feat: multiple updates and enhancements

rules/windows/process_creation/proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml → rules-deprecated/windows/proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml

@@ -1,9 +1,6 @@
 title: Malicious Base64 Encoded Powershell Invoke Cmdlets
 id: fd6e2919-3936-40c9-99db-0aa922c356f7
-related:
-    - id: 6385697e-9f1b-40bd-8817-f4a91f40508e
-      type: similar
-status: test
+status: deprecated
 description: Detects base64 encoded powershell cmdlet invocation of known suspicious cmdlets
 references:
     - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/

rules/windows/process_creation/proc_creation_win_powershell_base64_listing_shadowcopy.yml → rules-deprecated/windows/proc_creation_win_powershell_base64_listing_shadowcopy.yml

@@ -1,6 +1,6 @@
 title: Base64 Encoded Listing of Shadowcopy
 id: 47688f1b-9f51-4656-b013-3cc49a166a36
-status: test
+status: deprecated
 description: Detects base64 encoded listing Win32_Shadowcopy
 references:
     - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar

rules/windows/process_creation/proc_creation_win_powershell_xor_encoded_command.yml → rules-deprecated/windows/proc_creation_win_powershell_xor_encoded_command.yml

@@ -1,9 +1,6 @@
 title: Potential Xor Encoded PowerShell Command
 id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6
-related:
-    - id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f
-      type: similar
-status: test
+status: deprecated
 description: Detects usage of "xor" or "bxor" in combination of a "foreach" loop. This pattern is often found in encoded powershell code and commands as a way to avoid detection
 references:
     - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65

rules/windows/builtin/ldap/win_ldap_recon.yml

@@ -19,7 +19,7 @@ tags:
 logsource:
     product: windows
     service: ldap_debug
-    definition: 'Requires Microsoft-Windows-LDAP-Client/Debug ETW logging'
+    definition: 'Requirements: Microsoft-Windows-LDAP-Client/Debug ETW logging'
 detection:
     generic_search:
         EventID: 30

rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml → rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml

@@ -35,7 +35,7 @@ detection:
             - 'SMB1Protocol'
             - 'Client-ProjFS'
             - 'Microsoft-Windows-Subsystem-Linux'
-    condition: all of selection*
+    condition: all of selection_*
 falsepositives:
-    - Unknown
+    - Legitimate usage of the features listed in the rule.
 level: medium

rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml

@@ -1,5 +1,8 @@
 title: Malicious PowerView PowerShell Commandlets
 id: dcd74b95-3f36-4ed9-9598-0490951643aa
+related:
+    - id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d
+      type: similar
 status: test
 description: Detects Commandlet names from PowerView of PowerSploit exploitation framework.
 references:

rules/windows/process_access/proc_access_win_invoke_phantom.yml

@@ -1,13 +1,13 @@
-title: Suspect Svchost Memory Asccess
+title: Potential Svchost Memory Access
 id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde
 status: experimental
-description: Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.
+description: Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.
 references:
     - https://github.com/hlldz/Invoke-Phant0m
     - https://twitter.com/timbmsft/status/900724491076214784
 author: Tim Burrell
 date: 2020/01/02
-modified: 2022/11/01
+modified: 2023/01/30
 tags:
     - attack.defense_evasion
     - attack.t1562.002

rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml

@@ -1,5 +1,8 @@
 title: Operator Bloopers Cobalt Strike Commands
 id: 647c7b9e-d784-4fda-b9a0-45c565a7b729
+related:
+    - id: 4f154fb6-27d1-4813-a759-78b93e0b9c48
+      type: similar
 status: experimental
 description: Detects use of Cobalt Strike commands accidentally entered in the CMD shell
 references:
@@ -8,7 +11,7 @@ references:
     - https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
 author: _pete_0, TheDFIRReport
 date: 2022/05/06
-modified: 2022/11/11
+modified: 2023/01/30
 tags:
     - attack.execution
     - attack.t1059.003
@@ -21,27 +24,20 @@ detection:
         - Image|endswith: '\cmd.exe'
     selection_cli:
         CommandLine|startswith:
+            - 'cmd '
             - 'cmd.exe'
             - 'c:\windows\system32\cmd.exe'
         CommandLine|contains:
-            - psinject
-            - spawnas
-            - make_token
-            - remote-exec
-            - rev2self
-            - dcsync
-            - logonpasswords
-            - execute-assembly
-            - getsystem
-    filter_vscode:
-        # This FP could occure when VSCode is installed and a search/or string selection is made to look for one of these detections mentioned above
-        ParentImage|endswith: \AppData\Local\Programs\Microsoft VS Code\Code.exe # This is the default install location please add your custom one to avoid FP
-        CommandLine|contains|all:
-            - '/d /s /c '
-            - 'checkfilenameiocs --ioc-path '
-    condition: all of selection_* and not 1 of filter_*
-fields:
-    - CommandLine
+            - 'psinject'
+            - 'spawnas'
+            - 'make_token'
+            - 'remote-exec'
+            - 'rev2self'
+            - 'dcsync'
+            - 'logonpasswords'
+            - 'execute-assembly'
+            - 'getsystem'
+    condition: all of selection_*
 falsepositives:
     - Unknown
 level: high

rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml

@@ -1,5 +1,8 @@
 title: Operator Bloopers Cobalt Strike Modules
 id: 4f154fb6-27d1-4813-a759-78b93e0b9c48
+related:
+    - id: 647c7b9e-d784-4fda-b9a0-45c565a7b729
+      type: similar
 status: experimental
 description: Detects Cobalt Strike module/commands accidentally entered in CMD shell
 references:
@@ -8,7 +11,7 @@ references:
     - https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
 author: _pete_0, TheDFIRReport
 date: 2022/05/06
-modified: 2022/11/11
+modified: 2023/01/30
 tags:
     - attack.execution
     - attack.t1059.003
@@ -21,19 +24,18 @@ detection:
         - Image|endswith: '\cmd.exe'
     selection_cli:
         CommandLine|startswith:
+            - 'cmd '
             - 'cmd.exe'
             - 'c:\windows\system32\cmd.exe'
         CommandLine|contains:
-            - Invoke-UserHunter
-            - Invoke-ShareFinder
-            - Invoke-Kerberoast
-            - Invoke-SMBAutoBrute
-            - Invoke-Nightmare
-            - zerologon
-            - av_query
+            - 'Invoke-UserHunter'
+            - 'Invoke-ShareFinder'
+            - 'Invoke-Kerberoast'
+            - 'Invoke-SMBAutoBrute'
+            - 'Invoke-Nightmare'
+            - 'zerologon'
+            - 'av_query'
     condition: all of selection_*
-fields:
-    - CommandLine
 falsepositives:
     - Unknown
 level: high

rules/windows/process_creation/proc_creation_win_windowsoptionalfeature.yml → rules/windows/process_creation/proc_creation_win_enable_susp_windows_optional_feature.yml

@@ -25,15 +25,15 @@ detection:
             - '-Online'
             - '-FeatureName'
     selection_feature:
-        # Add any unsecure/unusual windows features to your env
+        # Add any unsecure/unusual windows features that you don't use in your environment
         CommandLine|contains:
             - 'TelnetServer'
             - 'Internet-Explorer-Optional-amd64'
             - 'TFTP'
             - 'SMB1Protocol'
             - 'Client-ProjFS'
             - 'Microsoft-Windows-Subsystem-Linux'
-    condition: all of selection*
+    condition: all of selection_*
 falsepositives:
-    - Unknown
+    - Legitimate usage of the features listed in the rule.
 level: medium

rules/windows/process_creation/proc_creation_win_pdq_deploy.yml → rules/windows/process_creation/proc_creation_win_pdqdeploy.yml

@@ -1,12 +1,16 @@
-title: Use of PDQ Deploy Remote Adminstartion Tool
+title: PDQ Deploy Remote Adminstartion Tool Execution
 id: d679950c-abb7-43a6-80fb-2a480c4fc450
+related:
+    - id: 12b8e9f5-96b2-41e1-9a42-8c6779a5c184
+      type: similar
 status: experimental
 description: Detect use of PDQ Deploy remote admin tool
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md
     - https://www.pdq.com/pdq-deploy/
 author: frack113
 date: 2022/10/01
+modified: 2023/01/30
 tags:
     - attack.execution
     - attack.lateral_movement

rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml

@@ -1,5 +1,8 @@
 title: Suspicious Execution Of PDQDeployRunner
 id: 12b8e9f5-96b2-41e1-9a42-8c6779a5c184
+related:
+    - id: d679950c-abb7-43a6-80fb-2a480c4fc450
+      type: similar
 status: experimental
 description: Detects suspicious execution of "PDQDeployRunner" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines
 references:

rules/windows/process_creation/proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml

@@ -1,4 +1,4 @@
-title: Possible Privilege Escalation via Service Permissions Weakness
+title: Potential Privilege Escalation via Service Permissions Weakness
 id: 0f9c21f1-6a73-4b0e-9809-cb562cb8d981
 status: test
 description: Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
@@ -7,7 +7,7 @@ references:
     - https://pentestlab.blog/2017/03/31/insecure-registry-permissions/
 author: Teymur Kheirkhabarov
 date: 2019/10/26
-modified: 2022/10/09
+modified: 2023/01/30
 tags:
     - attack.privilege_escalation
     - attack.t1574.011
@@ -18,16 +18,13 @@ detection:
     selection:
         IntegrityLevel: 'Medium'
         CommandLine|contains|all:
-            - ControlSet
-            - services
+            - 'ControlSet'
+            - 'services'
         CommandLine|contains:
-            - \ImagePath
-            - \FailureCommand
-            - \ServiceDll
+            - '\ImagePath'
+            - '\FailureCommand'
+            - '\ServiceDll'
     condition: selection
 falsepositives:
     - Unknown
 level: high
-enrichment:
-    - EN_0001_cache_sysmon_event_id_1_info                      # http://bit.ly/314zc6x
-    - EN_0003_enrich_other_sysmon_events_with_event_id_1_data   # http://bit.ly/2ojW7fw

rules/windows/process_creation/proc_creation_win_encoded_frombase64string.yml → rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml

@@ -1,7 +1,7 @@
-title: Encoded FromBase64String
+title: PowerShell Base64 Encoded FromBase64String Keyword
 id: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c
 status: test
-description: Detects a base64 encoded FromBase64String keyword in a process command line
+description: Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line
 author: Florian Roth
 date: 2019/08/24
 modified: 2022/03/07
@@ -16,7 +16,7 @@ logsource:
 detection:
     selection:
         - CommandLine|base64offset|contains: '::FromBase64String'
-    # UTF-16 LE
+        # UTF-16 LE
         - CommandLine|contains:
             - 'OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA'
             - 'oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA'

rules/windows/process_creation/proc_creation_win_encoded_iex.yml → rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml

@@ -1,10 +1,10 @@
-title: Encoded IEX
+title: PowerShell Base64 Encoded IEX Keyword
 id: 88f680b8-070e-402c-ae11-d2914f2257f1
 status: test
-description: Detects a base64 encoded IEX command string in a process command line
+description: Detects usage of a base64 encoded "IEX" string in a process command line
 author: Florian Roth
 date: 2019/08/23
-modified: 2022/03/07
+modified: 2023/01/30
 tags:
     - attack.execution
     - attack.t1059.001
@@ -18,7 +18,7 @@ detection:
             - 'iex (['
             - 'iex (New'
             - 'IEX (New'
-    # UTF16 LE
+        # UTF16 LE
         - CommandLine|contains:
             - 'SQBFAFgAIAAoAFsA'
             - 'kARQBYACAAKABbA'

rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml

@@ -0,0 +1,36 @@
+title: PowerShell Base64 Encoded Invoke Keyword
+id: 6385697e-9f1b-40bd-8817-f4a91f40508e
+related:
+    - id: fd6e2919-3936-40c9-99db-0aa922c356f7
+      type: obsoletes
+status: test
+description: Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls
+references:
+    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
+author: pH-T, Harjot Singh, '@cyb3rjy0t'
+date: 2022/05/20
+modified: 2023/01/27
+tags:
+    - attack.execution
+    - attack.t1059.001
+    - attack.defense_evasion
+    - attack.t1027
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains:
+            # Invoke-
+            # UTF-16LE
+            - 'SQBuAHYAbwBrAGUALQ'
+            - 'kAbgB2AG8AawBlAC0A'
+            - 'JAG4AdgBvAGsAZQAtA'
+            # UTF-8
+            - 'SW52b2tlL'
+            - 'ludm9rZS'
+            - 'JbnZva2Ut'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high

rules/windows/process_creation/proc_creation_win_powershell_defender_base64.yml → rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml

@@ -1,4 +1,4 @@
-title: Powershell Defender Base64 MpPreference
+title: Powershell Base64 Encoded MpPreference Cmdlet
 id: c6fb44c6-71f5-49e6-9462-1425d328aee3
 status: experimental
 description: Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV
@@ -8,21 +8,21 @@ references:
     - https://twitter.com/AdamTheAnalyst/status/1483497517119590403
 author: Florian Roth
 date: 2022/03/04
-modified: 2022/08/05
+modified: 2023/01/30
 tags:
     - attack.defense_evasion
     - attack.t1562.001
 logsource:
     category: process_creation
     product: windows
 detection:
-    selection_encoded:
-        CommandLine|base64offset|contains:
+    selection:
+        - CommandLine|base64offset|contains:
             - 'Add-MpPreference '
             - 'Set-MpPreference '
             - 'add-mppreference '
             - 'set-mppreference '
-        CommandLine|contains:
+        - CommandLine|contains:
             # UTF16-LE
             - 'QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA'
             - 'EAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA'
@@ -36,7 +36,7 @@ detection:
             - 'cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA'
             - 'MAZQB0AC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA'
             - 'zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA'
-    condition: selection_encoded
+    condition: selection
 falsepositives:
     - Possible Admin Activity
     - Other Cmdlets that may use the same parameters

rules/windows/process_creation/proc_creation_win_powershell_base64_reflective_assembly_load.yml

@@ -1,4 +1,4 @@
-title: Base64 Encoded Reflective Assembly Load
+title: PowerShell Base64 Encoded Reflective Assembly Load
 id: 62b7ccc9-23b4-471e-aa15-6da3663c4d59
 related:
     - id: 9c0295ce-d60d-40bd-bd74-84673b7592b1
@@ -8,7 +8,7 @@ description: Detects base64 encoded .NET reflective loading of Assembly
 references:
     - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
     - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
-author: "Christian Burkard, pH-T"
+author: Christian Burkard, pH-T
 date: 2022/03/01
 modified: 2022/05/20
 tags: