Merge branch 'master' into rule-devel

2022-01-14 10:16:56 +01:00
parent 14ccd6ca8c f4c6871b50
commit cb73718684
126 changed files with 420 additions and 207 deletions
@@ -27,7 +27,7 @@ detection:
        a6|startswith: '--cpu-priority'
    cmd7:
        a7|startswith: '--cpu-priority'
-    condition: 1 of them
+    condition: 1 of cmd*
 falsepositives:
    - Other tools that use a --cpu-priority flag
 level: critical
@@ -27,7 +27,7 @@ detection:
    type: 'EXECVE'
    a0: 'cp'
    a1: '/bin/sh'
-  condition: 1 of them
+  condition: 1 of cmd*
 falsepositives:
  - Admin activity
 level: medium
@@ -22,7 +22,7 @@ detection:
    type: 'execve'
    a0: 'tar'
    a1|contains: '-c'
-  condition: 1 of them
+  condition: 1 of selection*
 falsepositives:
  - Legitimate use of archiving tools by legitimate user.
 level: low
@@ -27,10 +27,10 @@ detection:
    - '/bin/sh -i <&3 >&3 2>&3'
    - 'uname -a; w; id; /bin/bash -i'
    - '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()};'
-    - ";os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv('HISTFILE','/dev/null');"
+    - ';os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv(''HISTFILE'',''/dev/null'');'
    - '.to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
    - ';while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print'
-    - "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:"
+    - 'socat exec:''bash -li'',pty,stderr,setsid,sigint,sane tcp:'
    - 'rm -f /tmp/p; mknod /tmp/p p &&'
    - ' | /bin/bash | telnet '
    - ',echo=0,raw tcp-listen:'
@@ -21,7 +21,7 @@ detection:
    CommandLine|contains:
      - ' dump-keychain '
      - ' login-keychain '
-  condition: 1 of them
+  condition: 1 of selection*
 falsepositives:
  - Legitimate administration activities
 level: medium
@@ -11,19 +11,19 @@ logsource:
  category: process_creation
  product: macos
 detection:
-  file_with_asterisk:
+  select_file_with_asterisk:
    Image: '/usr/bin/file'
    CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline
-  recursive_ls:
+  select_recursive_ls:
    Image: '/bin/ls'
    CommandLine|contains: '-R'
-  find_execution:
+  select_find_execution:
    Image: '/usr/bin/find'
-  mdfind_execution:
+  select_mdfind_execution:
    Image: '/usr/bin/mdfind'
-  tree_execution|endswith:
+  select_tree_execution|endswith:
    Image: '/tree'
-  condition: 1 of them
+  condition: 1 of select*
 falsepositives:
  - Legitimate activities
 level: informational
@@ -25,7 +25,7 @@ detection:
      - 'user'
  selection_3:
    CommandLine|contains:
-      - "'x:0:'"
+      - '''x:0:'''
  selection_4:
    Image|endswith:
      - '/cat'
@@ -40,7 +40,7 @@ detection:
      - '/lsof'
    CommandLine|contains:
      - '-u'
-  condition: 1 of them
+  condition: 1 of selection*
 falsepositives:
  - Legitimate administration activities
 level: low
@@ -28,7 +28,7 @@ detection:
    CommandLine|contains|all:
      - '-list'
      - '/groups'
-  condition: 1 of them
+  condition: 1 of selection*
 falsepositives:
  - Legitimate administration activities
 level: informational
@@ -40,7 +40,7 @@ detection:
      - ' 172.31.'
      - ' 127.' #127.0.0.0/8
      - ' 169.254.' #169.254.0.0/16
-  condition: 1 of them
+  condition: 1 of selection*
 falsepositives:
  - Legitimate administration activities
 level: informational
@@ -22,7 +22,7 @@ detection:
    - 'bug: pid active in ptrace_sandbox_free'
    - 'PTRACE_SETOPTIONS failure'
    - 'weird status:'
-    - "couldn't handle sandbox event"
+    - 'couldn''t handle sandbox event'
    - 'syscall * out of bounds'
    - 'syscall not permitted:'
    - 'syscall validate failed:'
@@ -11,17 +11,17 @@ logsource:
  category: process_creation
  product: linux
 detection:
-  file_with_asterisk:
+  select_file_with_asterisk:
    Image|endswith: '/file'
    CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline
-  recursive_ls:
+  select_recursive_ls:
    Image|endswith: '/ls'
    CommandLine|contains: '-R'
-  find_execution:
+  select_find_execution:
    Image|endswith: '/find'
-  tree_execution:
+  select_tree_execution:
    Image|endswith: '/tree'
-  condition: 1 of them
+  condition: 1 of select*
 falsepositives:
  - Legitimate activities
 level: informational
@@ -16,7 +16,7 @@ detection:
      - '/lastlog'
  selection_2:
    CommandLine|contains:
-      - "'x:0:'"
+      - '''x:0:'''
  selection_3:
    Image|endswith:
      - '/cat'
@@ -31,7 +31,7 @@ detection:
      - '/lsof'
    CommandLine|contains:
      - '-u'
-  condition: 1 of them
+  condition: 1 of selection*
 falsepositives:
  - Legitimate administration activities
 level: low
@@ -19,7 +19,7 @@ detection:
      - '/cat'
    CommandLine|contains:
      - '/etc/group'
-  condition: 1 of them
+  condition: 1 of selection*
 falsepositives:
  - Legitimate administration activities
 level: low
@@ -37,7 +37,7 @@ detection:
      - ' 172.31.'
      - ' 127.' #127.0.0.0/8
      - ' 169.254.' #169.254.0.0/16
-  condition: 1 of them
+  condition: 1 of selection*
 falsepositives:
  - Legitimate administration activities
 level: low
@@ -15,70 +15,70 @@ logsource:
    category: process_creation
    product: linux
 detection:
-    iptables_1:
+    selection_iptables_1:
        Image|endswith: '/service'
        CommandLine|contains|all:
          - 'iptables'
          - 'stop'
-    iptables_2:
+    selection_iptables_2:
        Image|endswith: '/service'
        CommandLine|contains|all:
          - 'ip6tables'
          - 'stop'
-    iptables_3:
+    selection_iptables_3:
        Image|endswith: '/chkconfig'
        CommandLine|contains|all:
          - 'iptables'
          - 'stop'
-    iptables_4:
+    selection_iptables_4:
        Image|endswith: '/chkconfig'
        CommandLine|contains|all:
          - 'ip6tables'
          - 'stop'
-    firewall_1:
+    selection_firewall_1:
        Image|endswith: '/systemctl'
        CommandLine|contains|all:
          - 'firewalld'
          - 'stop'
-    firewall_2:
+    selection_firewall_2:
        Image|endswith: '/systemctl'
        CommandLine|contains|all:
          - 'firewalld'
          - 'disable'
-    carbonblack_1:
+    selection_carbonblack_1:
        Image|endswith: '/service'
        CommandLine|contains|all:
          - 'cbdaemon'
          - 'stop'
-    carbonblack_2:
+    selection_carbonblack_2:
        Image|endswith: '/chkconfig'
        CommandLine|contains|all:
          - 'cbdaemon'
          - 'off'
-    carbonblack_3:
+    selection_carbonblack_3:
        Image|endswith: '/systemctl'
        CommandLine|contains|all:
          - 'cbdaemon'
          - 'stop'
-    carbonblack_4:
+    selection_carbonblack_4:
        Image|endswith: '/systemctl'
        CommandLine|contains|all:
          - 'cbdaemon'
          - 'disable'
-    selinux:
+    selection_selinux:
        Image|endswith: '/setenforce'
        CommandLine|contains: '0'
-    crowdstrike_1:
+    selection_crowdstrike_1:
        Image|endswith: '/systemctl'
        CommandLine|contains|all:
          - 'stop'
          - 'falcon-sensor'
-    crowdstrike_2:
+    selection_crowdstrike_2:
        Image|endswith: '/systemctl'
        CommandLine|contains|all:
          - 'disable'
          - 'falcon-sensor'
-    condition: 1 of them
+    condition: 1 of selection*
 falsepositives:
    - Legitimate administration activities
 level: medium
@@ -11,15 +11,15 @@ modified: 2021/11/27
 logsource:
  category: firewall
 detection:
-  outgoing:
+  select_outgoing:
    dst_ip:
      - '69.42.98.86'
      - '89.185.234.145'
-  incoming:
+  select_incoming:
    src_ip:
      - '69.42.98.86'
      - '89.185.234.145'
-  condition: 1 of them
+  condition: 1 of select*
 falsepositives:
  - Unknown
 level: high
@@ -17,7 +17,7 @@ detection:
            - 'post.1'
    selection2:
        query|contains: '.stage.123456.'
-    condition: 1 of them
+    condition: 1 of selection*
 falsepositives:
    - Unknown
 level: critical
@@ -2,8 +2,8 @@ title: Domain User Enumeration Network Recon 01
 description: Domain user and group enumeration via network reconnaissance. Seen in APT 29 and other common tactics and actors. Detects a set of RPC (remote procedure calls) used to enumerate a domain controller. The rule was created based off the datasets and hackathon from https://github.com/OTRF/detection-hackathon-apt29
 id: 66a0bdc6-ee04-441a-9125-99d2eb547942
 references:
-    - "https://github.com/OTRF/detection-hackathon-apt29"
-    - "https://github.com/OTRF/detection-hackathon-apt29/issues/37"
+    - https://github.com/OTRF/detection-hackathon-apt29
+    - https://github.com/OTRF/detection-hackathon-apt29/issues/37
 author: 'Nate Guagenti (@neu5ron), Open Threat Research (OTR)'
 date: 2020/05/03
 modified: 2021/11/14
@@ -41,7 +41,7 @@ detection:
  op10:
    endpoint: 'svcctl'
    operation: 'StartServiceW'
-  condition: 1 of them
+  condition: 1 of op*
 falsepositives:
  - 'Windows administrator tasks or troubleshooting'
  - 'Windows management scripts or software'
@@ -29,7 +29,7 @@ detection:
  op6:
    endpoint: 'ISecLogon'
    operation: 'SeclCreateProcessWithLogonExW'
-  condition: 1 of them
+  condition: 1 of op*
 falsepositives:
  - 'Windows administrator tasks or troubleshooting'
  - 'Windows management scripts or software'
@@ -25,12 +25,12 @@ logsource:
 detection:
    printer_operation:
        operation:
-            - "RpcAsyncInstallPrinterDriverFromPackage" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x3e
-            - "RpcAsyncAddPrintProcessor" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x2c
-            - "RpcAddPrintProcessor" # "12345678-1234-abcd-ef00-0123456789ab",0x0e
-            - "RpcAddPrinterDriverEx" # "12345678-1234-abcd-ef00-0123456789ab",0x59
-            - "RpcAddPrinterDriver" # "12345678-1234-abcd-ef00-0123456789ab",0x09
-            - "RpcAsyncAddPrinterDriver" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x27
+            - 'RpcAsyncInstallPrinterDriverFromPackage' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x3e
+            - 'RpcAsyncAddPrintProcessor' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x2c
+            - 'RpcAddPrintProcessor' # "12345678-1234-abcd-ef00-0123456789ab",0x0e
+            - 'RpcAddPrinterDriverEx' # "12345678-1234-abcd-ef00-0123456789ab",0x59
+            - 'RpcAddPrinterDriver' # "12345678-1234-abcd-ef00-0123456789ab",0x09
+            - 'RpcAsyncAddPrinterDriver' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x27
    condition: printer_operation
 falsepositives:
    - Legitimate remote alteration of a printer driver.
