Merge pull request #2787 from frack113/refactor_regex

Refactor regex

rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml

@@ -7,22 +7,27 @@ description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 status: unsupported
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
-modified: 2021/09/18
+modified: 2022/03/08
 references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
+logsource:
+    product: windows
+    category: driver_load
+detection:
+    selection:
+        ImagePath|contains|all: 
+            - 'new-object'
+            - 'text.encoding]::ascii'
+        ImagePath|contains:
+            - 'system.io.compression.deflatestream'
+            - 'system.io.streamreader'
+        ImagePath|endswitch: 'readtoend'
+    condition: selection
+falsepositives:
+    - unknown
+level: medium
 tags:
     - attack.defense_evasion
     - attack.t1027
     - attack.execution
     - attack.t1059.001
-logsource:
-    product: windows
-    category: driver_load
-detection:
-
-    selection:
-        ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
-    condition: selection
-falsepositives:
-    - unknown
-level: medium

rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml

@@ -7,21 +7,25 @@ description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 status: unsupported
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
-modified: 2021/09/18
+modified: 2022/03/08
 references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
-tags:
-    - attack.defense_evasion
-    - attack.t1027
-    - attack.execution
-    - attack.t1059.001
 logsource:
     product: windows
     category: driver_load
 detection:
     selection:
-        ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+        ImagePath|contains|all:
+            - 'rundll32.exe'
+            - 'shell32.dll'
+            - 'shellexec_rundll'
+            - 'powershell'
     condition: selection 
 falsepositives:
     - Unknown
-level: medium
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001

rules-unsupported/driver_load_invoke_obfuscation_via_use_mshta_services.yml

@@ -7,21 +7,27 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts
 status: unsupported
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
-modified: 2021/09/18
+modified: 2022/03/08
 references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
-tags:
-    - attack.defense_evasion
-    - attack.t1027
-    - attack.execution
-    - attack.t1059.001
 logsource:
     product: windows
     category: driver_load
 detection:
     selection:
-        ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
+        ImagePath|contains|all:
+            - 'set'
+            - '&&'
+            - 'mshta'
+            - 'vbscript:createobject'
+            - '.run'
+            - '(window.close)'
     condition: selection
 falsepositives:
     - Unknown
-level: high
+level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001

rules-unsupported/driver_load_invoke_obfuscation_via_use_rundll32_services.yml

@@ -7,21 +7,30 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 status: unsupported
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
-modified: 2021/09/18
+modified: 2022/03/08
 references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task30)
-tags:
-    - attack.defense_evasion
-    - attack.t1027
-    - attack.execution
-    - attack.t1059.001
 logsource:
     product: windows
     category: driver_load
 detection:
     selection:
-        ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+        ImagePath|contains|all: 
+            - '&&'
+            - 'rundll32'
+            - 'shell32.dll'
+            - 'shellexec_rundll'
+        ImagePath|contains:     
+            - 'value'
+            - 'invoke'
+            - 'comspec'
+            - 'iex'
     condition: selection
 falsepositives:
     - Unknown
-level: high
+level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001

