From bd123536dfa3b646c8af8106e61b357adce28e31 Mon Sep 17 00:00:00 2001
From: frack113
Date: Wed, 28 Jul 2021 18:19:23 +0200
Subject: [PATCH 1/3] fix duplicate UUID
---
 rules/cloud/aws_sts_assumedrole_misuse.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/aws_sts_assumedrole_misuse.yml b/rules/cloud/aws_sts_assumedrole_misuse.yml
index 869c4f2d0..75ecc2090 100644
--- a/rules/cloud/aws_sts_assumedrole_misuse.yml
+++ b/rules/cloud/aws_sts_assumedrole_misuse.yml
@@ -1,5 +1,5 @@
 title: AWS STS AssumedRole Misuse
-id: b45ab1d2-712f-4f01-a751-df3826969807
+id: 905d389b-b853-46d0-9d3d-dea0d3a3cd49
 description: Identifies the suspicious use of AssumedRole. Attackers could move laterally and escalate privileges.
 author: Austin Songer
 status: experimental
From e0d6856987e2c8f8e7b8373687c350c6329fe42d Mon Sep 17 00:00:00 2001
From: Wietze
Date: Thu, 29 Jul 2021 13:57:58 +0100
Subject: [PATCH 2/3] [CarbonBlack] Adding extra escape character
Hyphens, especially when at the start of a query, need escaping since hyphens are also used to negate conditions
---
 tools/sigma/backends/carbonblack.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tools/sigma/backends/carbonblack.py b/tools/sigma/backends/carbonblack.py
index 1a1476290..cf5175777 100644
--- a/tools/sigma/backends/carbonblack.py
+++ b/tools/sigma/backends/carbonblack.py
@@ -81,6 +81,7 @@ class CarbonBlackQueryBackend(CarbonBlackWildcardHandlingMixin, SingleTextQueryB
 '|',
 ';',
 ':',
+ '-'
 ]
 def __init__(self, *args, **kwargs):
From 687631ee202351260f1f46485f7fdae5837cfca3 Mon Sep 17 00:00:00 2001
From: Wietze
Date: Wed, 28 Jul 2021 17:24:26 +0100
Subject: [PATCH 3/3] Several updates to CarbonBlack EEDR config
---
 tools/config/carbon-black-eedr.yml | 54 +++++++-----------------------
 1 file changed, 13 insertions(+), 41 deletions(-)
diff --git a/tools/config/carbon-black-eedr.yml b/tools/config/carbon-black-eedr.yml
index dbdd9a215..0e7c4fff6 100644
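Review bot: Changing the `id` of an already-published rule makes every consumer that tracks deployed detections by UUID treat this as a new rule and orphan the old one, and the commit message does not say which other rule holds `b45ab1d2-712f-4f01-a751-df3826969807`, so the collision cannot be verified from the diff. Naming that rule in the message — and, if the repository's rule schema supports it, recording the old UUID under the rule's `related:` block — lets downstream users reconcile their rule inventories. The rest of the rule is outside the hunk; if it carries a `modified` date, it should be bumped with this change.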
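Review bot: The new entry on the added line, `'-'`, is the only element of this list without a trailing comma; writing it as `'-',` matches the preceding entries and keeps the next addition from touching this line. The list's name and the code that consumes it sit outside the hunk (the enclosing `CarbonBlackQueryBackend` class starts before it), so it is not visible here whether the escape is applied to every hyphen or only at the start of a term, which the commit message singles out; a backend unit test with a value that begins with a hyphen would pin the intended output. Hyphens inside ordinary values (hostnames, GUIDs) will now be emitted escaped as well, which is presumably accepted by the query parser but is worth confirming against a live query.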
--- a/tools/config/carbon-black-eedr.yml
+++ b/tools/config/carbon-black-eedr.yml
@@ -16,68 +16,56 @@ fieldmappings:
 - process_product_version
 - process_publisher
 - process_file_description
- DestPort:
- - netconn_port
- - netconn_remote_port
+ DestPort: netconn_port
 Destination:
 - netconn_domain
 DestinationAddress:
 - netconn_domain
 - netconn_ipv4
 - netconn_ipv6
- - netconn_remote_ipv4
- - netconn_remote_ipv6
- DestinationHostname:
+ DestinationHostname:
 - netconn_domain
 - netconn_proxy_domain
 DestinationIp:
 - netconn_ipv4
 - netconn_ipv6
- - netconn_remote_ipv4
- - netconn_remote_ipv6
- DestinationPort:
- - netconn_port
- - netconn_remote_port
+ DestinationPort: netconn_port
 Device: device_name
 FileName:
- - process_internal_name
 - process_name
 - process_original_filename
 FileVersion: process_product_version
 Image:
 - process_name
- - process_internal_name
 IntegrityLevel: process_integrity_level
 IpAddress:
 - netconn_ipv4
 - netconn_ipv6
 - netconn_local_ipv4
 - netconn_local_ipv6
- - netconn_remote_ipv4
- - netconn_remote_ipv6
 LogonId:
 - childproc_username
 - process_username
 md5: hash
- NewName: regmod_new_name
+ NewName: regmod_name
 OriginalFileName: process_original_filename
 ParentCommandLine: parent_cmdline
 ParentImage: parent_name
 ParentIntegrityLevel: process_integrity_level
 ProcessCommandLine: process_cmdline
 ProcessName: process_name
- Product:
+ Product:
 - process_product_name
 - process_file_description
 RelativeTargetName: childproc_name
- ScriptBlockText:
+ ScriptBlockText:
 - childproc_cmdline
 - crossproc_cmdline
 - process_cmdline
 ServiceFileName: process_service_name
 ServiceName: process_service_name
 sha256: hash
- Signature:
+ Signature:
 - childproc_publisher
 - filemod_publisher
 - modload_publisher
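Review bot: The `netconn_remote_ipv4`, `netconn_remote_ipv6` and `netconn_remote_port` aliases are dropped from DestPort, DestinationAddress, DestinationIp, DestinationPort and IpAddress here, and again from dst_port, src_ip and the list above dst_port in the third hunk, but neither the commit message nor the file states why; if any EEDR event still populates those fields, destination-keyed rules would silently stop matching after this change. A header comment naming the schema the mappings target — e.g. `# Field names follow the Carbon Black Cloud Enterprise EDR search schema` — would make such removals checkable. The `NewName: regmod_new_name` → `NewName: regmod_name` change is a semantic change rather than a cleanup: a rule that matches on the post-rename registry name (Sysmon Event ID 14's NewName) is now translated to the original key name, which deserves at least a sentence in the commit message.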
@@ -98,27 +86,17 @@ fieldmappings:
 - netconn_local_port
 - netconn_port
 SourceWorkstation: device_name
- TargetFilename:
- - filemod_name
- - crossproc_name
- TargetImage:
- - filemod_name
- - crossproc_name
- TargetName:
- - filemod_name
- - crossproc_name
+ TargetFilename: filemod_name
+ TargetImage: filemod_name
+ TargetName: filemod_name
 TargetUserName:
 - childproc_username
 - process_username
- TargetObject:
- - regmod_name
- - regmod_new_name
+ TargetObject: regmod_name
 User:
 - childproc_username
 - process_username
- Value:
- - regmod_name
- - regmod_new_name
+ Value: regmod_name
 Workstation: device_name
 WorkstationName: device_name
@@ -127,15 +105,9 @@ fieldmappings:
 - netconn_ipv6
 - netconn_local_ipv4
 - netconn_local_ipv6
- - netconn_remote_ipv4
- - netconn_remote_ipv6
- dst_port:
- - netconn_port
- - netconn_remote_port
+ dst_port: netconn_port
 src_ip:
 - netconn_ipv4
 - netconn_ipv6
 - netconn_local_ipv4
 - netconn_local_ipv6
- - netconn_remote_ipv4
- - netconn_remote_ipv6
\ No newline at end of file
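Review bot: Collapsing `TargetImage` to `filemod_name` alone looks like a regression for process-access and remote-thread rules: in Sysmon-based rules `TargetImage` names the process being accessed or injected into (Event IDs 8 and 10), which the dropped `crossproc_name` alias covered, whereas `filemod_name` is a file path, so a rule matching TargetImage against an LSASS-style process path would now be translated into a file-modification query that never sees the intended event. If `crossproc_name` is still a valid EEDR field, keep it on that key (`TargetImage:` / `- crossproc_name` / `- filemod_name`); otherwise say in the commit message why cross-process events are out of scope. `TargetFilename` and `TargetName` mapping to `filemod_name` only are consistent with their file-event meaning.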