Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing

CHANGELOG.md

@@ -6,6 +6,34 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html)
 from version 0.14.0.
 
+## 0.22.1 - 2022-09-09
+
+### Fixed
+
+* Replaced generic fix for Splunk AND/OR precedence issue with a specific one because the initial fix broke too many
+  backends. Splunk queries now have generally parentheses around AND expressions, sometimes more. Use sigma-cli/pySigma
+  for cleaner Splunk queries.
+
+## 0.22 - 2022-09-08
+
+### Added
+
+* 'windash' modifier
+* DNIF backend
+* Hedera backend
+* StreamAlert backend
+* SQLite backend can handle null values.
+* Support for different Windows log sources.
+
+### Changed
+
+* Various config improvements.
+
+### Fixed
+
+* Wrapping expressions from expanding modifiers into ORed subexpressions.
+* Various mapping fixes.
+
 ## 0.21 - 2022-04-08
 
 ### Added

Pipfile

@@ -21,6 +21,7 @@ progressbar2 = "~=3.47"
 pymisp = "~=2.4.123"
 PyYAML = "~=5.1"
 "ruamel.yaml" = "*"
+termcolor = "*"
 
 [requires]
 python_version = "3.8"

rules/windows/builtin/security/win_susp_computer_name.yml

@@ -0,0 +1,36 @@
+title: Win Susp Computer Name Containing Samtheadmin
+id: 39698b3f-da92-4bc6-bfb5-645a98386e45
+status: experimental
+description: Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool
+author: elhoim
+date: 2022/09/09
+references:
+    - https://twitter.com/malmoeb/status/1511760068743766026
+    - https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py
+    - https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py
+tags:
+    - cve.2021.42278
+    - cve.2021.42287
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1078
+logsource:
+    category: security
+    product: windows
+detection:
+    # Not adding an EventID on purpose to try to match on any event in security (including use of account), not just 4741 (computer account created)
+    selection1:
+        SamAccountName|startswith: 'SAMTHEADMIN-'
+        SamAccountName|endswith: '$'
+    selection2:
+        TargetUserName|startswith: 'SAMTHEADMIN-'
+        TargetUserName|endswith: '$'
+    condition: 1 of selection*
+fields:
+    - EventID
+    - SamAccountName
+    - SubjectUserName
+    - TargetUserName
+falsepositives:
+    - Unknown
+level: critical

rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml

@@ -4,154 +4,197 @@ status: experimental
 description: Detects the creation of a file on disk that has an imphash of a well-known hack tool
 author: Florian Roth
 references:
-  - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
+   - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
 date: 2022/08/24
-logsource:
-  product: windows
-  category: create_stream_hash
-  definition: 'Requirements: Sysmon config with Imphash logging activated'
-detection:
-    selection:
-        - Imphash:
-            - bcca3c247b619dcd13c8cdff5f123932 # PetitPotam
-            - 3a19059bd7688cb88e70005f18efc439 # PetitPotam
-            - bf6223a49e45d99094406777eb6004ba # PetitPotam
-            - 0c106686a31bfe2ba931ae1cf6e9dbc6 # Mimikatz
-            - 0d1447d4b3259b3c2a1d4cfb7ece13c3 # Mimikatz
-            - 1b0369a1e06271833f78ffa70ffb4eaf # Mimikatz
-            - 4c1b52a19748428e51b14c278d0f58e3 # Mimikatz
-            - 4d927a711f77d62cebd4f322cb57ec6f # Mimikatz
-            - 66ee036df5fc1004d9ed5e9a94a1086a # Mimikatz
-            - 672b13f4a0b6f27d29065123fe882dfc # Mimikatz
-            - 6bbd59cea665c4afcc2814c1327ec91f # Mimikatz
-            - 725bb81dc24214f6ecacc0cfb36ad30d # Mimikatz
-            - 9528a0e91e28fbb88ad433feabca2456 # Mimikatz
-            - 9da6d5d77be11712527dcab86df449a3 # Mimikatz
-            - a6e01bc1ab89f8d91d9eab72032aae88 # Mimikatz
-            - b24c5eddaea4fe50c6a96a2a133521e4 # Mimikatz
-            - d21bbc50dcc169d7b4d0f01962793154 # Mimikatz
-            - fcc251cceae90d22c392215cc9a2d5d6 # Mimikatz
-            - 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato 
-            - a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato 
-            - 6118619783fc175bc7ebecff0769b46e # RoguePotato
-            - 959a83047e80ab68b368fdb3f4c6e4ea # RoguePotato
-            - 563233bfa169acc7892451f71ad5850a # RoguePotato
-            - 87575cb7a0e0700eb37f2e3668671a08 # RoguePotato
-            - 13f08707f759af6003837a150a371ba1 # Pwdump
-            - 1781f06048a7e58b323f0b9259be798b # Pwdump
-            - 233f85f2d4bc9d6521a6caae11a1e7f5 # Pwdump
-            - 24af2584cbf4d60bbe5c6d1b31b3be6d # Pwdump
-            - 632969ddf6dbf4e0f53424b75e4b91f2 # Pwdump
-            - 713c29b396b907ed71a72482759ed757 # Pwdump
-            - 749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump
-            - 8628b2608957a6b0c6330ac3de28ce2e # Pwdump
-            - 8b114550386e31895dfab371e741123d # Pwdump
-            - 94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX
-            - 9d68781980370e00e0bd939ee5e6c141 # Pwdump
-            - b18a1401ff8f444056d29450fbc0a6ce # Pwdump
-            - cb567f9498452721d77a451374955f5f # Pwdump
-            - 730073214094cd328547bf1f72289752 # Htran
-            - 17b461a082950fc6332228572138b80c # Cobalt Strike beacons
-            - dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons
-            - 819b19d53ca6736448f9325a85736792 # Cobalt Strike beacons
-            - 829da329ce140d873b4a8bde2cbfaa7e # Cobalt Strike beacons
-            - c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump
-            - 0588081ab0e63ba785938467e1b10cca # PPLDump
-            - 0d9ec08bac6c07d9987dfd0f1506587c # NanoDump
-            - bc129092b71c89b4d4c8cdf8ea590b29 # NanoDump
-            - 4da924cf622d039d58bce71cdf05d242 # NanoDump
-            - e7a3a5c377e2d29324093377d7db1c66 # NanoDump
-            - 9a9dbec5c62f0380b4fa5fd31deffedf # NanoDump
-            - af8a3976ad71e5d5fdfb67ddb8dadfce # NanoDump
-            - 0c477898bbf137bbd6f2a54e3b805ff4 # NanoDump
-            - 0ca9f02b537bcea20d4ea5eb1a9fe338 # NanoDump
-            - 3ab3655e5a14d4eefc547f4781bf7f9e # NanoDump
-            - e6f9d5152da699934b30daab206471f6 # NanoDump
-            - 3ad59991ccf1d67339b319b15a41b35d # NanoDump
-            - ffdd59e0318b85a3e480874d9796d872 # NanoDump
-            - 0cf479628d7cc1ea25ec7998a92f5051 # NanoDump
-            - 07a2d4dcbd6cb2c6a45e6b101f0b6d51 # NanoDump
-            - d6d0f80386e1380d05cb78e871bc72b1 # NanoDump
-            - 38d9e015591bbfd4929e0d0f47fa0055 # HandleKatz
-            - 0e2216679ca6e1094d63322e3412d650 # HandleKatz
-            - ada161bf41b8e5e9132858cb54cab5fb # DripLoader
-            - 2a1bc4913cd5ecb0434df07cb675b798 # DripLoader
-            - 11083e75553baae21dc89ce8f9a195e4 # DripLoader
-            - a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader
-        - Hashes|contains:  # Sysmon field hashes contains all types
-            - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
-            - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
-            - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
-            - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz
-            - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz
-            - IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz
-            - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz
-            - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz
-            - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz
-            - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz
-            - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz
-            - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz
-            - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz
-            - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz
-            - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz
-            - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz
-            - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz
-            - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz
-            - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato 
-            - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato 
-            - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
-            - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
-            - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
-            - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
-            - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
-            - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
-            - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
-            - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
-            - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
-            - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
-            - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
-            - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
-            - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
-            - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
-            - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
-            - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
-            - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
-            - IMPHASH=730073214094CD328547BF1F72289752 # Htran
-            - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
-            - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
-            - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
-            - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
-            - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
-            - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
-            - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
-            - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
-            - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
-            - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
-            - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
-            - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
-            - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
-            - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
-            - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
-            - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
-            - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
-            - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
-            - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
-            - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
-            - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
-            - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
-            - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
-            - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
-            - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
-            - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
-            - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
-    condition: selection
-fields:
-  - TargetFilename
-  - Image
-falsepositives:
-  - Unknown
-level: high
+modified: 2022/09/07
 tags:
-  - attack.defense_evasion
-  - attack.s0139
-  - attack.t1564.004
+   - attack.defense_evasion
+   - attack.s0139
+   - attack.t1564.004
+logsource:
+   product: windows
+   category: create_stream_hash
+definition: 'Requirements: Sysmon config with Imphash logging activated'
+detection:
+   selection:
+      - Imphash:
+         - bcca3c247b619dcd13c8cdff5f123932 # PetitPotam
+         - 3a19059bd7688cb88e70005f18efc439 # PetitPotam
+         - bf6223a49e45d99094406777eb6004ba # PetitPotam
+         - 0c106686a31bfe2ba931ae1cf6e9dbc6 # Mimikatz
+         - 0d1447d4b3259b3c2a1d4cfb7ece13c3 # Mimikatz
+         - 1b0369a1e06271833f78ffa70ffb4eaf # Mimikatz
+         - 4c1b52a19748428e51b14c278d0f58e3 # Mimikatz
+         - 4d927a711f77d62cebd4f322cb57ec6f # Mimikatz
+         - 66ee036df5fc1004d9ed5e9a94a1086a # Mimikatz
+         - 672b13f4a0b6f27d29065123fe882dfc # Mimikatz
+         - 6bbd59cea665c4afcc2814c1327ec91f # Mimikatz
+         - 725bb81dc24214f6ecacc0cfb36ad30d # Mimikatz
+         - 9528a0e91e28fbb88ad433feabca2456 # Mimikatz
+         - 9da6d5d77be11712527dcab86df449a3 # Mimikatz
+         - a6e01bc1ab89f8d91d9eab72032aae88 # Mimikatz
+         - b24c5eddaea4fe50c6a96a2a133521e4 # Mimikatz
+         - d21bbc50dcc169d7b4d0f01962793154 # Mimikatz
+         - fcc251cceae90d22c392215cc9a2d5d6 # Mimikatz
+         - 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato 
+         - a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato 
+         - 6118619783fc175bc7ebecff0769b46e # RoguePotato
+         - 959a83047e80ab68b368fdb3f4c6e4ea # RoguePotato
+         - 563233bfa169acc7892451f71ad5850a # RoguePotato
+         - 87575cb7a0e0700eb37f2e3668671a08 # RoguePotato
+         - 13f08707f759af6003837a150a371ba1 # Pwdump
+         - 1781f06048a7e58b323f0b9259be798b # Pwdump
+         - 233f85f2d4bc9d6521a6caae11a1e7f5 # Pwdump
+         - 24af2584cbf4d60bbe5c6d1b31b3be6d # Pwdump
+         - 632969ddf6dbf4e0f53424b75e4b91f2 # Pwdump
+         - 713c29b396b907ed71a72482759ed757 # Pwdump
+         - 749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump
+         - 8628b2608957a6b0c6330ac3de28ce2e # Pwdump
+         - 8b114550386e31895dfab371e741123d # Pwdump
+         - 94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX
+         - 9d68781980370e00e0bd939ee5e6c141 # Pwdump
+         - b18a1401ff8f444056d29450fbc0a6ce # Pwdump
+         - cb567f9498452721d77a451374955f5f # Pwdump
+         - 730073214094cd328547bf1f72289752 # Htran
+         - 17b461a082950fc6332228572138b80c # Cobalt Strike beacons
+         - dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons
+         - 819b19d53ca6736448f9325a85736792 # Cobalt Strike beacons
+         - 829da329ce140d873b4a8bde2cbfaa7e # Cobalt Strike beacons
+         - c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump
+         - 0588081ab0e63ba785938467e1b10cca # PPLDump
+         - 0d9ec08bac6c07d9987dfd0f1506587c # NanoDump
+         - bc129092b71c89b4d4c8cdf8ea590b29 # NanoDump
+         - 4da924cf622d039d58bce71cdf05d242 # NanoDump
+         - e7a3a5c377e2d29324093377d7db1c66 # NanoDump
+         - 9a9dbec5c62f0380b4fa5fd31deffedf # NanoDump
+         - af8a3976ad71e5d5fdfb67ddb8dadfce # NanoDump
+         - 0c477898bbf137bbd6f2a54e3b805ff4 # NanoDump
+         - 0ca9f02b537bcea20d4ea5eb1a9fe338 # NanoDump
+         - 3ab3655e5a14d4eefc547f4781bf7f9e # NanoDump
+         - e6f9d5152da699934b30daab206471f6 # NanoDump
+         - 3ad59991ccf1d67339b319b15a41b35d # NanoDump
+         - ffdd59e0318b85a3e480874d9796d872 # NanoDump
+         - 0cf479628d7cc1ea25ec7998a92f5051 # NanoDump
+         - 07a2d4dcbd6cb2c6a45e6b101f0b6d51 # NanoDump
+         - d6d0f80386e1380d05cb78e871bc72b1 # NanoDump
+         - 38d9e015591bbfd4929e0d0f47fa0055 # HandleKatz
+         - 0e2216679ca6e1094d63322e3412d650 # HandleKatz
+         - ada161bf41b8e5e9132858cb54cab5fb # DripLoader
+         - 2a1bc4913cd5ecb0434df07cb675b798 # DripLoader
+         - 11083e75553baae21dc89ce8f9a195e4 # DripLoader
+         - a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader
+         - 4a07f944a83e8a7c2525efa35dd30e2f # CreateMiniDump
+         - 767637c23bb42cd5d7397cf58b0be688 # UACMe Akagi
+         - 14c4e4c72ba075e9069ee67f39188ad8 # UACMe Akagi
+         - 3c782813d4afce07bbfc5a9772acdbdc # UACMe Akagi
+         - 7d010c6bb6a3726f327f7e239166d127 # UACMe Akagi
+         - 89159ba4dd04e4ce5559f132a9964eb3 # UACMe Akagi
+         - 6f33f4a5fc42b8cec7314947bd13f30f # UACMe Akagi
+         - 5834ed4291bdeb928270428ebbaf7604 # UACMe Akagi
+         - 5a8a8a43f25485e7ee1b201edcbc7a38 # UACMe Akagi
+         - dc7d30b90b2d8abf664fbed2b1b59894 # UACMe Akagi
+         - 41923ea1f824fe63ea5beb84db7a3e74 # UACMe Akagi
+         - 3de09703c8e79ed2ca3f01074719906b # UACMe Akagi
+         - a53a02b997935fd8eedcb5f7abab9b9f # WCE
+         - e96a73c7bf33a464c510ede582318bf2 # WCE
+         - 32089b8851bbf8bc2d014e9f37288c83 # Sliver Stagers
+         - 09D278F9DE118EF09163C6140255C690 # Dumpert
+         - 03866661686829d806989e2fc5a72606 # Dumpert
+         - e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
+         - 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
+         - 19584675d94829987952432e018d5056 # SysmonQuiet
+         - 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook
+      - Hashes|contains:  # Sysmon field hashes contains all types
+         - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
+         - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
+         - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
+         - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz
+         - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz
+         - IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz
+         - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz
+         - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz
+         - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz
+         - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz
+         - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz
+         - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz
+         - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz
+         - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz
+         - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz
+         - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz
+         - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz
+         - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz
+         - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato 
+         - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato 
+         - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
+         - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
+         - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
+         - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
+         - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
+         - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
+         - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
+         - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
+         - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
+         - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
+         - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
+         - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
+         - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
+         - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
+         - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
+         - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
+         - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
+         - IMPHASH=730073214094CD328547BF1F72289752 # Htran
+         - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
+         - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
+         - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
+         - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
+         - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
+         - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
+         - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
+         - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
+         - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
+         - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
+         - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
+         - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
+         - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
+         - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
+         - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
+         - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
+         - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
+         - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
+         - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
+         - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
+         - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
+         - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
+         - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
+         - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
+         - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
+         - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
+         - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
+         - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
+         - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
+         - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
+         - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
+         - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
+         - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
+         - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
+         - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
+         - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
+         - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
+         - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
+         - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
+         - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
+         - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
+         - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
+         - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
+         - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
+         - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
+         - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
+         - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
+         - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
+   condition: selection
+fields:
+   - TargetFilename
+   - Image
+falsepositives:
+   - Unknown
+level: high

rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml

@@ -0,0 +1,38 @@
+title: Unusual File Download from Direct IP Address
+id: 025bd229-fd1f-4fdb-97ab-20006e1a5368
+status: experimental
+description: Detects the download of suspicious file type from URLs with IP
+author: Nasreddine Bencherchali
+references:
+    - https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md
+date: 2022/09/07
+logsource:
+    product: windows
+    category: create_stream_hash
+detection:
+    selection_domain:
+        Contents|contains:
+            - '://1'
+            - '://2'
+            - '://3'
+            - '://4'
+            - '://5'
+            - '://6'
+            - '://7'
+            - '://8'
+            - '://9'
+    selection_extension:
+        TargetFilename|contains:
+            - '.ps1:Zone'
+            - '.bat:Zone'
+            - '.exe:Zone'
+            - '.vbe:Zone'
+            - '.vbs:Zone'
+            - '.dll:Zone'
+    condition: all of selection*
+falsepositives:
+    - Unknown
+level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1564.004

rules/windows/dns_query/dns_query_win_susp_ldap.yml

@@ -3,6 +3,7 @@ id: a21bcd7e-38ec-49ad-b69a-9ea17e69509e
 description: Detect suspicious ldap request from non Windows application
 status: experimental
 date: 2022/08/20
+modified: 2022/09/08
 author: frack113
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md
@@ -17,6 +18,8 @@ detection:
     filter_defender:
         Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
         Image|endswith: '\MsMpEng.exe'
+    filter_unknown:
+        Image: '<unknown process>'
     condition: dns_request and not 1 of filter_*
 falsepositives:
     - Programs that also lookup the observed domain

rules/windows/file_change/file_change_win_2022_timestomping.yml

@@ -23,7 +23,7 @@ detection:
     selection2:
         PreviousCreationUtcTime|startswith: '202'
     filter2:
-        CreationUtcTime|startswith: 202
+        CreationUtcTime|startswith: '202'
     gen_filter_updates:
         - Image:
             - 'C:\Windows\system32\ProvTool.exe'

rules/windows/file_event/file_event_win_bloodhound_collection.yml

@@ -8,20 +8,20 @@ references:
 date: 2022/08/09
 modified: 2022/08/09
 tags:
-  - attack.discovery
-  - attack.t1087.001
-  - attack.t1087.002
-  - attack.t1482
-  - attack.t1069.001
-  - attack.t1069.002
-  - attack.execution
-  - attack.t1059.001
+    - attack.discovery
+    - attack.t1087.001
+    - attack.t1087.002
+    - attack.t1482
+    - attack.t1069.001
+    - attack.t1069.002
+    - attack.execution
+    - attack.t1059.001
 logsource:
     product: windows
     category: file_event
 detection:
     selection1:
-        TargetFilename|endswith: 
+        TargetFilename|endswith:
             - '_BloodHound.zip'
             - '_computers.json'
             - '_containers.json'

rules/windows/file_event/file_event_win_creation_system_file.yml

@@ -4,7 +4,7 @@ status: test
 description: Detects the creation of an executable with a system process name in a suspicious folder
 author: Sander Wiebing, Tim Shelton
 date: 2020/05/26
-modified: 2022/07/27
+modified: 2022/09/07
 tags:
     - attack.defense_evasion
     - attack.t1036.005
@@ -31,10 +31,8 @@ detection:
             - '\explorer.exe'
             - '\taskhost.exe'
             - '\Taskmgr.exe'
-            - '\taskmgr.exe'
             - '\sihost.exe'
             - '\RuntimeBroker.exe'
-            - '\runtimebroker.exe'
             - '\smartscreen.exe'
             - '\dllhost.exe'
             - '\audiodg.exe'
@@ -42,13 +40,10 @@ detection:
     filter1:
         TargetFilename|startswith:
             - 'C:\Windows\System32\'
-            - 'C:\Windows\system32\'
-            - 'C:\Windows\SysWow64\'
             - 'C:\Windows\SysWOW64\'
-            - 'C:\Windows\winsxs\'
             - 'C:\Windows\WinSxS\'
             - '\SystemRoot\System32\'
-        Image|endswith: 
+        Image|endswith:
             - '\Windows\System32\dism.exe'
             - '\TiWorker.exe'
     filter2:
@@ -67,5 +62,6 @@ detection:
 fields:
     - Image
 falsepositives:
-    - System processes copied outside the default folder
+    - System processes copied outside their default folders for testing purposes
+    - Third party software naming their software with the same names as the processes mentioned here
 level: high

rules/windows/file_event/file_event_win_legitimate_app_dropping_archive.yml

@@ -48,5 +48,5 @@ falsepositives:
     - Unknown
 level: high
 tags:
-  - attack.defense_evasion
-  - attack.t1218
+    - attack.defense_evasion
+    - attack.t1218

rules/windows/file_event/file_event_win_legitimate_app_dropping_exe.yml

@@ -46,5 +46,5 @@ falsepositives:
     - Unknown
 level: high
 tags:
-  - attack.defense_evasion
-  - attack.t1218
+    - attack.defense_evasion
+    - attack.t1218

rules/windows/file_event/file_event_win_legitimate_app_dropping_script.yml

@@ -48,5 +48,5 @@ falsepositives:
     - Unknown
 level: high
 tags:
-  - attack.defense_evasion
-  - attack.t1218
+    - attack.defense_evasion
+    - attack.t1218

rules/windows/file_event/file_event_win_susp_executable_creation.yml

@@ -0,0 +1,31 @@
+title: Suspicious Executable File Creation
+id: 74babdd6-a758-4549-9632-26535279e654
+status: experimental
+description: Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
+author: frack113
+references:
+  - https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
+  - https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/
+date: 2022/09/05
+logsource:
+  product: windows
+  category: file_event
+detection:
+  selection_double:
+    TargetFilename|endswith: 
+        - '.bat.exe'
+        - '.sys.exe'
+  selection_folder:
+    TargetFilename:
+        - 'C:\$Recycle.Bin.exe'
+        - 'C:\Documents and Settings.exe'
+        - 'C:\MSOCache.exe'
+        - 'C:\Recovery.exe'
+        - 'C:\PerfLogs.exe'
+  condition: 1 of selection_*
+falsepositives:
+  - Unknown
+level: high
+tags:
+  - attack.defense_evasion
+  - attack.t1564

rules/windows/file_event/file_event_win_wmiexec_default_filename.yml

@@ -0,0 +1,21 @@
+title: Wmiexec Default Output File
+id: 8d5aca11-22b3-4f22-b7ba-90e60533e1fb
+status: experimental
+description: Detects the creation of the default output filename used by the wmicexec tool
+author: Nasreddine Bencherchali
+date: 2022/06/02
+references:
+    - https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/
+tags:
+    - attack.lateral_movement
+    - attack.t1047
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        TargetFilename|re: '\\Windows\\__1\d{9}\.\d{1,7}$'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: critical

rules/windows/file_event/file_event_win_writing_local_admin_share.yml

@@ -2,8 +2,8 @@ title: Writing Local Admin Share
 id: 4aafb0fa-bff5-4b9d-b99e-8093e659c65f
 status: experimental
 description: |
-  Aversaries may use to interact with a remote network share using Server Message Block (SMB).
-  This technique is used by post-exploitation frameworks.
+    Aversaries may use to interact with a remote network share using Server Message Block (SMB).
+    This technique is used by post-exploitation frameworks.
 author: frack113
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share

rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml

@@ -0,0 +1,22 @@
+title: SharpEvtMute EvtMuteHook Load
+id: 49329257-089d-46e6-af37-4afce4290685
+status: experimental
+description: Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool to tamper with Windows event logs
+references:
+    - https://github.com/bats3c/EvtMute
+tags:
+   - attack.defense_evasion
+   - attack.t1562.002
+author: Florian Roth
+date: 2022/09/07
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        - Hashes|contains: 'IMPHASH=330768A4F172E10ACB6287B87289D83B'
+        - Imphash: '330768a4f172e10acb6287b87289d83b'
+    condition: selection
+falsepositives:
+    - Other DLLs with that import hash
+level: high

rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml

@@ -1,9 +1,9 @@
 title: PowerShell ADRecon Execution
 id: bf72941a-cba0-41ea-b18c-9aca3925690d
 status: experimental
-description: Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7 
+description: Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7
 references:
-    - https://github.com/sense-of-security/ADRecon
+    - https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1
     - https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319
 tags:
     - attack.discovery
@@ -11,7 +11,7 @@ tags:
     - attack.t1059.001
 author: Bhabesh Raj
 date: 2021/07/16
-modified: 2021/10/16
+modified: 2022/09/06
 logsource:
     product: windows
     category: ps_script
@@ -20,6 +20,8 @@ detection:
     selection:
         ScriptBlockText|contains:
             - 'Function Get-ADRExcelComOb'
+            - 'Get-ADRGPO'
+            - 'Get-ADRDomainController'
             - 'ADRecon-Report.xlsx' #Default
     condition: selection
 falsepositives:

rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml

@@ -17,12 +17,12 @@ logsource:
 detection:
     selection1:
         ScriptBlockText|contains|all:
-          - 'Move-Item'
-          - 'Cert:\LocalMachine\Root'
+            - 'Move-Item'
+            - 'Cert:\LocalMachine\Root'
     selection2:
         ScriptBlockText|contains|all:
-          - 'Import-Certificate'
-          - 'Cert:\LocalMachine\Root'
+            - 'Import-Certificate'
+            - 'Cert:\LocalMachine\Root'
     condition: 1 of selection*
 falsepositives:
     - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP

rules/windows/process_access/proc_access_win_hack_sysmonente.yml

@@ -0,0 +1,34 @@
+title: SysmonEnte Usage
+id: d29ada0f-af45-4f27-8f32-f7b77c3dbc4e
+status: experimental
+description: Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon
+author: Florian Roth
+references:
+   - https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html
+   - https://github.com/codewhitesec/SysmonEnte/
+   - https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png
+date: 2022/09/07
+modified: 2022/09/09
+tags:
+   - attack.defense_evasion
+   - attack.t1562.002
+logsource:
+   category: process_access
+   product: windows
+detection:
+   selection_1:
+      TargetImage: 'C:\Windows\Sysmon64.exe'
+      GrantedAccess: '0x1400'
+   filter_1:
+      SourceImage|startswith:
+         - 'C:\Program Files'
+         - 'C:\Windows\System32\'
+   filter_msdefender:
+      SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
+      SourceImage|endswith: '\MsMpEng.exe'
+   selection_calltrace:
+      CallTrace: 'Ente'
+   condition: ( selection_1 and not 1 of filter_* ) or selection_calltrace
+falsepositives:
+   - Unknown
+level: high

rules/windows/process_creation/proc_creation_win_apt_cloudhopper.yml

@@ -1,29 +1,31 @@
 title: WMIExec VBS Script
 id: 966e4016-627f-44f7-8341-f394905c361f
 status: test
-description: Detects suspicious file execution by wscript and cscript
+description: Detects wmiexec vbs version execution by wscript or cscript
 author: Florian Roth
 references:
-  - https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+    - https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
 date: 2017/04/07
-modified: 2021/11/27
+modified: 2022/09/08
 logsource:
-  category: process_creation
-  product: windows
+    category: process_creation
+    product: windows
 detection:
-  selection:
-    Image|endswith: '\cscript.exe'
-    CommandLine|contains|all:
-      - '.vbs'
-      - '/shell'
-  condition: selection
+    selection:
+        Image|endswith:
+            - '\cscript.exe'
+            - '\wscript.exe'
+        CommandLine|contains|all:
+            - '.vbs'
+            - '/shell'
+    condition: selection
 fields:
-  - CommandLine
-  - ParentCommandLine
+    - CommandLine
+    - ParentCommandLine
 falsepositives:
-  - Unlikely
+    - Unlikely
 level: high
 tags:
-  - attack.execution
-  - attack.g0045
-  - attack.t1059.005
+    - attack.execution
+    - attack.g0045
+    - attack.t1059.005

rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml

@@ -4,25 +4,25 @@ status: test
 description: Detects Hurricane Panda Activity
 author: Florian Roth
 references:
-  - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
+    - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
 date: 2019/03/04
 modified: 2021/11/27
 logsource:
-  category: process_creation
-  product: windows
+    category: process_creation
+    product: windows
 detection:
-  selection:
-    - CommandLine|contains|all:
-      - 'localgroup'
-      - 'admin'
-      - '/add'
-    - CommandLine|contains:
-      - '\Win64.exe'
-  condition: selection
+    selection:
+        - CommandLine|contains|all:
+            - 'localgroup'
+            - 'admin'
+            - '/add'
+        - CommandLine|contains:
+            - '\Win64.exe'
+    condition: selection
 falsepositives:
-  - Unknown
+    - Unknown
 level: high
 tags:
-  - attack.privilege_escalation
-  - attack.g0009
-  - attack.t1068
+    - attack.privilege_escalation
+    - attack.g0009
+    - attack.t1068

rules/windows/process_creation/proc_creation_win_apt_mercury.yml

@@ -6,10 +6,12 @@ references:
     - https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
 author: Florian Roth
 date: 2022/08/26
+modified: 2022/09/12
 logsource:
     category: process_creation
     product: windows
 tags:
+    - attack.execution
     - attack.t1059.001
     - attack.g0069
 detection:

rules/windows/process_creation/proc_creation_win_apt_wocao.yml

@@ -10,7 +10,7 @@ references:
     - https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
     - https://twitter.com/SBousseaden/status/1207671369963646976
 tags:
-    - attack.discovery 
+    - attack.discovery
     - attack.t1012
     - attack.defense_evasion
     - attack.t1036.004
@@ -25,7 +25,7 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine|contains: 
+        CommandLine|contains:
             - 'checkadmin.exe 127.0.0.1 -all'
             - 'netsh advfirewall firewall add rule name=powershell dir=in'
             - 'cmd /c powershell.exe -ep bypass -file c:\s.ps1'
@@ -39,4 +39,4 @@ detection:
     condition: selection
 falsepositives:
     - Administrators that use checkadmin.exe tool to enumerate local administrators
-level: high
+level: high

rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml

@@ -7,7 +7,7 @@ related:
 description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.'
 author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard
 date: 2020/10/23
-modified: 2021/09/01
+modified: 2022/09/07
 references:
     - https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/
     - https://www.cobaltstrike.com/help-opsec
@@ -25,19 +25,19 @@ logsource:
 detection:
     selection1:
         Image|endswith: '\WerFault.exe'
-        CommandLine|endswith: '\WerFault.exe'
+        CommandLine|endswith: 'WerFault.exe'
     selection2:
         Image|endswith: '\rundll32.exe'
-        CommandLine|endswith: '\rundll32.exe'
+        CommandLine|endswith: 'rundll32.exe'
     selection3:
         Image|endswith: '\regsvcs.exe'
-        CommandLine|endswith: '\regsvcs.exe'
+        CommandLine|endswith: 'regsvcs.exe'
     selection4:
         Image|endswith: '\regasm.exe'
-        CommandLine|endswith: '\regasm.exe'
+        CommandLine|endswith: 'regasm.exe'
     selection5:
         Image|endswith: '\regsvr32.exe'
-        CommandLine|endswith: '\regsvr32.exe'
+        CommandLine|endswith: 'regsvr32.exe'
     condition: 1 of selection*
 fields:
     - ParentImage

rules/windows/process_creation/proc_creation_win_base64_invoke_susp_cmdlets.yml

@@ -4,8 +4,8 @@ status: test
 description: Detects base64 encoded powershell cmdlet invocation of known suspicious cmdlets
 author: pH-T
 related:
-  - id: 6385697e-9f1b-40bd-8817-f4a91f40508e
-    type: similar
+    - id: 6385697e-9f1b-40bd-8817-f4a91f40508e
+      type: similar
 date: 2022/05/31
 tags:
     - attack.execution
@@ -15,26 +15,26 @@ tags:
 references:
     - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
 logsource:
-  category: process_creation
-  product: windows
+    category: process_creation
+    product: windows
 detection:
-  selection:
-    CommandLine|contains:
-      # Invoke-BloodHound
-      - 'SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA'
-      - 'kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA'
-      - 'JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA'
-      # Invoke-Mimikatz
-      - 'SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA'
-      - 'kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A'
-      - 'JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg'
-      # Invoke-WMIExec
-      - 'SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA'
-      - 'kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw'
-      - 'JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA'
-  condition: selection
+    selection:
+        CommandLine|contains:
+            # Invoke-BloodHound
+            - 'SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA'
+            - 'kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA'
+            - 'JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA'
+            # Invoke-Mimikatz
+            - 'SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA'
+            - 'kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A'
+            - 'JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg'
+            # Invoke-WMIExec
+            - 'SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA'
+            - 'kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw'
+            - 'JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA'
+    condition: selection
 fields:
-  - CommandLine
+    - CommandLine
 falsepositives:
-  - Unlikely
-level: high
+    - Unlikely
+level: high

rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml

@@ -1,40 +1,45 @@
 title: Mavinject Inject DLL Into Running Process
 id: 4f73421b-5a0b-4bbf-a892-5a7fb99bea66
+related:
+    - id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
+      type: obsoletes
 status: experimental
-author: frack113
+author: frack113, Florian Roth
 date: 2021/07/12
-modified: 2022/07/11
-description: Injects arbitrary DLL into running process specified by process ID. Requires Windows 10.
+modified: 2022/09/07
+description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag or a renamed execution of the tool
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md
     - https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e
+    - https://twitter.com/gN3mes1s/status/941315826107510784
+    - https://reaqta.com/2017/12/mavinject-microsoft-injector/
+    - https://twitter.com/Hexacorn/status/776122138063409152  # Deleted tweet
 tags:
     - attack.defense_evasion
-    - attack.collection
+    - attack.privilege_escalation
+    - attack.t1055.001
     - attack.t1218.013
-    - attack.t1056.004
 logsource:
     category: process_creation
     product: windows
 detection:
-    selection_cli:
-        CommandLine|contains|all:
-            - ' /INJECTRUNNING'
-            - '.dll' # space some time in the end
-    selection_img:
-        - OriginalFileName:
+    selection_flag:
+        CommandLine|contains: ' /INJECTRUNNING '
+    selection_renamed:
+        OriginalFileName:
             - 'mavinject32.exe'
             - 'mavinject64.exe'
-        - Image|endswith:  # Event 4688 doesn't have the OriginalFileName field
+    filter_renamed:
+        Image|endswith:
             - '\mavinject32.exe'
             - '\mavinject64.exe'
-    condition: all of selection_*
+    condition: selection_flag or (selection_renamed and not filter_renamed)
 fields:
     - ComputerName
     - User
     - CommandLine
     - ParentCommandLine
 falsepositives:
-    - Unknown
-level: medium
+    - Unlikely
+level: high

rules/windows/process_creation/proc_creation_win_email_exfil_via_powershell.yml

@@ -0,0 +1,30 @@
+title: Email Exifiltration Via Powershell
+id: 312d0384-401c-4b8b-abdf-685ffba9a332
+status: experimental
+description: Detects email exfiltration via powershell cmdlets
+author: Nasreddine Bencherchali (rule),  Azure-Sentinel (idea)
+references:
+    - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
+    - https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml
+date: 2022/09/09
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith:
+            - '\powershell.exe'
+            - '\pwsh.exe'
+        CommandLine|contains|all:
+            - 'Add-PSSnapin'
+            - 'Get-Recipient'
+            - '-ExpandProperty'
+            - 'EmailAddresses'
+            - 'SmtpAddress'
+            - '-hidetableheaders'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
+tags:
+    - attack.exfiltration

