Merge pull request #4379 from swachchhanda000/lolbas_msedge_and_teams

feat: enhance ftp lolbin rule and fix fp with vsto rule

rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml

@@ -1,12 +1,12 @@
 title: LOLBIN Execution Of The FTP.EXE Binary
 id: 06b401f4-107c-4ff9-947f-9ec1e7649f1e
 status: test
-description: Detects execution of ftp.exe script execution with the "-s" flag and any child processes ran by ftp.exe
+description: Detects execution of ftp.exe script execution with the "-s" or "/s" flag and any child processes ran by ftp.exe
 references:
     - https://lolbas-project.github.io/lolbas/Binaries/Ftp/
 author: Victor Sergeev, oscd.community
 date: 2020/10/09
-modified: 2022/11/10
+modified: 2023/08/11
 tags:
     - attack.execution
     - attack.t1059
@@ -22,11 +22,10 @@ detection:
         - Image|endswith: '\ftp.exe'
         - OriginalFileName: 'ftp.exe'
     selection_ftp_cli:
-        CommandLine|contains: '-s:'
+        CommandLine|contains:
+            - '-s:'
+            - '/s:'
     condition: selection_parent or all of selection_ftp_*
-fields:
-    - CommandLine
-    - ParentImage
 falsepositives:
     - Unknown
 level: medium

rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml

@@ -7,7 +7,7 @@ references:
     - https://vanmieghem.io/stealth-outlook-persistence/
 author: Bhabesh Raj
 date: 2021/01/10
-modified: 2023/06/28
+modified: 2023/08/11
 tags:
     - attack.t1137.006
     - attack.persistence
@@ -34,6 +34,8 @@ detection:
             - '\integrator.exe'
             - '\OfficeClickToRun.exe'
             - '\winword.exe'
+    filter_teams:
+        Image|endswith: '\Teams.exe'
     filter_avg:
         Image: 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
         TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'