Merge branch 'master' into rule-devel

2023-01-09 09:56:21 +01:00
parent 0a9be5922c 679c2a0500
commit bcce3a85aa
300 changed files with 1505 additions and 527 deletions
@@ -1,6 +1,6 @@
 title: Suspicious CLR Logs Creation
 id: e4b63079-6198-405c-abd7-3fe8b0ce3263
-status: experimental
+status: deprecated
 description: Detects suspicious .NET assembly executions. Could detect using Cobalt Strike's command execute-assembly.
 references:
    - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
@@ -8,7 +8,7 @@ references:
    - https://github.com/olafhartong/sysmon-modular/blob/5e5f6d90819a7f35eec0aba08021d0d201bb9055/11_file_create/include_dotnet.xml
 author: omkar72, oscd.community, Wojciech Lesicki
 date: 2020/10/12
-modified: 2022/06/24
+modified: 2023/01/05
 tags:
    - attack.execution
    - attack.defense_evasion
@@ -1,13 +1,13 @@
 title: Indirect Command Execution
 id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
-status: test
+status: deprecated
 description: Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe).
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1202/T1202.md
    - https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html
 author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
 date: 2019/10/24
-modified: 2021/11/27
+modified: 2023/01/04
 tags:
    - attack.defense_evasion
    - attack.t1202
@@ -1,12 +1,16 @@
 title: Indirect Command Exectuion via Forfiles
 id: a85cf4e3-56ee-4e79-adeb-789f8fb209a8
-status: experimental
-description: Detects the use of native Windows tool, forfiles to execute a file. Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
+related:
+    - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
+      type: obsoletes
+status: deprecated
+description: Detects execition of commands and binaries from the context of "forfiles.exe". This can be used as a LOLBIN in order to bypass application whitelisting.
 references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-73d61931b2c77fde294189ce5d62323b416296a7c23ea98a608f425566538d1a
    - https://lolbas-project.github.io/lolbas/Binaries/Forfiles/
-author: Tim Rauch (rule), Elastic (idea)
+author: Tim Rauch (rule), Elastic (idea), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
 date: 2022/10/17
+modified: 2023/01/04
 tags:
    - attack.defense_evasion
    - attack.t1202
@@ -0,0 +1,29 @@
+title: Potential Bucket Enumeration on AWS
+id: f305fd62-beca-47da-ad95-7690a0620084
+related:
+    - id: 4723218f-2048-41f6-bcb0-417f2d784f61
+      type: similar
+status: experimental
+description: Looks for potential enumeration of AWS buckets via ListBuckets.
+references:
+    - https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md
+    - https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html
+    - https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/
+author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
+date: 2023/01/06
+tags:
+    - attack.discovery
+    - attack.t1580
+logsource:
+    product: aws
+    service: cloudtrail
+detection:
+    selection:
+        eventSource: 'ec2.amazonaws.com'
+        eventName: 'ListBuckets'
+    filter:
+        type: 'AssumedRole'
+    condition: selection and not filter
+falsepositives:
+    - Administrators listing buckets, it may be necessary to filter out users who commonly conduct this activity.
+level: low
@@ -1,5 +1,8 @@
 title: Potential Storage Enumeration on AWS
 id: 4723218f-2048-41f6-bcb0-417f2d784f61
+related:
+    - id: f305fd62-beca-47da-ad95-7690a0620084
+      type: similar
 status: experimental
 description: Detects potential enumeration activity targeting AWS storage
 references:
@@ -9,8 +9,8 @@ date: 2022/07/28
 tags:
    - attack.privilege_escalation
 logsource:
-    product: microsoft365portal
-    service: auditlogs
+    product: azure
+    service: microsoft365portal
 detection:
    selection:
        properties.message: Add app role assignment to service principal
@@ -2,13 +2,13 @@ title: Binary Padding - Linux
 id: c52a914f-3d8b-4b2a-bb75-b3991e75f8ba
 status: test
 description: |
-  Adversaries may use binary padding to add junk data and change the on-disk representation of malware.
-  This rule detect using dd and truncate to add a junk data to file.
+    Adversaries may use binary padding to add junk data and change the on-disk representation of malware.
+    This rule detect using dd and truncate to add a junk data to file.