rules/windows/process_creation/proc_creation_win_hacktool_imphashes.yml

@@ -4,183 +4,189 @@ description: Detects the use of Windows hacktools based on their import hash (im
 status: experimental
 author: Florian Roth
 references:
-    - Internal Research
+   - Internal Research
 date: 2022/03/04
-modified: 2022/08/20
+modified: 2022/09/07
 logsource:
-    category: process_creation
-    product: windows
+   category: process_creation
+   product: windows
 detection:
-    selection:
-        - Imphash:
-            - bcca3c247b619dcd13c8cdff5f123932 # PetitPotam
-            - 3a19059bd7688cb88e70005f18efc439 # PetitPotam
-            - bf6223a49e45d99094406777eb6004ba # PetitPotam
-            - 0c106686a31bfe2ba931ae1cf6e9dbc6 # Mimikatz
-            - 0d1447d4b3259b3c2a1d4cfb7ece13c3 # Mimikatz
-            - 1b0369a1e06271833f78ffa70ffb4eaf # Mimikatz
-            - 4c1b52a19748428e51b14c278d0f58e3 # Mimikatz
-            - 4d927a711f77d62cebd4f322cb57ec6f # Mimikatz
-            - 66ee036df5fc1004d9ed5e9a94a1086a # Mimikatz
-            - 672b13f4a0b6f27d29065123fe882dfc # Mimikatz
-            - 6bbd59cea665c4afcc2814c1327ec91f # Mimikatz
-            - 725bb81dc24214f6ecacc0cfb36ad30d # Mimikatz
-            - 9528a0e91e28fbb88ad433feabca2456 # Mimikatz
-            - 9da6d5d77be11712527dcab86df449a3 # Mimikatz
-            - a6e01bc1ab89f8d91d9eab72032aae88 # Mimikatz
-            - b24c5eddaea4fe50c6a96a2a133521e4 # Mimikatz
-            - d21bbc50dcc169d7b4d0f01962793154 # Mimikatz
-            - fcc251cceae90d22c392215cc9a2d5d6 # Mimikatz
-            - 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato 
-            - a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato 
-            - 6118619783fc175bc7ebecff0769b46e # RoguePotato
-            - 959a83047e80ab68b368fdb3f4c6e4ea # RoguePotato
-            - 563233bfa169acc7892451f71ad5850a # RoguePotato
-            - 87575cb7a0e0700eb37f2e3668671a08 # RoguePotato
-            - 13f08707f759af6003837a150a371ba1 # Pwdump
-            - 1781f06048a7e58b323f0b9259be798b # Pwdump
-            - 233f85f2d4bc9d6521a6caae11a1e7f5 # Pwdump
-            - 24af2584cbf4d60bbe5c6d1b31b3be6d # Pwdump
-            - 632969ddf6dbf4e0f53424b75e4b91f2 # Pwdump
-            - 713c29b396b907ed71a72482759ed757 # Pwdump
-            - 749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump
-            - 8628b2608957a6b0c6330ac3de28ce2e # Pwdump
-            - 8b114550386e31895dfab371e741123d # Pwdump
-            - 94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX
-            - 9d68781980370e00e0bd939ee5e6c141 # Pwdump
-            - b18a1401ff8f444056d29450fbc0a6ce # Pwdump
-            - cb567f9498452721d77a451374955f5f # Pwdump
-            - 730073214094cd328547bf1f72289752 # Htran
-            - 17b461a082950fc6332228572138b80c # Cobalt Strike beacons
-            - dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons
-            - 819b19d53ca6736448f9325a85736792 # Cobalt Strike beacons
-            - 829da329ce140d873b4a8bde2cbfaa7e # Cobalt Strike beacons
-            - c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump
-            - 0588081ab0e63ba785938467e1b10cca # PPLDump
-            - 0d9ec08bac6c07d9987dfd0f1506587c # NanoDump
-            - bc129092b71c89b4d4c8cdf8ea590b29 # NanoDump
-            - 4da924cf622d039d58bce71cdf05d242 # NanoDump
-            - e7a3a5c377e2d29324093377d7db1c66 # NanoDump
-            - 9a9dbec5c62f0380b4fa5fd31deffedf # NanoDump
-            - af8a3976ad71e5d5fdfb67ddb8dadfce # NanoDump
-            - 0c477898bbf137bbd6f2a54e3b805ff4 # NanoDump
-            - 0ca9f02b537bcea20d4ea5eb1a9fe338 # NanoDump
-            - 3ab3655e5a14d4eefc547f4781bf7f9e # NanoDump
-            - e6f9d5152da699934b30daab206471f6 # NanoDump
-            - 3ad59991ccf1d67339b319b15a41b35d # NanoDump
-            - ffdd59e0318b85a3e480874d9796d872 # NanoDump
-            - 0cf479628d7cc1ea25ec7998a92f5051 # NanoDump
-            - 07a2d4dcbd6cb2c6a45e6b101f0b6d51 # NanoDump
-            - d6d0f80386e1380d05cb78e871bc72b1 # NanoDump
-            - 38d9e015591bbfd4929e0d0f47fa0055 # HandleKatz
-            - 0e2216679ca6e1094d63322e3412d650 # HandleKatz
-            - ada161bf41b8e5e9132858cb54cab5fb # DripLoader
-            - 2a1bc4913cd5ecb0434df07cb675b798 # DripLoader
-            - 11083e75553baae21dc89ce8f9a195e4 # DripLoader
-            - a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader
-            - 4a07f944a83e8a7c2525efa35dd30e2f # CreateMiniDump
-            - 767637c23bb42cd5d7397cf58b0be688 # UACMe Akagi
-            - 14c4e4c72ba075e9069ee67f39188ad8 # UACMe Akagi
-            - 3c782813d4afce07bbfc5a9772acdbdc # UACMe Akagi
-            - 7d010c6bb6a3726f327f7e239166d127 # UACMe Akagi
-            - 89159ba4dd04e4ce5559f132a9964eb3 # UACMe Akagi
-            - 6f33f4a5fc42b8cec7314947bd13f30f # UACMe Akagi
-            - 5834ed4291bdeb928270428ebbaf7604 # UACMe Akagi
-            - 5a8a8a43f25485e7ee1b201edcbc7a38 # UACMe Akagi
-            - dc7d30b90b2d8abf664fbed2b1b59894 # UACMe Akagi
-            - 41923ea1f824fe63ea5beb84db7a3e74 # UACMe Akagi
-            - 3de09703c8e79ed2ca3f01074719906b # UACMe Akagi
-            - a53a02b997935fd8eedcb5f7abab9b9f # WCE
-            - e96a73c7bf33a464c510ede582318bf2 # WCE
-            - 32089b8851bbf8bc2d014e9f37288c83 # Sliver Stagers
-            - 09D278F9DE118EF09163C6140255C690 # Dumpert
-            - 03866661686829d806989e2fc5a72606 # Dumpert
-            - e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
-        - Hashes|contains:  # Sysmon field hashes contains all types
-            - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
-            - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
-            - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
-            - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz
-            - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz
-            - IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz
-            - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz
-            - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz
-            - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz
-            - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz
-            - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz
-            - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz
-            - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz
-            - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz
-            - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz
-            - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz
-            - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz
-            - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz
-            - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato 
-            - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato 
-            - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
-            - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
-            - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
-            - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
-            - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
-            - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
-            - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
-            - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
-            - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
-            - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
-            - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
-            - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
-            - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
-            - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
-            - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
-            - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
-            - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
-            - IMPHASH=730073214094CD328547BF1F72289752 # Htran
-            - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
-            - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
-            - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
-            - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
-            - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
-            - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
-            - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
-            - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
-            - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
-            - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
-            - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
-            - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
-            - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
-            - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
-            - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
-            - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
-            - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
-            - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
-            - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
-            - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
-            - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
-            - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
-            - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
-            - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
-            - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
-            - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
-            - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
-            - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
-            - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
-            - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
-            - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
-            - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
-            - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
-            - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
-            - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
-            - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
-            - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
-            - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
-            - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
-            - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
-            - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
-            - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
-            - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
-            - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
-            - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
-    condition: selection
+   selection:
+      - Imphash:
+         - bcca3c247b619dcd13c8cdff5f123932 # PetitPotam
+         - 3a19059bd7688cb88e70005f18efc439 # PetitPotam
+         - bf6223a49e45d99094406777eb6004ba # PetitPotam
+         - 0c106686a31bfe2ba931ae1cf6e9dbc6 # Mimikatz
+         - 0d1447d4b3259b3c2a1d4cfb7ece13c3 # Mimikatz
+         - 1b0369a1e06271833f78ffa70ffb4eaf # Mimikatz
+         - 4c1b52a19748428e51b14c278d0f58e3 # Mimikatz
+         - 4d927a711f77d62cebd4f322cb57ec6f # Mimikatz
+         - 66ee036df5fc1004d9ed5e9a94a1086a # Mimikatz
+         - 672b13f4a0b6f27d29065123fe882dfc # Mimikatz
+         - 6bbd59cea665c4afcc2814c1327ec91f # Mimikatz
+         - 725bb81dc24214f6ecacc0cfb36ad30d # Mimikatz
+         - 9528a0e91e28fbb88ad433feabca2456 # Mimikatz
+         - 9da6d5d77be11712527dcab86df449a3 # Mimikatz
+         - a6e01bc1ab89f8d91d9eab72032aae88 # Mimikatz
+         - b24c5eddaea4fe50c6a96a2a133521e4 # Mimikatz
+         - d21bbc50dcc169d7b4d0f01962793154 # Mimikatz
+         - fcc251cceae90d22c392215cc9a2d5d6 # Mimikatz
+         - 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato 
+         - a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato 
+         - 6118619783fc175bc7ebecff0769b46e # RoguePotato
+         - 959a83047e80ab68b368fdb3f4c6e4ea # RoguePotato
+         - 563233bfa169acc7892451f71ad5850a # RoguePotato
+         - 87575cb7a0e0700eb37f2e3668671a08 # RoguePotato
+         - 13f08707f759af6003837a150a371ba1 # Pwdump
+         - 1781f06048a7e58b323f0b9259be798b # Pwdump
+         - 233f85f2d4bc9d6521a6caae11a1e7f5 # Pwdump
+         - 24af2584cbf4d60bbe5c6d1b31b3be6d # Pwdump
+         - 632969ddf6dbf4e0f53424b75e4b91f2 # Pwdump
+         - 713c29b396b907ed71a72482759ed757 # Pwdump
+         - 749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump
+         - 8628b2608957a6b0c6330ac3de28ce2e # Pwdump
+         - 8b114550386e31895dfab371e741123d # Pwdump
+         - 94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX
+         - 9d68781980370e00e0bd939ee5e6c141 # Pwdump
+         - b18a1401ff8f444056d29450fbc0a6ce # Pwdump
+         - cb567f9498452721d77a451374955f5f # Pwdump
+         - 730073214094cd328547bf1f72289752 # Htran
+         - 17b461a082950fc6332228572138b80c # Cobalt Strike beacons
+         - dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons
+         - 819b19d53ca6736448f9325a85736792 # Cobalt Strike beacons
+         - 829da329ce140d873b4a8bde2cbfaa7e # Cobalt Strike beacons
+         - c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump
+         - 0588081ab0e63ba785938467e1b10cca # PPLDump
+         - 0d9ec08bac6c07d9987dfd0f1506587c # NanoDump
+         - bc129092b71c89b4d4c8cdf8ea590b29 # NanoDump
+         - 4da924cf622d039d58bce71cdf05d242 # NanoDump
+         - e7a3a5c377e2d29324093377d7db1c66 # NanoDump
+         - 9a9dbec5c62f0380b4fa5fd31deffedf # NanoDump
+         - af8a3976ad71e5d5fdfb67ddb8dadfce # NanoDump
+         - 0c477898bbf137bbd6f2a54e3b805ff4 # NanoDump
+         - 0ca9f02b537bcea20d4ea5eb1a9fe338 # NanoDump
+         - 3ab3655e5a14d4eefc547f4781bf7f9e # NanoDump
+         - e6f9d5152da699934b30daab206471f6 # NanoDump
+         - 3ad59991ccf1d67339b319b15a41b35d # NanoDump
+         - ffdd59e0318b85a3e480874d9796d872 # NanoDump
+         - 0cf479628d7cc1ea25ec7998a92f5051 # NanoDump
+         - 07a2d4dcbd6cb2c6a45e6b101f0b6d51 # NanoDump
+         - d6d0f80386e1380d05cb78e871bc72b1 # NanoDump
+         - 38d9e015591bbfd4929e0d0f47fa0055 # HandleKatz
+         - 0e2216679ca6e1094d63322e3412d650 # HandleKatz
+         - ada161bf41b8e5e9132858cb54cab5fb # DripLoader
+         - 2a1bc4913cd5ecb0434df07cb675b798 # DripLoader
+         - 11083e75553baae21dc89ce8f9a195e4 # DripLoader
+         - a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader
+         - 4a07f944a83e8a7c2525efa35dd30e2f # CreateMiniDump
+         - 767637c23bb42cd5d7397cf58b0be688 # UACMe Akagi
+         - 14c4e4c72ba075e9069ee67f39188ad8 # UACMe Akagi
+         - 3c782813d4afce07bbfc5a9772acdbdc # UACMe Akagi
+         - 7d010c6bb6a3726f327f7e239166d127 # UACMe Akagi
+         - 89159ba4dd04e4ce5559f132a9964eb3 # UACMe Akagi
+         - 6f33f4a5fc42b8cec7314947bd13f30f # UACMe Akagi
+         - 5834ed4291bdeb928270428ebbaf7604 # UACMe Akagi
+         - 5a8a8a43f25485e7ee1b201edcbc7a38 # UACMe Akagi
+         - dc7d30b90b2d8abf664fbed2b1b59894 # UACMe Akagi
+         - 41923ea1f824fe63ea5beb84db7a3e74 # UACMe Akagi
+         - 3de09703c8e79ed2ca3f01074719906b # UACMe Akagi
+         - a53a02b997935fd8eedcb5f7abab9b9f # WCE
+         - e96a73c7bf33a464c510ede582318bf2 # WCE
+         - 32089b8851bbf8bc2d014e9f37288c83 # Sliver Stagers
+         - 09D278F9DE118EF09163C6140255C690 # Dumpert
+         - 03866661686829d806989e2fc5a72606 # Dumpert
+         - e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
+         - 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
+         - 19584675d94829987952432e018d5056 # SysmonQuiet
+         - 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook
+      - Hashes|contains:  # Sysmon field hashes contains all types
+         - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
+         - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
+         - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
+         - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz
+         - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz
+         - IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz
+         - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz
+         - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz
+         - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz
+         - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz
+         - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz
+         - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz
+         - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz
+         - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz
+         - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz
+         - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz
+         - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz
+         - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz
+         - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato 
+         - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato 
+         - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
+         - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
+         - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
+         - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
+         - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
+         - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
+         - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
+         - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
+         - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
+         - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
+         - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
+         - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
+         - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
+         - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
+         - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
+         - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
+         - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
+         - IMPHASH=730073214094CD328547BF1F72289752 # Htran
+         - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
+         - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
+         - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
+         - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
+         - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
+         - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
+         - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
+         - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
+         - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
+         - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
+         - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
+         - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
+         - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
+         - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
+         - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
+         - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
+         - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
+         - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
+         - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
+         - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
+         - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
+         - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
+         - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
+         - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
+         - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
+         - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
+         - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
+         - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
+         - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
+         - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
+         - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
+         - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
+         - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
+         - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
+         - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
+         - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
+         - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
+         - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
+         - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
+         - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
+         - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
+         - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
+         - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
+         - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
+         - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
+         - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
+         - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
+         - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
+   condition: selection
 falsepositives:
-    - Legitimate use of one of these tools
-level: high
+   - Legitimate use of one of these tools
+level: high

rules/windows/process_creation/proc_creation_win_import_cert_susp_locations.yml

@@ -0,0 +1,32 @@
+title: Root Certificate Installed From Susp Locations
+id: 5f6a601c-2ecb-498b-9c33-660362323afa
+status: experimental
+description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
+references:
+    - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
+    - https://docs.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps
+author: Nasreddine Bencherchali
+date: 2022/09/09
+tags:
+    - attack.defense_evasion
+    - attack.t1553.004
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains|all:
+            - 'Import-Certificate'
+            - ' -File-Path '
+            - 'Cert:\LocalMachine\Root'
+        CommandLine|contains:
+            - '\AppData\Local\Temp\'
+            - 'C:\Windows\TEMP\'
+            - '\Desktop\'
+            - '\Downloads\'
+            - '\Perflogs\'
+            - 'C:\Users\Public\'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high

rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml

@@ -0,0 +1,70 @@
+title: Accessing WinAPI Via CommandLine
+id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702
+related:
+    - id: 03d83090-8cba-44a0-b02f-0b756a050306
+      type: derived
+status: experimental
+description: Detects the use of WinAPI Functions via the commandline as seen used by threat actors via the tool winapiexec
+author: Nasreddine Bencherchali
+date: 2022/09/06
+references:
+    - https://twitter.com/m417z/status/1566674631788007425
+tags:
+    - attack.execution
+    - attack.t1106
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains:
+            - ' WaitForSingleObject '
+            - ' QueueUserApc '
+            - ' RtlCreateUserThread '
+            - ' OpenProcess '
+            - ' VirtualAlloc '
+            - ' VirtualFree '
+            - ' WriteProcessMemory '
+            - ' CreateUserThread '
+            - ' CloseHandle '
+            - ' GetDelegateForFunctionPointer '
+            - ' CreateThread '
+            - ' memcpy '
+            - ' LoadLibrary '
+            - ' GetModuleHandle '
+            - ' GetProcAddress '
+            - ' VirtualProtect '
+            - ' FreeLibrary '
+            - ' ReadProcessMemory '
+            - ' CreateRemoteThread '
+            - ' AdjustTokenPrivileges '
+            - ' WriteInt32 '
+            - ' OpenThreadToken '
+            - ' PtrToString '
+            - ' FreeHGlobal '
+            - ' ZeroFreeGlobalAllocUnicode '
+            - ' OpenProcessToken '
+            - ' GetTokenInformation '
+            - ' SetThreadToken '
+            - ' ImpersonateLoggedOnUser '
+            - ' RevertToSelf '
+            - ' GetLogonSessionData '
+            - ' CreateProcessWithToken '
+            - ' DuplicateTokenEx '
+            - ' OpenWindowStation '
+            - ' OpenDesktop '
+            - ' MiniDumpWriteDump '
+            - ' AddSecurityPackage '
+            - ' EnumerateSecurityPackages '
+            - ' GetProcessHandle '
+            - ' DangerousGetHandle '
+            - ' kernel32 '
+            - ' Advapi32 '
+            - ' msvcrt '
+            - ' ntdll '
+            - ' user32 '  # FP with chocolatey
+            - ' secur32 '
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml

@@ -1,27 +1,31 @@
 title: Hermetic Wiper TG Process Patterns
 id: 2f974656-6d83-4059-bbdf-68ac5403422f
 status: experimental
-description: This rule detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022
+description: Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022
 author: Florian Roth
 references:
-   - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
+    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
 date: 2022/02/25
-modified: 2022/08/13
+modified: 2022/09/09
+tags:
+    - attack.execution
+    - attack.lateral_movement
+    - attack.t1021.001
 logsource:
-   category: process_creation
-   product: windows
+    category: process_creation
+    product: windows
 detection:
-   selection1:
-      Image|endswith: '\policydefinitions\postgresql.exe'
-   selection2:
-      - CommandLine|contains:
-         - 'CSIDL_SYSTEM_DRIVE\temp\sys.tmp'
-         - ' 1> \\\\127.0.0.1\ADMIN$\__16'
-      - CommandLine|contains|all:
-         - 'powershell -c '
-         - '\comsvcs.dll MiniDump '
-         - '\winupd.log full'
-   condition: 1 of selection*
+    selection1:
+        Image|endswith: '\policydefinitions\postgresql.exe'
+    selection2:
+        - CommandLine|contains:
+            - 'CSIDL_SYSTEM_DRIVE\temp\sys.tmp'
+            - ' 1> \\\\127.0.0.1\ADMIN$\__16'
+        - CommandLine|contains|all:
+            - 'powershell -c '
+            - '\comsvcs.dll MiniDump '
+            - '\winupd.log full'
+    condition: 1 of selection*
 falsepositives:
-   - Unknown
+    - Unknown
 level: high

rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml

@@ -3,7 +3,7 @@ id: f57f8d16-1f39-4dcb-a604-6c73d9b54b3d
 description: Detects a command that accesses password storing registry hives via volume shadow backups
 author: Max Altgelt, Tobias Michalski
 date: 2021/08/09
-modified: 2022/08/13
+modified: 2022/09/09
 status: experimental
 references:
     - https://twitter.com/vxunderground/status/1423336151860002816?s=20
@@ -25,7 +25,7 @@ detection:
     condition: all of selection*
 falsepositives:
     - Some rare backup scenarios
-level: medium
+level: high
 tags:
     - attack.impact
-    - attack.t1490
+    - attack.t1490

