Merge pull request #2545 from frack113/quote

Simple Quote in detection

rules/linux/builtin/lnx_shell_susp_rev_shells.yml

@@ -27,10 +27,10 @@ detection:
     - '/bin/sh -i <&3 >&3 2>&3'
     - 'uname -a; w; id; /bin/bash -i'
     - '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()};'
-    - ";os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv('HISTFILE','/dev/null');"
+    - ';os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv(''HISTFILE'',''/dev/null'');'
     - '.to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
     - ';while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print'
-    - "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:"
+    - 'socat exec:''bash -li'',pty,stderr,setsid,sigint,sane tcp:'
     - 'rm -f /tmp/p; mknod /tmp/p p &&'
     - ' | /bin/bash | telnet '
     - ',echo=0,raw tcp-listen:'

rules/linux/macos/process_creation/macos_local_account.yml

@@ -25,7 +25,7 @@ detection:
       - 'user'
   selection_3:
     CommandLine|contains:
-      - "'x:0:'"
+      - '''x:0:'''
   selection_4:
     Image|endswith:
       - '/cat'

rules/linux/other/lnx_susp_vsftp.yml

@@ -22,7 +22,7 @@ detection:
     - 'bug: pid active in ptrace_sandbox_free'
     - 'PTRACE_SETOPTIONS failure'
     - 'weird status:'
-    - "couldn't handle sandbox event"
+    - 'couldn''t handle sandbox event'
     - 'syscall * out of bounds'
     - 'syscall not permitted:'
     - 'syscall validate failed:'

rules/linux/process_creation/lnx_local_account.yml

@@ -16,7 +16,7 @@ detection:
       - '/lastlog'
   selection_2:
     CommandLine|contains:
-      - "'x:0:'"
+      - '''x:0:'''
   selection_3:
     Image|endswith:
       - '/cat'

rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml

@@ -2,8 +2,8 @@ title: Domain User Enumeration Network Recon 01
 description: Domain user and group enumeration via network reconnaissance. Seen in APT 29 and other common tactics and actors. Detects a set of RPC (remote procedure calls) used to enumerate a domain controller. The rule was created based off the datasets and hackathon from https://github.com/OTRF/detection-hackathon-apt29
 id: 66a0bdc6-ee04-441a-9125-99d2eb547942
 references:
-    - "https://github.com/OTRF/detection-hackathon-apt29"
-    - "https://github.com/OTRF/detection-hackathon-apt29/issues/37"
+    - https://github.com/OTRF/detection-hackathon-apt29
+    - https://github.com/OTRF/detection-hackathon-apt29/issues/37
 author: 'Nate Guagenti (@neu5ron), Open Threat Research (OTR)'
 date: 2020/05/03
 modified: 2021/11/14

rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml

@@ -25,12 +25,12 @@ logsource:
 detection:
     printer_operation:
         operation:
-            - "RpcAsyncInstallPrinterDriverFromPackage" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x3e
-            - "RpcAsyncAddPrintProcessor" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x2c
-            - "RpcAddPrintProcessor" # "12345678-1234-abcd-ef00-0123456789ab",0x0e
-            - "RpcAddPrinterDriverEx" # "12345678-1234-abcd-ef00-0123456789ab",0x59
-            - "RpcAddPrinterDriver" # "12345678-1234-abcd-ef00-0123456789ab",0x09
-            - "RpcAsyncAddPrinterDriver" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x27
+            - 'RpcAsyncInstallPrinterDriverFromPackage' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x3e
+            - 'RpcAsyncAddPrintProcessor' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x2c
+            - 'RpcAddPrintProcessor' # "12345678-1234-abcd-ef00-0123456789ab",0x0e
+            - 'RpcAddPrinterDriverEx' # "12345678-1234-abcd-ef00-0123456789ab",0x59
+            - 'RpcAddPrinterDriver' # "12345678-1234-abcd-ef00-0123456789ab",0x09
+            - 'RpcAsyncAddPrinterDriver' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x27
     condition: printer_operation
 falsepositives:
     - Legitimate remote alteration of a printer driver.

rules/proxy/proxy_cobalt_malformed_uas.yml

@@ -12,9 +12,9 @@ logsource:
 detection:
   selection1:
     c-useragent: 
-      - "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)"
-      - "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )"
-      - "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08"
+      - 'Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)'
+      - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )'
+      - 'Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08'
   selection2:
     c-useragent|endswith: '; MANM; MANM)'
   condition: 1 of selection*

rules/proxy/proxy_ursnif_malware_c2_url.yml

@@ -12,12 +12,12 @@ logsource:
 detection:
   b64encoding:
     c-uri|contains:
-      - "_2f"
-      - "_2b"
+      - '_2f'
+      - '_2b'
   urlpatterns:
     c-uri|contains|all:
-      - ".avi"
-      - "/images/"
+      - '.avi'
+      - '/images/'
   condition: b64encoding and urlpatterns
 fields:
   - c-ip