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md
 author: 'Igor Fits, oscd.community'
 date: 2020/10/13
-modified: 2022/11/26
+modified: 2023/01/06
 tags:
    - attack.defense_evasion
    - attack.t1027.001
@@ -16,17 +16,17 @@ logsource:
    product: linux
    service: auditd
 detection:
-    execve:
+    selection_execve:
        type: 'EXECVE'
-    truncate:
+    keywords_truncate:
        - 'truncate'
        - '-s'
-    dd:
+    keywords_dd:
        - 'dd'
        - 'if='
-    filter:
+    keywords_filter:
        - 'of='
-    condition: execve and (all of truncate or (all of dd and not filter))
+    condition: selection_execve and (all of keywords_truncate or (all of keywords_dd and not keywords_filter))
 falsepositives:
-    - Legitimate script work
+    - Unknown
 level: high
@@ -6,7 +6,7 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
 author: 'Igor Fits, oscd.community'
 date: 2020/10/15
-modified: 2022/11/28
+modified: 2023/01/06
 tags:
    - attack.credential_access
    - attack.t1552.001
@@ -14,12 +14,12 @@ logsource:
    product: linux
    service: auditd
 detection:
-    execve:
+    selection:
        type: 'EXECVE'
-    passwordgrep:
+    keywords:
        - 'grep'
        - 'password'
-    condition: execve and all of passwordgrep
+    condition: selection and all of keywords
 falsepositives:
    - Unknown
 level: high
@@ -6,6 +6,7 @@ references:
    - https://twitter.com/wdormann/status/1486161836961579020
 author: Sreeman
 date: 2022/01/26
+modified: 2023/01/06
 tags:
    - attack.privilege_escalation
    - attack.t1548.001
@@ -13,11 +14,11 @@ logsource:
    product: linux
    service: auth
 detection:
-    keyword:
+    keywords:
        - 'pkexec'
        - 'The value for environment variable XAUTHORITY contains suscipious content'
        - '[USER=root] [TTY=/dev/pts/0]'
-    condition: all of keyword
+    condition: all of keywords
 falsepositives:
    - Unknown
 level: high
@@ -7,17 +7,18 @@ references:
    - https://github.com/Immersive-Labs-Sec/nimbuspwn
 author: Bhabesh Raj
 date: 2022/05/04
+modified: 2023/01/06
 tags:
    - attack.privilege_escalation
    - attack.t1068
 logsource:
    product: linux
 detection:
-    keyword:
+    keywords:
        - 'networkd-dispatcher'
        - 'Error handling notification for interface'
        - '../../'
-    condition: all of keyword
+    condition: all of keywords
 falsepositives:
    - Unknown
 level: high
@@ -8,13 +8,13 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan
 author: frack113
 date: 2021/12/10
-modified: 2022/01/10
+modified: 2023/01/06
 tags:
    - attack.reconnaissance
 logsource:
    product: linux
 detection:
-    keyword:
+    keywords:
        - 'cat </dev/tcp/'
        - 'exec 3<>/dev/tcp/'
        - 'echo >/dev/tcp/'
@@ -25,7 +25,7 @@ detection:
        - '(sh)0>/dev/tcp/'
        - 'bash -c ''bash -i >& /dev/tcp/'
        - 'echo -e ''#!/bin/bash\nbash -i >& /dev/tcp/'
-    condition: 1 of keyword
+    condition: keywords
 falsepositives:
    - Unknown
 level: medium
@@ -0,0 +1,29 @@
+title: HackTool Execution
+id: a015e032-146d-4717-8944-7a1884122111
+status: experimental
+description: Detects known hacktool execution based on image name
+references:
+    - Internal Research
+author: Nasreddine Bencherchali
+date: 2023/01/03
+tags:
+    - attack.execution
+logsource:
+    product: linux
+    category: process_creation
+detection:
+    selection:
+        Image|endswith:
+            # Add more as you see fit
+            - '/sqlmap'
+            - '/teamserver'
+            - '/aircrack-ng'
+            - '/john'
+            - '/setoolkit'
+            - '/wpscan'
+            - '/hydra'
+            - '/nikto'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,47 @@
+title: Suspicious Package Installed - Linux
+id: 700fb7e8-2981-401c-8430-be58e189e741
+status: experimental
+description: Detects installation of suspicious packages using system installation utilities
+references:
+    - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
+author: Nasreddine Bencherchali
+date: 2023/01/03
+tags:
+    - attack.defense_evasion
+    - attack.t1553.004
+logsource:
+    product: linux
+    category: process_creation
+detection:
+    selection_tool_apt:
+        Image|endswith:
+            - '/apt'
+            - '/apt-get'
+        CommandLine|contains: 'install'
+    selection_tool_yum:
+        Image|endswith: '/yum'
+        CommandLine|contains:
+            - 'localinstall'
+            - 'install'
+    selection_tool_rpm:
+        Image|endswith: '/rpm'
+        CommandLine|contains: '-i'
+    selection_tool_dpkg:
+        Image|endswith: '/dpkg'
+        CommandLine|contains:
+            - '--install'
+            - '-i'
+    selection_keyword:
+        CommandLine|contains:
+            # Add more suspicious packages
+            - 'nmap'
+            - ' nc'
+            - 'netcat'
+            - 'wireshark'
+            - 'tshark'
+            - 'openconnect'
+            - 'proxychains'
+    condition: 1 of selection_tool_* and selection_keyword
+falsepositives:
+    - Legitimate administration activities
+level: medium
@@ -0,0 +1,41 @@
+title: Suspicious Git Clone - Linux
+id: cfec9d29-64ec-4a0f-9ffe-0fdb856d5446
+status: experimental
+description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
+references:
+    - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
+author: Nasreddine Bencherchali
+date: 2023/01/03
