From e20d8be164d3cd0bde6fb51cdcde09c74884054c Mon Sep 17 00:00:00 2001
From: Florian Roth <venom14@gmail.com>
Date: Sat, 18 Dec 2021 06:39:14 +0100
Subject: [PATCH] refactor: split rule up into two, more susp sub procs

---
 .../process_creation_shell_spawn_by_java.yml  | 24 +++++++++++
 ...cess_creation_susp_shell_spawn_by_java.yml | 42 +++++++++++++++++++
 ...ss_creation_susp_shell_spawn_from_java.yml | 30 -------------
 3 files changed, 66 insertions(+), 30 deletions(-)
 create mode 100644 rules/windows/process_creation/process_creation_shell_spawn_by_java.yml
 create mode 100644 rules/windows/process_creation/process_creation_susp_shell_spawn_by_java.yml
 delete mode 100644 rules/windows/process_creation/process_creation_susp_shell_spawn_from_java.yml

diff --git a/rules/windows/process_creation/process_creation_shell_spawn_by_java.yml b/rules/windows/process_creation/process_creation_shell_spawn_by_java.yml
new file mode 100644
index 000000000..9adb6d3c1
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_shell_spawn_by_java.yml
@@ -0,0 +1,24 @@
+title: Shells Spawn by Java
+id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0
+description: Detects shell spawn from Java host process, which could a maintenance task or some kind of exploitation (e.g. log4j exploitation)
+status: experimental
+author: Andreas Hunkeler (@Karneades)
+date: 2021/12/17
+modified: 2021/12/18
+tags:
+    - attack.initial_access
+    - attack.persistence
+    - attack.privilege_escalation
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage|endswith: '\java.exe'
+        Image|endswith:
+            - '\cmd.exe'
+    condition: selection
+falsepositives:
+    - Legitimate calls to system binaries
+    - Company specific internal usage
+level: medium
diff --git a/rules/windows/process_creation/process_creation_susp_shell_spawn_by_java.yml b/rules/windows/process_creation/process_creation_susp_shell_spawn_by_java.yml
new file mode 100644
index 000000000..cdd6211d3
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_susp_shell_spawn_by_java.yml
@@ -0,0 +1,42 @@
+title: Suspicious Shells Spawn by Java
+id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d
+description: Detects suspicious shell spawn from Java host process (e.g. log4j exploitation)
+status: experimental
+author: Andreas Hunkeler (@Karneades), Florian Roth
+date: 2021/12/17
+modified: 2021/12/18
+tags:
+    - attack.initial_access
+    - attack.persistence
+    - attack.privilege_escalation
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage|endswith: '\java.exe'
+        Image|endswith:
+            - '\sh.exe'
+            - '\bash.exe'
+            - '\powershell.exe'
+            - '\schtasks.exe'
+            - '\certutil.exe'
+            - '\whoami.exe'
+            - '\bitsadmin.exe'
+            - '\wscript.exe'
+            - '\cscript.exe'
+            - '\scrcons.exe'
+            - '\regsvr32.exe'
+            - '\hh.exe'
+            - '\wmic.exe'        # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
+            - '\mshta.exe'
+            - '\rundll32.exe'
+            - '\forfiles.exe'
+            - '\scriptrunner.exe'
+            - '\mftrace.exe'
+            - '\AppVLP.exe'
+    condition: selection
+falsepositives:
+    - Legitimate calls to system binaries
+    - Company specific internal usage
+level: high
diff --git a/rules/windows/process_creation/process_creation_susp_shell_spawn_from_java.yml b/rules/windows/process_creation/process_creation_susp_shell_spawn_from_java.yml
deleted file mode 100644
index 5e3f3342d..000000000
--- a/rules/windows/process_creation/process_creation_susp_shell_spawn_from_java.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: Suspicious Shells Spawn by Java
-id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d
-description: Detects suspicious shell spawn from Java host process (e.g. log4j exploitation)
-status: experimental
-author: Andreas Hunkeler (@Karneades)
-date: 2021/12/17
-tags:
-    - attack.initial_access
-    - attack.persistence
-    - attack.privilege_escalation
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentImage: '*\java.exe'
-        Image:
-            - '*\cmd.exe'
-            - '*\sh.exe'
-            - '*\bash.exe'
-            - '*\powershell.exe'
-            - '*\schtasks.exe'
-            - '*\certutil.exe'
-            - '*\whoami.exe'
-            - '*\bitsadmin.exe'
-    condition: selection
-falsepositives:
-    - Legitimate calls to system binaries
-    - Company specific internal usage
-level: high