rules/web/web_exchange_cve_2020_0688_exploit.yml

@@ -12,9 +12,9 @@ logsource:
 detection:
   selection:
     c-uri|contains|all:
-      - "/ecp/default.aspx"
-      - "__VIEWSTATEGENERATOR="
-      - "__VIEWSTATE="
+      - '/ecp/default.aspx'
+      - '__VIEWSTATEGENERATOR='
+      - '__VIEWSTATE='
   condition: selection
 falsepositives:
   - Unknown

rules/windows/builtin/security/win_rdp_localhost_login.yml

@@ -20,8 +20,8 @@ detection:
         EventID: 4624
         LogonType: 10
         IpAddress:
-            - "::1"
-            - "127.0.0.1"
+            - '::1'
+            - '127.0.0.1'
     condition: selection
 falsepositives:
     - Unknown

rules/windows/malware/process_creation_mal_darkside_ransomware.yml

@@ -14,13 +14,11 @@ logsource:
 detection:
     selection1:
         CommandLine|contains: 
-            - "=[char][byte]('0x'+"
+            - '=[char][byte](''0x''+'
             - ' -work worker0 -path '
     selection2:
-        ParentCommandLine|contains:
-            - 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
-        Image|contains:
-            - '\AppData\Local\Temp\'
+        ParentCommandLine|contains: 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
+        Image|contains: '\AppData\Local\Temp\'
     condition: 1 of selection*
 falsepositives:
     - Unknown

rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml

@@ -13,8 +13,7 @@ logsource:
     definition: Script Block Logging must be enable
 detection:
     selection:
-        ScriptBlockText|contains:
-            - "Invoke-AzureHound"
+        ScriptBlockText|contains: Invoke-AzureHound
     condition: selection
 tags:
     - attack.discovery

rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml

@@ -22,11 +22,10 @@ logsource:
 detection:
     selection_content:
         ScriptBlockText|contains:
-            - "set-content"
-            - "add-content"
+            - set-content
+            - add-content
     selection_stream:
-        ScriptBlockText|contains:
-            - "-stream"
+        ScriptBlockText|contains: '-stream'
     condition: all of selection*
 falsepositives:
     - unknown

rules/windows/process_creation/win_powershell_xor_commandline.yml

@@ -16,7 +16,7 @@ detection:
     CommandLine|contains:
       - 'bxor'
       - '-join '
-      - "-join'"
+      - '-join'''
       - '-join"'
       - '-join`'
       - 'char'

rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml

@@ -6,7 +6,7 @@ references:
     - https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf
 status: experimental
 date: 2020/02/18
-modified: 2021/06/11
+modified: 2022/01/11
 author: Sreeman
 tags:
     - attack.t1015 # an old one
@@ -17,8 +17,7 @@ logsource:
     category: process_creation
 detection:
     selection:
-        CommandLine:
-            - "copy /y C:\\windows\\system32\\cmd.exe C:\\windows\\system32\\sethc.exe"
+        CommandLine: 'copy /y C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe'
     condition: selection
 fields:
     - CommandLine

rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml

@@ -18,11 +18,11 @@ detection:
     CommandLine|contains:
       - 'join*split'
             # Line 343ff
-      - "( $ShellId[1]+$ShellId[13]+'x')"
+      - '( $ShellId[1]+$ShellId[13]+''x'')'
       - '( $PSHome[*]+$PSHOME[*]+'
-      - "( $env:Public[13]+$env:Public[5]+'x')"
-      - "( $env:ComSpec[4,*,25]-Join'')"
-      - "[1,3]+'x'-Join'')"
+      - '( $env:Public[13]+$env:Public[5]+''x'')'
+      - '( $env:ComSpec[4,*,25]-Join'''')'
+      - '[1,3]+''x''-Join'''')'
   condition: powershell_execution and snippets
 fields:
   - ComputerName

rules/windows/process_creation/win_susp_emotet_rundll32_execution.yml

@@ -26,7 +26,7 @@ detection:
         CommandLine|endswith:
           - '.dll,Control_RunDLL'
           - '.dll",Control_RunDLL'
-          - ".dll',Control_RunDLL"
+          - '.dll'',Control_RunDLL'
     filter_ide:
         ParentImage|endswith:
             - '\tracker.exe' #When Visual Studio compile NodeJS program, it might use MSBuild to create tracker.exe and then, the tracker.exe fork rundll32.exe

rules/windows/process_creation/win_susp_spoolsv_child_processes.yml

@@ -55,8 +55,8 @@ detection:
         Image|endswith: \netsh.exe
     suspicious_netsh_filter:
         CommandLine|contains:
-            - "add portopening"
-            - "rule name"
+            - 'add portopening'
+            - 'rule name'
     suspicious_powershell:
         Image|endswith: \powershell.exe
     suspicious_powershell_filter: