SigmaHQ · qasimqlf · Feb 26, 2024 · Feb 26, 2024 · Feb 26, 2024 · Feb 26, 2024
diff --git a/rules/windows/process_creation/proc_creation_win_esentutl_params.yml b/rules/windows/process_creation/proc_creation_win_esentutl_params.yml
@@ -8,7 +8,7 @@ references:
     - https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
 author: sam0x90
 date: 2021/08/06
-modified: 2022/10/09
+modified: 2024/02/27
 tags:
     - attack.credential_access
     - attack.t1003
@@ -17,11 +17,14 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
-        CommandLine|contains|all:
-            - 'esentutl'
+    selection_img:
+        - Image|endswith: '\esentutl.exe'
+        - OriginalFileName: 'esentutl.exe'
+    selection_flags:
+        CommandLine|contains:
             - ' /p'
-    condition: selection
+            - ' -p'
+    condition: all of selection_*
 fields:
     - User
     - CommandLine

diff --git a/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml b/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml
@@ -8,7 +8,7 @@ references:
     - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
 author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
 date: 2019/10/22
-modified: 2022/11/11
+modified: 2024/02/27
 tags:
     - attack.credential_access
     - attack.t1003.002
@@ -26,7 +26,9 @@ detection:
         CommandLine|contains:
             - 'vss'
             - ' /m '
+            - ' -m '
             - ' /y '
+            - ' -y '
     selection_susp_paths:
         CommandLine|contains:
             - '\windows\ntds\ntds.dit'

diff --git a/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml b/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml
@@ -11,23 +11,26 @@ references:
     - https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber
 date: 2019/06/29
-modified: 2022/09/20
+modified: 2024/02/27
 tags:
     - attack.defense_evasion
     - attack.t1036
 logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
+    selection_factory:
         # See CLSID_SeparateMultipleProcessExplorerHost in the registry for reference
-        - CommandLine|contains: '/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}' # This will catch, the new explorer spawning which indicates a process/tree break. But you won't be able to catch the executing process. For that you need historical data
+        CommandLine|contains: '/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}' # This will catch, the new explorer spawning which indicates a process/tree break. But you won't be able to catch the executing process. For that you need historical data
+    selection_cli_1:
         # There exists almost infinite possibilities to spawn from explorer. The "/root" flag is just an example
         # It's better to have the ability to look at the process tree and look for explorer processes with "weird" flags to be able to catch this technique.
-        - CommandLine|contains|all:
-              - 'explorer.exe'
-              - ' /root,'
-    condition: selection
+        CommandLine|contains: 'explorer.exe'
+    selection_cli_2:
+        CommandLine|contains:
+            - ' /root,'
+            - ' -root,'
+    condition: selection_factory or all of selection_cli_*
 falsepositives:
     - Unknown
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml
@@ -6,7 +6,7 @@ references:
     - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
 author: Florian Roth (Nextron Systems)
 date: 2022/08/12
-modified: 2023/11/11
+modified: 2024/02/27
 tags:
     - attack.credential_access
     - attack.t1552.006
@@ -26,7 +26,9 @@ detection:
     selection_special:
         CommandLine|contains:
             - ' /i "lsass'
+            - ' -i "lsass'
             - ' /i lsass.exe'
+            - ' -i lsass.exe'
             - 'findstr "lsass'
             - 'findstr lsass'
             - 'findstr.exe "lsass'

diff --git a/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml
@@ -11,6 +11,7 @@ references:
     - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
 author: Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems)
 date: 2024/02/05
+modified: 2024/02/27
 tags:
     - attack.defense_evasion
     - attack.t1218
@@ -23,7 +24,9 @@ detection:
         - Image|endswith: '\iexpress.exe'
         - OriginalFileName: 'IEXPRESS.exe'
     selection_cli:
-        CommandLine|contains: ' /n '
+        CommandLine|contains:
+            - ' /n '
+            - ' -n '
     selection_paths:
         CommandLine|contains:
             # Note: Add more uncommon paths that fit your organizational needs.

diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml b/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml
@@ -6,6 +6,7 @@ references:
     - https://lolbas-project.github.io/lolbas/Binaries/Unregmp2/
 author: frack113
 date: 2022/12/29
+modified: 2024/02/27
 tags:
     - attack.defense_evasion
     - attack.t1218
@@ -17,7 +18,9 @@ detection:
         - Image|endswith: '\unregmp2.exe'
         - OriginalFileName: 'unregmp2.exe'
     selection_cmd:
-        CommandLine|contains: ' /HideWMP'
+        CommandLine|contains:
+            - ' /HideWMP'
+            - ' -HideWMP'
     condition: all of selection_*
 falsepositives:
     - Unknown

diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml b/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml
@@ -9,7 +9,7 @@ references:
     - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc
 author: frack113
 date: 2022/01/07
-modified: 2023/02/03
+modified: 2024/02/27
 tags:
     - attack.lateral_movement
     - attack.t1021.001
@@ -21,7 +21,9 @@ detection:
         - Image|endswith: '\mstsc.exe'
         - OriginalFileName: 'mstsc.exe'
     selection_cli:
-        CommandLine|contains: ' /v:'
+        CommandLine|contains:
+            - ' /v:'
+            - ' -v:'
     filter_optional_wsl:
         # Example: mstsc.exe /v:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /hvsocketserviceid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /silent /wslg /plugin:WSLDVC /wslgsharedmemorypath:WSL\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\wslg C:\ProgramData\Microsoft\WSL\wslg.rdp
         ParentImage: 'C:\Windows\System32\lxss\wslhost.exe'

diff --git a/...dows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml b/...dows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml
@@ -25,7 +25,7 @@ detection:
     selection_websites:
         CommandLine|contains:
             # Note: You might want to baseline the github domain before including it
-            #- '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea).
+            # - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea).
             - 'anonfiles.com'
             - 'cdn.discordapp.com'
             - 'cdn.discordapp.com/attachments/'