Merge PR #4564 from @nasbench - Fix Further FPs Found In Testing

remove: Abusing Findstr for Defense Evasion - Deprecate in favour of 2 splitted rules. 587254ee-a24b-4335-b3cd-065c0f1f4baa and 04936b66-3915-43ad-a8e5-809eadfd1141 remove: Windows Update Client LOLBIN - Deprecate in favour of 52d097e2-063e-4c9c-8fbb-855c8948d135 fix: Remote Thread Creation By Uncommon Source Image - Enhance filters to avoid false positives fix: Suspicious Shim Database Installation via Sdbinst.EXE - Add "null" and "empty" filters to account for cases where the CLI is null or empty new: Insenstive Subfolder Search Via Findstr.EXE new: Remote File Download Via Findstr.EXE new: Windows Defender Exclusion Deleted new: Windows Defender Exclusion List Modified new: Windows Defender Exclusion Reigstry Key - Write Access Requested update: Renamed Office Binary Execution - Add new binaries and filters to increase coverage and tune FPs update: EVTX Created In Uncommon Location - Enhance filters to cover other drives other than "C:" update: Findstr GPP Passwords - Add "find.exe" binary to increase coverage update: Findstr Launching .lnk File - Add "find.exe" binary to increase coverage update: LSASS Process Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage update: Non-DLL Extension File Renamed With DLL Extension - Update title and logic update: Permission Misconfiguration Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage update: Potentially Suspicious Wuauclt Network Connection - Change the logic to use the "CommandLine" field in order to avoid false positives update: Proxy Execution Via Wuauclt.EXE - Update title and enhance filters update: Recon Command Output Piped To Findstr.EXE - Add "find.exe" binary to increase coverage update: Security Tools Keyword Lookup Via Findstr.EXE - Add "find.exe" binary to increase coverage update: Suspicious Appended Extension - Enhance list of extension update: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE - Add "find.exe" binary to increase coverage fix: Uncommon Userinit Child Process - Add the citrix process cmstart to the filtered processes and make it more strict to avoid abuse. Also enhances the other filters by removing the C: notation. fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Add FP filter for chrome installer spawning rundll32 without arguments --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> thanks: @vj-codes for #4554 thanks: @mezzofix for #4520 thanks: @rkmbaxed for #4566 and #4569 thanks: @celalettin-turgut for #4570
2023-11-15 15:35:43 +01:00
parent 8dbf7b9094
commit c125ae7e7d
27 changed files with 435 additions and 138 deletions
@@ -116,7 +116,7 @@ If you find a false positive or would like to propose a new detection rule idea

 ## Credits

-This project would've never reached this hight without the help of the hundreds of contributors. Thanks to all past and present contributors for their help.
+This project would've never reached this height without the help of the hundreds of contributors. Thanks to all past and present contributors for their help.

 ## Licenses

@@ -1,6 +1,6 @@
 title: Abusing Findstr for Defense Evasion
 id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
-status: test
+status: deprecated
 description: Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism
 references:
    - https://lolbas-project.github.io/lolbas/Binaries/Findstr/
@@ -8,7 +8,7 @@ references:
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali'
 date: 2020/10/05
-modified: 2022/10/11
+modified: 2022/10/12
 tags:
    - attack.defense_evasion
    - attack.t1218
@@ -1,12 +1,12 @@
 title: Windows Update Client LOLBIN
 id: d7825193-b70a-48a4-b992-8b5b3015cc11
-status: test
+status: deprecated
 description: Detects code execution via the Windows Update client (wuauclt)
 references:
    - https://dtm.uk/wuauclt/
 author: FPT.EagleEye Team
 date: 2020/10/17
-modified: 2022/05/13
+modified: 2023/11/11
 tags:
    - attack.command_and_control
    - attack.execution
@@ -0,0 +1,47 @@
+title: Non-DLL Extension File Renamed With DLL Extension
+id: bbfd974c-248e-4435-8de6-1e938c79c5c1
+status: experimental
+description: |
+    Detects rename operations of files with non-DLL extensions to files with a DLL extension. This is often performed by malware in order to avoid initial detections based on extensions.