@@ -12,12 +12,12 @@ logsource:
 detection:
  selection1:
    c-useragent: 
-      - "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)"
-      - "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )"
-      - "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08"
+      - 'Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)'
+      - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )'
+      - 'Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08'
  selection2:
    c-useragent|endswith: '; MANM; MANM)'
-  condition: 1 of them
+  condition: 1 of selection*
 falsepositives:
  - Unknown
 level: critical
@@ -12,12 +12,12 @@ logsource:
 detection:
  b64encoding:
    c-uri|contains:
-      - "_2f"
-      - "_2b"
+      - '_2f'
+      - '_2b'
  urlpatterns:
    c-uri|contains|all:
-      - ".avi"
-      - "/images/"
+      - '.avi'
+      - '/images/'
  condition: b64encoding and urlpatterns
 fields:
  - c-ip
@@ -19,7 +19,7 @@ detection:
            - '/pcidss/report'
            - 'type=all_signatures'
            - 'sig_name=_default_signature_'
-    condition: 1 of them
+    condition: 1 of selection*
 fields:
    - client_ip
    - vhost
@@ -12,9 +12,9 @@ logsource:
 detection:
  selection:
    c-uri|contains|all:
-      - "/ecp/default.aspx"
-      - "__VIEWSTATEGENERATOR="
-      - "__VIEWSTATE="
+      - '/ecp/default.aspx'
+      - '__VIEWSTATEGENERATOR='
+      - '__VIEWSTATE='
  condition: selection
 falsepositives:
  - Unknown
@@ -56,7 +56,7 @@ detection:
    c-uri|contains|all:
      - '/ecp/'
      - '.js'   
-  condition: 1 of them
+  condition: 1 of selection*
 falsepositives:
  - Legitimate access to other web applications that use the same folder names as Exchange (e.g. owa, ecp) but are not Microsoft Exchange related
 level: high
@@ -22,7 +22,7 @@ detection:
            - '&dwn='
            - '?fn='
            - '.html?'
-    condition: 1 of them
+    condition: 1 of selection*
 fields:
    - client_ip
    - response
@@ -20,8 +20,8 @@ detection:
        EventID: 4624
        LogonType: 10
        IpAddress:
-            - "::1"
-            - "127.0.0.1"
+            - '::1'
+            - '127.0.0.1'
    condition: selection
 falsepositives:
    - Unknown
@@ -43,4 +43,4 @@ detection:
            - '--auto-confirm'
            - '--transfers'
            - '--multi-thread-streams'
-    condition: 1 of them
+    condition: 1 of selection*
@@ -21,7 +21,7 @@ detection:
            - 'post.1'
    selection2:
        QueryName|contains: '.stage.123456.'
-    condition: 1 of them
+    condition: 1 of selection*
 fields:
    - Image
    - CommandLine
@@ -1,11 +1,12 @@
-title: Suspicious Scheduled Task Writ to System32 Tasks
+title: Suspicious Scheduled Task Write to System32 Tasks
 id: 80e1f67a-4596-4351-98f5-a9c3efabac95
 status: experimental
-description: 
+description: Detects the creation of tasks from processes executed from suspicious locations
 references:
-    - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
+    - Internal Research
 author: Florian Roth
 date: 2021/11/16
+modified: 2022/01/12
 tags:
    - attack.persistence
    - attack.execution
@@ -0,0 +1,36 @@
+title: WScript or CScript Dropper
+id: 002bdb95-0cf1-46a6-9e08-d38c128a6127
+status: experimental
+description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe
+related: 
+    - id: cea72823-df4d-4567-950c-0b579eaf0846
+      type: derived
+references:
+    - WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)
+author: Tim Shelton
+date: 2022/01/10
+modified: 2022/01/11
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        Image|endswith:
+            - '\wscript.exe'
+            - '\cscript.exe'
+        TargetFilename|startswith: 
+            - 'C:\Users\'
+            - 'C:\ProgramData'
+        TargetFilename|endswith: 
+            - '.jse'
+            - '.vbe'
+            - '.js'
+            - '.vba'
+            - '.vbs'
+    condition: selection
+fields:
+    - Image
+    - TargetFilename
+falsepositives:
+    - Unknown
+level: high
@@ -38,7 +38,7 @@ detection:
            - 'C:\PerfLogs'
            - '\AppData\'
            - 'C:\Windows\Temp'
-    condition: 1 of them
+    condition: 1 of selection*
 fields:
    - CommandLine
    - ParentCommandLine
@@ -3,7 +3,7 @@ id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
 description: Detects non wmiprvse loading WMI modules
 status: experimental
 date: 2019/08/10
-modified: 2021/11/25
+modified: 2022/01/12
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html
@@ -48,6 +48,8 @@ detection:
            - '\explorer.exe'
            - '\opera_autoupdate.exe'
            - '\MsMpEng.exe'
+            - '\thor64.exe'
+            - '\thor.exe'
    filter_generic:             # rule caused many false positives in different productive environments - using this filter to exclude all programs that run from folders that only the administrative groups should have access to
        Image|startswith:
            - 'C:\Program Files\'
@@ -14,14 +14,12 @@ logsource:
 detection:
    selection1:
        CommandLine|contains: 
-            - "=[char][byte]('0x'+"
+            - '=[char][byte](''0x''+'
            - ' -work worker0 -path '
    selection2:
-        ParentCommandLine|contains:
-            - 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
-        Image|contains:
-            - '\AppData\Local\Temp\'
