 description: Detects Base64 encoded Shellcode
 author: Florian Roth
 references:
-  - https://twitter.com/cyb3rops/status/1063072865992523776
+    - https://twitter.com/cyb3rops/status/1063072865992523776
 date: 2018/11/17
-modified: 2021/11/27
+modified: 2022/07/07
 logsource:
-  category: process_creation
-  product: windows
+    category: process_creation
+    product: windows
 detection:
-  selection1:
-    CommandLine|contains: 'AAAAYInlM'
-  selection2:
-    CommandLine|contains:
-      - 'OiCAAAAYInlM'
-      - 'OiJAAAAYInlM'
-  condition: selection1 and selection2
+    selection1:
+        CommandLine|contains: 'AAAAYInlM'
+    selection2:
+        CommandLine|contains:
+            - 'OiCAAAAYInlM'
+            - 'OiJAAAAYInlM'
+    condition: all of selection*
 falsepositives:
-  - Unknown
+    - Unknown
 level: critical
 tags:
-  - attack.defense_evasion
-  - attack.t1027
+    - attack.defense_evasion
+    - attack.t1027
@@ -4,43 +4,43 @@ status: test
 description: Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
 author: Markus Neis, @Karneades
 references:
-  - https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1
-  - https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/userland/schtasks.py
-  - https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/elevated/schtasks.py
+    - https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1
+    - https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/userland/schtasks.py
+    - https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/elevated/schtasks.py
 date: 2018/03/06
 modified: 2021/11/27
 logsource:
-  product: windows
-  category: process_creation
+    product: windows
+    category: process_creation
 detection:
-  selection1:
-    ParentImage|endswith: '\powershell.exe'
-    Image|endswith: '\schtasks.exe'
-    CommandLine|contains|all:
-      - '/Create'
-      - '/SC'
-  selection2:
-    CommandLine|contains:
-      - 'ONLOGON'
-      - 'DAILY'
-      - 'ONIDLE'
-      - 'Updater'
-    CommandLine|contains|all:
-      - '/TN'
-      - 'Updater'
-      - '/TR'
-      - 'powershell'
-  condition: selection1 and selection2
+    selection1:
+        ParentImage|endswith: '\powershell.exe'
+        Image|endswith: '\schtasks.exe'
+        CommandLine|contains|all:
+            - '/Create'
+            - '/SC'
+    selection2:
+        CommandLine|contains:
+            - 'ONLOGON'
+            - 'DAILY'
+            - 'ONIDLE'
+            - 'Updater'
+        CommandLine|contains|all:
+            - '/TN'
+            - 'Updater'
+            - '/TR'
+            - 'powershell'
+    condition: all of selection*
 falsepositives:
-  - False positives are possible, depends on organisation and processes
+    - False positives are possible, depends on organisation and processes
 level: high
 tags:
-  - attack.execution
-  - attack.persistence
-  - attack.privilege_escalation
-  - attack.s0111
-  - attack.g0022
-  - attack.g0060
-  - car.2013-08-001
-  - attack.t1053.005
-  - attack.t1059.001
+    - attack.execution
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.s0111
+    - attack.g0022
+    - attack.g0060
+    - car.2013-08-001
+    - attack.t1053.005
+    - attack.t1059.001
@@ -4,35 +4,35 @@ status: test
 description: Detects execution of renamed paexec via imphash and executable product string
 author: Jason Lynch
 references:
-  - sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc
-  - https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
+    - sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc
+    - https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
 date: 2019/04/17
 modified: 2022/03/04
 logsource:
-  category: process_creation
-  product: windows
+    category: process_creation
+    product: windows
 detection:
-  selection1:
-    Product|contains: 'PAExec'
-  selection2:
-    - Imphash:
-      - 11D40A7B7876288F919AB819CC2D9802
-      - 6444f8a34e99b8f7d9647de66aabe516
-      - dfd6aa3f7b2b1035b76b718f1ddc689f
-      - 1a6cca4d5460b1710a12dea39e4a592c
-    - Hashes|contains:
-      - IMPHASH=11D40A7B7876288F919AB819CC2D9802
-      - IMPHASH=6444f8a34e99b8f7d9647de66aabe516
-      - IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f
-      - IMPHASH=1a6cca4d5460b1710a12dea39e4a592c
-  filter1:
-    Image|contains: 'paexec'
-  condition: (selection1 and selection2) and not filter1
+    selection1:
+        Product|contains: 'PAExec'
+    selection2:
+        - Imphash:
+            - 11D40A7B7876288F919AB819CC2D9802
+            - 6444f8a34e99b8f7d9647de66aabe516
+            - dfd6aa3f7b2b1035b76b718f1ddc689f
+            - 1a6cca4d5460b1710a12dea39e4a592c
+        - Hashes|contains:
+            - IMPHASH=11D40A7B7876288F919AB819CC2D9802
+            - IMPHASH=6444f8a34e99b8f7d9647de66aabe516
+            - IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f
+            - IMPHASH=1a6cca4d5460b1710a12dea39e4a592c
+    filter1:
+        Image|contains: 'paexec'
+    condition: all of selection* and not filter1
 falsepositives:
-  - Unknown imphashes
+    - Unknown imphashes
 level: medium
 tags:
-  - attack.defense_evasion
-  - attack.t1036.003
-  - attack.g0046
-  - car.2013-05-009
+    - attack.defense_evasion
+    - attack.t1036.003
+    - attack.g0046
+    - car.2013-05-009
@@ -3,33 +3,33 @@ id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78
 status: experimental
 description: Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.