+references:
+    - https://twitter.com/ffforward/status/1481672378639912960
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location
+author: frack113
+date: 2022/02/19
+modified: 2023/11/11
+tags:
+    - attack.defense_evasion
+    - attack.t1036.008
+    - detection.threat_hunting
+logsource:
+    product: windows
+    category: file_rename
+    definition: 'Requirements: Microsoft-Windows-Kernel-File Provider with at least the KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH keyword'
+detection:
+    selection:
+        TargetFilename|endswith: '.dll'
+    filter_main_dll:
+        # Note: To avoid file renames
+        SourceFilename|endswith: '.dll'
+    filter_main_installers:
+        SourceFilename|endswith: '.tmp'
+    filter_main_empty_source:
+        SourceFilename: ''
+    filter_main_null_source:
+        SourceFilename: null
+    filter_main_tiworker:
+        Image|contains: ':\Windows\WinSxS\'
+        Image|endswith: '\TiWorker.exe'
+    filter_main_upgrade:
+        - Image|endswith: ':\Windows\System32\wuauclt.exe'
+        - TargetFilename|contains: ':\$WINDOWS.~BT\Sources\'
+    filter_main_generic:
+        Image|contains:
+            - ':\Program Files (x86)\'
+            - ':\Program Files\'
+    filter_optional_squirrel:
+        SourceFilename|contains: '\SquirrelTemp\temp'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
+falsepositives:
+    - Likely from installers and temporary locations
+level: medium
@@ -0,0 +1,30 @@
+title: Windows Defender Exclusion List Modified
+id: 46a68649-f218-4f86-aea1-16a759d81820
+related:
+    - id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
+      type: derived
+    - id: a33f8808-2812-4373-ae95-8cfb82134978
+      type: derived
+status: test
+description: |
+    Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.
+references:
+    - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
+author: '@BarryShooshooga'
+date: 2019/10/26
+modified: 2023/11/11
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User'
+detection:
+    selection:
+        EventID: 4657 # A registry value was modified.
+        ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\'
+    condition: selection
+falsepositives:
+    - Intended exclusions by administrators
+level: medium
@@ -0,0 +1,35 @@
+title: Windows Defender Exclusion Reigstry Key - Write Access Requested
+id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
+related:
+    - id: 46a68649-f218-4f86-aea1-16a759d81820
+      type: derived
+    - id: a33f8808-2812-4373-ae95-8cfb82134978
+      type: derived
+status: test
+description: |
+    Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.
+references:
+    - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
+author: '@BarryShooshooga, Nasreddine Bencherchali (Nextron Systems)'
+date: 2019/10/26
+modified: 2023/11/11
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User'
+detection:
+    selection:
+        AccessList|contains:
+            - '%%4417' # WriteData
+            - '%%4418' # AppendData
+        EventID:
+            - 4656 # A handle to an object was requested.
+            - 4663 # An attempt was made to access an object.
+        ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
@@ -1,12 +1,18 @@
-title: Windows Defender Exclusion Set
-id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
+title: Windows Defender Exclusion Deleted
+id: a33f8808-2812-4373-ae95-8cfb82134978
+related:
+    - id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
+      type: derived
+    - id: 46a68649-f218-4f86-aea1-16a759d81820
+      type: derived
 status: test
-description: Detects scenarios where an Windows Defender exclusion was added in registry where an entity would want to bypass antivirus scanning from Windows Defender
+description: |
+    Detects when a Windows Defender exclusion has been deleted. This could indicate an attacker trying to delete their tracks by removing the added exclusions
 references:
    - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
 author: '@BarryShooshooga'
 date: 2019/10/26
-modified: 2021/11/27
+modified: 2023/11/11
 tags:
    - attack.defense_evasion
    - attack.t1562.001
@@ -16,13 +22,9 @@ logsource:
    definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User'
 detection:
    selection:
-        EventID:
-            - 4657
-            - 4656
-            - 4660
-            - 4663
+        EventID: 4660 # An object was deleted.
        ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\'
    condition: selection
 falsepositives:
-    - Intended inclusions by administrator
-level: high
+    - Unknown
+level: medium
@@ -7,7 +7,7 @@ references:
    - https://lolbas-project.github.io
 author: Perez Diego (@darkquassar), oscd.community
 date: 2019/10/27
-modified: 2023/09/06
+modified: 2023/11/11
 tags:
    - attack.privilege_escalation
    - attack.defense_evasion
@@ -72,9 +72,9 @@ detection:
            - ':\Windows\System32\services.exe' # happens on Windows 7
            - ':\Windows\System32\wininit.exe' # happens on Windows 7
            - ':\Windows\System32\csrss.exe' # multiple OS
+            - ':\Windows\System32\LogonUI.exe' # multiple OS
    filter_main_winlogon_2:
        SourceImage: 'C:\Windows\System32\winlogon.exe'
-        TargetParentImage: 'System'
        TargetParentProcessId: 4
    filter_main_schtasks_conhost:
        SourceImage|endswith:
@@ -84,10 +84,19 @@ detection:
    filter_main_explorer:
        SourceImage|endswith: ':\Windows\explorer.exe'
        TargetImage|endswith:
-            - ':\Windows\System32\mmc.exe'
-            - ':\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe'
+            - ':\Program Files (x86)\'
+            - ':\Program Files\'
+            - ':\Windows\System32\'
+            - ':\Windows\SysWOW64\'
    filter_main_system:
        TargetImage: 'System'
+    filter_main_msiexec:
+        # Note: MSI installers will trigger this
+        SourceImage|endswith: '\msiexec.exe'
+        TargetImage|contains:
+            - '\AppData\Local\'
+            - ':\Program Files (x86)\'
+            - ':\Program Files\'
    filter_optional_powerpnt:
        # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479
        SourceImage|contains: '\Microsoft Office\'
@@ -18,14 +18,14 @@ detection:
    selection:
        TargetFilename|endswith: '.evtx'
    filter_main_path:
-        TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\'
+        TargetFilename|contains: ':\Windows\System32\winevt\Logs\'
    filter_main_baseimage:
-        TargetFilename|startswith: 'C:\ProgramData\Microsoft\Windows\Containers\BaseImages\'
+        TargetFilename|contains: ':\ProgramData\Microsoft\Windows\Containers\BaseImages\'
        TargetFilename|endswith: '\Windows\System32\winevt\Logs\'
    filter_main_generic_img:
-        Image:
-            - 'C:\Windows\explorer.exe'
-            - 'C:\Windows\system32\dllhost.exe'
+        Image|endswith:
+            - ':\Windows\explorer.exe'
+            - ':\Windows\system32\dllhost.exe'
    condition: selection and not 1 of filter_main_*
 falsepositives:
    - Administrator or backup activity
@@ -1,45 +0,0 @@
-title: Rename Common File to DLL File
-id: bbfd974c-248e-4435-8de6-1e938c79c5c1
-status: test
-description: Detects cases in which a file gets renamed to .dll, which often happens to bypass perimeter protection
-references:
-    - https://twitter.com/ffforward/status/1481672378639912960
-    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location
-author: frack113
-date: 2022/02/19
-modified: 2023/01/02
-tags:
-    - attack.defense_evasion
-    - attack.t1036.008
-logsource:
-    product: windows
-    category: file_rename
-    definition: 'Requirements: Microsoft-Windows-Kernel-File Provider with at least the KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH keyword'
-detection:
-    to_dll:
-        TargetFilename|endswith: '.dll'
-    filter_from_dll:
-        - SourceFilename|endswith:
-              - '.dll'
-              - '.tmp'  # VSCode FP
-        - SourceFilename|contains:
-              - '.dll.'
-              - '\SquirrelTemp\temp'
-    filter_empty_source:
-        SourceFilename: ''
-    filter_non_existing_source:
-        SourceFilename: null
-    filter_tiworker:
-        Image|startswith: 'C:\Windows\WinSxS\'
-        Image|endswith: '\TiWorker.exe'
-    filter_upgrade:
-        - Image: 'C:\Windows\System32\wuauclt.exe'
-        - TargetFilename|startswith: 'C:\$WINDOWS.~BT\Sources\'
-    filter_program_files:
-        Image|startswith:
-            - 'C:\Program Files (x86)\'
-            - 'C:\Program Files\'
-    condition: to_dll and not 1 of filter*
-falsepositives:
-    - Application installation
-level: medium
@@ -7,7 +7,7 @@ references:
    - https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/
 author: frack113
 date: 2022/07/16
-modified: 2023/01/02
+modified: 2023/11/11
 tags:
    - attack.impact
    - attack.t1486
@@ -18,35 +18,40 @@ logsource:
 detection:
    selection:
        SourceFilename|endswith:
-            - '.lnk'
-            - '.rtf'
-            - '.pst'
+            - '.doc'
            - '.docx'
-            - '.xlsx'
-            - '.jpg'
            - '.jpeg'
-            - '.png'
+            - '.jpg'
+            - '.lnk'
            - '.pdf'
+            - '.png'
+            - '.pst'
+            - '.rtf'
+            - '.xls'
+            - '.xlsx'
        TargetFilename|contains:
-            - '.lnk.'