-    condition: 1 of them
+        ParentCommandLine|contains: 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
+        Image|contains: '\AppData\Local\Temp\'
+    condition: 1 of selection*
 falsepositives:
    - Unknown
    - UAC bypass method used by other malware
@@ -30,7 +30,7 @@ detection:
      PipeName|startswith: '\status_'
   selection_msagent:
      PipeName|startswith: '\msagent_'
-   condition: 1 of them
+   condition: 1 of selection*
 falsepositives:
   - Unknown
 level: critical
@@ -17,14 +17,14 @@ logsource:
    category: ps_module
    definition: Script block logging must be enabled
 detection:
-    convert_b64:
+    selection_convert_b64:
        ContextInfo|contains|all:
            - '-nop'
            - ' -w '
            - 'hidden'
            - ' -c '
            - '[Convert]::FromBase64String'
-    iex_selection:
+    selection_iex:
        ContextInfo|contains|all:
            - ' -w '
            - 'hidden'
@@ -33,20 +33,20 @@ detection:
            - ' -c '
            - 'iex'
            - 'New-Object'
-    enc_selection:
+    selection_enc:
        ContextInfo|contains|all:
            - ' -w '
            - 'hidden'
            - '-ep'
            - 'bypass'
            - '-Enc'
-    reg_selection:
+    selection_reg:
        ContextInfo|contains|all:
            - 'powershell'
            - 'reg'
            - 'add'
            - 'HKCU\software\microsoft\windows\currentversion\run'
-    webclient_selection:
+    selection_webclient:
        ContextInfo|contains|all:
            - 'bypass'
            - '-noprofile'
@@ -55,13 +55,13 @@ detection:
            - 'new-object'
            - 'system.net.webclient'
            - '.download'
-    iex_webclient:
+    selection_iex_webclient:
        ContextInfo|contains|all:
            - 'iex'
            - 'New-Object'
            - 'Net.WebClient'
            - '.Download'
-    condition: 1 of them
+    condition: 1 of selection*
 falsepositives:
    - Penetration tests
 level: high
@@ -0,0 +1,26 @@
+title: Create Volume Shadow Copy with Powershell
+id: afd12fed-b0ec-45c9-a13d-aa86625dac81
+status: experimental
+description: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
+date: 2022/01/12
+author: frack113
+references:
+    - https://attack.mitre.org/datasources/DS0005/
+    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script block logging must be enabled
+detection:
+    selection:
+        ScriptBlockText|contains|all:
+            - win32_shadowcopy
+            - ').Create('
+            - ClientAccessible
+    condition: selection
+falsepositives:
+    - Legitimate PowerShell scripts
+level: high
+tags:
+    - attack.credential_access
+    - attack.t1003.003 
@@ -0,0 +1,25 @@
+title: Suspicious Get-WmiObject
+id: 0332a266-b584-47b4-933d-a00b103e1b37
+status: experimental
+description: The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers
+date: 2022/01/12
+author: frack113
+references:
+    - https://attack.mitre.org/datasources/DS0005/
+    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script block logging must be enabled
+detection:
+    selection:
+        ScriptBlockText|contains:
+            - Get-WmiObject
+            - gwmi
+    condition: selection
+falsepositives:
+    - Legitimate PowerShell scripts
+level: low
+tags:
+    - attack.persistence
+    - attack.t1546
@@ -1,20 +1,20 @@
 title: AzureHound PowerShell Commands
 id: 83083ac6-1816-4e76-97d7-59af9a9ae46e
 status: experimental
-description: 
+description: Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound
 references:
    - https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/AzureHound.ps1
    - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
 author: Austin Songer (@austinsonger)
 date: 2021/10/23
+modified: 2022/01/12
 logsource:
    product: windows
    category: ps_script
-    definition: Script Block Logging must be enable
+    definition: Script Block Logging must be enabled
 detection:
    selection:
-        ScriptBlockText|contains:
-            - "Invoke-AzureHound"
+        ScriptBlockText|contains: Invoke-AzureHound
    condition: selection
 tags:
    - attack.discovery
@@ -22,11 +22,10 @@ logsource:
 detection:
    selection_content:
        ScriptBlockText|contains:
-            - "set-content"
-            - "add-content"
+            - set-content
+            - add-content
    selection_stream:
-        ScriptBlockText|contains:
-            - "-stream"
+        ScriptBlockText|contains: '-stream'
    condition: all of selection*
 falsepositives:
    - unknown
@@ -17,14 +17,14 @@ logsource:
    category: ps_script
    definition: Script block logging must be enabled
 detection:
-    convert_b64:
+    select_convert_b64:
        ScriptBlockText|contains|all:
            - '-nop'
            - ' -w '
            - 'hidden'
            - ' -c '
            - '[Convert]::FromBase64String'
-    iex_selection:
+    select_iex_selection:
        ScriptBlockText|contains|all:
            - ' -w '
            - 'hidden'
@@ -33,20 +33,20 @@ detection:
            - ' -c '
            - 'iex'
            - 'New-Object'
-    enc_selection:
+    select_enc_selection:
        ScriptBlockText|contains|all:
            - ' -w '
            - 'hidden'
            - '-ep'
            - 'bypass'
            - '-Enc'
-    reg_selection:
+    select_reg_selection:
        ScriptBlockText|contains|all:
            - 'powershell'
            - 'reg'
            - 'add'
            - 'HKCU\software\microsoft\windows\currentversion\run'
-    webclient_selection:
+    select_webclient_selection:
        ScriptBlockText|contains|all:
            - 'bypass'
            - '-noprofile'
@@ -55,13 +55,13 @@ detection:
            - 'new-object'
            - 'system.net.webclient'
            - '.download'
-    iex_webclient:
+    select_iex_webclient:
        ScriptBlockText|contains|all:
            - 'iex'
            - 'New-Object'
            - 'Net.WebClient'
            - '.Download'
-    condition: 1 of them
+    condition: 1 of select*
 falsepositives:
    - Penetration tests
 level: high
@@ -5,7 +5,7 @@ description: Detects process access LSASS memory which is typical for credential
 author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov,
    oscd.community (update)
 date: 2017/02/16
-modified: 2021/12/10
+modified: 2022/01/12
 references:
    - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
    - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
@@ -82,6 +82,14 @@ detection:
    filter9:
        SourceImage|endswith: '\explorer.exe'
        GrantedAccess: '0x401'
+    filter10:
+        SourceImage: 'C:\Windows\system32\wininit.exe'
+        GrantedAccess: '0x1000000'
+    filter11:
+        SourceImage: 'C:\Windows\system32\MRT.exe' # Windows Malicious Software Removal Tool
+        GrantedAccess: 
+            - '0x1410'
+            - '0x1418'
    filter_generic:
        SourceImage|startswith: 
            - 'C:\Program Files\'
@@ -7,7 +7,7 @@ status: experimental
 description: Detects process access to LSASS memory with suspicious access flags
 author: Florian Roth
 date: 2021/11/22
-modified: 2022/01/08
+modified: 2022/01/13
 references:
    - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
    - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
@@ -62,6 +62,7 @@ detection:
            - 'C:\Program Files\Windows Defender\MsMpEng.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
            - 'C:\Windows\System32\msiexec.exe'
+            - 'C:\Windows\System32\lsass.exe'
    # Windows Defender
    filter2:
        SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
@@ -4,7 +4,7 @@ description: Detects shell spawn from Java host process, which could a maintenan
 status: experimental
 author: Andreas Hunkeler (@Karneades)
 date: 2021/12/17
-modified: 2021/12/18
+modified: 2022/01/12
 tags:
    - attack.initial_access
    - attack.persistence
@@ -17,7 +17,10 @@ detection:
        ParentImage|endswith: '\java.exe'
        Image|endswith:
            - '\cmd.exe'
-    condition: selection
+    filter:
+        ParentImage|contains: 'build'  # excluding CI build agents
+        CommandLine|contains: 'build'  # excluding CI build agents
+    condition: selection and not filter
 falsepositives:
    - Legitimate calls to system binaries
    - Company specific internal usage
@@ -35,6 +35,9 @@ detection:
    filter_nvidia:
        Image|contains: 'NVIDIA\NvBackend\'
        Image|endswith: '.dat'
+    filter_com:
+        Image|startswith: 'C:\Windows\System32\'
+        Image|endswith: '.com'
    condition: not image_exe and not 1 of filter*
 falsepositives:
    - unknown
@@ -43,7 +43,7 @@ detection:
            - '\nslookup.exe'
            - '-q=TXT'
        ParentImage|contains: '\Autoit'
-    condition: 1 of them
+    condition: 1 of selection*
 falsepositives:
    - Unknown
 level: critical
@@ -16,7 +16,7 @@ detection:
    CommandLine|contains: '\Windows\Caches\NavShExt.dll '
  selection2:
    CommandLine|endswith: '\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'
-  condition: 1 of them
+  condition: 1 of selection*
 falsepositives:
  - Unknown
 level: critical
@@ -17,7 +17,7 @@ detection:
  selection_regsvr32:
    CommandLine|endswith: '/i:%APPDATA%\logs.txt scrobj.dll'
    Description: 'Microsoft(C) Registerserver'
-  condition: 1 of them
+  condition: 1 of selection*
 falsepositives:
  - Very Unlikely
 level: critical
@@ -18,7 +18,7 @@ detection:
    CommandLine|endswith: ',dll_u'
  selection2:
    CommandLine|contains: ' -export dll_u '
-  condition: 1 of them
+  condition: 1 of selection*
 falsepositives:
  - Unknown
 level: critical
@@ -50,7 +50,7 @@ detection:
            - '\programdata\oracle\java.exe'
            - 'CSIDL_COMMON_APPDATA\comms\comms.exe'
            - '\Programdata\VMware\Vmware.exe'
-    condition: 1 of them
+    condition: 1 of selection*
 falsepositives:
    - Unknown
 level: critical
@@ -66,7 +66,7 @@ detection:
            - 'dsquery'
            - ' -uco '
            - '\inetpub\wwwroot'
-    condition: 1 of them
+    condition: 1 of selection*
 falsepositives:
    - Unknown
 level: high
@@ -29,7 +29,7 @@ detection:
            - ':\Users\Public\'
        Image:
            - 'C:\Windows\System32\rundll32.exe'
-    condition: 1 of them
+    condition: 1 of selection*
 falsepositives:
    - Should not be any false positives
 level: critical
@@ -34,7 +34,7 @@ detection:
    selection4:
        CommandLine|contains:
            - '.255 10 C:\ProgramData\'
-    condition: 1 of them
+    condition: 1 of selection*
 falsepositives:
    - Overlap with legitimate process activity in some cases (especially selection 3 and 4)
 level: critical
@@ -26,7 +26,7 @@ detection:
      - '/F'
  selection2:
    Image|endswith: 'Temp\winwsh.exe'