+modified: 2023/01/05
+tags:
+    - attack.reconnaissance
+    - attack.t1593.003
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_img:
+        Image|endswith: '/git'
+        CommandLine|contains: ' clone '
+    selection_keyword:
+        CommandLine|contains:
+            # Add more suspicious keywords
+            - 'exploit'
+            - 'Vulns'
+            - 'vulnerability'
+            - 'RCE'
+            - 'RemoteCodeExecution'
+            - 'Invoke-'
+            - 'CVE-'
+            - 'poc-'
+            - 'ProofOfConcept'
+            # Add more vuln names
+            - 'proxyshell'
+            - 'log4shell'
+            - 'eternalblue'
+            - 'eternal-blue'
+            - 'MS17-'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium
@@ -6,7 +6,7 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.006/T1036.006.md
 author: remotephone
 date: 2021/11/20
-modified: 2022/12/25
+modified: 2023/01/04
 tags:
    - attack.defense_evasion
    - attack.t1036.006
@@ -17,7 +17,7 @@ detection:
    selection1:
        CommandLine|endswith: ' '
    selection2:
-        ImageName|endswith: ' '
+        Image|endswith: ' '
    condition: 1 of selection*
 falsepositives:
    - Mistyped commands or legitimate binaries named to match the pattern
@@ -4,7 +4,7 @@ status: test
 description: Collect pertinent data from the configuration files
 author: Austin Clark
 date: 2019/08/11
-modified: 2021/11/27
+modified: 2023/01/04
 tags:
    - attack.discovery
    - attack.credential_access
@@ -15,7 +15,6 @@ tags:
 logsource:
    product: cisco
    service: aaa
-    category: accounting
 detection:
    keywords:
        - 'show running-config'
@@ -4,7 +4,7 @@ status: test
 description: Show when private keys are being exported from the device, or when new certificates are installed
 author: Austin Clark
 date: 2019/08/12
-modified: 2021/11/27
+modified: 2023/01/04
 tags:
    - attack.credential_access
    - attack.defense_evasion
@@ -13,7 +13,6 @@ tags:
 logsource:
    product: cisco
    service: aaa
-    category: accounting
 detection:
    keywords:
        - 'crypto pki export'
@@ -4,14 +4,13 @@ status: test
 description: Turn off logging locally or remote
 author: Austin Clark
 date: 2019/08/11
-modified: 2021/11/27
+modified: 2023/01/04
 tags:
    - attack.defense_evasion
    - attack.t1562.001
 logsource:
    product: cisco
    service: aaa
-    category: accounting
 detection:
    keywords:
        - 'no logging'
@@ -4,7 +4,7 @@ status: test
 description: Find information about network devices that is not stored in config files
 author: Austin Clark
 date: 2019/08/12
-modified: 2021/11/27
+modified: 2023/01/04
 tags:
    - attack.discovery
    - attack.t1083
@@ -19,7 +19,6 @@ tags:
 logsource:
    product: cisco
    service: aaa
-    category: accounting
 detection:
    keywords:
        - 'dir'
@@ -4,7 +4,7 @@ status: test
 description: Detect a system being shutdown or put into different boot mode
 author: Austin Clark
 date: 2019/08/15
-modified: 2021/11/27
+modified: 2023/01/04
 tags:
    - attack.impact
    - attack.t1495
@@ -13,7 +13,6 @@ tags:
 logsource:
    product: cisco
    service: aaa
-    category: accounting
 detection:
    keywords:
        - 'shutdown'
@@ -4,7 +4,7 @@ status: test
 description: See what files are being deleted from flash file systems
 author: Austin Clark
 date: 2019/08/12
-modified: 2021/11/27
+modified: 2023/01/04
 tags:
    - attack.defense_evasion
    - attack.impact
@@ -14,7 +14,6 @@ tags:
 logsource:
    product: cisco
    service: aaa
-    category: accounting
 detection:
    keywords:
        - 'erase'
@@ -4,14 +4,13 @@ status: test
 description: See what commands are being input into the device by other people, full credentials can be in the history
 author: Austin Clark
 date: 2019/08/11
-modified: 2021/11/27
+modified: 2023/01/04
 tags:
    - attack.credential_access
    - attack.t1552.003
 logsource:
    product: cisco
    service: aaa
-    category: accounting
 detection:
    keywords:
        - 'show history'
@@ -4,7 +4,7 @@ status: test
 description: Find local accounts being created or modified as well as remote authentication configurations
 author: Austin Clark
 date: 2019/08/12
-modified: 2021/11/27
+modified: 2023/01/04
 tags:
    - attack.persistence
    - attack.t1136.001
@@ -12,7 +12,6 @@ tags:
 logsource:
    product: cisco
    service: aaa
-    category: accounting
 detection:
    keywords:
        - 'username'
@@ -4,7 +4,7 @@ status: test
 description: Modifications to a config that will serve an adversary's impacts or persistence
 author: Austin Clark
 date: 2019/08/12
-modified: 2021/11/27
+modified: 2023/01/04
 tags:
    - attack.persistence
    - attack.impact
@@ -15,7 +15,6 @@ tags:
 logsource:
    product: cisco
    service: aaa
-    category: accounting
 detection:
    keywords:
        - 'ip http server'
@@ -4,7 +4,7 @@ status: test
 description: Various protocols maybe used to put data on the device for exfil or infil
 author: Austin Clark
 date: 2019/08/12
-modified: 2021/11/27
+modified: 2023/01/04
 tags:
    - attack.collection
    - attack.lateral_movement
@@ -16,7 +16,6 @@ tags:
 logsource:
    product: cisco
    service: aaa
-    category: accounting
 detection:
    keywords:
        - 'tftp'
@@ -4,7 +4,7 @@ status: test
 description: Show when a monitor or a span/rspan is setup or modified
 author: Austin Clark
 date: 2019/08/11
-modified: 2021/11/27
+modified: 2023/01/04
 tags:
    - attack.credential_access
    - attack.discovery
@@ -12,7 +12,6 @@ tags:
 logsource:
    product: cisco
    service: aaa
-    category: accounting
 detection:
    keywords:
        - 'monitor capture point'
@@ -4,12 +4,12 @@ status: stable
 description: Detects multiple blocks by the mod_security module (Web Application Firewall)
 author: Florian Roth
 date: 2017/02/28
+modified: 2023/01/07
 tags:
    - attack.impact
    - attack.t1499
 logsource:
-    product: linux
-    service: modsecurity
+    product: modsecurity
 detection:
    selection:
        - 'mod_security: Access denied'
@@ -6,10 +6,10 @@ references:
    - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
 author: frack113
 date: 2021/08/10
-modified: 2022/10/09
+modified: 2023/01/04
 logsource:
    product: windows
-    category: webserver
+    service: iis
    definition: w3c-logging must be enabled https://docs.microsoft.com/en-us/windows/win32/http/w3c-logging
 detection:
    selection:
@@ -6,7 +6,7 @@ references:
    - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
 author: Florian Roth
 date: 2021/08/09
-modified: 2022/10/09
+modified: 2023/01/06
 tags:
    - attack.t1587.001
    - attack.resource_development
@@ -14,15 +14,15 @@ logsource:
    product: windows
    service: msexchange-management
 detection:
-    selection_cmdlet:
+    keywords_cmdlet:
        - 'OabVirtualDirectory'
        - ' -ExternalUrl '
-    selection_params:
+    keywords_params:
        - 'eval(request'
        - 'http://f/<script'
        - '"unsafe"};'
        - 'function Page_Load()'
-    condition: all of selection_cmdlet and selection_params
+    condition: all of keywords_cmdlet and keywords_params
 falsepositives:
    - Unlikely
 level: critical
@@ -6,7 +6,7 @@ references:
    - https://twitter.com/GossiTheDog/status/1429175908905127938
 author: Max Altgelt
 date: 2021/08/23
-modified: 2022/10/09
+modified: 2023/01/06
 tags:
    - attack.persistence
    - attack.t1505.003
@@ -14,17 +14,17 @@ logsource:
    service: msexchange-management
    product: windows
 detection:
-    export_command:
+    keywords_export_command:
        - 'New-ExchangeCertificate'
        - ' -GenerateRequest'
        - ' -BinaryEncoded'
        - ' -RequestFile'
-    export_params:
+    keywords_export_params:
        - '\\\\localhost\\C$'
        - '\\\\127.0.0.1\\C$'
        - 'C:\\inetpub'
        - '.aspx'
-    condition: all of export_command and export_params
+    condition: all of keywords_export_command and keywords_export_params
 falsepositives:
    - Unlikely
 level: critical
@@ -6,7 +6,7 @@ references:
    - https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430
 author: Christian Burkard
 date: 2021/08/27
-modified: 2022/10/09
+modified: 2023/01/06
 tags:
    - attack.defense_evasion
    - attack.t1070
@@ -14,11 +14,11 @@ logsource:
    service: msexchange-management
    product: windows
 detection:
-    command:
+    keywords:
        - 'Remove-MailboxExportRequest'
        - ' -Identity '
        - ' -Confirm "False"'
-    condition: all of command
+    condition: all of keywords
 falsepositives:
    - Unknown
 level: high
@@ -6,7 +6,7 @@ references:
    - https://twitter.com/OTR_Community/status/1371053369071132675
 author: Jose Rodriguez @Cyb3rPandaH
 date: 2021/03/15
-modified: 2022/12/25
+modified: 2023/01/06
 tags:
    - attack.persistence
    - attack.t1505.003
@@ -14,12 +14,12 @@ logsource:
    product: windows
    service: msexchange-management
 detection:
-    selection:
+    keywords:
        - 'Set-OabVirtualDirectory'
        - 'ExternalUrl'
        - 'Page_Load'
        - 'script'
-    condition: all of selection
+    condition: all of keywords
 falsepositives:
    - Unknown
 level: high
@@ -10,12 +10,12 @@ references:
    - https://twitter.com/SBousseaden/status/1490608838701166596
 author: Tim Rauch
 date: 2022/09/15
-modified: 2022/12/04
+modified: 2023/01/04
 tags:
    - attack.privilege_escalation
    - attack.t1543
 logsource:
-    category: security
+    service: security
    product: windows
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
 detection:
@@ -8,6 +8,7 @@ references:
    - https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py
 author: elhoim
 date: 2022/09/09
+modified: 2023/01/04
 tags:
    - cve.2021.42278
    - cve.2021.42287
@@ -15,7 +16,7 @@ tags:
    - attack.privilege_escalation
    - attack.t1078
 logsource:
-    category: security
+    service: security
    product: windows
 detection:
    # Not adding an EventID on purpose to try to match on any event in security (including use of account), not just 4741 (computer account created)
@@ -9,13 +9,13 @@ references:
    - https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
 author: Tim Rauch
 date: 2022/09/15
-modified: 2022/12/04
+modified: 2023/01/04
 tags:
    - attack.privilege_escalation
    - attack.t1543
 logsource:
-    category: system
    product: windows
+    service: system
 detection:
    selection:
        Provider_Name: 'Service Control Manager'
@@ -1,29 +1,41 @@
 title: NET CLR Binary Execution Usage Log Artifact
 id: e0b06658-7d1d-4cd3-bf15-03467507ff7c
+related:
+    - id: 4508a70e-97ef-4300-b62b-ff27992990ea
+      type: derived
+    - id: e4b63079-6198-405c-abd7-3fe8b0ce3263
+      type: obsoletes
 status: experimental
-description: Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context
+description: Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.
