From cb09f9d522576dabfc2af60e4919bee331ce610b Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 20 Sep 2022 17:44:56 +0200
Subject: [PATCH] Update proc_creation_win_winpeas_tool.yml
---
 .../proc_creation_win_winpeas_tool.yml | 27 ++++++-------------
 1 file changed, 8 insertions(+), 19 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml
index 9696b83b3..0b34ea85c 100644
--- a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml
+++ b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml
@@ -16,7 +16,7 @@ logsource:
 category: process_creation
 product: windows
 detection:
- winpeas_basic:
+ selection_basic:
 Image|endswith:
 - '\winPEASany.exe'
 - '\winPEASany_ofs.exe'
@@ -24,28 +24,17 @@ detection:
 - '\winPEASx64_ofs.exe'
 - '\winPEASx86.exe'
 - '\winPEASx86_ofs.exe'
- winpeas_option:
- CommandLine|contains:
- - 'systeminfo' # Search system information
- - 'userinfo' # Search user information
- - 'processinfo' # Search processes information
+ selection_pe:
+ OriginalFileName: 'winPEAS.exe'
+ selection_option:
+ - CommandLine|endswith:
 - 'serviceinfo' # Search services information
 - 'applicationsinfo' # Search installed applications information
- - 'networkinfo' # Search network information
 - 'windowscreds' # Search windows credentials
 - 'browserinfo ' # Search browser information
- - 'filesinfo ' # Search generic files that can contains credentials
 - 'fileanalysis' # Search specific files that can contains credentials and for regexes inside files
- - 'eventsinfo' # Display interesting events information
- filter_sysinfo:
- Image|endswith: '\systeminfo.exe' # due to option "systeminfo" via winPEAS
- condition: 1 of winpeas_* and not filter_sysinfo
-fields:
- - Image
- - User
- - CommandLine
- - ParentCommandLine
- - CurrentDirectory
+ - CommandLine|contains: '.exe browserinfo ' # Search browser information
+ condition: 1 of selection*
 falsepositives:
- - Unlikely
+ - Other programs that use the same command line flags
 level: high
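Review bot: The `'browserinfo '` entry that stays under the new `CommandLine|endswith` list still carries the trailing space it had under the old `contains` modifier, so with `endswith` it can only match a command line that ends in a literal space and is effectively dead; the added `CommandLine|contains: '.exe browserinfo '` entry appears to be the intended replacement, so either drop the endswith entry or trim it to `- 'browserinfo' # Search browser information`. With `condition: 1 of selection*`, the `selection_option` patterns fire on their own without `selection_basic` or `selection_pe`, which is presumably deliberate so renamed binaries are still caught, but it means short tokens such as `serviceinfo` match any process whose command line ends that way, as the updated falsepositives entry acknowledges. A comment on `selection_option` such as `# matches on flags alone so renamed copies are still caught; see falsepositives` would make that trade-off explicit for the next maintainer. The `detection:` mapping these selections belong to begins before this hunk.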