-  condition: 1 of them
+  condition: 1 of selection*
 fields:
  - CommandLine
  - ParentCommandLine
@@ -20,7 +20,7 @@ detection:
    CommandLine|contains|all:
      - 'net use https://docs.live.net'
      - '@aol.co.uk'
-  condition: 1 of them
+  condition: 1 of selection*
 falsepositives:
  - Unknown
 level: critical
@@ -27,7 +27,7 @@ detection:
  selection5:
    ParentImage|startswith: 'C:\ProgramData\DRM\Windows'
    Image|endswith: '\SearchFilterHost.exe'
-  condition: 1 of them
+  condition: 1 of selection*
 falsepositives:
  - Unlikely
 level: critical
@@ -21,7 +21,7 @@ detection:
      - '-x:0'
      - '-x:1'
      - '-x:2'
-  condition: 1 of them
+  condition: 1 of selection*
 falsepositives:
  - Legitimate setups that use similar flags
 level: critical
@@ -27,7 +27,7 @@ detection:
    CommandLine|contains|all:
      - 'format:'
      - 'http'
-  condition: 1 of them
+  condition: 1 of selection*
 falsepositives:
  - Unknown
 level: medium
@@ -34,7 +34,7 @@ detection:
        Image|endswith: '\cmd.exe'
        ParentImage|endswith: '\runonce.exe'
        ParentCommandLine|endswith: '\runonce.exe'
-    condition: 1 of them
+    condition: 1 of selection*
 falsepositives:
    - Other programs that cause these patterns (please report)
 level: high
@@ -22,7 +22,7 @@ detection:
            - '\..\..\'
    selection2:
        CommandLine|contains: '.exe\..\'
-    condition: 1 of them
+    condition: 1 of selection*
 falsepositives:
    - Unknown
 level: high
@@ -35,7 +35,7 @@ detection:
    selection3: 
        CommandLine|endswith: 'shadowcopy delete'
        CommandLine|contains: '\..\..\system32'
-    condition: 1 of them
+    condition: 1 of selection*
 fields:
    - ComputerName
    - User
@@ -47,7 +47,7 @@ detection:
      - 'trace'
      - '--p'
      - '-ets'
-  condition: 1 of them
+  condition: 1 of selection*
 falsepositives:
  - Unknown
 level: high
@@ -30,7 +30,7 @@ detection:
    CommandLine|contains|all:
      - ' DCOnly '
      - ' --NoSaveCache '
-  condition: 1 of them
+  condition: 1 of selection*
 falsepositives:
  - Other programs that use these command line option and accepts an 'All' parameter
 level: high
@@ -23,7 +23,7 @@ detection:
        Image|endswith: 'PasswordDump.exe'
    selection3:
        OriginalFileName|endswith: 'PasswordDump.exe'
-    condition: 1 of them
+    condition: 1 of selection*
 falsepositives:
    - unlikely
 level: critical
@@ -19,7 +19,7 @@ detection:
        Image|contains: '\CreateMiniDump.exe'
    selection2:
        Imphash: '4a07f944a83e8a7c2525efa35dd30e2f'
-    condition: 1 of them
+    condition: 1 of selection*
 falsepositives:
    - Unknown
 level: high
@@ -5,7 +5,7 @@ status: experimental
 references: 
    - https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install
 author: Sreeman, Florian Roth, Frack113
-date: 2020/21/04
+date: 2020/04/21
 modified: 2022/01/11
 tags:
    - attack.defense_evasion
@@ -27,4 +27,4 @@ falsepositives:
    - Admin activity installing packages not in the official Microsoft repo. Winget probably won't be used by most users.
 fields:
    - CommandLine
-level: medium
+level: medium
@@ -12,18 +12,18 @@ logsource:
  category: process_creation
  product: windows
 detection:
-  pipe_com:
+  select_pipe_com:
    CommandLine|contains|all:
      - '\AppData\Local\Temp\'
      - '\\.\pipe\\'
-  rundll32_dash1:
+  select_rundll32_dash1:
    Image|endswith: '\rundll32.exe'
    CommandLine|endswith: 
      - '.dat,#1'
      - '.dat #1' # Sysmon removes comma
-  perfc_keyword:
+  select_perfc_keyword:
    - '\perfc.dat'
-  condition: 1 of them
+  condition: 1 of select*
 fields:
  - CommandLine
  - ParentCommandLine
@@ -44,7 +44,7 @@ detection:
      - 'catalog'
      - '-quiet'
    - CommandLine|contains: '@Please_Read_Me@.txt'
-  condition: 1 of them
+  condition: 1 of selection*
 fields:
  - CommandLine
  - ParentCommandLine
@@ -23,7 +23,7 @@ detection:
      - action=allow
      - protocol=TCP
      - localport=3389
-  condition: 1 of them
+  condition: 1 of selection*
 falsepositives:
  - Legitimate administration
 level: high
@@ -0,0 +1,24 @@
+title: Uninstall Sysinternals Sysmon 
+id: 6a5f68d1-c4b5-46b9-94ee-5324892ea939
+status: experimental
+description: Detects the uninstallation of Sysinternals Sysmon, which could be the result of legitimate administration or a manipulation for defense evasion
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon
+author: frack113
+date: 2022/01/12
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    sysmon:
+        Image|endswith: 
+            - \Sysmon64.exe
+            - \Sysmon.exe
+        CommandLine|contains: '-u'
+    condition: sysmon
+falsepositives:
+    - unknown
+level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
@@ -22,18 +22,18 @@ detection:
        CommandLine|contains:
            - '-DisableBehaviorMonitoring $true'
            - '-DisableRuntimeMonitoring $true'
-    tamper_cmd_stop:
+    selection_tamper_cmd_stop:
        CommandLine|contains|all:
            - sc
            - stop
            - WinDefend
-    tamper_cmd_disabled:
+    selection_tamper_cmd_disabled:
        CommandLine|contains|all:
            - sc
            - config
            - WinDefend
            - 'start=disabled'
-    condition: 1 of them
+    condition: 1 of selection*
 falsepositives:
    - 'Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice.'
