More generic

rules/windows/registry/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml

@@ -1,10 +1,10 @@
-title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
+title: CVE-2021-31979 CVE-2021-33771 Exploits
 id: 32b5db62-cb5f-4266-9639-0fa48376ac00
 status: experimental
 description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
-author: Sittikorn S
+author: Sittikorn S, frack113
 date: 2021/07/16
-modified: 2021/09/09
+modified: 2022/06/29
 references:
     - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
     - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
@@ -20,12 +20,14 @@ logsource:
     category: registry_event
 detection:
     selection:
-        TargetObject|contains: 
-            - '\Software\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32'
-            - '\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32'
-    keywords:
-        - IMJPUEXP.DLL
-    condition: selection and keywords
+        TargetObject|endswith:
+            - CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)
+            - CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
+    filter:
+        Details|endswith:
+            - system32\wbem\wmiutils.dll
+            - system32\wbem\wbemsvc.dll
+    condition: selection and not filter
 falsepositives:
     - Unlikely
 level: critical