rules/windows/builtin/security/win_asr_bypass_via_appvlp_re.yml

@@ -1,25 +1,49 @@
 title: Using AppVLP To Circumvent ASR File Path Rule
 id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43
 status: experimental
-description: 'Application Virtualization Utility is included with Microsoft Office.We are able to abuse "AppVLP" to execute shell commands. Normally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder or to mark a file as a system file'
+description: |
+  Application Virtualization Utility is included with Microsoft Office. We are able to abuse "AppVLP" to execute shell commands.
+  Normally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder
+  or to mark a file as a system file.
 author: Sreeman
 date: 2020/03/13
-modified: 2021/06/11
-tags: 
-    - attack.t1218
-    - attack.defense_evasion
-    - attack.execution
+modified: 2022/03/08
 logsource: 
     product: windows
     service: security
 detection: 
-    selection:
-        CommandLine|re: '(?i).*appvlp.exe.*(cmd.exe|powershell.exe).*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.msh|.reg|.scr|.ps|.vb|.jar|.pl|.inf)'
-    condition: selection
+    selection_1:
+        CommandLine|contains: 'appvlp.exe'
+    selection_2:
+        CommandLine|contains:        
+            - 'cmd.exe'
+            - 'powershell.exe'
+    selection_3:
+        CommandLine|contains:        
+            - '.sh'
+            - '.exe'
+            - '.dll'
+            - '.bin'
+            - '.bat'
+            - '.cmd'
+            - '.js'
+            - '.msh'
+            - '.reg'
+            - '.scr'
+            - '.ps'
+            - '.vb'
+            - '.jar'
+            - '.pl'
+            - '.inf'
+    condition: all of selection_*
 falsepositives: 
     - unknown
 fields: 
     - ParentProcess
     - CommandLine
     - ParentCommandLine
-level: medium
+level: medium
+tags: 
+    - attack.t1218
+    - attack.defense_evasion
+    - attack.execution

rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml

@@ -7,22 +7,26 @@ description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
-modified: 2021/10/16
+modified: 2022/03/08
 references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
-tags:
-    - attack.defense_evasion
-    - attack.t1027
-    - attack.execution
-    - attack.t1059.001
 logsource:
     product: windows
     category: ps_module
     definition: PowerShell Module Logging must be enabled
 detection:
     selection_4103:
-        Payload|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+        Payload|contains|all: 
+            - 'rundll32.exe'
+            - 'shell32.dll'
+            - 'shellexec_rundll'
+            - 'powershell'
     condition: selection_4103
 falsepositives:
     - Unknown
 level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001 

rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml

@@ -7,22 +7,31 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2019/10/08
-modified: 2021/10/16
+modified: 2022/03/08
 references:
     - https://github.com/Neo23x0/sigma/issues/1009
-tags:
-    - attack.defense_evasion
-    - attack.t1027
-    - attack.execution
-    - attack.t1059.001
 logsource:
     product: windows
     category: ps_module
     definition: PowerShell Module Logging must be enabled
 detection:
     selection_4103:
-        Payload|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+        Payload|contains|all:
+            - '&&'
+            - 'rundll32'
+            - 'shell32.dll'
+            - 'shellexec_rundll'
+        Payload|contains:    
+            - 'value'
+            - 'invoke'
+            - 'comspec'
+            - 'iex'
     condition: selection_4103
 falsepositives:
     - Unknown
 level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001

rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml

@@ -4,22 +4,28 @@ description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
-modified: 2021/10/16
+modified: 2022/03/08
 references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
-tags:
-    - attack.defense_evasion
-    - attack.t1027
-    - attack.execution
-    - attack.t1059.001
 logsource:
     product: windows
     category: ps_script
     definition: Script block logging must be enabled
 detection:
     selection_4104:
-        ScriptBlockText|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
+        ScriptBlockText|contains|all: 
+            - 'new-object'
+            - 'text.encoding]::ascii'
+        ScriptBlockText|contains: 
+            - 'system.io.compression.deflatestream'
+            - 'system.io.streamreader'
+        ScriptBlockText|endswith: 'readtoend'
     condition: selection_4104
 falsepositives:
     - unknown
-level: medium
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001

rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml

@@ -4,22 +4,26 @@ description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
-modified: 2021/10/16
+modified: 2022/03/08
 references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
-tags:
-    - attack.defense_evasion
-    - attack.t1027
-    - attack.execution
-    - attack.t1059.001
 logsource:
     product: windows
     category: ps_script
     definition: Script block logging must be enabled
 detection:
     selection_4104:
-        ScriptBlockText|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+        ScriptBlockText|contains|all:
+            - 'rundll32.exe'
+            - 'shell32.dll'
+            - 'shellexec_rundll'
+            - 'powershell'
     condition: selection_4104
 falsepositives:
     - Unknown
 level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001

rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml

@@ -4,22 +4,31 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2019/10/08
-modified: 2021/10/16
+modified: 2022/03/08
 references:
     - https://github.com/Neo23x0/sigma/issues/1009
-tags:
-    - attack.defense_evasion
-    - attack.t1027
-    - attack.execution
-    - attack.t1059.001
 logsource:
     product: windows
     category: ps_script
     definition: Script block logging must be enabled
 detection:
     selection_4104:
-        ScriptBlockText|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+        ScriptBlockText|contains|all:
+            - '&&'
+            - 'rundll32'
+            - 'shell32.dll'
+            - 'shellexec_rundll'
+        ScriptBlockText|contains:
+            - 'value'
+            - 'invoke'
+            - 'comspec'
+            - 'iex'
     condition: selection_4104
 falsepositives:
     - Unknown
 level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001

rules/windows/process_creation/proc_creation_win_hiding_malware_in_fonts_folder.yml

@@ -5,24 +5,52 @@ status: experimental
 references:
     - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
 date: 2020/21/04
-modified: 2021/06/11
+modified: 2022/03/08
 author: Sreeman
-tags:
-    - attack.t1211
-    - attack.t1059
-    - attack.defense_evasion
-    - attack.persistence
 logsource:
     product: windows
     category: process_creation
 detection:
-    selection1:
-        CommandLine|re: '(?i).*(echo|copy|type|file createnew|cacls).*C:\\\\Windows\\\\Fonts\\\\.*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.msh|.reg|.scr|.ps|.vb|.jar|.pl|.inf|.cpl|.hta|.msi|.vbs).*'
-    condition: selection1
+    selection_1:
+        CommandLine|contains: 
+            - 'echo'
+            - 'copy'
+            - 'type'
+            - 'file createnew'
+            - 'cacls'
+    selection_2:    
+        CommandLine|contains: 'C:\Windows\Fonts\'
+    selection_3:
+        CommandLine|contains:
+            - '.sh'
+            - '.exe'
+            - '.dll'
+            - '.bin'
+            - '.bat'
+            - '.cmd'
+            - '.js'
+            - '.msh'
+            - '.reg'
+            - '.scr'
+            - '.ps'
+            - '.vb'
+            - '.jar'
+            - '.pl'
+            - '.inf'
+            - '.cpl'
+            - '.hta'
+            - '.msi'
+            - '.vbs'
+    condition: all of selection_*
 fields:
     - CommandLine
     - ParentProcess
     - CommandLine
 falsepositives:
     - unknown
-level: medium
+level: medium
+tags:
+    - attack.t1211
+    - attack.t1059
+    - attack.defense_evasion
+    - attack.persistence

rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_mhsta.yml

@@ -6,13 +6,19 @@ author: Nikita Nazarov, oscd.community
 references:
   - https://github.com/Neo23x0/sigma/issues/1009   #(Task31)
 date: 2020/10/08
-modified: 2021/11/27
+modified: 2022/03/08
 logsource:
   category: process_creation
   product: windows
 detection:
   selection:
-    CommandLine|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
+    CommandLine|contains|all:
+      - 'set'
+      - '&&'
+      - 'mshta'
+      - 'vbscript:createobject'
+      - '.run'
+      - '(window.close)'
   condition: selection
 falsepositives:
   - Unknown

rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml

@@ -6,13 +6,22 @@ author: Nikita Nazarov, oscd.community
 references:
   - https://github.com/Neo23x0/sigma/issues/1009
 date: 2019/10/08
-modified: 2021/11/27
+modified: 2022/03/08
 logsource:
   category: process_creation
   product: windows
 detection:
   selection:
-    CommandLine|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+    CommandLine|contains|all:
+      - '&&'
+      - 'rundll32'
+      - 'shell32.dll'
+      - 'shellexec_rundll'
+    CommandLine|contains:  
+      - 'value'
+      - 'invoke'
+      - 'comspec'
+      - 'iex'
   condition: selection
 falsepositives:
   - Unknown