Merge pull request #2784 from frack113/refactor_regex

Refactor regex

rules/windows/builtin/system/win_invoke_obfuscation_via_rundll_services.yml

@@ -4,14 +4,9 @@ description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
-modified: 2021/11/30
+modified: 2022/03/07
 references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
-tags:
-    - attack.defense_evasion
-    - attack.t1027
-    - attack.execution
-    - attack.t1059.001
 logsource:
     product: windows
     service: system
@@ -19,8 +14,17 @@ detection:
     selection:
         Provider_Name: 'Service Control Manager'
         EventID: 7045
-        ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+        ImagePath|contains|all: 
+            - 'rundll32.exe'
+            - 'shell32.dll'
+            - 'shellexec_rundll'
+            - 'powershell'
     condition: selection
 falsepositives:
     - Unknown
-level: medium
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001

rules/windows/builtin/system/win_invoke_obfuscation_via_use_rundll32_services.yml

@@ -4,14 +4,9 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
-modified: 2021/11/30
+modified: 2022/03/07
 references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task30)
-tags:
-    - attack.defense_evasion
-    - attack.t1027
-    - attack.execution
-    - attack.t1059.001
 logsource:
     product: windows
     service: system
@@ -19,8 +14,22 @@ detection:
     selection:
         Provider_Name: 'Service Control Manager'
         EventID: 7045
-        ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+        ImagePath|contains|all:
+            - '&&'
+            - 'rundll32'
+            - 'shell32.dll'
+            - 'shellexec_rundll'
+        ImagePath|contains:    
+            - 'value'
+            - 'invoke'
+            - 'comspec'
+            - 'iex'
     condition: selection
 falsepositives:
     - Unknown
-level: high
+level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001

rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml

@@ -21,8 +21,14 @@ logsource:
     definition: PowerShell Module Logging must be enabled
 detection:
     selection_4103:
-        Payload|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
+        Payload|contains|all:
+            - 'new-object'
+            - 'text.encoding]::ascii'
+        Payload|contains:
+            - 'system.io.compression.deflatestream'
+            - 'system.io.streamreader'
+        Payload|endswith: 'readtoend'
     condition: selection_4103
 falsepositives:
     - unknown
-level: medium
+level: medium

rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml

@@ -7,22 +7,28 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/08
-modified: 2021/10/16
+modified: 2022/03/07
 references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
-tags:
-    - attack.defense_evasion
-    - attack.t1027
-    - attack.execution
-    - attack.t1059.001
 logsource:
     product: windows
     category: ps_module
     definition: PowerShell Module Logging must be enabledd
 detection:
     selection_4103:
-        Payload|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
+        Payload|contains|all:
+            - 'set'
+            - '&&'
+            - 'mshta'
+            - 'vbscript:createobject'
+            - '.run'
+            - '(window.close)'
     condition: selection_4103
 falsepositives:
     - Unknown
 level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001

rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml

@@ -4,22 +4,28 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/08
-modified: 2021/10/16
+modified: 2022/03/07
 references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
-tags:
-    - attack.defense_evasion
-    - attack.t1027
-    - attack.execution
-    - attack.t1059.001
 logsource:
     product: windows
     category: ps_script
     definition: Script block logging must be enabled
 detection:
     selection_4104:
-        ScriptBlockText|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
+        ScriptBlockText|contains|all:
+            - 'set'
+            - '&&'
+            - 'mshta'
+            - 'vbscript:createobject'
+            - '.run'
+            - '(window.close)'
     condition: selection_4104
 falsepositives:
     - Unknown
 level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001

rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_compress.yml

@@ -6,13 +6,19 @@ author: Timur Zinniatullin, oscd.community
 references:
   - https://github.com/Neo23x0/sigma/issues/1009   #(Task 19)
 date: 2020/10/18
-modified: 2021/11/27
+modified: 2022/03/07
 logsource:
   category: process_creation
   product: windows
 detection:
   selection:
-    CommandLine|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
+    CommandLine|contains|all:
+      - 'new-object'
+      - 'text.encoding]::ascii'
+    CommandLine|contains:
+      - 'system.io.compression.deflatestream'
+      - 'system.io.streamreader'
+    CommandLine|endswith: 'readtoend'
   condition: selection
 falsepositives:
   - unknown

rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_rundll.yml

@@ -6,13 +6,17 @@ author: Timur Zinniatullin, oscd.community
 references:
   - https://github.com/Neo23x0/sigma/issues/1009   #(Task 23)
 date: 2020/10/18
-modified: 2021/11/27
+modified: 2022/03/07
 logsource:
   category: process_creation
   product: windows
 detection:
   selection:
-    CommandLine|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+    CommandLine|contains|all:
+      - 'rundll32.exe'
+      - 'shell32.dll'
+      - 'shellexec_rundll'
+      - 'powershell'
   condition: selection
 falsepositives:
   - Unknown

rules/windows/process_creation/proc_creation_win_lolbas_execution_of_wuauclt.yml

@@ -6,17 +6,16 @@ references:
     - https://dtm.uk/wuauclt/
 author: Sreeman
 date: 2020/10/29
-modified: 2021/06/11
-tags:
-    - attack.defense_evasion
-    - attack.execution
-    - attack.t1218.011
+modified: 2022/03/07
 logsource:
     product: windows
     category: process_creation
 detection:
     selection:
-        CommandLine|re: '(?i)wuauclt\.exe.*\/UpdateDeploymentProvider.*\/Runhandlercomserver'
+        CommandLine|contains|all:
+            - 'wuauclt.exe'
+            - '/UpdateDeploymentProvider'
+            - '/Runhandlercomserver'
     filter:
         CommandLine|contains:
             - 'wuaueng.dll'
@@ -27,3 +26,7 @@ falsepositives:
 fields:
     - CommandLine
 level: medium
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1218.011

rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml

@@ -4,10 +4,7 @@ description: BITS will allow you to schedule a command to execute after a succes
 status: experimental
 author: Sreeman
 date: 2020/10/29
-modified: 2021/07/15
-tags:
-    - attack.defense_evasion
-    - attack.t1197
+modified: 2022/03/07
 references:
     - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
     - http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html
@@ -17,12 +14,28 @@ logsource:
     category: process_creation
 detection:
     selection_1:
-        CommandLine|re: '(?i).*bitsadmin.*\/SetNotifyCmdLine.*(%COMSPEC%|cmd.exe|regsvr32.exe).*'
+        CommandLine|contains|all:
+            - 'bitsadmin'
+            - '/SetNotifyCmdLine'
+        CommandLine|contains:  
+            - '%COMSPEC%'
+            - 'cmd.exe'
+            - 'regsvr32.exe'
     selection_2:
-        CommandLine|re: '(?i).*bitsadmin.*\/Addfile.*(http|https|ftp|ftps):.*'
-    condition: selection_1 or selection_2
+        CommandLine|contains|all:
+            - 'bitsadmin'
+            - '/Addfile'
+        CommandLine|contains:    
+            - 'http:'
+            - 'https:'
+            - 'ftp:'
+            - 'ftps:'
+    condition: 1 of selection_*
 falsepositives:
     - None observed yet.
 fields:
     - CommandLine
-level: medium
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1197

rules/windows/process_creation/proc_creation_win_write_protect_for_storage_disabled.yml

@@ -4,17 +4,24 @@ description: Looks for changes to registry to disable any write-protect property
 status: experimental
 author: Sreeman
 date: 2021/06/11
-modified: 2021/06/11
-tags:
-    - attack.defense_evasion
-    - attack.t1562
+modified: 2022/03/07
 logsource:
     product: windows
     category: process_creation
 detection:
     selection:
-        CommandLine|re: '(?i).*reg add.*hklm\\\\system\\\\currentcontrolset\\\\control.*(storage|storagedevicepolicies).*write protection.*0.*'
+        CommandLine|contains|all:
+            - 'reg add'
+            - 'hklm\system\currentcontrolset\control'
+            - 'write protection'
+            - '0'
+        CommandLine|contains:   
+            - 'storage'
+            - 'storagedevicepolicies'
     condition: selection
 falsepositives:
     - none observed
-level: medium
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1562