-            - '.rtf.'
-            - '.pst.'
+            - '.doc.'
            - '.docx.'
-            - '.xlsx.'
-            - '.jpg.'
            - '.jpeg.'
-            - '.png.'
+            - '.jpg.'
+            - '.lnk.'
            - '.pdf.'
+            - '.png.'
+            - '.pst.'
+            - '.rtf.'
+            - '.xls.'
+            - '.xlsx.'
    filter_main_generic:
        TargetFilename|endswith:
-            - '.tmp'
+            # Note: Please add more used extensions by backup or recovery software
+            - '.backup'
            - '.bak'
            - '.old'
            - '.orig'
-            - '.backup'
            - '.temp'
+            - '.tmp'
    filter_optional_anaconda:
-        TargetFilename|startswith: 'C:\ProgramData\Anaconda3\'
+        TargetFilename|contains: ':\ProgramData\Anaconda3\'
        TargetFilename|endswith: '.c~'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
@@ -1,27 +1,58 @@
-title: Wuauclt Network Connection
+title: Potentially Suspicious Wuauclt Network Connection
 id: c649a6c7-cd8c-4a78-9c04-000fc76df954
 status: test
 description: |
-  Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections.
-  One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.
+    Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections.
+    One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.
 references:
    - https://dtm.uk/wuauclt/
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020/10/12
-modified: 2023/01/20
+modified: 2023/11/11
 tags:
    - attack.defense_evasion
    - attack.t1218
 logsource:
    category: network_connection
    product: windows
+    definition: 'Requirements: The CommandLine field enrichment is required in order for this rule to be used.'
 detection:
    selection:
        Image|contains: 'wuauclt'
+        CommandLine|contains: ' /RunHandlerComServer'
    # "C:\WINDOWS\uus\AMD64\wuauclt.exe" /DeploymentHandlerFullPath \\?\C:\Windows\UUS\AMD64\UpdateDeploy.dll /ClassId aaa256e1-5b21-4993-9188-18f07ccb3b98 /RunHandlerComServer
-    filter_msrange:  # Sysmon
+    filter_main_ipv4:
+        DestinationIp|startswith: # Ranges excluded based on https://github.com/SigmaHQ/sigma/blob/0f176092326ab9d1e19384d30224e5f29f760d82/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml
+            - '10.'
+            - '127.'
+            - '169.254.'  # link-local address
+            - '172.16'
+            - '172.17'
+            - '172.18'
+            - '172.19'
+            - '172.20'
+            - '172.21'
+            - '172.22'
+            - '172.23'
+            - '172.24'
+            - '172.25'
+            - '172.26'
+            - '172.27'
+            - '172.28'
+            - '172.29'
+            - '172.30'
+            - '172.31'
+            - '192.168'
+    filter_main_ipv6:
        DestinationIp|startswith:
-            # Subnet: 20.184.0.0/13
+            - '::1'
+            - '0:0:0:0:0:0:0:1'  # IPv6 loopback variant
+            - 'fe80:'  # link-local address
+            - 'fc'  # private address range fc00::/7
+            - 'fd'  # private address range fc00::/7
+    filter_main_msrange:  # Sysmon
+        DestinationIp|startswith:
+            # Subnet: 20.184.0.0/13, 51.103.210.0/23 and others
            - '20.184.'
            - '20.185.'
            - '20.186.'
@@ -30,16 +61,27 @@ detection:
            - '20.189.'
            - '20.190.'
            - '20.191.'
+            - '20.220.'
+            - '20.221.'
            - '23.79.'
            - '51.10.'
-            # Subnet: 51.103.210.0/23
            - '51.103.'
            - '51.104.'
            - '51.105.'
            - '52.239.'