 author: '@Kostastsale, @TheDFIRReport, slightly modified by pH-T'
-references: 
-  - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
+references:
+    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
 date: 2022/02/12
 modified: 2022/03/15
 logsource:
-  product: windows
-  category: process_creation
+    product: windows
+    category: process_creation
 detection:
-  selection1:
-    Image|endswith: '\schtasks.exe'
-    CommandLine|contains|all:
-      - '/Create'
-      - '/SC'
-      - 'FromBase64String'
-      - 'Get-ItemProperty'
-  selection2:
-    CommandLine|contains:
-      - 'HKCU:'
-      - 'HKLM:'
-      - 'registry::'
-      - 'HKEY_'
-  condition: selection1 and selection2
+    selection1:
+        Image|endswith: '\schtasks.exe'
+        CommandLine|contains|all:
+            - '/Create'
+            - '/SC'
+            - 'FromBase64String'
+            - 'Get-ItemProperty'
+    selection2:
+        CommandLine|contains:
+            - 'HKCU:'
+            - 'HKLM:'
+            - 'registry::'
+            - 'HKEY_'
+    condition: all of selection*
 falsepositives:
-  - Unknown
+    - Unknown
 level: high
 tags:
-  - attack.execution
-  - attack.persistence
-  - attack.t1053.005
-  - attack.t1059.001
+    - attack.execution
+    - attack.persistence
+    - attack.t1053.005
+    - attack.t1059.001
@@ -4,27 +4,27 @@ status: test
 description: Attackers can use print.exe for remote file copy
 author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative'
 references:
-  - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Print.yml
-  - https://twitter.com/Oddvarmoe/status/985518877076541440
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Print.yml
+    - https://twitter.com/Oddvarmoe/status/985518877076541440
 date: 2020/10/05
 modified: 2021/11/27
 logsource:
-  category: process_creation
-  product: windows
+    category: process_creation
+    product: windows
 detection:
-  selection1:
-    Image|endswith: \print.exe
-    CommandLine|startswith: print
-  selection2:
-    CommandLine|contains: /D
-  exeCondition:
-    CommandLine|contains: .exe
-  cmdExclude:
-    CommandLine|contains: print.exe
-  condition: selection1 and selection2 and exeCondition and not cmdExclude
+    selection1:
+        Image|endswith: \print.exe
+        CommandLine|startswith: print
+    selection2:
+        CommandLine|contains: /D
+    exeCondition:
+        CommandLine|contains: .exe
+    cmdExclude:
+        CommandLine|contains: print.exe
+    condition: selection1 and selection2 and exeCondition and not cmdExclude
 falsepositives:
-  - Unknown
+    - Unknown
 level: medium
 tags:
-  - attack.defense_evasion
-  - attack.t1218
+    - attack.defense_evasion
+    - attack.t1218
@@ -26,7 +26,7 @@ detection:
        CommandLine|contains:
            - 'Local\'
            - 'Roaming\'
-    condition: selection1 and selection2
+    condition: all of selection*
 falsepositives:
    - Administrative scripts
 level: medium
@@ -4,9 +4,10 @@ description: Detects when the registration of a VSS/VDS Provider as a COM+ appli
 status: experimental
 author: Austin Songer @austinsonger
 date: 2021/11/05
+modified: 2022/07/07
 references:
- https://twitter.com/sblmsrsn/status/1456613494783160325?s=20
- https://ss64.com/vb/cscript.html
+    - https://twitter.com/sblmsrsn/status/1456613494783160325?s=20
+    - https://ss64.com/vb/cscript.html
 logsource:
    category: process_creation
    product: windows
@@ -19,14 +20,13 @@ detection:
            - '\Windows Kits\10\bin\10.0.22000.0\x64'
            - '\Windows Kits\10\bin\10.0.19041.0\x64'
            - '\Windows Kits\10\bin\10.0.17763.0\x64'
-    condition:
-        selection1 and selection2
+    condition: all of selection*
 fields:
    - CommandLine
    - ParentCommandLine
-tags:
- attack.defense_evasion
- attack.t1218
-level: medium
 falsepositives:
- Unknown
+    - Unknown
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1218
@@ -19,7 +19,7 @@ detection:
        CommandLine|contains:
            - '.sys,'
            - '.sys '
-    condition: selection1 and selection2
+    condition: all of selection*
 falsepositives:
    - Unknown
 level: high
@@ -27,7 +27,7 @@ detection:
        CommandLine|contains:
            - ' C:\Windows\System32\Tasks\'
            - ' C:\Windows\SysWow64\Tasks\'
-    condition: selection1 and selection2
+    condition: all of selection*
 fields:
    - CommandLine
    - ParentProcess