rules/windows/process_creation/proc_creation_win_malware_notpetya.yml

@@ -4,36 +4,36 @@ status: test
 description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil
 author: Florian Roth, Tom Ueltschi
 references:
-  - https://securelist.com/schroedingers-petya/78870/
-  - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
+    - https://securelist.com/schroedingers-petya/78870/
+    - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
 date: 2019/01/16
 modified: 2022/03/05
 logsource:
-  category: process_creation
-  product: windows
+    category: process_creation
+    product: windows
 detection:
-  select_pipe_com:
-    CommandLine|contains|all:
-      - '\AppData\Local\Temp\'
-      - '\\\\.\\pipe\\'
-  select_rundll32_dash1:
-    Image|endswith: '\rundll32.exe'
-    CommandLine|endswith: 
-      - '.dat,#1'
-      - '.dat #1' # Sysmon removes comma
-  select_perfc_keyword:
-    - '\perfc.dat'
-  condition: 1 of select*
+    select_pipe_com:
+        CommandLine|contains|all:
+            - '\AppData\Local\Temp\'
+            - '\\\\.\\pipe\\'
+    select_rundll32_dash1:
+        Image|endswith: '\rundll32.exe'
+        CommandLine|endswith:
+            - '.dat,#1'
+            - '.dat #1' # Sysmon removes comma
+    select_perfc_keyword:
+        - '\perfc.dat'
+    condition: 1 of select*
 fields:
-  - CommandLine
-  - ParentCommandLine
+    - CommandLine
+    - ParentCommandLine
 falsepositives:
-  - Admin activity
+    - Admin activity
 level: critical
 tags:
-  - attack.defense_evasion
-  - attack.t1218.011
-  - attack.t1070.001
-  - attack.credential_access
-  - attack.t1003.001
-  - car.2016-04-002
+    - attack.defense_evasion
+    - attack.t1218.011
+    - attack.t1070.001
+    - attack.credential_access
+    - attack.t1003.001
+    - car.2016-04-002

rules/windows/process_creation/proc_creation_win_mavinject_proc_inj.yml

@@ -1,24 +0,0 @@
-title: MavInject Process Injection
-id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
-status: stable
-description: Detects process injection using the signed Windows tool Mavinject32.exe
-author: Florian Roth
-references:
-  - https://twitter.com/gN3mes1s/status/941315826107510784
-  - https://reaqta.com/2017/12/mavinject-microsoft-injector/
-  - https://twitter.com/Hexacorn/status/776122138063409152
-date: 2018/12/12
-modified: 2021/11/27
-logsource:
-  category: process_creation
-  product: windows
-detection:
-  selection:
-    CommandLine|contains: ' /INJECTRUNNING '
-  condition: selection
-falsepositives:
-  - Unknown
-level: high
-tags:
-  - attack.t1055.001
-  - attack.t1218

rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml

@@ -6,7 +6,9 @@ author: Nasreddine Bencherchali
 references:
     - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html
     - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
+    - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
 date: 2022/09/01
+modified: 2022/09/09
 logsource:
     category: process_creation
     product: windows
@@ -28,6 +30,7 @@ detection:
             - ' Administratör ' # Swedish
             - ' Administrator ' # English
             - ' guest '
+            - ' DefaultAccount '
             # The cases below are for when an attacker requests the net command via 'cmd /c....'
             # First in double quotes
             - ' "Järjestelmänvalvoja" ' # Finish
@@ -38,6 +41,7 @@ detection:
             - ' "Administratör" ' # Swedish
             - ' "Administrator" ' # English
             - ' "guest" '
+            - ' "DefaultAccount" '
             # Second in single quotes
             - " 'Järjestelmänvalvoja' " # Finish
             - " 'Rendszergazda' " # Hungarian
@@ -47,6 +51,7 @@ detection:
             - " 'Administratör' " # Swedish
             - " 'Administrator' " # English
             - " 'guest' "
+            - " 'DefaultAccount' "
     filter:
         CommandLine|contains|all:
             - 'guest'

rules/windows/process_creation/proc_creation_win_net_recon.yml

@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE
 author: Florian Roth, omkar72, @svch0st, Nasreddine Bencherchali
 date: 2019/01/16
-modified: 2022/09/02
+modified: 2022/09/09
 references:
     - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
     - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
@@ -33,11 +33,13 @@ detection:
         CommandLine|contains:
             # Add more groups for other languages
             - 'domain admins'
-            - ' administrators'
-            - ' administrateurs'
+            - ' administrator' # Typo without an 'S' so we catch both
+            - ' administrateur' # Typo without an 'S' so we catch both
             - 'enterprise admins'
             - 'Exchange Trusted Subsystem'
             - 'Remote Desktop Users'
+            - 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
+            - 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
             - ' /do' # short for domain
     # Covers 'accounts' flag
     selection_accounts_root:

rules/windows/process_creation/proc_creation_win_netsh_allow_port_rdp.yml

@@ -13,16 +13,16 @@ logsource:
 detection:
     selection1:
         CommandLine|contains|all:
-            - netsh
-            - firewall add portopening
-            - tcp 3389
+            - 'netsh'
+            - 'firewall add portopening'
+            - 'tcp 3389'
     selection2:
         CommandLine|contains|all:
-            - netsh
-            - advfirewall firewall add rule
-            - action=allow
-            - protocol=TCP
-            - localport=3389
+            - 'netsh'
+            - 'advfirewall firewall add rule'
+            - 'action=allow'
+            - 'protocol=TCP'
+            - 'localport=3389'
     condition: 1 of selection*
 falsepositives:
     - Legitimate administration

rules/windows/process_creation/proc_creation_win_node_abuse.yml

@@ -0,0 +1,34 @@
+title: Node.exe Process Abuse
+id: 6640f31c-01ad-49b5-beb5-83498a5cd8bd
+status: experimental
+description: Detects the execution node.exe which is shipped with multiple softwares such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
+references:
+    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
+    - https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return
+    - https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/
+    - https://nodejs.org/api/cli.html
+author: Nasreddine Bencherchali
+date: 2022/09/09
+tags:
+    - attack.defense_evasion
+    - attack.t1127
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\node.exe'
+        CommandLine|contains:
+            - ' -e '
+            - ' --eval '
+    # Add more pattern of abuse as actions
+    action_reverse_shell:
+        CommandLine|contains|all:
+            - '.exec('
+            - 'net.socket'
+            - '.connect'
+            - 'child_process'
+    condition: selection and 1 of action_*
+falsepositives:
+    - Unlikely
+level: high

rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml

@@ -0,0 +1,29 @@
+title: Nslookup PowerShell Download
+id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23
+status: experimental
+description: Detects usage of powershell in conjunction with nslookup as a mean of download.
+author: Nasreddine Bencherchali
+references:
+    - https://twitter.com/Alh4zr3d/status/1566489367232651264
+date: 2022/09/05
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_cli:
+        CommandLine|contains|all:
+            - 'powershell .'
+            - 'nslookup'
+            - ' -q=txt '
+    selection_img:
+        ParentImage|endswith: '\powershell.exe'
+        Image|contains: '\nslookup.exe'
+        CommandLine|contains:
+            - ' -q=txt '
+            - ' -querytype=txt '
+    condition: 1 of selection_*
+falsepositives:
+    - Unlikely
+level: high
+tags:
+    - attack.defense_evasion

rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml

@@ -0,0 +1,22 @@
+title: Nslookup PwSh Download Cradle
+id: 72671447-4352-4413-bb91-b85569687135
+status: experimental
+description: This rule tries to detect powershell download cradles, e.g. powershell . (nslookup -q=txt http://some.owned.domain.com)[-1]
+author: Zach Mathis (@yamatosecurity)
+date: 2022/09/06
+tags:
+    - attack.command_and_control
+    - attack.t1105
+    - attack.t1071.004
+references:
+    - https://twitter.com/alh4zr3d/status/1566489367232651264
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage|endswith: '\powershell.exe'
+        Image|contains: nslookup
+        CommandLine|contains: '=txt '
+    condition: selection
+level: medium

rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml

@@ -11,7 +11,7 @@ references:
     - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
     - https://twitter.com/frack113/status/1555830623633375232
 date: 2022/08/07
-modified: 2022/08/12
+modified: 2022/09/12
 logsource:
     category: process_creation
     product: windows
@@ -27,6 +27,7 @@ detection:
         - ParentImage|endswith:
             - '\WebEx\WebexHost.exe'
             - '\thor\thor64.exe'
+            - '\veam.backup.shell.exe'
     condition: selection and not filter
 falsepositives:
     - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.

rules/windows/process_creation/proc_creation_win_quarks_pwdump.yml

@@ -0,0 +1,32 @@
+title: Quarks PwDump Usage
+id: 0685b176-c816-4837-8e7b-1216f346636b
+status: experimental
+description: Detects usage of the Quarks PwDump tool via commandline arguments
+author: Nasreddine Bencherchali
+references:
+    - https://github.com/quarkslab/quarkspwdump
+    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east
+date: 2022/09/05
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        Image|endswith: '\QuarksPwDump.exe'
+    selection_cli:
+        CommandLine:
+            - ' -dhl'
+            - ' --dump-hash-local'
+            - ' -dhdc'
+            - ' --dump-hash-domain-cached'
+            - ' --dump-bitlocker'
+            - ' -dhd '
+            - ' --dump-hash-domain '
+            - '--ntds-file'
+    condition: 1 of selection_*
+falsepositives:
+    - Unlikely
+level: high
+tags:
+    - attack.credential_access
+    - attack.t1003.002

rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml

@@ -1,21 +1,23 @@
 title: Suspicious Redirection to Local Admin Share
 id: ab9e3b40-0c85-4ba1-aede-455d226fd124
 status: experimental
-description: Detects a suspicious output redirection to the local admins share as often found in malicious scripts or hacktool stagers
+description: Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers
 author: Florian Roth
 date: 2022/01/16
-modified: 2022/02/01
+modified: 2022/09/09
 references:
     - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
+    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
 logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
-        CommandLine|contains: 
-            - '> \\\\127.0.0.1\\admin$'
-            - '> \\\\localhost\\admin$'
-    condition: selection
+    selection_redirect:
+        CommandLine|contains: '>'
+    selection_share:
+            - '\\\\127.0.0.1\\admin$\\'
+            - '\\\\localhost\\admin$\\'
+    condition: all of selection_*
 falsepositives:
     - Unknown
 level: high

rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml

@@ -6,7 +6,7 @@ author: '@Kostastsale, @TheDFIRReport, slightly modified by pH-T'
 references:
     - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
 date: 2022/02/12
-modified: 2022/08/06
+modified: 2022/09/09
 logsource:
     product: windows
     category: process_creation
@@ -15,7 +15,7 @@ detection:
         Image|endswith: '\reg.exe'
         CommandLine|contains|all:
             - ' add '
-            - '\SYSTEM\CurrentControlSet\Control\Terminal Server'
+            - '\CurrentControlSet\Control\Terminal Server'
             - 'REG_DWORD'
             - ' /f'
     selection_values_1:
@@ -34,6 +34,7 @@ detection:
             - 'TSAdvertise'
             - 'AllowTSConnections'
             - 'fSingleSessionPerUser'
+            - 'fDenyTSConnections'
     condition: selection_cli and 1 of selection_values_*
 falsepositives:
     - Unknown

rules/windows/process_creation/proc_creation_win_renamed_sdelete.yml

@@ -0,0 +1,31 @@
+title: Renamed Sysinternals Sdelete Usage
+id: c1d867fe-8d95-4487-aab4-e53f2d339f90
+description: Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)
+status: experimental
+author: Florian Roth
+date: 2022/09/06
+references:
+   - https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
+   - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
+tags:
+   - attack.impact
+   - attack.t1485
+logsource:
+   category: process_creation
+   product: windows
+detection:
+   selection:
+      OriginalFileName: 'sdelete.exe'
+   filter:
+      Image|endswith: 
+            - '\sdelete.exe'
+            - '\sdelete64.exe'
+   condition: selection and not filter
+fields:
+   - ComputerName
+   - User
+   - CommandLine
+   - ParentCommandLine
+falsepositives:
+   - System administrator usage
+level: high

rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml

@@ -0,0 +1,27 @@
+title: Renamed or Portable Vmnat.exe
+id: 7b4f794b-590a-4ad4-ba18-7964a2832205
+status: experimental
+description: Detects renamed vmnat.exe or portable version that can be used for DLL side-loading
+author: elhoim
+date: 2022/09/09
+references:
+    - https://twitter.com/malmoeb/status/1525901219247845376
+tags:
+    - attack.defense_evasion
+    - attack.t1574.002
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        OriginalFileName: 'vmnat.exe'
+    filter_rename:
+        Image|endswith: 'vmnat.exe'
+    filter_portable:
+        Image:
+            - 'C:\Program Files (x86)\VMware\VMware Workstation\vmnat.exe'
+            - 'C:\Windows\SysWOW64\vmnat.exe'
+    condition: selection and not 1 of filter_*
+falsepositives:
+     - Unknown
+level: high

rules/windows/process_creation/proc_creation_win_sdelete.yml

@@ -3,8 +3,8 @@ id: a4824fca-976f-4964-b334-0621379e84c4
 status: experimental
 author: frack113
 date: 2021/06/03
-modified: 2022/08/13
-description: Use of SDelete to erase a file not the free space
+modified: 2022/09/06
+description: Detects the use of SDelete to erase a file not the free space
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
 tags:
@@ -29,5 +29,5 @@ fields:
     - CommandLine
     - ParentCommandLine
 falsepositives:
-    - System administrator Usage
-level: medium
+    - System administrator usage
+level: high

rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml

@@ -0,0 +1,32 @@
+title: SharpChisel Usage
+id: cf93e05e-d798-4d9e-b522-b0248dc61eaf
+status: experimental
+description: Detects usage of the Sharp Chisel via the commandline arguments
+author: Nasreddine Bencherchali
+references:
+    - https://github.com/shantanu561993/SharpChisel
+    - https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/
+date: 2022/09/05
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        Image|endswith: '\SharpChisel.exe'
+    selection_client_server:
+        CommandLine|contains:
+            - 'exe client '
+            - 'exe server '
+    selection_flags:
+        CommandLine|contains:
+            - ' --socks5'
+            - ' --reverse'
+            - ' r:'
+            - ':127.0.0.1:'
+    condition: 1 of selection_*
+falsepositives:
+    - Some flalse positives may occure with other tools with similar commandlines
+level: medium
+tags:
+    - attack.command_and_control
+    - attack.t1090.001

rules/windows/process_creation/proc_creation_win_susp_add_local_admin.yml

@@ -1,9 +1,13 @@
 title: Add User to Local Administrators
 id: ad720b90-25ad-43ff-9b5e-5c841facc8e5
+related:
+    - id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e
+      type: similar
 status: experimental
-description: Detects suspicious command line that adds an account to the local administrators group
-author: Florian Roth
+description: Detects suspicious command line that adds an account to the local administrators/administrateurs group
+author: Florian Roth, Nasreddine Bencherchali
 date: 2022/08/12
+modified: 2022/09/09
 references:
     - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
 logsource:
@@ -13,11 +17,18 @@ tags:
     - attack.persistence
     - attack.t1098
 detection:
-    selection:
-        CommandLine|contains|all:
-            - 'localgroup administrators '
+    selection_main:
+        - CommandLine|contains|all:
+            - 'localgroup '
             - ' /add'
-    condition: selection
+        - CommandLine|contains|all:
+            - 'Add-LocalGroupMember '
+            - ' -Group '
+    selection_group:
+        CommandLine|contains:
+            - ' administrators '
+            - ' administrateur' # Typo without an 'S' so we catch both
+    condition: all of selection_*
 falsepositives:
     - Administrative activity
 level: medium

rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop.yml

@@ -1,28 +1,38 @@
 title: Suspicious Add User to Remote Desktop Users Group
 id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e
+related:
+    - id: ad720b90-25ad-43ff-9b5e-5c841facc8e5
+      type: similar
 status: experimental
 description: Detects suspicious command line in which a user gets added to the local Remote Desktop Users group
 author: Florian Roth
 date: 2021/12/06
+modified: 2022/09/09
 references:
     - https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/
 tags:
     - attack.persistence
+    - attack.lateral_movement
     - attack.t1133
     - attack.t1136.001
-    - attack.lateral_movement
     - attack.t1021.001
 logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
-        CommandLine|contains|all:
-            - 'net '
-            - 'localgroup'
+    selection_main:
+        - CommandLine|contains|all:
+            - 'localgroup '
+            - ' /add'
+        - CommandLine|contains|all:
+            - 'Add-LocalGroupMember '
+            - ' -Group '
+    selection_group:
+        CommandLine|contains:
             - 'Remote Desktop Users'
-            - '/add'
-    condition: selection
+            - 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
+            - 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
+    condition: all of selection_*
 fields:
     - CommandLine
     - ParentCommandLine

rules/windows/process_creation/proc_creation_win_susp_base64_invoke.yml

@@ -4,8 +4,8 @@ status: test
 description: Detects base64 encoded powershell 'Invoke-' call
 author: pH-T
 related:
-  - id: fd6e2919-3936-40c9-99db-0aa922c356f7
-    type: similar
+    - id: fd6e2919-3936-40c9-99db-0aa922c356f7
+      type: similar
 date: 2022/05/20
 tags:
     - attack.execution
@@ -15,32 +15,32 @@ tags:
 references:
     - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
 logsource:
-  category: process_creation
-  product: windows
+    category: process_creation
+    product: windows
 detection:
-  selection:
-    CommandLine|contains:
-      # Invoke-
-      - 'SQBuAHYAbwBrAGUALQ'
-      - 'kAbgB2AG8AawBlAC0A'
-      - 'JAG4AdgBvAGsAZQAtA'
-  filter_other_rule:  # already covered in fd6e2919-3936-40c9-99db-0aa922c356f7
-    CommandLine|contains:
-      # Invoke-BloodHound
-      - 'SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA'
-      - 'kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA'
-      - 'JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA'
-      # Invoke-Mimikatz
-      - 'SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA'
-      - 'kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A'
-      - 'JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg'
-      # Invoke-WMIExec
-      - 'SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA'
-      - 'kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw'
-      - 'JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA'
-  condition: selection and not 1 of filter*
+    selection:
+        CommandLine|contains:
+            # Invoke-
+            - 'SQBuAHYAbwBrAGUALQ'
+            - 'kAbgB2AG8AawBlAC0A'
+            - 'JAG4AdgBvAGsAZQAtA'
+    filter_other_rule:  # already covered in fd6e2919-3936-40c9-99db-0aa922c356f7
+        CommandLine|contains:
+            # Invoke-BloodHound
+            - 'SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA'
+            - 'kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA'
+            - 'JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA'
+            # Invoke-Mimikatz
+            - 'SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA'
+            - 'kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A'
+            - 'JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg'
+            # Invoke-WMIExec
+            - 'SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA'
+            - 'kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw'
+            - 'JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA'
+    condition: selection and not 1 of filter*
 fields:
-  - CommandLine
+    - CommandLine
 falsepositives:
-  - Unlikely
-level: high
+    - Unlikely
+level: high

rules/windows/process_creation/proc_creation_win_susp_new_service_creation.yml

@@ -10,7 +10,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
     - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
 date: 2022/07/14
-modified: 2022/08/04
+modified: 2022/09/09
 logsource:
     category: process_creation
     product: windows
@@ -35,6 +35,7 @@ detection:
             - 'dllhost'
             - 'cmd '
             - 'cmd.exe /c'
+            - 'cmd.exe /k'
             - 'rundll32'
             # Add more suspicious paths
             - 'C:\Users\Public'

rules/windows/process_creation/proc_creation_win_susp_ntds.yml

@@ -4,63 +4,63 @@ description: Detects suspicious process patterns used in NTDS.DIT exfiltration
 status: experimental
 author: Florian Roth
 references:
-    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
-    - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
-    - https://pentestlab.blog/tag/ntds-dit/
-    - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1
-    - https://github.com/zcgonvh/NTDSDumpEx
-    - https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1
-    - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
+   - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
+   - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
+   - https://pentestlab.blog/tag/ntds-dit/
+   - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1
+   - https://github.com/zcgonvh/NTDSDumpEx
+   - https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1
+   - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
 date: 2022/03/11
 tags:
-    - attack.credential_access
-    - attack.t1003.003
+   - attack.credential_access
+   - attack.t1003.003
 logsource:
-    product: windows
-    category: process_creation
+   product: windows
+   category: process_creation
 detection:
-    selection_tool:
-        # https://github.com/zcgonvh/NTDSDumpEx
-        - Image|endswith:
-            - '\NTDSDump.exe'
-            - '\NTDSDumpEx.exe'
-        - CommandLine|contains|all:
-            # ntdsdumpex.exe -d ntds.dit -o hash.txt -s system.hiv
-            - 'ntds.dit'
-            - 'system.hiv'
-        - CommandLine|contains: 'NTDSgrab.ps1'
-    selection_oneliner_1:
-        # powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
-        CommandLine|contains|all:
-            - 'ac i ntds'
-            - 'create full'
-    selection_onliner_2:
-        # cmd.exe /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit
-        CommandLine|contains|all:
-            - '/c copy '
-            - '\windows\ntds\ntds.dit'
-    selection_powershell:
-        CommandLine|contains|all:
-            - 'powershell'
-            - 'ntds.dit'
-    set1_selection_ntds_dit:
-        CommandLine|contains: 'ntds.dit'
-    set1_selection_image_folder:
-        - ParentImage|contains:
-            - '\apache'
-            - '\tomcat'
-            - '\AppData\'
-            - '\Temp\'
-            - '\Public\'
-            - '\PerfLogs\'
-        - Image|contains:
-            - '\apache'
-            - '\tomcat'
-            - '\AppData\'
-            - '\Temp\'
-            - '\Public\'
-            - '\PerfLogs\'
-    condition: 1 of selection* or all of set1*
+   selection_tool:
+      # https://github.com/zcgonvh/NTDSDumpEx
+      - Image|endswith:
+         - '\NTDSDump.exe'
+         - '\NTDSDumpEx.exe'
+      - CommandLine|contains|all:
+         # ntdsdumpex.exe -d ntds.dit -o hash.txt -s system.hiv
+         - 'ntds.dit'
+         - 'system.hiv'
+      - CommandLine|contains: 'NTDSgrab.ps1'
+   selection_oneliner_1:
+      # powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
+      CommandLine|contains|all:
+         - 'ac i ntds'
+         - 'create full'
+   selection_onliner_2:
+      # cmd.exe /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit
+      CommandLine|contains|all:
+         - '/c copy '
+         - '\windows\ntds\ntds.dit'
+   selection_powershell:
+      CommandLine|contains|all:
+         - 'powershell'
+         - 'ntds.dit'
+   set1_selection_ntds_dit:
+      CommandLine|contains: 'ntds.dit'
+   set1_selection_image_folder:
+      - ParentImage|contains:
+         - '\apache'
+         - '\tomcat'
+         - '\AppData\'
+         - '\Temp\'
+         - '\Public\'
+         - '\PerfLogs\'
+      - Image|contains:
+         - '\apache'
+         - '\tomcat'
+         - '\AppData\'
+         - '\Temp\'
+         - '\Public\'
+         - '\PerfLogs\'
+   condition: 1 of selection* or all of set1*
 falsepositives:
-    - Unknown
+   - Unknown
 level: high

rules/windows/process_creation/proc_creation_win_susp_reg_add.yml

@@ -1,13 +1,13 @@
-title: Reg Add Suspicious Path To AppDataLow
+title: Reg Add Suspicious Paths
 id: b7e2a8d4-74bb-4b78-adc9-3f92af2d4829
 status: experimental
-description: Detects when an adversary uses the 'AppDataLow' subkeys as a place to store data as seen in the URSNIF phishing campaign
+description: Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
     - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md
-author: frack113
+author: frack113, Nasreddine Bencherchali
 date: 2022/08/19
-modified: 2022/08/20
+modified: 2022/09/09
 logsource:
     category: process_creation
     product: windows
@@ -17,13 +17,16 @@ detection:
         - OriginalFileName: 'reg.exe'
     selection_path:
         CommandLine|contains:
-            - '\Software\AppDataLow\Software\Microsoft\'
-            - '\Software\Policies\Microsoft\Windows\OOBE'
-            - '\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
+            # Add more suspicious registry locations below
+            - '\AppDataLow\Software\Microsoft\'
+            - '\Policies\Microsoft\Windows\OOBE'
+            - '\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
+            - '\CurrentControlSet\Control\SecurityProviders\WDigest'
+            - '\Microsoft\Windows Defender\'
     condition: all of selection_*
 falsepositives:
-    - Legitimate use
-level: medium
+    - Rare legitimate add to registry via cli (to these locations)
+level: high
 tags:
   - attack.defense_evasion
   - attack.t1112

rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml

@@ -1,7 +1,7 @@
 title: Suspicious Reg Add BitLocker
 id: 0e0255bf-2548-47b8-9582-c0955c9283f5
 status: experimental
-description: Suspicious add key for BitLocker
+description: Detects suspicious addition to BitLocker related registry keys via the reg.exe utility
 references:
     - https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/
 tags:
@@ -9,19 +9,18 @@ tags:
     - attack.t1486
 author: frack113
 date: 2021/11/15
-modified: 2022/08/05
+modified: 2022/09/09
 logsource:
     category: process_creation
     product: windows
 detection:
-    set:
+    selection:
         CommandLine|contains|all:
             - 'REG'
             - 'ADD'
             - '\SOFTWARE\Policies\Microsoft\FVE'
             - '/v'
             - '/f'
-    key:
         CommandLine|contains:
             - 'EnableBDEWithNoTPM'
             - 'UseAdvancedStartup'
@@ -31,7 +30,7 @@ detection:
             - 'RecoveryKeyMessageSource'
             - 'UseTPMPIN'
             - 'RecoveryKeyMessage'
-    condition: set and key
+    condition: selection
 falsepositives:
-    - Unknown
-level: medium
+    - Unlikely
+level: high

rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml

@@ -0,0 +1,36 @@
+title: Delete Important Scheduled Task
+id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78
+related:
+    - id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980
+      type: derived
+status: experimental
+description: Detects when adversaries stop services or processes by disabling their respective schdueled tasks in order to conduct data destructive activities
+author: Nasreddine Bencherchali
+references:
+    - Internal Research
+date: 2022/09/09
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    schtasks_exe:
+        Image|endswith: '\schtasks.exe'
+        CommandLine|contains|all:
+            - '/delete'
+            - '/tn'
+        CommandLine|contains:
+            # Add more important tasks
+            - '\Windows\SystemRestore\SR'
+            - '\Windows\Windows Defender\'
+            - '\Windows\BitLocker'
+            - '\Windows\WindowsBackup\'
+            - '\Windows\WindowsUpdate\'
+            - '\Windows\UpdateOrchestrator\'
+            - '\Windows\ExploitGuard'
+    condition: all of schtasks_*
+falsepositives:
+    - Unlikely
+level: high
+tags:
+    - attack.impact
+    - attack.t1489

rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml

@@ -0,0 +1,25 @@
+title: Delete All Scheduled Tasks
+id: 220457c1-1c9f-4c2e-afe6-9598926222c1
+status: experimental
+description: Detects the usage of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.
+author: Nasreddine Bencherchali
+references:
+    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete
+date: 2022/09/09
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\schtasks.exe'
+        CommandLine|contains|all:
+            - ' /delete '
+            - '/tn \*'
+            - ' /f'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high
+tags:
+    - attack.impact
+    - attack.t1489

rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml

@@ -1,7 +1,7 @@
 title: Disable Important Scheduled Task
 id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980
 status: experimental
-description: Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange, SQL Server...etc.
+description: Detects when adversaries stop services or processes by disabling their respective schdueled tasks in order to conduct data destructive activities
 author: frack113, Nasreddine Bencherchali
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task
@@ -19,15 +19,15 @@ detection:
             - '/Change'
             - '/TN'
             - '/disable'
-        #split to add other
         CommandLine|contains:
-            - 'Microsoft\Windows\SystemRestore\SR'
-            - 'Microsoft\Windows\Windows Defender\'
-            - 'Microsoft\Windows\BitLocker'
-            - 'Microsoft\Windows\WindowsBackup\'
-            - 'Microsoft\Windows\WindowsUpdate\'
-            - 'Microsoft\Windows\UpdateOrchestrator\'
-            - 'Windows\ExploitGuard'
+            # Add more important tasks
+            - '\Windows\SystemRestore\SR'
+            - '\Windows\Windows Defender\'
+            - '\Windows\BitLocker'
+            - '\Windows\WindowsBackup\'
+            - '\Windows\WindowsUpdate\'
+            - '\Windows\UpdateOrchestrator\'
+            - '\Windows\ExploitGuard'
     condition: all of schtasks_*
 falsepositives:
     - Unknown

rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml

@@ -1,15 +1,19 @@
-title: Suspicious Schtasks Schedule Type
-id: 7a02e22e-b885-4404-b38b-1ddc7e65258a
-description: Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type
+title: Suspicious Schtasks Schedule Types
+id: 24c8392b-aa3c-46b7-a545-43f71657fe98
+related:
+    - id: 7a02e22e-b885-4404-b38b-1ddc7e65258a
+      type: similar
+description: Detects scheduled task creations or modification on a suspicious schedule type
 status: experimental
 references:
     - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
     - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
+    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
 tags:
     - attack.execution
     - attack.t1053.005
 author: Nasreddine Bencherchali
-date: 2022/08/31
+date: 2022/09/09
 logsource:
     product: windows
     category: process_creation
@@ -23,12 +27,12 @@ detection:
             - ' ONSTART '
             - ' ONCE '
             - ' ONIDLE '
-    selection_privs:
+    filter_privs:
         CommandLine|contains:
             - 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
             - ' SYSTEM' # SYSTEM is a valid value for schtasks hence it gets it's own value with space
             - 'HIGHEST'
-    condition: all of selection_*
+    condition: all of selection_* and not 1 of filter_*
 falsepositives:
-    - Unknown
+    - Legitmate processes that run at logon. Filter according to your environment
 level: high

rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml

@@ -0,0 +1,37 @@
+title: Suspicious Schtasks Schedule Type With High Privileges
+id: 7a02e22e-b885-4404-b38b-1ddc7e65258a
+related:
+    - id: 24c8392b-aa3c-46b7-a545-43f71657fe98
+      type: similar
+description: Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type
+status: experimental
+references:
+    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
+    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
+tags:
+    - attack.execution
+    - attack.t1053.005
+author: Nasreddine Bencherchali
+date: 2022/08/31
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_img:
+        - Image|endswith: '\schtasks.exe'
+        - OriginalFileName: 'schtasks.exe'
+    selection_time:
+        CommandLine|contains:
+            - ' ONLOGON '
+            - ' ONSTART '
+            - ' ONCE '
+            - ' ONIDLE '
+    selection_privs:
+        CommandLine|contains:
+            - 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
+            - ' SYSTEM' # SYSTEM is a valid value for schtasks hence it gets it's own value with space
+            - 'HIGHEST'
+    condition: all of selection_*
+falsepositives:
+    - Some installers were seen using this method of creation unfortunately. Filter them in your environment
+level: medium

rules/windows/process_creation/proc_creation_win_sysmon_disable_sharpevtmute.yml

@@ -0,0 +1,25 @@
+title: SharpEvtMute EvtMuteHook Load
+id: bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c
+status: experimental
+description: Detects the use of SharpEvtHook, a tool to tamper with Windows event logs
+references:
+   - https://github.com/bats3c/EvtMute
+author: Florian Roth
+date: 2022/09/07
+tags:
+   - attack.defense_evasion
+   - attack.t1562.002
+logsource:
+   product: windows
+   category: process_creation
+detection:
+   selection:
+      - Image|endswith: '\SharpEvtMute.exe'
+      - Description: 'SharpEvtMute'
+      - CommandLine|contains:
+            - '--Filter "rule '
+            - '--Encoded --Filter \"'
+   condition: selection
+falsepositives:
+   - Unknown
+level: high

rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml

@@ -6,7 +6,7 @@ references:
     - https://twitter.com/GelosSnake/status/934900723426439170
 author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali
 date: 2017/11/27
-modified: 2022/07/14
+modified: 2022/09/07
 tags:
     - attack.defense_evasion
     - attack.t1036
@@ -69,7 +69,7 @@ detection:
             - 'C:\Windows\System32\'
             - 'C:\Windows\SysWOW64\'
             - 'C:\Windows\WinSxS\'
-            - 'C:\avast! sandbox'
+            # - 'C:\avast! sandbox'
         - Image|contains: '\SystemRoot\System32\'
         - Image: 'C:\Windows\explorer.exe'
     condition: selection and not filter

rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml

@@ -0,0 +1,30 @@
+title: User Discovery Via Get-ADUser Cmdlet
+id: c2993223-6da8-4b1a-88ee-668b8bf315e9
+status: experimental
+description: Detects usage of the Get-ADUser cmdlet to collect user information
+author: Nasreddine Bencherchali
+references:
+    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
+date: 2022/09/09
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith:
+            - '\powershell.exe'
+            - '\pwsh.exe'
+        - OriginalFileName:
+            - 'PowerShell.EXE'
+            - 'pwsh.dll'
+    selection_cli:
+        CommandLine|contains|all:
+            - 'Get-ADUser '
+            - ' -Filter \*'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
+level: medium
+tags:
+    - attack.discovery
+    - attack.t1033

rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml

@@ -0,0 +1,28 @@
+title: Wevtutil Recon
+id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
+status: experimental
+description: Detects usage of the wevtutil utility to perform reconnaissance
+references:
+    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
+author: Nasreddine Bencherchali
+date: 2022/09/09
+tags:
+    - attack.discovery
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_cli:
+        Image|endswith: '\wevtutil.exe'
+        CommandLine|contains:
+            - ' qe '
+            - ' query-events '
+    selection_logs:
+        CommandLine|contains:
+            # Add more event log channels that are interesting for attackers
+            - 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
+            - 'Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational'
+    condition: all of selection_*
+falsepositives:
+    - Legitmate usage of the utility by administrators to query the event log
+level: medium

rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml

@@ -0,0 +1,27 @@
+title: Suspicious Get Local Groups Information with WMIC
+id: 9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f
+status: experimental
+description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model...etc.
+references:
+    - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
+author: Nasreddine Bencherchali
+date: 2022/09/08
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_img:
+        - Image|endswith: '\wmic.exe'
+        - OriginalFileName: 'wmic.exe'
+    selection_cli:
+        CommandLine|contains|all:
+            - ' computersystem '
+            - ' get '
+    condition: all of selection*
+falsepositives:
+    - Unknown
+level: medium
+tags:
+    - attack.discovery
+    - attack.execution
+    - attack.t1047

rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml

@@ -16,7 +16,7 @@ logsource:
     category: registry_event
 detection:
     selection:
-        TargetObject|contains|all: 
+        TargetObject|contains|all:
             - 'SYSTEM\'
             - 'ControlSet'
             - '\Control\Lsa'
@@ -27,4 +27,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: high
+level: high

rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml

@@ -1,12 +1,16 @@
-title: SilentProcessExit Monitor Registrytion for LSASS
+title: SilentProcessExit Monitor Registration for LSASS
 id: 55e29995-75e7-451a-bef0-6225e2f13597
-description: Detects changes to the Registry in which a monitor program gets registered to dump process memory of the lsass.exe process memory
+related:
+    - id: 1f24c7c1-0b71-4e4e-8a6d-f863c9d8aa4a
+      type: similar
+description: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
 status: experimental
 author: Florian Roth
 references:
     - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
     - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
 date: 2021/02/26
+modified: 2022/09/07
 tags:
     - attack.credential_access
     - attack.t1003.007
@@ -14,9 +18,9 @@ logsource:
     category: registry_event
     product: windows
 detection:
-    selection:       
+    selection:
         TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe'
     condition: selection
 falsepositives:
-    - Unknown
-level: critical
+    - Unlikely
+level: critical

rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml

@@ -12,7 +12,7 @@ references:
     - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
     - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
 date: 2019/10/25
-modified: 2022/08/23
+modified: 2022/09/06
 logsource:
     category: registry_set
     product: windows
@@ -98,7 +98,9 @@ detection:
             - '{C973DA94-CBDF-4E77-81D1-E5B794FBD146}'
             - '{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}'
     filter_onedrive:
-        Details|startswith: 'C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\'
+        Details|startswith:
+            - 'C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\'
+            - 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\'
         Details|contains: '\AppData\Local\Microsoft\OneDrive\'
     filter_python:
         TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{c60fd5ac-367d-4e3a-a975-f157502ac30a}'

rules/windows/registry/registry_set/registry_set_disable_system_restore.yml

@@ -3,7 +3,7 @@ id: 5de03871-5d46-4539-a82d-3aa992a69a83
 description: Detects the modification of the registry to disable a system restore on the computer
 author: frack113
 date: 2022/04/04
-modified: 2022/06/26
+modified: 2022/09/09
 status: experimental
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
@@ -13,9 +13,9 @@ logsource:
 detection:
     selection:
         EventType: Setvalue
-        TargetObject|startswith:
-            - 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
-            - 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
+        TargetObject|contains:
+            - '\Policies\Microsoft\Windows NT\SystemRestore'
+            - '\Microsoft\Windows NT\CurrentVersion\SystemRestore'
         TargetObject|endswith:
             - DisableConfig
             - DisableSR

rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml

@@ -3,7 +3,7 @@ id: 2f78da12-f7c7-430b-8b19-a28f269b77a3
 description: Detects tempering with the "Enabled" registry key in order to disable windows logging of a windows event channel
 author: frack113, Nasreddine Bencherchali
 date: 2022/07/04
-modified: 2022/08/26
+modified: 2022/09/08
 status: experimental
 references:
     - https://twitter.com/WhichbufferArda/status/1543900539280293889
@@ -27,6 +27,10 @@ detection:
         TargetObject|contains:
             - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-FileInfoMinifilter'
             - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-ASN1\'
+    filter_empty:
+        Image:
+            - ''
+            - null
     condition: selection and not 1 of filter*
 falsepositives:
     - Legitimate administrators disabling specific event log for troubleshooting

rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml

@@ -2,6 +2,7 @@ title: Scripted Diagnostics Turn Off Check Enabled - Registry
 id: 7d995e63-ec83-4aa3-89d5-8a17b5c87c86
 description: Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability
 date: 2022/06/15
+modified: 2022/09/09
 author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
 references:
     - https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw
@@ -12,7 +13,7 @@ logsource:
 detection:
     selection:
         EventType: SetValue
-        TargetObject: 'HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics\TurnOffCheck'
+        TargetObject|endswith: '\Policies\Microsoft\Windows\ScriptedDiagnostics\TurnOffCheck'
         Details: 'DWORD (0x00000001)'
     condition: selection
 falsepositives:

rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml

@@ -1,35 +1,35 @@
 title: GlobalFlags Registry Persistence Mechanisms
 id: 36803969-5421-41ec-b92f-8500f79c23b0
 status: test
-description: Detects persistence using GlobalFlags in image file executiobn options
+description: Detects persistence using GlobalFlags in image file execution options
 author: Karneades, Jonhnathan Ribeiro
 references:
-  - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
+    - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
 date: 2018/04/11
-modified: 2022/03/26
+modified: 2022/09/07
 logsource:
-  category: registry_set
-  product: windows
+    category: registry_set
+    product: windows
 detection:
-  selection_reg1:
-    TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
-  selection_reg2:
-    - TargetObject|contains|all:
-      - '\Image File Execution Options\'
-      - '\GlobalFlag'
-    - TargetObject|contains|all:
-      - 'SilentProcessExit\'
-      - '\ReportingMode'
-    - TargetObject|contains|all:
-      - 'SilentProcessExit\'
-      - '\MonitorProcess'
-  condition: selection_reg1 and selection_reg2
+    selection_reg1:
+        TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\'
+    selection_reg2:
+        - TargetObject|contains|all:
+            - '\Image File Execution Options\'
+            - '\GlobalFlag'
+        - TargetObject|contains|all:
+            - 'SilentProcessExit\'
+            - '\ReportingMode'
+        - TargetObject|contains|all:
+            - 'SilentProcessExit\'
+            - '\MonitorProcess'
+    condition: all of selection_*
 falsepositives:
-  - Unknown
+    - Unknown
 level: high
 tags:
-  - attack.privilege_escalation
-  - attack.persistence
-  - attack.defense_evasion
-  - attack.t1546.012
-  - car.2013-01-002
+    - attack.privilege_escalation
+    - attack.persistence
+    - attack.defense_evasion
+    - attack.t1546.012
+    - car.2013-01-002

rules/windows/registry/registry_set/registry_set_hide_function_user.yml

@@ -18,7 +18,7 @@ detection:
             - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth'
             - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCANetwork'
             - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAPower'
-            - 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAVolume'
+            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAVolume'
         Details: 'DWORD (0x00000001)'
     selection_set_0:
         EventType: SetValue

rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml

@@ -21,7 +21,7 @@ detection:
             - '\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\'
             - '\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates\'
             - '\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates\'
-            - '\Software\Microsoft\SystemCertificates\AuthRoot\Certificates\'
+            - '\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\'
             - '\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\Certificates\'
             - '\SOFTWARE\Microsoft\EnterpriseCertificates\AuthRoot\Certificates\'
         TargetObject|endswith: '\Blob'

rules/windows/registry/registry_set/registry_set_silentprocessexit.yml

@@ -1,4 +1,4 @@
-title: SilentProcessExit Monitor Registrytion
+title: SilentProcessExit Monitor Registration
 id: c81fe886-cac0-4913-a511-2822d72ff505
 description: Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process
 status: experimental

rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml

@@ -0,0 +1,22 @@
+title: Winlogon AllowMultipleTSSessions Enable
+id: f7997770-92c3-4ec9-b112-774c4ef96f96
+description: Detects when the 'AllowMultipleTSSessions' value is enabled. Which allows for multiple Remote Desktop connection sessions to be opened at once. This is often used by attacker as a way to connect to an RDP session without disconnecting the other users
+author: Nasreddine Bencherchali
+date: 2022/09/09
+status: experimental
+references:
+    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        EventType: SetValue
+        TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions'
+        Details|endswith: DWORD (0x00000001)
+    condition: selection
+falsepositives:
+    - Legitmate use of the multi session functionality
+level: medium
+tags:
+    - attack.persistence

tests/test-base64offset-all.yml

@@ -0,0 +1,10 @@
+title: Testrule
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|base64offset|contains|all:
+            - foo
+            - bar
+    condition: selection

tests/test-windash-all.yml

@@ -0,0 +1,10 @@
+title: Testrule
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|windash|contains|all:
+            - -foo-1 -bar-2 -bla-3
+            - -foo-bar
+    condition: selection

tools/README.md

@@ -8,6 +8,8 @@ This folder contains libraries and the following command line tools:
 
 # Sigmac
 
+<span style="color:red">Sigmac will be deprecated by the end of 2022</span> in favour of [sigma-cli](https://github.com/SigmaHQ/sigma-cli) and [pySigma](https://github.com/SigmaHQ/pySigma). <span style="color:red">Please stop contributing backends</span> to this tool. Limited support is offered until the end of 2023, especially for backends that haven't been migrated yet.
+
 The Sigmac is one of the most important files, as this is what sets the correct fields that your backend/database will use after being translated from the (original) log source's field names.
 Please read below to understand how a SIGMAC is constructed. Additionally, see [Choosing the Right Sigmac](#choosing-the-right-sigmac) for an idea of which file and command line options (if applicable) that will best suite your environment.
 

tools/setup.py

@@ -14,7 +14,7 @@ with open(path.join(here, 'LONG_DESCRIPTION.md'), encoding='utf-8') as f:
 
 setup(
     name='sigmatools',
-    version='0.21.0',
+    version='0.22.1',
     description='Tools for the Generic Signature Format for SIEM Systems',
     long_description=long_description,
     long_description_content_type="text/markdown",

tools/sigma/backends/base.py

@@ -21,6 +21,7 @@ import yaml
 import re
 
 from sigma.backends.exceptions import NotSupportedError
+from sigma.parser.condition import ConditionOR, NodeSubexpression
 from .mixins import RulenameCommentMixin, QuoteCharMixin
 from sigma.parser.modifiers.base import SigmaTypeModifier
 
@@ -328,6 +329,8 @@ class SingleTextQueryBackend(RulenameCommentMixin, BaseBackend, QuoteCharMixin):
             return self.generateMapItemTypedNode(transformed_fieldname, value)
         elif value is None:
             return self.nullExpression % (transformed_fieldname, )
+        elif isinstance(value, NodeSubexpression):
+            return self.generateSubexpressionNode(value)
         else:
             raise TypeError("Backend does not support map values of type " + str(type(value)))
 

tools/sigma/backends/splunk.py

@@ -48,6 +48,9 @@ class SplunkBackend(SingleTextQueryBackend):
             raise TypeError("List values must be strings or numbers")
         return "(" + (" OR ".join(['%s=%s' % (key, self.generateValueNode(item)) for item in value])) + ")"
 
+    def generateANDNode(self, node):
+        return "(" + super().generateANDNode(node) + ")"
+
     def generateAggregation(self, agg):
         if agg == None:
             return ""

tools/sigma/parser/modifiers/mixins.py

@@ -14,6 +14,9 @@
 # You should have received a copy of the GNU Lesser General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+from sigma.parser.condition import ConditionAND, ConditionBase, ConditionOR, NodeSubexpression
+
+
 class ListOrStringModifierMixin(object):
     """
     Definitions and convenience methods for modifiers that can be applied to lists and strings.
@@ -28,21 +31,32 @@ class ListOrStringModifierMixin(object):
     valid_input_types = (list, tuple, str, )
 
     def apply(self):
-        if type(self.value) in (list, tuple, ):
-            return self.apply_list()
+        if isinstance(self.value, (list, tuple, ConditionBase, NodeSubexpression)):
+            return self.apply_list(self.value)
         else:
             return self.apply_str(self.value)
 
-    def apply_list(self):
+    def apply_list(self, l):
         """Method is called if modifier value contains a list"""
-        l = [ self.apply_str(val) for val in self.value ]
-        rl = list()
-        for i in l:
-            if type(i) in { list, tuple, set }:
-                rl.extend(i)
-            else:
-                rl.append(i)
-        return rl
+        if isinstance(l, (list, tuple)):
+            l = [
+                self.apply_str(v)
+                if isinstance(v, str)
+                else self.apply_list(v)
+                for v in l ]
+            rl = list()
+            for i in l:
+                if type(i) in { list, tuple, set }:
+                    rl.extend(i)
+                else:
+                    rl.append(i)
+            return rl
+        elif isinstance(l, NodeSubexpression):
+            return NodeSubexpression(self.apply_list(l.items))
+        elif isinstance(l, ( ConditionOR, ConditionAND )):
+            cond = l.__class__()
+            cond.items = self.apply_list(l.items)
+            return cond
 
     def apply_str(self, val : str):
         """Method is called if modifier input value contains a string or once for each list element"""

tools/sigma/parser/modifiers/transform.py

@@ -14,9 +14,10 @@
 # You should have received a copy of the GNU Lesser General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+import re
 from .base import SigmaTransformModifier
 from .mixins import ListOrStringModifierMixin
-from sigma.parser.condition import ConditionAND
+from sigma.parser.condition import ConditionAND, ConditionBase, ConditionOR, NodeSubexpression
 from base64 import b64encode
 
 class SigmaContainsModifier(ListOrStringModifierMixin, SigmaTransformModifier):
@@ -24,14 +25,17 @@ class SigmaContainsModifier(ListOrStringModifierMixin, SigmaTransformModifier):
     identifier = "contains"
     active = True
 
-    def apply_str(self, val : str):
-        if not val.startswith("*"):
-            val = "*" + val
-        if not val.endswith("*"):
-            if val.endswith("\\"):
-                val += "\\*"
-            else:
-                val += "*"
+    def apply_str(self, val):
+        try:
+            if not val.startswith("*"):
+                val = "*" + val
+            if not val.endswith("*"):
+                if val.endswith("\\"):
+                    val += "\\*"
+                else:
+                    val += "*"
+        except AttributeError:
+            pass
         return val
 
 class SigmaStartswithModifier(ListOrStringModifierMixin, SigmaTransformModifier):
@@ -61,7 +65,7 @@ class SigmaAllValuesModifier(SigmaTransformModifier):
     """Override default OR-linking behavior for list with AND-linking of all list values"""
     identifier = "all"
     active = True
-    valid_input_types = (list, tuple, )
+    valid_input_types = (list, tuple, ConditionBase)
 
     def apply(self):
         vals = super().apply()
@@ -93,7 +97,7 @@ class SigmaBase64OffsetModifier(ListOrStringModifierMixin, SigmaTransformModifie
     def apply_str(self, val):
         if type(val) == str:
             val = val.encode()
-        return [
+        items = [
                 b64encode(
                     i * b' ' + val
                     )[
@@ -102,6 +106,46 @@ class SigmaBase64OffsetModifier(ListOrStringModifierMixin, SigmaTransformModifie
                         ].decode()
                 for i in range(3)
                 ]
+        cond = ConditionOR()
+        cond.items = items
+        return NodeSubexpression(cond)
+
+class SigmaWindashModifier(ListOrStringModifierMixin, SigmaTransformModifier):
+    """
+    Expand parameter characters / and - that are often interchangeable in Windows into the other
+    form if it appears between word boundaries. E.g. in -param-name the first dash will be expanded
+    into /param-name while the second dash is left untouched.
+    """
+    identifier = "windash"
+    active = True
+    valid_input_types = ListOrStringModifierMixin.valid_input_types
+
+    def expand_dashes(self, val, locations, offset=0):
+        i = locations[0]
+        if len(locations) == 1:
+            subexpansions = [ val[i + 1:]]
+        else:
+            subexpansions = self.expand_dashes(val, locations[1:], i + 1)
+
+        return [
+            val[offset:i] + expanded + subexpansion
+            for expanded in ("-", "/")
+            for subexpansion in subexpansions
+        ]
+
+    def apply_str(self, val):
+        dash_locations = [
+            m.start()
+            for m in re.finditer(re.compile("\\B[-/]\\b"), val)
+        ]
+        if dash_locations == []:
+            return val
+        else:
+            items = self.expand_dashes(val, dash_locations)
+
+        cond = ConditionOR()
+        cond.items = items
+        return NodeSubexpression(cond)
 
 class SigmaEncodingBaseModifier(ListOrStringModifierMixin, SigmaTransformModifier):
     """

tools/sigma/sigmac.py

@@ -1,7 +1,6 @@
 #!/usr/bin/env python3
 # A Sigma to SIEM converter
 # Copyright 2016-2017 Thomas Patzke, Florian Roth
-
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
@@ -37,6 +36,7 @@ import codecs
 import copy
 import time
 import datetime
+from termcolor import colored
 
 sys.stdout = codecs.getwriter('utf-8')(sys.stdout.detach())
 
@@ -64,6 +64,12 @@ ERR_FULL_FIELD_MATCH    = 90
 # Allowed fields in output
 allowed_fields = ["title", "id", "status", "description", "author", "references", "fields", "falsepositives", "level", "tags", "filename"]
 
+deprecation_warning_message = colored("Sigmac will be deprecated by the end of 2022",
+                                      "red") + " in favour of sigma-cli and pySigma. Please " +  colored("stop contributing backends", "red") + \
+                                               " to this tool. Limited support is offered until the end of 2023, " \
+                                               "especially for backends that haven't been migrated yet.\n "
+
+
 def alliter(path):
     for sub in path.iterdir():
         if sub.name.startswith("."):
@@ -96,7 +102,7 @@ class ActionBackendHelp(argparse.Action):
 def set_argparser():
     """Sets up and parses the command line arguments for Sigmac.
     Returns the argparser"""
-    argparser = argparse.ArgumentParser(description="Convert Sigma rules into SIEM signatures.")
+    argparser = argparse.ArgumentParser(description="Convert Sigma rules into SIEM signatures.\n" + deprecation_warning_message, formatter_class=argparse.RawTextHelpFormatter)
     argparser.add_argument("--recurse", "-r", action="store_true", help="Use directory as input (recurse into subdirectories is not implemented yet)")
     argparser.add_argument("--filter", "-f", help="""
     Define comma-separated filters that must match (AND-linked) to rule to be processed.
@@ -109,14 +115,14 @@ def set_argparser():
     Multiple log source specifications are AND linked.
     Special filter:
     inlastday=X rule create or modified in the last X days period
-    tlp=valid_tlp if rule have no tlp set to WHITE 
+    tlp=valid_tlp if rule have no tlp set to WHITE
             """)
     argparser.add_argument("--target", "-t", choices=backends.getBackendDict().keys(), help="Output target format")
     argparser.add_argument("--lists", "-l", action="store_true", help="List available output target formats and configurations")
     argparser.add_argument("--lists-files-after-date", "-L",help="List yml files  which is modified/created after the date (Example of the date: 2022/02/01).")
     argparser.add_argument("--config", "-c", action="append", help="Configurations with field name and index mapping for target environment. Multiple configurations are merged into one. Last config is authoritative in case of conflicts.")
     argparser.add_argument("--output", "-o", default=None, help="Output file or filename prefix (if end with a '_','/' or '\\')")
-    argparser.add_argument("--output-fields", "-of", help="""Enhance your output with additional fields from the Sigma rule (not only the converted rule itself). 
+    argparser.add_argument("--output-fields", "-of", help="""Enhance your output with additional fields from the Sigma rule (not only the converted rule itself).
     Select the fields you want by providing their list delimited with commas (no space). Only work with the '--output-format' option and with 'json' or 'yaml' value.
     available additional fields : title, id, status, description, author, references, fields, falsepositives, level, tags.
     This option do not have any effect for backends that already format output : elastalert, kibana, splukxml etc. """)
@@ -132,7 +138,7 @@ def set_argparser():
     argparser.add_argument("--verbose", "-v", action="store_true", help="Be verbose")
     argparser.add_argument("--debug", "-D", action="store_true", help="Debugging output")
     argparser.add_argument("inputs", nargs="*", help="Sigma input files ('-' for stdin)")
-    
+
     return argparser
 
 def list_backends(debug):
@@ -201,6 +207,7 @@ def main():
         sys.exit(0)
     elif len(cmdargs.inputs) == 0:
         print("Nothing to do!")
+        print(deprecation_warning_message)
         argparser.print_usage()
         sys.exit(0)
 
@@ -264,7 +271,7 @@ def main():
                 exit(ERR_CONFIG_PARSING)
 
     if cmdargs.output_fields:
-        if cmdargs.output_format: 
+        if cmdargs.output_format:
             output_fields_rejected = [field for field in cmdargs.output_fields.split(",") if field not in allowed_fields] # Not allowed fields
             if output_fields_rejected:
                     print("These fields are not allowed (check help for allow field list) : %s" % (", ".join(output_fields_rejected)), file=sys.stderr)
@@ -277,7 +284,7 @@ def main():
 
     backend_options = BackendOptions(cmdargs.backend_option, cmdargs.backend_config)
     backend = backend_class(sigmaconfigs, backend_options)
-    
+
     filename_ext = cmdargs.output_extention
     filename = cmdargs.output
     fileprefix = None
@@ -289,7 +296,7 @@ def main():
                 filename_ext = '.' + filename_ext
         else:
             filename_ext = '.rule'
-    
+
         if filename[-1:] in ['_','/','\\']:
             fileprefix = filename
         else:
@@ -321,7 +328,7 @@ def main():
 
             nb_result = len(list(copy.deepcopy(results)))
             inc_filenane = None if nb_result < 2 else 0
-            
+
             newline_separator = '\0' if cmdargs.print0 else '\n'
 
             results = list(results) # Since results is an iterator and used twice we convert it a list
@@ -338,7 +345,7 @@ def main():
                 elif  not fileprefix == None and inc_filenane == None: # a simple yml
                     try:
                         filename = fileprefix + str(sigmafile.name)
-                        filename = filename.replace('.yml',filename_ext) 
+                        filename = filename.replace('.yml',filename_ext)
                         out = open(filename, "w", encoding='utf-8')
                     except (IOError, OSError) as e:
                         print("Failed to open output file '%s': %s" % (filename, str(e)), file=sys.stderr)
@@ -368,7 +375,7 @@ def main():
                         fileprefix = None  # no need to open the same file many time
                     except (IOError, OSError) as e:
                         print("Failed to open output file '%s': %s" % (filename, str(e)), file=sys.stderr)
-                        exit(ERR_OUTPUT) 
+                        exit(ERR_OUTPUT)
 
         except OSError as e:
             print("Failed to open Sigma file %s: %s" % (sigmafile, str(e)), file=sys.stderr)
@@ -429,16 +436,16 @@ def main():
             if not cmdargs.ignore_backend_errors:
                 error = ERR_FULL_FIELD_MATCH
                 if not cmdargs.defer_abort:
-                    sys.exit(error)                
+                    sys.exit(error)
         finally:
             try:
                 f.close()
             except:
                 pass
-        
+
         if success :
-            logger.debug("* Convertion Sigma input %s SUCCESS" % (sigmafile)) 
- 
+            logger.debug("* Convertion Sigma input %s SUCCESS" % (sigmafile))
+
     result = backend.finalize()
     if result:
         print(result, file=out)