-    filter_cmdline:
-        CommandLine|contains: '\UpdateDeploy.dll /ClassId '
-    condition: selection and not 1 of filter_*
+    filter_main_uus:
+        CommandLine|contains:
+            - ':\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId'
+            - ':\Windows\UUS\amd64\UpdateDeploy.dll /ClassId'
+    filter_main_winsxs|all:
+        CommandLine|contains:
+            - ':\Windows\WinSxS\'
+            - '\UpdateDeploy.dll /ClassId '
+    filter_main_cli_null:
+        CommandLine: null
+    filter_main_cli_empty:
+        CommandLine: ''
+    condition: selection and not 1 of filter_main_*
 falsepositives:
-    - Legitimate use of wuauclt.exe over the network.
+    - Unknown
 level: medium
@@ -0,0 +1,43 @@
+title: Remote File Download Via Findstr.EXE
+id: 587254ee-a24b-4335-b3cd-065c0f1f4baa
+related:
+    - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
+      type: obsoletes
+status: experimental
+description: |
+    Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
+references:
+    - https://lolbas-project.github.io/lolbas/Binaries/Findstr/
+    - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
+    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
+date: 2020/10/05
+modified: 2023/11/12
+tags:
+    - attack.defense_evasion
+    - attack.t1218
+    - attack.t1564.004
+    - attack.t1552.001
+    - attack.t1105
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_findstr:
+        - CommandLine|contains: findstr
+        - Image|endswith: 'findstr.exe'
+        - OriginalFileName: 'FINDSTR.EXE'
+    selection_cli_download_1:
+        CommandLine|contains:
+            - ' /v '
+            - ' -v '
+    selection_cli_download_2:
+        CommandLine|contains:
+            - ' /l '
+            - ' -l '
+    selection_cli_download_3:
+        CommandLine|contains: '\\\\'
+    condition: selection_findstr and all of selection_cli_download_*
+falsepositives:
+    - Unknown
+level: medium
@@ -6,7 +6,7 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr
 author: frack113
 date: 2021/12/27
-modified: 2023/03/06
+modified: 2023/11/11
 tags:
    - attack.credential_access
    - attack.t1552.006
@@ -15,8 +15,12 @@ logsource:
    product: windows
 detection:
    selection_img:
-        - Image|endswith: '\findstr.exe'
-        - OriginalFileName: 'FINDSTR.EXE'
+        - Image|endswith:
+              - '\find.exe'
+              - '\findstr.exe'
+        - OriginalFileName:
+              - 'FIND.EXE'
+              - 'FINDSTR.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'cpassword'
@@ -6,7 +6,7 @@ references:
    - https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/
 author: Trent Liffick
 date: 2020/05/01
-modified: 2023/03/06
+modified: 2023/11/11
 tags:
    - attack.defense_evasion
    - attack.t1036
@@ -17,8 +17,12 @@ logsource:
    product: windows
 detection:
    selection_img:
-        - Image|endswith: '\findstr.exe'
-        - OriginalFileName: 'FINDSTR.EXE'
+        - Image|endswith:
+              - '\find.exe'
+              - '\findstr.exe'
+        - OriginalFileName:
+              - 'FIND.EXE'
+              - 'FINDSTR.EXE'
    selection_cli:
        CommandLine|endswith: '.lnk'
    condition: all of selection_*
@@ -6,7 +6,7 @@ references:
    - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
 author: Florian Roth (Nextron Systems)
 date: 2022/08/12
-modified: 2023/07/13
+modified: 2023/11/11
 tags:
    - attack.credential_access
    - attack.t1552.006
@@ -15,8 +15,12 @@ logsource:
    product: windows
 detection:
    selection_findstr_img:
-        - Image|endswith: '\findstr.exe'
-        - OriginalFileName: 'FINDSTR.EXE'
+        - Image|endswith:
+              - '\find.exe'
+              - '\findstr.exe'
+        - OriginalFileName:
+              - 'FIND.EXE'
+              - 'FINDSTR.EXE'
    selection_findstr_cli:
        CommandLine|contains: 'lsass'
    selection_special:
@@ -6,7 +6,7 @@ references:
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/12
-modified: 2023/03/05
+modified: 2023/11/11
 tags:
    - attack.credential_access
    - attack.t1552.006
@@ -15,8 +15,12 @@ logsource:
    product: windows
 detection:
    selection_findstr_img:
-        - Image|endswith: '\findstr.exe'
