refactor: more robust reg add ImagePath rule

SigmaHQ · Mar 29, 2022 · cc45743 · cc45743
1 parent 507551c
commit cc45743
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 6 deletions.
diff --git a/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml b/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml
@@ -9,19 +9,22 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe
 author: frack113
 date: 2021/12/30
+modified: 2022/03/29
 logsource:
     category: process_creation
     product: windows
 detection:
     selection:
-        Image|endswith: \reg.exe 
+        Image|endswith: \reg.exe
         CommandLine|contains|all:
             - 'add '
-            - 'HKLM\SYSTEM\CurrentControlSet\Services\'
-            - '/v '
-            - 'ImagePath '
-            - '/d '
-    condition: selection
+            - 'SYSTEM\CurrentControlSet\Services\'
+            - ' ImagePath '
+    selection_value:
+        CommandLine|contains:
+            - ' /d '
+            - ' -d '
+    condition: all of selection*
 falsepositives:
     - Unknown
 level: medium

diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml
@@ -4,6 +4,7 @@ status: experimental
 description: Detects suspicious ways to run Invoke-Execution using IEX acronym
 author: Florian Roth
 date: 2022/03/24
+modified:
 references:
    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2
 logsource: