From f7c1d9fe9dd59f68c26dabfaa697c88384ef571a Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 8 Nov 2022 14:52:42 +0100
Subject: [PATCH] Update proc_creation_win_weak_or_abused_passwords.yml
---
 .../proc_creation_win_weak_or_abused_passwords.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml b/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml
index 0068a7f2c..b19d0ca3f 100644
--- a/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml
+++ b/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml
@@ -5,9 +5,10 @@ description: Detects weak passwords or often abused passwords (seen used by thre
 references:
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments
 - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
+ - https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
 author: Nasreddine Bencherchali
 date: 2022/09/14
-modified: 2022/09/27
+modified: 2022/11/08
 tags:
 - attack.defense_evasion
 - attack.execution
@@ -19,7 +20,7 @@ detection:
 CommandLine|contains:
 # Add more passwords
 - 'Asd123.aaaa'
- - 'password123'
+ - 'password123' # Also covers PASSWORD123123! as seen in https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
 - '123456789'
 - 'P@ssw0rd!'
 condition: selection
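Review bot: The inline comment added to the `'password123'` entry in the second hunk holds only if the match is case-insensitive, because the value it claims to cover is upper-case `PASSWORD123123!`. Sigma string values are case-insensitive by default, but the comment should say so, since a converted query or downstream pipeline that compares case-sensitively would silently miss that variant. The comment also repeats the full URL that the first hunk already adds under `references`; I would shorten it to `# case-insensitive substring match, so it also covers PASSWORD123123! (DEV-0832 / Vice Society, see references)`. The selection block starts above the hunk, so any additional conditions that narrow these broad substrings are not visible here.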