Update procdump rules

rules/windows/process_creation/proc_creation_win_procdump.yml

@@ -1,11 +1,12 @@
 title: Procdump Usage
 id: 2e65275c-8288-4ab4-aeb7-6274f58b6b20
-description: Detects uses of the SysInternals Procdump utility
+description: Detects usage of the SysInternals Procdump utility
 status: experimental
 references:
     - Internal Research
 author: Florian Roth
 date: 2021/08/16
+modified: 2022/08/11
 tags:
     - attack.defense_evasion
     - attack.t1036
@@ -14,15 +15,11 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection1:
+    selection:
         Image|endswith:
             - '\procdump.exe'
             - '\procdump64.exe'
-    selection2:
-        CommandLine|contains|all:
-            - ' -ma '
-            - '.exe'
-    condition: selection1 or selection2
+    condition: selection
 falsepositives:
     - Legitimate use of procdump by a developer or administrator
 level: medium

rules/windows/process_creation/proc_creation_win_renamed_procdump.yml

@@ -1,12 +1,15 @@
 title: Renamed ProcDump
 id: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67
+related:
+    - id: 03795938-1387-481b-9f4c-3f6241e604fe
+      type: obsoletes
 status: test
 description: Detects the execution of a renamed ProcDump executable often used by attackers or malware
 references:
     - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
 author: Florian Roth
 date: 2019/11/18
-modified: 2021/08/16
+modified: 2022/08/12
 tags:
     - attack.defense_evasion
     - attack.t1036.003
@@ -14,22 +17,22 @@ logsource:
     product: windows
     category: process_creation
 detection:
-    selection1:
+    original_file_name:
         OriginalFileName: 'procdump'
-    selection2:
-        CommandLine|contains|all:
+    selection_ma:
+        CommandLine|contains:
             - ' -ma '
+            - ' /ma '
+    selection_other:
+        CommandLine|contains:
             - ' -accepteula '
-    selection3:
-        CommandLine|contains|all:
-            - ' -ma '
-            - '.dmp'
+            - ' /accepteula '
     filter:
         Image|endswith:
             - '\procdump.exe'
             - '\procdump64.exe'
-    condition: ( selection1 or selection2 or selection3 ) and not filter
+    condition: (original_file_name or all of selection_*) and not filter
 falsepositives:
     - Procdump illegaly bundled with legitimate software
-    - Weird admins who renamed binaries
+    - Weird admins who renamed binaries (and should be investigated)
 level: high

rules/windows/process_creation/proc_creation_win_susp_procdump.yml

@@ -1,26 +0,0 @@
-title: Suspicious Use of Procdump
-id: 03795938-1387-481b-9f4c-3f6241e604fe
-description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter ' -ma ' and ' -accepteula' in a single step. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
-status: experimental
-references:
-    - Internal Research
-author: Florian Roth
-date: 2021/02/02
-modified: 2021/08/16
-tags:
-    - attack.defense_evasion
-    - attack.t1036
-    - attack.t1003.001
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine|contains|all:
-            - ' -ma '
-            - ' -accepteula '
-    condition: selection
-falsepositives:
-    - Another tool that uses the command line switches of Procdump
-    - Legitimate use of procdump by a developer or administrator
-level: high

rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml

@@ -6,7 +6,7 @@ references:
     - Internal Research
 author: Florian Roth
 date: 2018/10/30
-modified: 2021/02/02
+modified: 2022/08/12
 tags:
     - attack.defense_evasion
     - attack.t1036
@@ -18,14 +18,12 @@ logsource:
     product: windows
 detection:
     selection1:
-        CommandLine|contains: ' -ma '
-    selection2:
-        CommandLine|contains: ' lsass'
-    selection3:
-        CommandLine|contains|all:
+        CommandLine|contains:
             - ' -ma '
-            - ' ls'
-    condition: ( selection1 and selection2 ) or selection3
+            - ' /ma '
+    selection2:
+        CommandLine|contains: ' ls' # Short for lsass
+    condition: all of selection*
 falsepositives:
     - Unlikely, because no one should dump an lsass process memory
     - Another tool that uses the command line switches of Procdump