 level: high
@@ -16,7 +16,7 @@ detection:
    CommandLine|contains:
      - 'bxor'
      - '-join '
-      - "-join'"
+      - '-join'''
      - '-join"'
      - '-join`'
      - 'char'
@@ -1,10 +1,10 @@
 title: PurpleSharp Indicator
 id: ff23ffbc-3378-435e-992f-0624dcf93ab4
 status: experimental
-description: Detect
+description: Detects the execution of the PurpleSharp adversary simulation tool
 author: Florian Roth
 date: 2021/06/18
-modified: 2021/07/06
+modified: 2022/01/12
 references:
    - https://github.com/mvelazc0/PurpleSharp
 logsource:
@@ -16,8 +16,7 @@ detection:
            - xyz123456.exe
            - PurpleSharp
    selection2:
-        OriginalFileName: 
-            - 'PurpleSharp.exe'
+        OriginalFileName: 'PurpleSharp.exe'
    condition: selection1 or selection2
 falsepositives:
    - Unlikely
@@ -6,7 +6,7 @@ references:
    - https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf
 status: experimental
 date: 2020/02/18
-modified: 2021/06/11
+modified: 2022/01/11
 author: Sreeman
 tags:
    - attack.t1015 # an old one
@@ -17,8 +17,7 @@ logsource:
    category: process_creation
 detection:
    selection:
-        CommandLine:
-            - "copy /y C:\\windows\\system32\\cmd.exe C:\\windows\\system32\\sethc.exe"
+        CommandLine: 'copy /y C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe'
    condition: selection
 fields:
    - CommandLine
@@ -18,11 +18,11 @@ detection:
    CommandLine|contains:
      - 'join*split'
            # Line 343ff
-      - "( $ShellId[1]+$ShellId[13]+'x')"
+      - '( $ShellId[1]+$ShellId[13]+''x'')'
      - '( $PSHome[*]+$PSHOME[*]+'
-      - "( $env:Public[13]+$env:Public[5]+'x')"
-      - "( $env:ComSpec[4,*,25]-Join'')"
-      - "[1,3]+'x'-Join'')"
+      - '( $env:Public[13]+$env:Public[5]+''x'')'
+      - '( $env:ComSpec[4,*,25]-Join'''')'
+      - '[1,3]+''x''-Join'''')'
  condition: powershell_execution and snippets
 fields:
  - ComputerName
@@ -23,7 +23,7 @@ detection:
    CommandLine|contains|all:
      - ' -name DisableFirstRunCustomize '
      - ' -value 2 '
-  condition: 1 of them
+  condition: 1 of selection*
 falsepositives:
  - Unknown, maybe some security software installer disables these features temporarily
 level: high
@@ -28,7 +28,7 @@ detection:
            - 'schtasks'
            - '/DELETE'
            - 'Raccine Rules Updater'
-    condition: 1 of them
+    condition: 1 of selection*
 falsepositives:
    - Legitimate deinstallation by administrative staff
 level: high
@@ -26,7 +26,7 @@ detection:
        CommandLine|endswith:
          - '.dll,Control_RunDLL'
          - '.dll",Control_RunDLL'
-          - ".dll',Control_RunDLL"
+          - '.dll'',Control_RunDLL'
    filter_ide:
        ParentImage|endswith:
            - '\tracker.exe' #When Visual Studio compile NodeJS program, it might use MSBuild to create tracker.exe and then, the tracker.exe fork rundll32.exe
@@ -38,7 +38,7 @@ detection:
            - ' tcp '
            - ' http '
            - ' authtoken '
-    condition: 1 of them
+    condition: 1 of selection*
 falsepositives:
    - Another tool that uses the command line switches of Ngrok
    - ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)
@@ -50,7 +50,7 @@ detection:
        CommandLine|contains: 
            - '\AppData\Local'
            - 'C:\Users\Public'
-    condition: 1 of them
+    condition: 1 of selection*
 fields:
    - CommandLine
    - ParentCommandLine
@@ -55,8 +55,8 @@ detection:
        Image|endswith: \netsh.exe
    suspicious_netsh_filter:
        CommandLine|contains:
-            - "add portopening"
-            - "rule name"
+            - 'add portopening'
+            - 'rule name'
    suspicious_powershell:
        Image|endswith: \powershell.exe
    suspicious_powershell_filter:
@@ -11,7 +11,7 @@ tags:
    - attack.t1218
 author: Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
 date: 2019/11/12
-modified: 2021/12/07
+modified: 2022/01/12
 logsource:
    category: process_creation
    product: windows
@@ -24,10 +24,11 @@ detection:
            - '--createShortcut'
        CommandLine|contains|all:
            - '.exe'
-    filter:
+    filter1:
        CommandLine|contains|all:
-            - 'C:\\Users\\'
-            - '\\AppData\\Local\\Discord\\Update.exe\" --processStart Discord.exe'
+            - 'C:\Users\'
+            - '\AppData\Local\Discord\Update.exe'
+            - ' --processStart Discord.exe'
    condition: selection and not 1 of filter*
 falsepositives:
    - 1Clipboard
@@ -36,7 +36,7 @@ detection:
        CommandLine|contains|all:
            - '-filter'
            - 'trustedDomain'
-    condition: 1 of them
+    condition: 1 of selection*
 falsepositives:
    - Legitimate use of the utilities by legitimate user for legitimate reason
 level: medium
@@ -11,7 +11,7 @@ tags:
    - attack.t1053
 author: Sreeman
 date: 2020/09/29
-modified: 2021/09/24
+modified: 2022/01/13
 fields:
    - EventID
    - CommandLine
@@ -22,6 +22,7 @@ logsource:
    category: registry_event
 detection:
    selection:
+        EventType: SetValue
        TargetObject|contains: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\'
        Details|endswith: 
            - .sh
@@ -5,7 +5,7 @@ related:
      type: derived
 description: Detects disabling Windows Defender threat protection
 date: 2020/07/28
-modified: 2021/10/18
+modified: 2022/01/13
 author: Ján Trenčanský, frack113, AlertIQ
 references:
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
@@ -27,6 +27,7 @@ detection:
            - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus'
        Details: 'DWORD (0x00000001)'
    selection2:
+        EventType: SetValue
        TargetObject:
            - 'HKLM\SYSTEM\CurrentControlSet\Services\WinDefend'
            - 'HKLM\SOFTWARE\Microsoft\Windows Defender'
@@ -10,7 +10,7 @@ references:
    - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
 author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
 date: 2017/11/10
-modified: 2021/09/19
+modified: 2022/01/13
 tags:
    - attack.execution
    - attack.t1059.005
@@ -21,6 +21,7 @@ logsource:
    product: windows
 detection:
    selection:
+        EventType: SetValue
        TargetObject|startswith: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        Details|startswith: '%AppData%\Roaming\Oracle\bin\'
    condition: selection
@@ -21,7 +21,7 @@ detection:
    selection2:
        EventType: DeleteKey
        TargetObject|contains: '\Microsoft\Terminal Server Client\Servers\'
-    condition: 1 of them
+    condition: 1 of selection*
 falsepositives:
    - unknown
 level: high
@@ -3,6 +3,7 @@ id: 6597be7b-ac61-4ac8-bef4-d3ec88174853
 description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
 author: Christian Burkard
 date: 2021/08/30
+modified: 2022/01/13
 status: experimental
 references:
    - https://github.com/hfiref0x/UACME
@@ -15,6 +16,7 @@ logsource:
    product: windows
 detection:
    selection:
+        EventType: SetValue
        TargetObject|contains: '\Root\InventoryApplicationFile\winsat.exe|'
        TargetObject|endswith: '\LowerCaseLongPath'
        Details|startswith: 'c:\users\'
@@ -3,6 +3,7 @@ id: 5f9db380-ea57-4d1e-beab-8a2d33397e93
 description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
 author: Christian Burkard
 date: 2021/08/23
+modified: 2022/01/13
 status: experimental
 references:
    - https://github.com/hfiref0x/UACME
@@ -15,6 +16,7 @@ logsource:
    product: windows
 detection:
    selection:
+        EventType: SetValue
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Windows Media Player\osk.exe'
        Details: 'Binary Data'
    condition: selection
@@ -11,12 +11,13 @@ references:
    - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2021/12/05
+modified: 2022/01/13
 logsource:
    category: registry_event
    product: windows
 detection:
    classes_base:
+        EventType: SetValue
        TargetObject|contains: '\Software\Classes'
    classes:
        TargetObject|contains:
@@ -11,12 +11,13 @@ references:
    - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2021/12/05
+modified: 2022/01/13
 logsource:
    category: registry_event
    product: windows
 detection:
    main_selection:
+        EventType: SetValue
        TargetObject|contains:
            - '\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart'
            - '\Software\Wow6432Node\Microsoft\Command Processor\Autorun'
@@ -11,12 +11,13 @@ references:
    - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2021/12/05
+modified: 2022/01/13
 logsource:
    category: registry_event
    product: windows
 detection:
    system_control_base:
+        EventType: SetValue
        TargetObject|contains: '\SYSTEM\CurrentControlSet\Control'
    system_control:
        TargetObject|contains:
@@ -11,12 +11,13 @@ references:
    - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2021/12/27
+modified: 2022/01/13
 logsource:
    category: registry_event
    product: windows
 detection:
    current_version_base:
+        EventType: SetValue
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion'
    current_version:
        TargetObject|contains:
@@ -11,12 +11,13 @@ references:
    - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2021/12/05
+modified: 2022/01/13
 logsource:
    category: registry_event
    product: windows
 detection:
    nt_current_version_base:
+        EventType: SetValue
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    nt_current_version:
        TargetObject|contains:
@@ -11,12 +11,13 @@ references:
    - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2021/12/05
+modified: 2022/01/13
 logsource:
    category: registry_event
    product: windows
 detection:
    ie:
+        EventType: SetValue
        TargetObject|contains:
            - '\Software\Wow6432Node\Microsoft\Internet Explorer'
            - '\Software\Microsoft\Internet Explorer'
@@ -11,12 +11,13 @@ references:
    - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2021/12/05
+modified: 2022/01/13
 logsource:
    category: registry_event
    product: windows
 detection:
    office:
+        EventType: SetValue
        TargetObject|contains:
            - '\Software\Wow6432Node\Microsoft\Office'
            - '\Software\Microsoft\Office'
@@ -11,12 +11,13 @@ references:
    - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2021/12/05
+modified: 2022/01/13
 logsource:
    category: registry_event
    product: windows
 detection:
    session_manager_base:
+        EventType: SetValue
        TargetObject|contains: '\System\CurrentControlSet\Control\Session Manager'
    session_manager:
        TargetObject|contains:
@@ -11,12 +11,13 @@ references:
    - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2021/12/05
+modified: 2022/01/13
 logsource:
    category: registry_event
    product: windows
 detection:
    scripts_base:
+        EventType: SetValue
        TargetObject|contains: '\Software\Policies\Microsoft\Windows\System\Scripts'
    scripts:
        TargetObject|contains:
@@ -11,12 +11,13 @@ references:
    - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2022/01/08
+modified: 2022/01/13
 logsource:
    category: registry_event
    product: windows
 detection:
    winsock_parameters_base:
+        EventType: SetValue
        TargetObject|contains: '\System\CurrentControlSet\Services\WinSock2\Parameters'
    winsock_parameters:
        TargetObject|contains:
--- a/Show More
+++ b/Show More