From d6f3e7dacbbde484fa0b896a5f4fe8f4dfff9156 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 24 Feb 2023 19:33:24 +0100
Subject: [PATCH] feat: rename rules for conventions
---
 ...in_powershell_tamper_defender_remove_mppreference.yml} | 0
 .../process_creation/proc_creation_win_renamed_binary.yml | 1 -
 .../proc_creation_win_renamed_binary_highly_relevant.yml | 1 +
 ... proc_creation_win_renamed_sysinternals_debugview.yml} | 0
 ...> proc_creation_win_renamed_sysinternals_procdump.yml} | 0
 ...=> proc_creation_win_renamed_sysinternals_sdelete.yml} | 0
 ...creation_win_sysinternal_suite_tools_masquerading.yml} | 0
 .../proc_creation_win_sysinternals_eula_accepted.yml | 8 ++++----
 ...mp.yml => proc_creation_win_sysinternals_procdump.yml} | 0
 ...> proc_creation_win_sysinternals_procdump_evasion.yml} | 0
 ... => proc_creation_win_sysinternals_procdump_lsass.yml} | 0
 ...yml => proc_creation_win_sysinternals_psexec_eula.yml} | 0
 ...reation_win_sysinternals_psexec_service_execution.yml} | 0
 ...vc.yml => proc_creation_win_sysinternals_psexesvc.yml} | 0
 ...proc_creation_win_sysinternals_psexesvc_as_system.yml} | 0
 ...> proc_creation_win_sysinternals_psexesvc_renamed.yml} | 0
 ... 
=> proc_creation_win_sysinternals_psexesvc_start.yml} | 0
 ...on_win_sysinternals_psexex_paexec_escalate_system.yml} | 0
 ...roc_creation_win_sysinternals_psexex_paexec_flags.yml} | 0
 ...t.yml => proc_creation_win_sysinternals_psloglist.yml} | 0
 .../proc_creation_win_sysinternals_psservice.yml | 5 +++--
 ...ete.yml => proc_creation_win_sysinternals_sdelete.yml} | 0
 ...> proc_creation_win_uninstall_sysinternals_sysmon.yml} | 0
 23 files changed, 8 insertions(+), 7 deletions(-)
 rename rules/windows/process_creation/{proc_creation_win_tamper_defender_remove_mppreference.yml => proc_creation_win_powershell_tamper_defender_remove_mppreference.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_renamed_debugview.yml => proc_creation_win_renamed_sysinternals_debugview.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_renamed_procdump.yml => proc_creation_win_renamed_sysinternals_procdump.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_renamed_sdelete.yml => proc_creation_win_renamed_sysinternals_sdelete.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_susp_sysinternal_suite_tools_masquerading.yml => proc_creation_win_sysinternal_suite_tools_masquerading.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_procdump.yml => proc_creation_win_sysinternals_procdump.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_procdump_evasion.yml => proc_creation_win_sysinternals_procdump_evasion.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_susp_procdump_lsass.yml => proc_creation_win_sysinternals_procdump_lsass.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_susp_psexec_eula.yml => proc_creation_win_sysinternals_psexec_eula.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_tool_psexec.yml => proc_creation_win_sysinternals_psexec_service_execution.yml} (100%)
 rename 
rules/windows/process_creation/{proc_creation_win_susp_psexesvc.yml => proc_creation_win_sysinternals_psexesvc.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_susp_psexesvc_as_system.yml => proc_creation_win_sysinternals_psexesvc_as_system.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_susp_psexesvc_renamed.yml => proc_creation_win_sysinternals_psexesvc_renamed.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_psexesvc_start.yml => proc_creation_win_sysinternals_psexesvc_start.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_susp_psexex_paexec_escalate_system.yml => proc_creation_win_sysinternals_psexex_paexec_escalate_system.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_susp_psexex_paexec_flags.yml => proc_creation_win_sysinternals_psexex_paexec_flags.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_susp_psloglist.yml => proc_creation_win_sysinternals_psloglist.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_sdelete.yml => proc_creation_win_sysinternals_sdelete.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_uninstall_sysmon.yml => proc_creation_win_uninstall_sysinternals_sysmon.yml} (100%)
diff --git a/rules/windows/process_creation/proc_creation_win_tamper_defender_remove_mppreference.yml b/rules/windows/process_creation/proc_creation_win_powershell_tamper_defender_remove_mppreference.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_tamper_defender_remove_mppreference.yml
rename to rules/windows/process_creation/proc_creation_win_powershell_tamper_defender_remove_mppreference.yml
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_binary.yml b/rules/windows/process_creation/proc_creation_win_renamed_binary.yml
index 7312f5f4c..82a6a4bfe 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_binary.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_binary.yml
@@ -43,5 +43,4 @@ detection:
 condition: selection and not filter
 falsepositives:
 - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
- - PsExec installed via Windows Store doesn't contain original filename field (False negative)
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml b/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml
index 54a382a8b..6ab610adc 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml
@@ -72,4 +72,5 @@ detection:
 condition: selection and not filter
 falsepositives:
 - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
+ - PsExec installed via Windows Store doesn't contain original filename field (False negative)
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_debugview.yml b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_debugview.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_renamed_debugview.yml
rename to rules/windows/process_creation/proc_creation_win_renamed_sysinternals_debugview.yml
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
rename to rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml
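Review bot: The line added under `falsepositives:` in proc_creation_win_renamed_binary_highly_relevant.yml documents a known false negative (Store-installed PsExec lacking the original filename field), not a false positive, so analysts tuning the rule for noise will be misled by it; a YAML comment next to the detection logic, e.g. `# Known false negative: PsExec installed via the Windows Store does not carry the original filename field`, or a sentence in `description:` is the better home. Neither this file nor proc_creation_win_renamed_binary.yml, where the same line is removed, gets its `modified:` date bumped in this commit — the diffstat shows exactly one insertion and one deletion for them — while the eula_accepted and psservice rules do receive `modified: 2023/02/24`. Both hunks show only the tail of their rules; the `detection:` selections and the `modified:` fields lie outside the visible lines.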
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_sdelete.yml b/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_renamed_sdelete.yml
rename to rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_sysinternal_suite_tools_masquerading.yml b/rules/windows/process_creation/proc_creation_win_sysinternal_suite_tools_masquerading.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_sysinternal_suite_tools_masquerading.yml
rename to rules/windows/process_creation/proc_creation_win_sysinternal_suite_tools_masquerading.yml
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml
index 5ee2f1216..634d3c79a 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml
@@ -1,15 +1,15 @@
-title: Usage of Sysinternals Tools
+title: Potential Execution of Sysinternals Tools
 id: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b
 related:
 - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
 type: derived
 status: experimental
-description: Detects the usage of Sysinternals Tools due to accepteula option being seen in the command line.
+description: Detects commandline flags that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals Tools
 references:
 - https://twitter.com/Moti_B/status/1008587936735035392
 author: Markus Neis
 date: 2017/08/28
-modified: 2022/08/02
+modified: 2023/02/24
 tags:
 - attack.resource_development
 - attack.t1588.002
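Review bot: The new `description:` in proc_creation_win_sysinternals_eula_accepted.yml reads awkwardly (`commandline flags that contain the 'accepteula' flag`) and no longer says where the flag is looked for, which the old wording did; consider `description: Detects command lines containing the 'accepteula' flag, which can be a sign that one of the Sysinternals tools was executed`. The softened title `Potential Execution of Sysinternals Tools` is consistent with the `level: low` kept in the second hunk, so that pairing looks right. The `detection:` block is outside this hunk, so the exact field the selection matches cannot be confirmed from here.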
@@ -24,5 +24,5 @@ detection:
 condition: selection
 falsepositives:
 - Legitimate use of SysInternals tools
- - Programs that use the same Registry Key
+ - Programs that use the same commandline
 level: low
diff --git a/rules/windows/process_creation/proc_creation_win_procdump.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_procdump.yml
rename to rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml
diff --git a/rules/windows/process_creation/proc_creation_win_procdump_evasion.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_procdump_evasion.yml
rename to rules/windows/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml
rename to rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_psexec_eula.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_eula.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_psexec_eula.yml
rename to rules/windows/process_creation/proc_creation_win_sysinternals_psexec_eula.yml
diff --git a/rules/windows/process_creation/proc_creation_win_tool_psexec.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_service_execution.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_tool_psexec.yml
rename to rules/windows/process_creation/proc_creation_win_sysinternals_psexec_service_execution.yml
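Review bot: `- Programs that use the same commandline` in the eula_accepted falsepositives list is too generic to help an analyst triage a hit; name what is actually shared, e.g. `- Third-party programs that accept an 'accepteula' flag on their command line`. The hunk trailer `detection:` indicates the selection sits just above these lines, outside the hunk, so which field carries the flag is not visible here.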
diff --git a/rules/windows/process_creation/proc_creation_win_susp_psexesvc.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_psexesvc.yml
rename to rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_psexesvc_as_system.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_psexesvc_as_system.yml
rename to rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_psexesvc_renamed.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_renamed.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_psexesvc_renamed.yml
rename to rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_renamed.yml
diff --git a/rules/windows/process_creation/proc_creation_win_psexesvc_start.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_start.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_psexesvc_start.yml
rename to rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_start.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexex_paexec_escalate_system.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml
rename to rules/windows/process_creation/proc_creation_win_sysinternals_psexex_paexec_escalate_system.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexex_paexec_flags.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml
rename to rules/windows/process_creation/proc_creation_win_sysinternals_psexex_paexec_flags.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_psloglist.yml
rename to rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml
index aba0b3254..07113a876 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml
@@ -1,11 +1,12 @@
-title: Use of Sysinternals PsService
+title: Sysinternals PsService Execution
 id: 3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f
 status: experimental
-description: Detects usage of Sysinternals PsService for service reconnaissance or tamper
+description: Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering
 references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/psservice
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/16
+modified: 2023/02/24
 tags:
 - attack.discovery
 - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_sdelete.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_sdelete.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_sdelete.yml
rename to rules/windows/process_creation/proc_creation_win_sysinternals_sdelete.yml
diff --git a/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml b/rules/windows/process_creation/proc_creation_win_uninstall_sysinternals_sysmon.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml
rename to rules/windows/process_creation/proc_creation_win_uninstall_sysinternals_sysmon.yml