-        - OriginalFileName: 'FINDSTR.EXE'
+        - Image|endswith:
+              - '\find.exe'
+              - '\findstr.exe'
+        - OriginalFileName:
+              - 'FIND.EXE'
+              - 'FINDSTR.EXE'
    selection_findstr_cli:
        CommandLine|contains:
            - '"Everyone"'
@@ -28,6 +32,7 @@ detection:
            # Example CLI would be: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
            # You could extend it for other groups and users
            #   Example: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
+            # Note: This selection only detects the command when executed from a handler such as a "cmd /c" or "powershell -c"
            - 'icacls '
            - 'findstr '
            - 'Everyone'
@@ -12,7 +12,7 @@ references:
    - https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html
 author: Nasreddine Bencherchali (Nextron Systems), frack113
 date: 2023/07/06
-modified: 2023/10/20
+modified: 2023/11/11
 tags:
    - attack.discovery
    - attack.t1057
@@ -23,25 +23,45 @@ detection:
    selection:
        CommandLine|contains:
            # Note: Add additional CLI to increase and enhance coverage
+            - 'ipconfig /all | find '
            - 'ipconfig /all | findstr '
+            - 'ipconfig | find '
            - 'ipconfig | findstr '
+            - 'ipconfig.exe /all | find '
            - 'ipconfig.exe /all | findstr '
+            - 'ipconfig.exe | find '
            - 'ipconfig.exe | findstr '
+            - 'net start | find'
            - 'net start | findstr'
+            - 'net.exe start | find'
            - 'net.exe start | findstr'
+            - 'net1 start | find'
            - 'net1 start | findstr'
+            - 'net1.exe start | find'
            - 'net1.exe start | findstr'
+            - 'netstat -ano | find'
            - 'netstat -ano | findstr'
+            - 'netstat | find'
            - 'netstat | findstr'
+            - 'netstat.exe -ano | find'
            - 'netstat.exe -ano | findstr'
+            - 'netstat.exe | find'
            - 'netstat.exe | findstr'
+            - 'ping | find'
            - 'ping | findstr'
+            - 'ping.exe | find'
            - 'ping.exe | findstr'
+            - 'systeminfo | find '
            - 'systeminfo | findstr '
+            - 'systeminfo.exe | find '
            - 'systeminfo.exe | findstr '
+            - 'tasklist | find '
            - 'tasklist | findstr '
+            - 'tasklist.exe | find '
            - 'tasklist.exe | findstr '
+            - 'whoami /all | find '
            - 'whoami /all | findstr '
+            - 'whoami.exe /all | find '
            - 'whoami.exe /all | findstr '
    condition: selection
 falsepositives:
@@ -13,6 +13,7 @@ references:
    - https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
 author: Nasreddine Bencherchali (Nextron Systems), frack113
 date: 2023/10/20
+modified: 2023/11/14
 tags:
    - attack.discovery
    - attack.t1518.001
@@ -21,8 +22,12 @@ logsource:
    product: windows
 detection:
    selection_img:
-        - Image|endswith: '\findstr.exe'
-        - OriginalFileName: 'FINDSTR.EXE'
+        - Image|endswith:
+              - '\find.exe'
+              - '\findstr.exe'
+        - OriginalFileName:
+              - 'FIND.EXE'
+              - 'FINDSTR.EXE'
    selection_cli:
        CommandLine|endswith:
            # Note: Add additional keywords to increase and enhance coverage
@@ -0,0 +1,41 @@
+title: Insensitive Subfolder Search Via Findstr.EXE
+id: 04936b66-3915-43ad-a8e5-809eadfd1141
+related:
+    - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
+      type: obsoletes
+status: experimental
+description: |
+    Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
+references:
+    - https://lolbas-project.github.io/lolbas/Binaries/Findstr/
+    - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
+    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
+date: 2020/10/05
+modified: 2023/11/12
+tags:
+    - attack.defense_evasion
+    - attack.t1218
+    - attack.t1564.004
+    - attack.t1552.001
+    - attack.t1105
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_findstr:
+        - CommandLine|contains: findstr
+        - Image|endswith: 'findstr.exe'
+        - OriginalFileName: 'FINDSTR.EXE'
+    selection_cli_search_subfolder:
+        CommandLine|contains:
+            - ' /s '
+            - ' -s '
+    selection_cli_search_insensitive:
+        CommandLine|contains:
+            - ' /i '
+            - ' -i '
+    condition: selection_findstr and all of selection_cli_search_*
+falsepositives:
+    - Administrative or software activity
+level: low
@@ -6,7 +6,7 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service
 author: frack113
 date: 2021/12/16
-modified: 2023/03/06
+modified: 2023/11/14
 tags:
    - attack.discovery
    - attack.t1518.001
@@ -15,8 +15,12 @@ logsource:
    product: windows
 detection:
    selection_img:
-        - Image|endswith: '\findstr.exe'
-        - OriginalFileName: 'FINDSTR.EXE'
+        - Image|endswith:
+              - '\find.exe'
+              - '\findstr.exe'
+        - OriginalFileName:
+              - 'FIND.EXE'
+              - 'FINDSTR.EXE'
    selection_cli:
        CommandLine|contains: ' 385201' # Sysmon driver default altitude
    condition: all of selection_*
@@ -6,6 +6,7 @@ references:
    - https://infosec.exchange/@sbousseaden/109542254124022664
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/20
+modified: 2023/11/13
 tags:
    - attack.defense_evasion
 logsource:
@@ -16,23 +17,33 @@ detection:
        - OriginalFileName:
              - 'Excel.exe'
              - 'MSACCESS.EXE'
+              - 'MSPUB.EXE'
              - 'OneNote.exe'
+              - 'OneNoteM.exe'
+              - 'OUTLOOK.EXE'
              - 'POWERPNT.EXE'
              - 'WinWord.exe'
        - Description:
              - 'Microsoft Access'
              - 'Microsoft Excel'
              - 'Microsoft OneNote'
+              - 'Microsoft Outlook'
              - 'Microsoft PowerPoint'
+              - 'Microsoft Publisher'
              - 'Microsoft Word'
-    filter:
+              - 'Sent to OneNote Tool'
+    filter_main_legit_names:
        Image|endswith:
            - '\EXCEL.exe'
+            - '\excelcnv.exe'
            - '\MSACCESS.exe'
+            - '\MSPUB.EXE'
            - '\ONENOTE.EXE'
+            - '\ONENOTEM.EXE'
+            - '\OUTLOOK.EXE'
            - '\POWERPNT.EXE'
            - '\WINWORD.exe'
-    condition: selection and not filter
+    condition: selection and not 1 of filter_main_*
 falsepositives:
    - Unknown
 level: high
@@ -11,7 +11,7 @@ references:
    - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/08/01
-modified: 2023/10/17
+modified: 2023/11/11
 tags:
    - attack.persistence
    - attack.privilege_escalation
@@ -33,6 +33,10 @@ detection:
        ParentImage|endswith: ':\Windows\System32\svchost.exe'
        Image|endswith: ':\Windows\System32\sdbinst.exe'
        CommandLine|endswith: ' -mm'
+    filter_main_null:
+        CommandLine: null
+    filter_main_empty:
+        CommandLine: ''
    condition: selection and not 1 of filter_main_*
 falsepositives:
    - Unknown
@@ -18,7 +18,7 @@ references:
    - https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback
 author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
 date: 2020/10/23
-modified: 2023/11/10
+modified: 2023/11/14
 tags:
    - attack.defense_evasion
    - attack.t1218.011
@@ -45,8 +45,16 @@ detection:
        ParentImage|contains|all:
            - ':\Users\'
            - '\AppData\Local\Microsoft\EdgeUpdate\Install\{'
-        ParentImage|endswith: '\setup.exe'
-    condition: 1 of selection_* and not 1 of filter_main_*
+    filter_optional_chrome_installer:
+        # As reported in https://github.com/SigmaHQ/sigma/issues/4570
+        ParentImage|contains|all:
+            - ':\Users\'
+            - '\AppData\Local\Google\Chrome\Application\'
+        ParentImage|endswith: '\Installer\setup.exe'
+        ParentCommandLine|contains: '--uninstall --channel=stable'
+        Image|endswith: '\rundll32.exe'
+        CommandLine|endswith: 'rundll32.exe'
+    condition: 1 of selection_* and not 1 of filter_main_* and 1 of filter_optional_*
 falsepositives:
    - Unlikely
 level: high
@@ -10,7 +10,7 @@ references:
    - https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core
 author: Tom Ueltschi (@c_APT_ure), Tim Shelton
 date: 2019/01/12
-modified: 2023/06/21
+modified: 2023/11/14
 tags:
    - attack.t1037.001
    - attack.persistence
@@ -21,7 +21,7 @@ detection:
    selection:
        ParentImage|endswith: '\userinit.exe'
    filter_main_explorer:
-        Image: 'C:\WINDOWS\explorer.exe'
+        Image|endswith: ':\WINDOWS\explorer.exe'
    filter_optional_logonscripts:
        CommandLine|contains:
            - 'netlogon.bat'
@@ -31,11 +31,18 @@ detection:
        # https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core
        CommandLine: 'PowerShell.exe'
    filter_optional_proquota:
-        Image:
-            - 'C:\Windows\System32\proquota.exe'
-            - 'C:\Windows\SysWOW64\proquota.exe'
+        Image|endswith:
+            - ':\Windows\System32\proquota.exe'
+            - ':\Windows\SysWOW64\proquota.exe'
    filter_optional_citrix:
-        Image|endswith: '\Citrix\System32\icast.exe'
+        Image|endswith:
+            # As reported by https://github.com/SigmaHQ/sigma/issues/4569
+            - ':\Program Files (x86)\Citrix\HDX\bin\cmstart.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command
+            - ':\Program Files (x86)\Citrix\HDX\bin\icast.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command
+            - ':\Program Files (x86)\Citrix\System32\icast.exe'
+            - ':\Program Files\Citrix\HDX\bin\cmstart.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command
+            - ':\Program Files\Citrix\HDX\bin\icast.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command
+            - ':\Program Files\Citrix\System32\icast.exe'
    filter_optional_image_null:
        Image: null
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
@@ -1,4 +1,4 @@
-title: Proxy Execution via Wuauclt
+title: Proxy Execution Via Wuauclt.EXE
 id: af77cf95-c469-471c-b6a0-946c685c4798
 related:
    - id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0
@@ -6,13 +6,13 @@ related:
    - id: d7825193-b70a-48a4-b992-8b5b3015cc11
      type: obsoletes
 status: test
-description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.
+description: Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.
 references:
    - https://dtm.uk/wuauclt/
    - https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team
 date: 2020/10/12
-modified: 2023/02/13
+modified: 2023/11/11
 tags:
    - attack.defense_evasion
    - attack.t1218
@@ -27,13 +27,22 @@ detection:
    selection_cli:
        CommandLine|contains|all:
            - 'UpdateDeploymentProvider'
-            - '.dll'
            - 'RunHandlerComServer'
-    filter:
+    filter_main_generic:
+        # Note: Please enhance this if you find the full path
+        CommandLine|contains: ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll '
+    filter_main_wuaueng:
+        # Note: Please enhance this if you find the full path
+        CommandLine|contains: ' wuaueng.dll '
+    filter_main_uus:
        CommandLine|contains:
-            - ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll '
-            - ' wuaueng.dll '
-    condition: all of selection_* and not filter
+            - ':\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId'
+            - ':\Windows\UUS\amd64\UpdateDeploy.dll /ClassId'
+    filter_main_winsxs:
+        CommandLine|contains|all:
+            - ':\Windows\WinSxS\'
+            - '\UpdateDeploy.dll /ClassId '
+    condition: all of selection_* and not 1 of filter_main_*
 falsepositives:
    - Unknown
 level: high
@@ -1,12 +1,13 @@
 title: Suspicious Windows Update Agent Empty Cmdline
 id: 52d097e2-063e-4c9c-8fbb-855c8948d135
 status: test
-description: Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
+description: |
+    Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
 references:
    - https://redcanary.com/blog/blackbyte-ransomware/
 author: Florian Roth (Nextron Systems)
 date: 2022/02/26
-modified: 2022/05/13
+modified: 2023/11/11
 tags:
    - attack.defense_evasion
    - attack.t1036
@@ -18,7 +19,9 @@ detection:
        - Image|endswith: '\Wuauclt.exe'
        - OriginalFileName: 'Wuauclt.exe'
    selection_cli:
-        CommandLine|endswith: '\Wuauclt.exe'
+        CommandLine|endswith:
+            - 'Wuauclt'
+            - 'Wuauclt.exe'
    condition: all of selection*
 falsepositives:
    - Unknown