From e213252c4cb8a52d6946c617faf08ca75b6ef211 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 19 Jan 2023 16:37:10 +0100
Subject: [PATCH] feat: logic update to multiple rules
---
 .../powershell_script/posh_ps_xml_iex.yml | 4 ++-
 ...eation_win_cmd_redirection_susp_folder.yml | 33 +++++++++++++------
 ..._creation_win_fsutil_symlinkevaluation.yml | 6 ++--
 .../proc_creation_win_query_session_exfil.yml | 3 +-
 ...sp_crackmapexec_powershell_obfuscation.yml | 2 +-
 .../proc_creation_win_susp_recon.yml | 3 ++
 .../registry_set_powershell_in_run_keys.yml | 4 ++-
 7 files changed, 39 insertions(+), 16 deletions(-)
diff --git a/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml b/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
index dc27f6514..e8d5a41a7 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests
 author: frack113
 date: 2022/01/19
-modified: 2023/01/02
+modified: 2023/01/19
 tags:
 - attack.execution
 - attack.t1059.001
@@ -27,6 +27,8 @@ detection:
 ScriptBlockText|contains:
 - 'IEX '
 - 'Invoke-Expression '
+ - 'Invoke-Command '
+ - 'ICM -'
 condition: all of selection_*
 falsepositives:
 - Legitimate administrative script
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
index 47a9d2e8d..509f2f0bc 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
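Review bot: The added `'Invoke-Command '` entry in the ScriptBlockText list also matches plain PowerShell remoting (`Invoke-Command -ComputerName ...`), which is routine in administrative scripts, so it widens this selection well beyond the `IEX `/`Invoke-Expression ` entries it sits next to. The rule keeps `condition: all of selection_*`, so the real noise depends on how tight the other selection is; that selection is outside the hunk, and it would be worth checking against remoting-heavy script block logs before keeping the entry. The `falsepositives` entry in the hunk was not revisited; if the entry stays, `- Administrative scripts that use Invoke-Command for remoting` would document the trade-off. Note also that the same keyword is added to registry_set_powershell_in_run_keys.yml in this commit without the trailing space, so the two rules now match slightly different strings.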
@@ -1,12 +1,15 @@
 title: Suspicious CMD Shell Redirect
 id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
+related:
+ - id: aa2efee7-34dd-446e-8a37-40790a66efd7
+ type: derived
 status: experimental
 description: Detects inline windows shell commands redirecting output via the ">" symbol to a suspicious location
 references:
 - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
 author: Nasreddine Bencherchali
 date: 2022/07/12
-modified: 2022/11/11
+modified: 2023/01/19
 tags:
 - attack.execution
 - attack.t1218
@@ -17,16 +20,26 @@ detection:
 selection_img:
 - Image|endswith: '\cmd.exe'
 - OriginalFileName: 'Cmd.Exe'
- selection_cli:
- CommandLine|contains|all:
+ selection_cli_1:
+ CommandLine|contains:
 # Add more suspicious locations as you find them
- - ' > %USERPROFILE%\'
- - ' > %APPDATA%\'
- - ' > \Users\Public\'
- - ' > C:\Users\Public\'
- - ' > %TEMP%\'
- - ' > %TMP%\'
- condition: all of selection_*
+ # The space from the start is missing to cover append operations ">>"
+ - '> %USERPROFILE%\'
+ - '> %APPDATA%\'
+ - '> \Users\Public\'
+ - '> C:\Users\Public\'
+ - '> %TEMP%\'
+ - '> %TMP%\'
+ - '> C:\Windows\Temp\'
+ - '> C:\Temp\'
+ selection_cli_2:
+ CommandLine|contains:
+ - ' > '
+ - ' >> '
+ CommandLine|contains|all:
+ - 'C:\Users\'
+ - '\AppData\Local\'
+ condition: selection_img or 1 of selection_cli_*
 falsepositives:
 - Legitimate admin scripts
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml b/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml
index 14648f17b..5c8153dca 100644
--- a/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml
+++ b/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml
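Review bot: The new `condition: selection_img or 1 of selection_cli_*` fires on every cmd.exe process creation, because `selection_img` on its own satisfies the `or`; the replaced `all of selection_*` required image and command line together, and the title and description still describe a redirect to a suspicious location. This is almost certainly meant to be `condition: selection_img and 1 of selection_cli_*`. As written, a medium-level rule would alert on every cmd.exe launch in the environment and bury the redirect cases it is meant to surface. The `detection:` key that encloses these selections sits just above the hunk.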
@@ -17,8 +17,10 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection:
- Image|endswith: '\fsutil.exe'
+ selection_img:
+ - Image|endswith: '\fsutil.exe'
+ - OriginalFileName: 'fsutil.exe'
+ selection_cli:
 CommandLine|contains|all:
 - 'behavior '
 - 'set '
diff --git a/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml b/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml
index 5d45d2f03..6ad785f4a 100644
--- a/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml
+++ b/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml
@@ -6,6 +6,7 @@ references:
 - https://twitter.com/MichalKoczwara/status/1553634816016498688
 author: Nasreddine Bencherchali
 date: 2022/08/01
+modified: 2023/01/19
 tags:
 - attack.execution
 logsource:
@@ -13,7 +14,7 @@ logsource:
 product: windows
 detection:
 selection:
- Image|endswith: '\Windows\System32\query.exe'
+ Image|endswith: ':\Windows\System32\query.exe'
 CommandLine|contains:
 - 'session >'
 - 'process >'
diff --git a/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml b/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml
index b320cf125..8d2d372b0 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml
@@ -24,7 +24,7 @@ detection:
 snippets:
 CommandLine|contains:
 - 'join*split'
- # Line 343ff
+ # Line 343ff
 - '( $ShellId[1]+$ShellId[13]+''x'')'
 - '( $PSHome[*]+$PSHOME[*]+'
 - '( $env:Public[13]+$env:Public[5]+''x'')'
diff --git a/rules/windows/process_creation/proc_creation_win_susp_recon.yml b/rules/windows/process_creation/proc_creation_win_susp_recon.yml
index 4f64ed379..420b09eda 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_recon.yml
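Review bot: The fsutil hunk replaces `selection` with `selection_img` and `selection_cli`, but the rule's `condition` line is below the hunk and the diffstat for this file (`6 ++--`) accounts for exactly the four additions and two deletions shown here, so the condition was not updated in this commit. If it still reads `condition: selection`, the rule now references a selection that no longer exists and will fail rule validation (or silently match nothing, depending on the backend). It needs `condition: all of selection_*` or `condition: selection_img and selection_cli`, in the same style as the other rules touched by this change; the CommandLine items following `selection_cli:` continue past the end of the hunk.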
+++ b/rules/windows/process_creation/proc_creation_win_susp_recon.yml
@@ -1,5 +1,8 @@
 title: Recon Information for Export with Command Prompt
 id: aa2efee7-34dd-446e-8a37-40790a66efd7
+related:
+ - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
+ type: similar
 status: experimental
 description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
 references:
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml
index e935c2e0b..bdd8742e8 100644
--- a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml
+++ b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml
@@ -7,7 +7,7 @@ references:
 - https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
 author: frack113, Florian Roth
 date: 2022/03/17
-modified: 2023/01/10
+modified: 2023/01/19
 tags:
 - attack.persistence
 - attack.t1547.001
@@ -32,6 +32,8 @@ detection:
 - ' -encodedcommand '
 - '-ExecutionPolicy Bypass'
 - 'Invoke-Expression'
+ - 'Invoke-Command'
+ - 'ICM -'
 - 'IEX ('
 - 'Invoke-WebRequest'
 - 'IWR '
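Review bot: `'Invoke-Command'` is added here without a trailing space while the same entry added to posh_ps_xml_iex.yml in this commit is `'Invoke-Command '`; the two rules therefore match slightly different strings (this one also catches `Invoke-Command{` and `Invoke-Command(`, the other does not) with no stated reason for the divergence. Either use the same form in both hunks or add a comment next to this entry explaining why the Run-key rule is looser, e.g. `# No trailing space on purpose: matches the cmdlet regardless of what follows it`. The `'ICM -'` entry is consistent with the posh rule. The list these lines belong to starts above the hunk, under the `detection:` key named in the hunk header.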