Merge PR #4674 from @Neo23x0 - Increase hack tool coverage

update: Hacktool Execution - Imphash - Add additional imphash values to increase coverage
update: Findstr Launching .lnk File - Increase coverage by adding cases where the commandline ends with a double or a single quote.
---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>

rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml

@@ -1,4 +1,4 @@
-title: Hacktool Named File Stream Created
+title: HackTool Named File Stream Created
 id: 19b041f6-e583-40dc-b842-d6fa8011493f
 status: experimental
 description: Detects the creation of a named file stream with the imphash of a well-known hack tool

rules/windows/process_creation/proc_creation_win_findstr_lnk.yml

@@ -6,7 +6,7 @@ references:
     - https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/
 author: Trent Liffick
 date: 2020/05/01
-modified: 2023/11/11
+modified: 2024/01/15
 tags:
     - attack.defense_evasion
     - attack.t1036
@@ -24,7 +24,10 @@ detection:
               - 'FIND.EXE'
               - 'FINDSTR.EXE'
     selection_cli:
-        CommandLine|endswith: '.lnk'
+        CommandLine|endswith:
+            - '.lnk'
+            - '.lnk"'
+            - ".lnk'"
     condition: all of selection_*
 falsepositives:
     - Unknown

rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml

@@ -1,4 +1,4 @@
-title: Suspicious Hacktool Execution - Imphash
+title: Hacktool Execution - Imphash
 id: 24e3e58a-646b-4b50-adef-02ef935b9fc8
 status: test
 description: Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed
@@ -6,7 +6,7 @@ references:
     - Internal Research
 author: Florian Roth (Nextron Systems)
 date: 2022/03/04
-modified: 2023/02/04
+modified: 2024/01/15
 tags:
     - attack.credential_access
     - attack.t1588.002
@@ -20,21 +20,6 @@ detection:
               - bcca3c247b619dcd13c8cdff5f123932 # PetitPotam
               - 3a19059bd7688cb88e70005f18efc439 # PetitPotam
               - bf6223a49e45d99094406777eb6004ba # PetitPotam
-              - 0c106686a31bfe2ba931ae1cf6e9dbc6 # Mimikatz
-              - 0d1447d4b3259b3c2a1d4cfb7ece13c3 # Mimikatz
-              - 1b0369a1e06271833f78ffa70ffb4eaf # Mimikatz
-              - 4c1b52a19748428e51b14c278d0f58e3 # Mimikatz
-              - 4d927a711f77d62cebd4f322cb57ec6f # Mimikatz
-              - 66ee036df5fc1004d9ed5e9a94a1086a # Mimikatz
-              - 672b13f4a0b6f27d29065123fe882dfc # Mimikatz
-              - 6bbd59cea665c4afcc2814c1327ec91f # Mimikatz
-              - 725bb81dc24214f6ecacc0cfb36ad30d # Mimikatz
-              - 9528a0e91e28fbb88ad433feabca2456 # Mimikatz
-              - 9da6d5d77be11712527dcab86df449a3 # Mimikatz
-              - a6e01bc1ab89f8d91d9eab72032aae88 # Mimikatz
-              - b24c5eddaea4fe50c6a96a2a133521e4 # Mimikatz
-              - d21bbc50dcc169d7b4d0f01962793154 # Mimikatz
-              - fcc251cceae90d22c392215cc9a2d5d6 # Mimikatz
               - 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato
               - a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato
               - f9a28c458284584a93b14216308d31bd # JuicyPotatoNG
@@ -104,25 +89,25 @@ detection:
               - 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
               - 19584675d94829987952432e018d5056 # SysmonQuiet
               - 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook
+              - 885c99ccfbe77d1cbfcb9c4e7c1a3313 # Forkatz
+              - 22a22bc9e4e0d2f189f1ea01748816ac # PPLKiller
+              - 7fa30e6bb7e8e8a69155636e50bf1b28 # PPLKiller
+              - 96df3a3731912449521f6f8d183279b1 # Backstab
+              - 7e6cf3ff4576581271ac8a313b2aab46 # Backstab
+              - 51791678f351c03a0eb4e2a7b05c6e17 # Backstab
+              - 25ce42b079282632708fc846129e98a5 # Forensia
+              - 021bcca20ba3381b11bdde26b4e62f20 # EDRSandBlast
+              - 59223b5f52d8799d38e0754855cbdf42 # EDRSandBlast
+              - 81e75d8f1d276c156653d3d8813e4a43 # EDRSandBlast
+              - 17244e8b6b8227e57fe709ccad421420 # EDRSandBlast
+              - 5b76da3acdedc8a5cdf23a798b5936b4 # EDRSandBlast
+              - cb2b65bb77d995cc1c0e5df1c860133c # EDRSandBlast
+              - 40445337761d80cf465136fafb1f63e6 # EDRSandBlast
+              - 8a790f401b29fa87bc1e56f7272b3aa6 # EDRSilencer
         - Hashes|contains: # Sysmon field hashes contains all types
               - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
               - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
               - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
-              - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz
-              - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz
-              - IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz
-              - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz
-              - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz
-              - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz
-              - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz
-              - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz
-              - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz
-              - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz
-              - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz
-              - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz
-              - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz
-              - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz
-              - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz
               - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
               - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato
               - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG
@@ -192,6 +177,21 @@ detection:
               - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
               - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
               - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
+              - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
+              - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
+              - IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
+              - IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab
+              - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab
+              - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab
+              - IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia
+              - IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast
+              - IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast
+              - IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast
+              - IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast
+              - IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast
+              - IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast
+              - IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast
+              - IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer
     condition: selection
 falsepositives:
     - Legitimate use of one of these tools

rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml

@@ -1,4 +1,4 @@
-title: Suspicious Hacktool Execution - PE Metadata
+title: Hacktool Execution - PE Metadata
 id: 37c1333a-a0db-48be-b64b-7393b2386e3b
 status: test
 description: Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed
@@ -7,7 +7,7 @@ references:
     - https://www.virustotal.com/gui/search/metadata%253ACube0x0/files
 author: Florian Roth (Nextron Systems)
 date: 2022/04/27
-modified: 2023/02/04
+modified: 2024/01/15
 tags:
     - attack.credential_access
     - attack.t1588.002