 references:
    - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
    - https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml
-author: frack113
+    - https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008
+    - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
+    - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
+author: frack113, omkar72, oscd.community, Wojciech Lesicki
 date: 2022/11/18
+modified: 2023/01/05
 tags:
    - attack.defense_evasion
    - attack.t1218
 logsource:
    category: file_event
    product: windows
+    definition: 'Requirements: UsageLogs folder must be monitored by sysmon configuration'
 detection:
    selection:
        TargetFilename|endswith:
+            - '\UsageLogs\cmstp.exe.log'
            - '\UsageLogs\cscript.exe.log'
-            - '\UsageLogs\wscript.exe.log'
-            - '\UsageLogs\wmic.exe.log'
            - '\UsageLogs\mshta.exe.log'
-            - '\UsageLogs\svchost.exe.log'
+            - '\UsageLogs\msxsl.exe.log'
            - '\UsageLogs\regsvr32.exe.log'
            - '\UsageLogs\rundll32.exe.log'
+            - '\UsageLogs\svchost.exe.log'
+            - '\UsageLogs\wscript.exe.log'
+            - '\UsageLogs\wmic.exe.log'
    condition: selection
 falsepositives:
-    - Legitimate use
-level: medium
+    - Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675
+level: high
@@ -1,4 +1,4 @@
-title: Persistence Via Notepad++ Plugins
+title: Potential Persistence Via Notepad++ Plugins
 id: 54127bd4-f541-4ac3-afdb-ea073f63f692
 status: experimental
 description: Detects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence
@@ -6,7 +6,7 @@ references:
    - https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/
 author: Nasreddine Bencherchali
 date: 2022/06/10
-modified: 2022/09/20
+modified: 2023/01/05
 tags:
    - attack.persistence
 logsource:
@@ -9,7 +9,7 @@ references:
    - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1
 author: Florian Roth
 date: 2022/03/11
-modified: 2022/07/14
+modified: 2023/01/05
 tags:
    - attack.credential_access
    - attack.t1003.003
@@ -19,8 +19,8 @@ logsource:
 detection:
    selection_file:
        TargetFilename|endswith: '\ntds.dit'
-    selection_process:
-        - ParentImage|endswith:
+    selection_process_parent:
+        ParentImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
@@ -29,19 +29,21 @@ detection:
            - '\php-cgi.exe'
            - '\nginx.exe'
            - '\httpd.exe'
-        - ParentImage|contains:
+    selection_process_parent_path:
+        ParentImage|contains:
            - '\apache'
            - '\tomcat'
            - '\AppData\'
            - '\Temp\'
            - '\Public\'
            - '\PerfLogs\'
-        - Image|contains:
+    selection_process_child:
+        Image|contains:
            - '\AppData\'
            - '\Temp\'
            - '\Public\'
            - '\PerfLogs\'
-    condition: selection_file and 1 of selection_process*
+    condition: selection_file and 1 of selection_process_*
 falsepositives:
    - Unknown
 level: high
@@ -2,9 +2,9 @@ title: Outlook C2 Macro Creation
 id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
 status: test
 description: |
-  Detects the creation of a macro file for Outlook.
-  Goes with win_outlook_c2_registry_key. VbaProject.OTM is explicitly mentioned in T1137.
-  Particularly interesting if both events Registry & File Creation happens at the same time.
+    Detects the creation of a macro file for Outlook.
+    Goes with win_outlook_c2_registry_key. VbaProject.OTM is explicitly mentioned in T1137.
+    Particularly interesting if both events Registry & File Creation happens at the same time.
 references:
    - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
 author: '@ScoubiMtl'
@@ -24,5 +24,5 @@ detection:
        TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
    condition: selection
 falsepositives:
-    - User genuinly creates a VB Macro for their email
+    - User genuinely creates a VB Macro for their email
 level: medium
@@ -18,8 +18,6 @@ detection:
        Image|endswith: '\outlook.exe'
        TargetFilename|contains: '\appdata\local\microsoft\FORMS\'
    condition: selection
-fields:
-    - TargetFilename
 falsepositives:
    - Unknown
 level: high
@@ -19,9 +19,10 @@ references:
    - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
    - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
    - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
+    - https://github.com/HarmJ0y/DAMP
 author: Markus Neis, Nasreddine Bencherchali, Mustafa Kaan Demir, Georg Lauenstein
 date: 2018/04/07
-modified: 2023/01/02
+modified: 2023/01/05
 tags:
    - attack.execution
    - attack.t1059.001
@@ -34,6 +35,7 @@ detection:
            - '\Add-Exfiltration.ps1'
            - '\Add-Persistence.ps1'
            - '\Add-RegBackdoor.ps1'
+            - '\Add-RemoteRegBackdoor.ps1'
            - '\Add-ScrnSaveBackdoor.ps1'
            - '\Check-VM.ps1'
            - '\Do-Exfiltration.ps1'
@@ -217,6 +219,7 @@ detection:
            - '\PowerUpSQL.ps1'
            - '\PowerView.ps1'
            - '\PSAsyncShell.ps1'
+            - '\RemoteHashRetrieval.ps1'
            - '\Remove-Update.ps1'
            - '\Set-MacAttribute.ps1'
            - '\Set-Wallpaper.ps1'
@@ -2,10 +2,10 @@ title: PowerShell Writing Startup Shortcuts
 id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
 status: experimental
 description: |
-  Attempts to detect PowerShell writing startup shortcuts.
-  This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
-  Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
-  In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
+    Attempts to detect PowerShell writing startup shortcuts.
