Add more comsvcs variations

Based on this https://twitter.com/Wietze/status/1542107456507203586

other/godmode_sigma_rule.yml

@@ -19,7 +19,7 @@ description: 'PoC rule to detect malicious activity - following the principle: i
 status: experimental
 author: Florian Roth
 date: 2019/12/22
-modified: 2022/07/14
+modified: 2022/08/04
 level: high
 action: global
 ---
@@ -56,6 +56,9 @@ detection:
             - ' comsvcs.dll,#24'  # Process dumping method apart from procdump
             - ' comsvcs.dll MiniDump'  # Process dumping method apart from procdump
             - ' comsvcs.dll #24'  # Process dumping method apart from procdump
+            - ' comsvcs `#'  # Process dumping method apart from procdump
+            - ' comsvcs #'  # Process dumping method apart from procdump
+            - ' comsvcs MiniDump'  # Process dumping method apart from procdump
             - '.dmp full'  # Process dumping method apart from procdump
     selection_parent_child:
         ParentImage|contains:

rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml

@@ -1,36 +1,43 @@
 title: Process Dump via Rundll32 and Comsvcs.dll
 id: 646ea171-dded-4578-8a4d-65e9822892e3
-description: Detects a process memory dump performed via ordinal function 24 in comsvcs.dll
-status: experimental
+related:
+    - id: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c
+      type: obsoletes
+description: Detects process memory dump via comsvcs.dll and rundll32 using different techniques (ordinal, minidump function...etc)
+status: test
 references:
     - https://twitter.com/shantanukhande/status/1229348874298388484
     - https://twitter.com/pythonresponder/status/1385064506049630211?s=21
     - https://twitter.com/Hexacorn/status/1224848930795552769
-author: Florian Roth
+    - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
+    - https://twitter.com/SBousseaden/status/1167417096374050817
+    - https://twitter.com/Wietze/status/1542107456507203586
+author: Florian Roth, Modexp, Nasreddine Bencherchali (update)
 date: 2020/02/18
-modified: 2021/12/08
+modified: 2022/08/04
 tags:
     - attack.defense_evasion
-    - attack.t1036
     - attack.credential_access
-    - car.2013-05-009
+    - attack.t1036
     - attack.t1003.001
+    - car.2013-05-009
 logsource:
     category: process_creation
     product: windows
 detection:
-    selection_comsvcs:
-        CommandLine|contains: 
-            - 'comsvcs.dll'
-            - 'rundll32'
-            - '.dmp'
-    selection_function:
+    selection_img:
+        - Image|endswith: '\rundll32.exe'
+        - OriginalFileName: 'RUNDLL32.EXE'
+        - CommandLine|contains: 'rundll32'
+    selection_cli:
+        CommandLine|contains|all:
+            - 'comsvcs'
+            - 'full'
         Commandline|contains:
+            - '24 '
             - '#24'
             - '#+24'
-            - 'MiniDump'
-    selection_full:
-        CommandLine|contains: ' full'
+            - 'MiniDump' #Matches MiniDump and MinidumpW
     unique_selection:
         CommandLine|contains: '#-4294967272'  # https://twitter.com/Hexacorn/status/1224848930795552769
     condition: all of selection* or unique_selection

rules/windows/process_creation/proc_creation_win_susp_comsvcs_procdump.yml

@@ -1,34 +0,0 @@
-title: Process Dump via Comsvcs DLL
-id: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c
-status: test
-description: Detects process memory dump via comsvcs.dll and rundll32
-author: Modexp (idea)
-references:
-    - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
-    - https://twitter.com/SBousseaden/status/1167417096374050817
-date: 2019/09/02
-modified: 2022/07/28
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection__img:
-        - Image|endswith: '\rundll32.exe'
-        - OriginalFileName: 'RUNDLL32.EXE'
-    selection_cli:
-        CommandLine|contains|all:
-            - 'comsvcs'
-            - 'MiniDump'       #Matches MiniDump and MinidumpW
-            - 'full'
-    condition: all of selection_*
-fields:
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Unknown
-level: high
-tags:
-    - attack.defense_evasion
-    - attack.t1218.011
-    - attack.credential_access
-    - attack.t1003.001

rules/windows/process_creation/proc_creation_win_webshell_hacking.yml

@@ -4,95 +4,96 @@ description: Detects certain parent child patterns found in cases in which a web
 author: Florian Roth
 status: experimental
 references:
-   - https://youtu.be/7aemGhaE9ds?t=641
+    - https://youtu.be/7aemGhaE9ds?t=641
 date: 2022/03/17
+modified: 2022/08/04
 tags:
-   - attack.persistence
-   - attack.t1505.003
-   - attack.t1018
-   - attack.t1033
-   - attack.t1087
+    - attack.persistence
+    - attack.t1505.003
+    - attack.t1018
+    - attack.t1033
+    - attack.t1087
 logsource:
-   category: process_creation
-   product: windows
+    category: process_creation
+    product: windows
 detection:
    # Webserver
-   selection_webserver_image:
-      ParentImage|endswith:
-         - '\w3wp.exe'
-         - '\php-cgi.exe'
-         - '\nginx.exe'
-         - '\httpd.exe'
-         - '\caddy.exe'
-         - '\ws_tomcatservice.exe'
-   selection_webserver_characteristics_tomcat1:
-      ParentImage|endswith: 
-         - '\java.exe'
-         - '\javaw.exe'
-      ParentImage|contains: 
-         - '-tomcat-'
-         - '\tomcat'
-   selection_webserver_characteristics_tomcat2:
-      ParentImage|endswith: 
-         - '\java.exe'
-         - '\javaw.exe'
-      CommandLine|contains: 
-         - 'catalina.jar'
-         - 'CATALINA_HOME'
-   # Suspicious child processes
-   selection_child_1:
-      # Process dumping
-      CommandLine|contains|all:
-         - 'rundll32'
-         - 'comsvcs.dll'
-   selection_child_2:
-      # Winrar exfil
-      CommandLine|contains|all:
-         - ' -hp'
-         - ' a '
-         - ' -m'
-   selection_child_3:
-      # User add
-      CommandLine|contains|all:
-         - 'net'
-         - ' user '
-         - ' /add'
-   selection_child_4:
-      CommandLine|contains|all:
-         - 'net'
-         - ' localgroup '
-         - ' administrators '
-         - '/add'
-   selection_child_5:
-      Image|endswith:
-         # Credential stealing
-         - '\ntdsutil.exe'
-         # AD recon 
-         - '\ldifde.exe'
-         - '\adfind.exe'
-         # Process dumping
-         - '\procdump.exe'
-         - '\Nanodump.exe'
-         # Destruction / ransom groups
-         - '\vssadmin.exe'
-         - '\fsutil.exe'
-   selection_child_6:
-      # SUspicious patterns
-      CommandLine|contains:
-         - ' -NoP '  # Often used in malicious PowerShell commands
-         - ' -W Hidden '  # Often used in malicious PowerShell commands
-         - ' -decode '  # Used with certutil
-         - ' /decode '  # Used with certutil 
-         - 'reg save '  # save registry SAM - syskey extraction
-         - '.downloadstring('  # PowerShell download command
-         - '.downloadfile('  # PowerShell download command
-         - 'FromBase64String' # PowerShell encoded payload 
-         - ' /ticket:'  # Rubeus
-         - ' sekurlsa'  # Mimikatz
-         - '.dmp full'  # Process dumping method apart from procdump
-         - 'process call create' # WMIC process creation
-         - 'whoami /priv'
-   condition: 1 of selection_webserver* and 1 of selection_child*
+    selection_webserver_image:
+        ParentImage|endswith:
+            - '\w3wp.exe'
+            - '\php-cgi.exe'
+            - '\nginx.exe'
+            - '\httpd.exe'
+            - '\caddy.exe'
+            - '\ws_tomcatservice.exe'
+    selection_webserver_characteristics_tomcat1:
+        ParentImage|endswith:
+            - '\java.exe'
+            - '\javaw.exe'
+        ParentImage|contains:
+            - '-tomcat-'
+            - '\tomcat'
+    selection_webserver_characteristics_tomcat2:
+        ParentImage|endswith:
+            - '\java.exe'
+            - '\javaw.exe'
+        CommandLine|contains:
+            - 'catalina.jar'
+            - 'CATALINA_HOME'
+    # Suspicious child processes
+    selection_child_1:
+        # Process dumping
+        CommandLine|contains|all:
+            - 'rundll32'
+            - 'comsvcs'
+    selection_child_2:
+        # Winrar exfil
+        CommandLine|contains|all:
+            - ' -hp'
+            - ' a '
+            - ' -m'
+    selection_child_3:
+        # User add
+        CommandLine|contains|all:
+            - 'net'
+            - ' user '
+            - ' /add'
+    selection_child_4:
+        CommandLine|contains|all:
+            - 'net'
+            - ' localgroup '
+            - ' administrators '
+            - '/add'
+    selection_child_5:
+        Image|endswith:
+            # Credential stealing
+            - '\ntdsutil.exe'
+            # AD recon
+            - '\ldifde.exe'
+            - '\adfind.exe'
+            # Process dumping
+            - '\procdump.exe'
+            - '\Nanodump.exe'
+            # Destruction / ransom groups
+            - '\vssadmin.exe'
+            - '\fsutil.exe'
+    selection_child_6:
+        # SUspicious patterns
+        CommandLine|contains:
+            - ' -NoP '  # Often used in malicious PowerShell commands
+            - ' -W Hidden '  # Often used in malicious PowerShell commands
+            - ' -decode '  # Used with certutil
+            - ' /decode '  # Used with certutil
+            - 'reg save '  # save registry SAM - syskey extraction
+            - '.downloadstring('  # PowerShell download command
+            - '.downloadfile('  # PowerShell download command
+            - 'FromBase64String' # PowerShell encoded payload
+            - ' /ticket:'  # Rubeus
+            - ' sekurlsa'  # Mimikatz
+            - '.dmp full'  # Process dumping method apart from procdump
+            - 'process call create' # WMIC process creation
+            - 'whoami /priv'
+    condition: 1 of selection_webserver* and 1 of selection_child*
 falsepositives:
-   - Unlikely
+    - Unlikely
 level: high