From b5e783a6d5f2ea0a77f68fb646bfb1b2304e3996 Mon Sep 17 00:00:00 2001
From: securepeacock <92804416+securepeacock@users.noreply.github.com>
Date: Fri, 2 Dec 2022 13:44:44 -0500
Subject: [PATCH] =?UTF-8?q?Update=20and=20rename=20proc=5Fcreation=5Fwin?=
 =?UTF-8?q?=5Frundll32=5Fnot=5Ffrom=5Fc=5Fdrive.yml=20to=20=E2=80=A6=20(#3?=
 =?UTF-8?q?609)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>

---
 ..._creation_win_lolbin_not_from_c_drive.yml} | 20 +++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
 rename rules/windows/process_creation/{proc_creation_win_rundll32_not_from_c_drive.yml => proc_creation_win_lolbin_not_from_c_drive.yml} (57%)

diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_not_from_c_drive.yml b/rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml
similarity index 57%
rename from rules/windows/process_creation/proc_creation_win_rundll32_not_from_c_drive.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml
index fdb843257..906b0a985 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_not_from_c_drive.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml
@@ -1,12 +1,13 @@
-title: Rundll32 From Abnormal Drive
+title: LOLBIN From Abnormal Drive
 id: d4ca7c59-e9e4-42d8-bf57-91a776efcb87
 status: experimental
-description: Detects rundll32.exe executing from an abnormal drive such as a mounted ISO.
-references:
-    - https://thedfirreport.com/2021/12/13/diavol-ransomware/
+description: Detects LOLBINs executing from an abnormal drive such as a mounted ISO.
 author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
 date: 2022/01/25
 modified: 2022/02/14
+references:
+    - https://thedfirreport.com/2021/12/13/diavol-ransomware/
+    - https://www.scythe.io/library/threat-emulation-qakbot
 tags:
     - attack.t1218.001
 logsource:
@@ -14,8 +15,15 @@ logsource:
     product: windows
 detection:
     selection:
-        Image|endswith: '\rundll32.exe'
-    filter:
+        - '\rundll32.exe'
+        - '\calc.exe'
+        - '\mshta.exe'
+        - '\cscript.exe'
+        - '\wscript.exe'
+        - '\regsvr32.exe'
+        - '\installutil.exe'
+        - '\cmstp.exe'
+    filter_currentdirectory:
         - CurrentDirectory|contains: 'C:\'
         - CurrentDirectory: ''
     filter_null:
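Review bot: The `modified: 2022/02/14` context line is left untouched although this commit changes the title, the description and (in the second hunk) the selection logic, so consumers that key rule updates off `modified` will not pick up the new coverage; it should be bumped to the commit date, `modified: 2022/12/02`. The `tags:` block is also now too narrow for the widened scope: `attack.t1218.001` describes rundll32 only, while the binaries added below are covered by other sub-techniques (e.g. `attack.t1218.005` for mshta, `attack.t1218.010` for regsvr32, `attack.t1218.003` for cmstp, `attack.t1218.004` for installutil), so either list those or fall back to the parent `attack.t1218`. Moving `references` below `modified` is cosmetic and fine.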
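Review bot: After `-        Image|endswith: '\rundll32.exe'` is removed, the eight added entries sit directly under `selection:` with no `Image|endswith:` key anywhere in the hunk, so as written they form a bare string list, which Sigma evaluates as keyword matches against the whole event rather than a field match on Image — the rule would then fire on any process-creation event that merely mentions e.g. `\cmstp.exe` in CommandLine or ParentImage, and the abnormal-drive intent is lost. Unless a line was dropped when this page was extracted, the list needs to be nested one level deeper under an added `Image|endswith:` line, i.e. `+        Image|endswith:` followed by `+            - '\rundll32.exe'` and so on. The rename of `filter` to `filter_currentdirectory` also requires the `condition:` line, which lies outside this hunk, to reference the new name (or a `1 of filter_*` pattern); if it still says `not filter` the rule will fail to compile. The detection block continues past the end of the hunk.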