From 81b277ba1a6f4c7a8ca7ebb376630014869ef245 Mon Sep 17 00:00:00 2001
From: Harish SEGAR
Date: Sat, 21 Mar 2020 00:26:30 +0100
Subject: [PATCH 1/4] suspicious powershell parent process...
---
 .../win_susp_powershell_parent_process.yml | 64 +++++++++++++++++++
 1 file changed, 64 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_powershell_parent_process.yml
diff --git a/rules/windows/process_creation/win_susp_powershell_parent_process.yml b/rules/windows/process_creation/win_susp_powershell_parent_process.yml
new file mode 100644
index 000000000..aa774aa19
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_powershell_parent_process.yml
@@ -0,0 +1,64 @@
+title: Suspicious PowerShell parent process
+id: 754ed792-634f-40ae-b3bc-e0448d33f695
+description: Detects a suspicious parent of csc.exe, which could by a sign of payload delivery
+status: experimental
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26
+author: Teymur Kheirkhabarov, Harish Segar (rule)
+date: 2020/03/20
+tags:
+ - attack.defense_evasion
+ - attack.t1036
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 1
+
+ selection_image1:
+ ParentImage|endswith:
+ - '\mshta.exe'
+ - '\rundll32.exe'
+ - '\regsvr32.exe'
+ - '\services.exe'
+ - '\winword.exe'
+ - '\wmiprvse.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\msaccess.exe'
+ - '\mspub.exe'
+ - '\visio.exe'
+ - '\outlook.exe'
+ - '\amigo.exe'
+ - '\chrome.exe'
+ - '\firefox.exe'
+ - '\iexplore.exe'
+ - '\microsoftedgecp.exe'
+ - '\microsoftedge.exe'
+ - '\browser.exe'
+ - '\vivaldi.exe'
+ - '\safari.exe'
+ - '\sqlagent.exe'
+ - '\sqlserver.exe'
+ - '\sqlservr.exe'
+ - '\w3wp.exe'
+ - '\httpd.exe'
+ - '\nginx.exe'
+ - '\php-cgi.exe'
+ - '\jbosssvc.exe'
+ - 'MicrosoftEdgeSH.exe'
+ selection_image2:
+ ParentImage|contains: 'tomcat'
+
+ filters:
+ CommandLine|contains:
+ - 'powershell'
+ - 'pwsh'
+ Description: 'Windows PowerShell'
+ Product: 'PowerShell Core 6'
+
+ condition: selection and (1 of selection_image*) and (1 of filters)
+falsepositives:
+ - Unkown
+level: high
\ No newline at end of file
From ba3994f319fe2f6c9e929656106ea55a8364f924 Mon Sep 17 00:00:00 2001
From: Harish SEGAR
Date: Sat, 21 Mar 2020 12:19:01 +0100
Subject: [PATCH 2/4] Fix of '1 of x' condition
---
 .../win_susp_powershell_parent_process.yml | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_powershell_parent_process.yml b/rules/windows/process_creation/win_susp_powershell_parent_process.yml
index aa774aa19..94e2b87de 100644
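Review bot: `- 'MicrosoftEdgeSH.exe'` at the end of the `ParentImage|endswith` list is the only entry without a leading backslash, so it also matches any parent image whose file name merely ends in that string instead of that exact file name; `- '\MicrosoftEdgeSH.exe'` makes it consistent with the other entries. The entry is only re-quoted in PATCH 2/4 and carried as context in PATCH 4/4, so the inconsistency survives the whole series. Separately, `CommandLine|contains: 'powershell'` fires on any child whose command line contains that substring — a browser in the parent list launching an installer package whose file name contains "PowerShell" (constructed example) would satisfy it — while the `Description`/`Product` entries presumably exist to catch renamed binaries via PE metadata; naming the process itself with `Image|endswith:` over `'\powershell.exe'` and `'\pwsh.exe'` would be the tighter first entry.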
--- a/rules/windows/process_creation/win_susp_powershell_parent_process.yml +++ b/rules/windows/process_creation/win_susp_powershell_parent_process.yml @@ -1,14 +1,14 @@ title: Suspicious PowerShell parent process id: 754ed792-634f-40ae-b3bc-e0448d33f695 -description: Detects a suspicious parent of csc.exe, which could by a sign of payload delivery +description: Detects a suspicious parents of powershell.exe status: experimental references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26 author: Teymur Kheirkhabarov, Harish Segar (rule) date: 2020/03/20 tags: - - attack.defense_evasion - - attack.t1036 + - attack.execution + - attack.t1086 logsource: product: windows service: sysmon @@ -47,18 +47,18 @@ detection: - '\nginx.exe' - '\php-cgi.exe' - '\jbosssvc.exe' - - 'MicrosoftEdgeSH.exe' + - "MicrosoftEdgeSH.exe" selection_image2: - ParentImage|contains: 'tomcat' + ParentImage|contains: "tomcat" filters: - CommandLine|contains: - - 'powershell' - - 'pwsh' - Description: 'Windows PowerShell' - Product: 'PowerShell Core 6' + - CommandLine|contains: + - "powershell" + - "pwsh" + - Description: "Windows PowerShell" + - Product: "PowerShell Core 6" condition: selection and (1 of selection_image*) and (1 of filters) falsepositives: - - Unkown -level: high \ No newline at end of file + - Other scripts +level: medium From 1a088425f9b54f5990e891dea859f145de67307c Mon Sep 17 00:00:00 2001 From: Harish SEGAR Date: Mon, 29 Jun 2020 20:42:35 +0200 Subject: [PATCH 3/4] Fix rules. --- .../win_susp_powershell_parent_process.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/rules/windows/process_creation/win_susp_powershell_parent_process.yml b/rules/windows/process_creation/win_susp_powershell_parent_process.yml index 94e2b87de..e25b102ed 100644 --- a/rules/windows/process_creation/win_susp_powershell_parent_process.yml +++ b/rules/windows/process_creation/win_susp_powershell_parent_process.yml 
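Review bot: The replacement `+description` line reads `Detects a suspicious parents of powershell.exe`, which mixes singular and plural and names only one of the two binaries the `filters` block matches on; `description: Detects suspicious parent processes of powershell.exe and pwsh.exe` states the rule's intent precisely. The same text is carried unchanged as context through PATCH 3/4 and PATCH 4/4.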
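Review bot: Quoting becomes inconsistent in this hunk: six values (`"MicrosoftEdgeSH.exe"`, `"tomcat"`, `"powershell"`, `"pwsh"`, `"Windows PowerShell"`, `"PowerShell Core 6"`) move to double quotes while the backslash-prefixed entries above keep single quotes. In YAML a double-quoted scalar processes backslash escapes, so a later editor who harmonises an entry such as `'\mshta.exe'` towards the new style gets a parse error (`\m` is not a valid escape); keeping single quotes throughout, e.g. `- 'MicrosoftEdgeSH.exe'`, avoids the trap and matches the rest of the file. `falsepositives: - Other scripts` is also too vague to help triage — naming the legitimate automation expected from the listed office, browser and web-server parents (administrative or deployment scripts, for instance) would be more useful.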
@@ -1,4 +1,4 @@ -title: Suspicious PowerShell parent process +title: Suspicious PowerShell Parent Process id: 754ed792-634f-40ae-b3bc-e0448d33f695 description: Detects a suspicious parents of powershell.exe status: experimental @@ -10,12 +10,9 @@ tags: - attack.execution - attack.t1086 logsource: + category: process_creation product: windows - service: sysmon detection: - selection: - EventID: 1 - selection_image1: ParentImage|endswith: - '\mshta.exe' @@ -58,7 +55,7 @@ detection: - Description: "Windows PowerShell" - Product: "PowerShell Core 6" - condition: selection and (1 of selection_image*) and (1 of filters) + condition: (1 of selection_image*) and (1 of filters) falsepositives: - Other scripts level: medium From 5a11ef90d0e41eb51720668aafc166564985b8d5 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 29 Jun 2020 21:24:47 +0200 Subject: [PATCH 4/4] rule reorganized --- .../win_susp_powershell_parent_process.yml | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/rules/windows/process_creation/win_susp_powershell_parent_process.yml b/rules/windows/process_creation/win_susp_powershell_parent_process.yml index e25b102ed..5c79b2b62 100644 --- a/rules/windows/process_creation/win_susp_powershell_parent_process.yml +++ b/rules/windows/process_creation/win_susp_powershell_parent_process.yml @@ -14,7 +14,7 @@ logsource: product: windows detection: selection_image1: - ParentImage|endswith: + - ParentImage|endswith: - '\mshta.exe' - '\rundll32.exe' - '\regsvr32.exe' @@ -45,17 +45,14 @@ detection: - '\php-cgi.exe' - '\jbosssvc.exe' - "MicrosoftEdgeSH.exe" - selection_image2: - ParentImage|contains: "tomcat" - - filters: + - ParentImage|contains: "tomcat" + selection_powershell: - CommandLine|contains: - "powershell" - "pwsh" - Description: "Windows PowerShell" - Product: "PowerShell Core 6" - - condition: (1 of selection_image*) and (1 of filters) + condition: all of them falsepositives: - Other scripts level: medium
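Review bot: After `logsource` moves to the generic `category: process_creation` (dropping `service: sysmon` and the `EventID: 1` selection), the rule still relies on the `Description` and `Product` fields in the `filters` block further down, which to my knowledge are populated only by Sysmon process-creation events and not by Security 4688; on a backend that maps the generic category to 4688 those two entries silently never match and only the `CommandLine|contains` substring remains. A comment above that block such as `# Description/Product come from PE metadata and are Sysmon-only; on 4688 sources only CommandLine matches` makes the dependency explicit, or `service: sysmon` could be retained until the generic mapping is confirmed. `selection_image1` begins in this hunk and continues past its end.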
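Review bot: `Product: "PowerShell Core 6"` in the new `selection_powershell` block is pinned to a single major version, so a renamed copy of a later pwsh release is caught only if `CommandLine|contains` happens to match, which undercuts the apparent purpose of the PE-metadata entries; if later releases report a different Product string (worth confirming against a current pwsh binary), `Product|contains: "PowerShell"` keeps the intent without the version pin. `condition: all of them` also makes every selection added to `detection` in future mandatory, including a filter someone adds to suppress a false positive; `condition: selection_image1 and selection_powershell` names the two blocks and is robust to such additions.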