+    This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
+    Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
+    In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
 references:
    - https://redcanary.com/blog/intelligence-insights-october-2021/
    - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
@@ -15,7 +15,6 @@ logsource:
    product: windows
 detection:
    selection:
-        # Sysmon: File Creation (ID 11)
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\SAM-'
            - '.dmp'
@@ -1,12 +1,12 @@
-title: RedMimicry Winnti Playbook Dropped File
+title: Potential Winnti Dropper Activity
 id: 130c9e58-28ac-4f83-8574-0a4cc913b97e
 status: test
-description: Detects actions caused by the RedMimicry Winnti playbook
+description: Detects files dropped by Winnti as described in RedMimicry Winnti playbook
 references:
-    - https://redmimicry.com
+    - https://redmimicry.com/posts/redmimicry-winnti/#dropper
 author: Alexander Rausch
 date: 2020/06/24
-modified: 2021/11/27
+modified: 2023/01/05
 tags:
    - attack.defense_evasion
    - attack.t1027
@@ -15,10 +15,10 @@ logsource:
    category: file_event
 detection:
    selection:
-        TargetFilename|contains:
-            - gthread-3.6.dll
-            - sigcmm-2.4.dll
-            - \Windows\Temp\tmp.bat
+        TargetFilename|endswith:
+            - '\gthread-3.6.dll'
+            - '\sigcmm-2.4.dll'
+            - '\Windows\Temp\tmp.bat'
    condition: selection
 falsepositives:
    - Unknown
@@ -1,4 +1,4 @@
-title: Remote Credential Dump
+title: Potential Remote Credential Dumping Activity
 id: 6e2a900a-ced9-4e4a-a9c2-13e706f9518a
 status: experimental
 description: Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
@@ -7,7 +7,7 @@ references:
    - https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py
 author: SecurityAura
 date: 2022/11/16
-modified: 2022/11/29
+modified: 2023/01/05
 tags:
    - attack.credential_access
    - attack.t1003
@@ -1,15 +1,18 @@
-title: RipZip Attack on Startup Folder
+title: Potential RipZip Attack on Startup Folder
 id: a6976974-ea6f-4e97-818e-ea08625c52cb
 status: experimental
-description: Detects a phishing attack which expands a ZIP file containing a malicious shortcut. If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder. Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.
+description: |
+    Detects a phishing attack which expands a ZIP file containing a malicious shortcut.
+    If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.
+    Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.
 references:
    - https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19
 author: Greg (rule)
 date: 2022/07/21
-modified: 2022/09/27
+modified: 2023/01/05
 tags:
-    - attack.t1547
    - attack.persistence
+    - attack.t1547
 logsource:
    category: file_event
    product: windows
@@ -20,4 +23,6 @@ detection:
            - '.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}'
        Image|endswith: '\explorer.exe'
    condition: selection
+falsepositives:
+    - Unknown
 level: high
@@ -1,4 +1,4 @@
-title: SAM Dump File Creation
+title: Potential SAM Database Dump
 id: 4e87b8e2-2ee9-4b2a-a715-4727d297ece0
 status: experimental
 description: Detects the creation of files that look like exports of the local SAM (Security Account Manager)
@@ -10,6 +10,7 @@ references:
    - https://github.com/FireFart/hivenightmare
 author: Florian Roth
 date: 2022/02/11
+modified: 2023/01/05
 tags:
    - attack.credential_access
    - attack.t1003.002
@@ -30,7 +31,7 @@ detection:
            - '\AppData\Roaming\sam'
            - '_ShadowSteal.zip'       # https://github.com/HuskyHacks/ShadowSteal
            - '\Documents\SAM.export'  # https://github.com/n3tsurge/CVE-2021-36934/
-        - TargetFilename: 'c:\sam'
+            - ':\sam'
        - TargetFilename|contains:
            - '\hive_sam_'             # https://github.com/FireFart/hivenightmare
            - '\sam.save'
@@ -6,7 +6,7 @@ references:
    - Internal Research
 author: Florian Roth
 date: 2021/11/20
-modified: 2022/07/14
+modified: 2023/01/05
 logsource:
    category: file_event
    product: windows
@@ -21,8 +21,7 @@ detection:
            - '\sh.exe'
            - '\bash.exe'
            - '\msbuild.exe'  # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
-            - '\certutil.exe'
-        TargetFilename|contains:
+        TargetFilename|startswith:
            - 'C:\Users\Public'
            - 'C:\PerfLogs'
    selection_program:
@@ -40,9 +39,6 @@ detection:
            - '\AppData\'
            - 'C:\Windows\Temp'
    condition: 1 of selection*
-fields:
-    - CommandLine
-    - ParentCommandLine
 falsepositives:
    - Unknown
 level: high
@@ -1,5 +1,8 @@
 title: Startup Folder File Write
 id: 2aa0a6b4-a865-495b-ab51-c28249537b75
+related:
+    - id: 28208707-fe31-437f-9a7f-4b1108b94d2e
+      type: similar
 status: test
 description: A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.
 references:
@@ -22,5 +25,5 @@ detection:
        - TargetFilename|startswith: 'C:\$WINDOWS.~BT\NewOS\'
    condition: selection and not filter_update
 falsepositives:
-    - An FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate
+    - FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate
 level: medium
@@ -6,6 +6,7 @@ references:
    - https://twitter.com/eral4m/status/1480468728324231172?s=20
 author: frack113
 date: 2022/01/21
+modified: 2023/01/05
 tags:
    - attack.defense_evasion
    - attack.t1564
@@ -15,13 +16,13 @@ logsource:
 detection:
    selection:
        Image|endswith: '\colorcpl.exe'
-    valid_ext:
+    filter_ext:
        TargetFilename|endswith:
            - '.icm'
            - '.gmmp'
            - '.cdmp'
            - '.camp'
-    condition: selection and not valid_ext
+    condition: selection and not 1 of filter_*
 falsepositives:
    - Unknown
 level: high
@@ -1,11 +1,15 @@
 title: Suspicious Startup Folder Persistence
 id: 28208707-fe31-437f-9a7f-4b1108b94d2e
+related:
+    - id: 2aa0a6b4-a865-495b-ab51-c28249537b75
+      type: similar
 status: experimental
 description: Detects when a file with a suspicious extension is created in the startup folder
 references:
    - https://github.com/last-byte/PersistenceSniper
 author: Nasreddine Bencherchali
 date: 2022/08/10
+modified: 2023/01/06
 tags:
    - attack.persistence
    - attack.t1547.001
@@ -23,6 +27,10 @@ detection:
            - '.ps1'
            - '.hta'
            - '.dll'
+            - '.jar'
+            - '.msi'
+            - '.scr'
+            - '.cmd'
    condition: selection
 falsepositives:
    - Rare legitimate usage of some of the extensions mentioned in the rule
@@ -9,6 +9,7 @@ references:
    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2
 author: Nasreddine Bencherchali
 date: 2022/08/24
+modified: 2023/01/06
 tags:
    - attack.persistence
    - attack.privilege_escalation
@@ -22,4 +23,4 @@ detection:
    condition: selection
 falsepositives:
    - Legitimate use of the profile by developers or administrators
-level: high
+level: medium
@@ -4,6 +4,8 @@ status: experimental
 description: Detects the creation of an file in user Word Startup
 references:
    - Malware Sandbox https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/
+    - http://addbalance.com/word/startup.htm
+    - https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3
 author: frack113
 date: 2022/06/05
 tags:
@@ -1,14 +1,15 @@
 title: CLR DLL Loaded Via Scripting Applications
 id: 4508a70e-97ef-4300-b62b-ff27992990ea
 status: test
-description: Detects CLR DLL being loaded by an scripting applications
+description: Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript
 references:
    - https://github.com/tyranid/DotNetToJScript
    - https://thewover.github.io/Introducing-Donut/
    - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
+    - https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008
 author: omkar72, oscd.community
 date: 2020/10/14
-modified: 2021/11/27
+modified: 2023/01/06
 tags:
    - attack.execution
    - attack.privilege_escalation
@@ -22,6 +23,8 @@ detection:
            - '\wscript.exe'
            - '\cscript.exe'
            - '\mshta.exe'
+            - '\cmstp.exe'
+            - '\msxsl.exe'
        ImageLoaded|endswith:
            - '\clr.dll'
            - '\mscoree.dll'
@@ -1,12 +1,12 @@
-title: VBA DLL Loaded Via Microsoft Word
+title: VBA DLL Loaded Via Office Application
 id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9
 status: test
-description: Detects DLL's Loaded Via Word Containing VBA Macros
+description: Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.
 references:
    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
 author: Antonlovesdnb
 date: 2020/02/19
-modified: 2021/11/27
+modified: 2023/01/06
 tags:
    - attack.execution
    - attack.t1204.002
@@ -13,7 +13,7 @@ tags:
 logsource:
    product: windows
    category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
    selection:
        ContextInfo|contains: '*'
@@ -21,7 +21,7 @@ tags:
 logsource:
    product: windows
    category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
    selection_4103:
        Payload|contains:
@@ -16,7 +16,7 @@ tags:
 logsource:
    product: windows
    category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
    selection_1a_payload:
        Payload|contains:
@@ -17,7 +17,7 @@ tags:
 logsource:
    product: windows
    category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
    selection_4103:
        Payload|contains: 'Expand-Archive'
@@ -13,7 +13,7 @@ tags:
 logsource:
    product: windows
    category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
    selection:
        Payload|contains|all:
@@ -7,18 +7,18 @@ references:
    - https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020/05/02
-modified: 2022/06/20
+modified: 2023/01/04
 tags:
    - attack.collection
    - attack.t1115
 logsource:
    product: windows
    category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
-    selection_4103:
+    selection:
        Payload|contains: 'Get-Clipboard'
-    condition: selection_4103
+    condition: selection
 falsepositives:
    - Unknown
 level: medium
@@ -18,7 +18,7 @@ tags:
 logsource:
    product: windows
    category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
    selection_4103:
        Payload|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"'
@@ -18,7 +18,7 @@ tags:
 logsource:
    product: windows
    category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
    selection_payload:
        - Payload|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
@@ -18,7 +18,7 @@ tags:
 logsource:
    product: windows
    category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
    selection_4103:
        Payload|re: '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"'
@@ -18,7 +18,7 @@ tags:
 logsource:
    product: windows
    category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
    selection_4103:
        Payload|re: '.*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"'
@@ -18,7 +18,7 @@ tags:
 logsource:
    product: windows
    category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
    selection_4103:
        Payload|contains|all:
@@ -18,7 +18,7 @@ tags:
 logsource:
    product: windows
    category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
    selection_4103:
        Payload|contains|all:
@@ -18,7 +18,7 @@ tags:
 logsource:
    product: windows
    category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
    selection_4103:
        Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\$?\{?input).*&&.*"'
@@ -18,7 +18,7 @@ tags:
 logsource:
    product: windows
    category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
    selection_4103:
        Payload|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
@@ -9,7 +9,7 @@ references:
    - https://github.com/SigmaHQ/sigma/issues/1009 #(Task31)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/08
-modified: 2022/11/29
+modified: 2023/01/04
 tags:
    - attack.defense_evasion
    - attack.t1027
@@ -18,9 +18,9 @@ tags:
 logsource:
    product: windows
    category: ps_module
-    definition: PowerShell Module Logging must be enabledd
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
-    selection_4103:
+    selection:
        Payload|contains|all:
            - 'set'
            - '&&'
@@ -28,7 +28,7 @@ detection:
            - 'vbscript:createobject'
            - '.run'
            - '(window.close)'
-    condition: selection_4103
+    condition: selection
 falsepositives:
    - Unknown
 level: high
@@ -18,7 +18,7 @@ tags:
 logsource:
    product: windows
    category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
    selection_4103:
        Payload|contains|all:
@@ -18,7 +18,7 @@ tags:
 logsource:
    product: windows
    category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
    selection_4103:
        Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r
@@ -15,7 +15,7 @@ tags:
 logsource:
    product: windows
    category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
    selection:
        ContextInfo|contains:
@@ -15,7 +15,7 @@ tags:
 logsource:
    product: windows
    category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
    selection:
        ContextInfo|contains|all:
@@ -16,7 +16,7 @@ tags:
 logsource:
    product: windows
    category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
    test_2:
        - Payload|contains: get-ADPrincipalGroupMembership
@@ -7,14 +7,14 @@ references:
    - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
 author: frack113
 date: 2021/07/13
-modified: 2022/12/02
+modified: 2023/01/04
 tags:
    - attack.defense_evasion
    - attack.t1218
 logsource:
    product: windows
    category: ps_module
-    definition: PowerShell Module Logging must be enabledd
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
    selection_cmd:
        ContextInfo|contains: 'Invoke-ATHRemoteFXvGPUDisablementCommand '
@@ -24,12 +24,7 @@ detection:
            - '-ModulePath '
            - '-ScriptBlock '
            - '-RemoteFXvGPUDisablementFilePath'
-    condition: selection_cmd and selection_opt
-fields:
-    - ComputerName
-    - User
-    - CommandLine
-    - ParentCommandLine
+    condition: all of selection_*
 falsepositives:
    - Unknown
 level: medium
@@ -13,7 +13,7 @@ tags:
 logsource:
    product: windows
    category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
    selection:
        ContextInfo|contains: 'Get-NetTCPConnection'
@@ -3,28 +3,32 @@ id: bbb80e91-5746-4fbe-8898-122e2cafdbf4
 related:
    - id: 3d304fda-78aa-43ed-975c-d740798a49c1
      type: derived
+    - id: ed965133-513f-41d9-a441-e38076a0798f
+      type: similar
 status: experimental
 description: Detects suspicious PowerShell invocation command parameters
 author: Florian Roth (rule)
 date: 2017/03/12
-modified: 2022/12/02
+modified: 2023/01/03
 tags:
    - attack.execution
    - attack.t1059.001
 logsource:
    product: windows
    category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
    selection_encoded:
        ContextInfo|contains:
            - ' -enc '
            - ' -EncodedCommand '
+            - ' -ec '
    selection_hidden:
        ContextInfo|contains:
            - ' -w hidden '
            - ' -window hidden '
            - ' -windowstyle hidden '
+            - ' -w 1 '
    selection_noninteractive:
        ContextInfo|contains:
            - ' -noni '
@@ -3,18 +3,22 @@ id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
 related:
    - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
      type: derived
+    - id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
+      type: similar
+    - id: 536e2947-3729-478c-9903-745aaffe60d2
+      type: similar
 status: experimental
 description: Detects suspicious PowerShell invocation command parameters
 author: Florian Roth (rule), Jonhnathan Ribeiro
 date: 2017/03/05
-modified: 2022/12/02
+modified: 2023/01/05
 tags:
    - attack.execution
    - attack.t1059.001
 logsource:
    product: windows
    category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
    selection_convert_b64:
        ContextInfo|contains|all:
@@ -64,7 +68,7 @@ detection:
        ContextInfo|contains:
            - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
            - 'Write-ChocolateyWarning'
-    condition: 1 of selection* and not 1 of filter*
+    condition: 1 of selection_* and not 1 of filter_*
 falsepositives:
    - Unknown
 level: high
@@ -16,7 +16,7 @@ tags:
 logsource:
    product: windows
    category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
    test_3:
        - Payload|contains:
@@ -15,7 +15,7 @@ tags:
 logsource:
    product: windows
    category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
    selection:
        ContextInfo|contains: 'Reset-ComputerMachinePassword'
@@ -16,7 +16,7 @@ tags:
 logsource:
    product: windows
    category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
    selection:
        - Payload|contains: get-smbshare
@@ -16,7 +16,7 @@ tags:
 logsource:
    product: windows
    category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
    selection_4103:
        ContextInfo|contains|all:
@@ -18,7 +18,7 @@ tags:
 logsource:
    product: windows
    category: ps_module
-    definition: PowerShell Module Logging must be enabled
+    definition: 'Requirements: PowerShell Module Logging must be enabled'
 detection:
    selection:
        ContextInfo|contains: 'SyncAppvPublishingServer.exe'
@@ -20,7 +20,7 @@ tags:
 logsource:
    product: windows
    category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
    selection_cmd:
        ScriptBlockText|contains|all:
@@ -14,7 +14,7 @@ tags:
 logsource:
    product: windows
    category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
    selection:
        ScriptBlockText|contains:
@@ -16,7 +16,7 @@ tags:
 logsource:
    product: windows
    category: ps_script
-    definition: Script Block Logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
    selection:
        ScriptBlockText|contains|all:
@@ -15,7 +15,7 @@ tags:
 logsource:
    product: windows
    category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
    selection:
        ScriptBlockText|contains:
@@ -14,7 +14,7 @@ tags:
 logsource:
    product: windows
    category: ps_script
-    definition: Script block logging must be enabled
+    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
    selection:
        ScriptBlockText|contains|all:
--- a/Show More
+++ b/Show More