Merge pull request SigmaHQ#3010 from nasbench/master

Updated Rules to use "OriginalFileName" Field (First Batch)

rules/windows/file_rename/file_rename_win_not_dll_to_dll.yml

@@ -15,10 +15,10 @@ detection:
     to_dll:
         TargetFilename|endswith: '.dll'
     filter_from_dll:
-        - OriginalFilename|endswith: 
+        - OriginalFilename|endswith:
             - '.dll'
             - '.tmp'  # VSCode FP
-        - OriginalFilename|contains: 
+        - OriginalFilename|contains:
             - '.dll.'
             - '\SquirrelTemp\temp'
     filter_tiworker:

rules/windows/process_creation/proc_creation_win_creation_mavinject_dll.yml

@@ -3,6 +3,7 @@ id: 4f73421b-5a0b-4bbf-a892-5a7fb99bea66
 status: experimental
 author: frack113
 date: 2021/07/12
+modified: 2022/05/13
 description: Injects arbitrary DLL into running process specified by process ID. Requires Windows 10.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
@@ -18,11 +19,13 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine|contains|all: 
+        CommandLine|contains|all:
             - ' /INJECTRUNNING'
             - '.dll' # space some time in the end
-        OriginalFileName|contains: mavinject
-    condition: selection 
+        OriginalFileName:
+            - 'mavinject32.exe'
+            - 'mavinject64.exe'
+    condition: selection
 fields:
     - ComputerName
     - User

rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml

@@ -7,16 +7,19 @@ references:
     - https://redcanary.com/threat-detection-report/threats/qbot/
 author: frack113
 date: 2022/02/13
+modified: 2022/05/12
 logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
-        Image|endswith: \esentutl.exe
+    selection_img:
+        - Image|endswith: '\esentutl.exe'
+        - OriginalFileName: 'esentutl.exe'
+    selection_cli:
         CommandLine|contains|all:
             - '/r '
             - '\Windows\WebCache'
-    condition: selection
+    condition: all of selection*
 falsepositives:
     - Legitimate use
 level: medium

rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml

@@ -11,20 +11,21 @@ tags:
     - attack.t1562.001
 author: Florian Roth
 date: 2021/04/29
-modified: 2022/03/04
+modified: 2022/05/12
 logsource:
     category: process_creation
     product: windows
 detection:
     selection1:
-        CommandLine|contains: 
+        CommandLine|contains:
             - 'Add-MpPreference '
             - 'Set-MpPreference '
     selection2:
         CommandLine|contains:
             - ' -ExclusionPath '
             - ' -ExclusionExtension '
             - ' -ExclusionProcess '
+            - ' -ExclusionIpAddress '
     condition: all of selection*
 falsepositives:
     - Possible Admin Activity

rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml

@@ -9,13 +9,13 @@ references:
     - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
 author: Florian Roth
 date: 2022/01/20
-modified: 2022/05/05
+modified: 2022/05/13
 logsource:
     product: windows
     category: process_creation
 detection:
     selection:
-        - OriginalFileName|contains: 'AdvancedRun.exe'
+        - OriginalFileName: 'AdvancedRun.exe'
         - CommandLine|contains|all:
             - ' /EXEFilename '
             - ' /Run'

rules/windows/process_creation/proc_creation_win_susp_ftp.yml

@@ -6,15 +6,15 @@ author: Victor Sergeev, oscd.community
 references:
   - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Ftp.yml
 date: 2020/10/09
-modified: 2021/11/27
+modified: 2022/05/13
 logsource:
   category: process_creation
   product: windows
 detection:
   ftp_path:
     Image|endswith: 'ftp.exe'
   ftp_metadata:
-    OriginalFileName|contains: 'ftp.exe'
+    OriginalFileName: 'ftp.exe'
   cmd_with_script_modifier:
     CommandLine|contains: '-s:'
   parent_path:

rules/windows/process_creation/proc_creation_win_susp_psloglist.yml

@@ -8,6 +8,7 @@ references:
     - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList
 author: Nasreddine Bencherchali @nas_bench
 date: 2021/12/18
+modified: 2022/05/13
 tags:
     - attack.discovery
     - attack.t1087
@@ -18,7 +19,7 @@ logsource:
     product: windows
 detection:
     selection1:
-        OriginalFileName|contains: 'psloglist'
+        OriginalFileName: 'psloglist'
     selection2:
         Image|endswith:
           - '\psloglist.exe'
@@ -32,7 +33,7 @@ detection:
           - '-s'
           - '/s'
     other:
-        CommandLine|contains|all: 
+        CommandLine|contains|all:
             - 'security'
             - 'accepteula'
     condition: (1 of selection*) or (flags and other)

rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml

@@ -7,6 +7,7 @@ references:
   - https://twitter.com/_xpn_/status/1491557187168178176
   - https://www.youtube.com/watch?v=Ie831jF0bb0
 date: 2022/02/10
+modified: 2022/05/13
 logsource:
   category: process_creation
   product: windows

rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml

@@ -4,16 +4,19 @@ status: experimental
 description: List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe 
 author: frack113
 date: 2022/04/08
+modified: 2022/05/13
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md#atomic-test-1---access-saved-credentials-via-vaultcmd
 logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
-        Image|endswith: '\VaultCmd.exe'
+    selection_img:
+        - Image|endswith: '\VaultCmd.exe'
+        - OriginalFileName: 'VAULTCMD.EXE'
+    selection_cli:
         CommandLine|contains: '/listcreds:'
-    condition: selection
+    condition: all of selection*
 falsepositives:
     - Unknown
 level: medium

rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml

@@ -7,15 +7,17 @@ references:
   - https://github.com/OTRF/detection-hackathon-apt29/issues/17
   - https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html
 date: 2020/05/02
-modified: 2021/11/27
+modified: 2022/05/13
 logsource:
   category: process_creation
   product: windows
 detection:
-  selection:
-    Image|endswith: '\rundll32.exe'
+  selection_img:
+    - Image|endswith: '\rundll32.exe'
+    - OriginalFileName: 'RUNDLL32.EXE'
+  selection_cli:
     CommandLine|contains: 'C:\windows\system32\davclnt.dll,DavSetCookie'
-  condition: selection
+  condition: all of selection*
 falsepositives:
   - Unknown
 level: medium

rules/windows/process_creation/proc_creation_win_susp_where_execution.yml

@@ -9,12 +9,14 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md
 author: frack113
 date: 2021/12/13
+modified: 2022/05/13
 logsource:
     category: process_creation
     product: windows
 detection:
     where_exe:
-        Image|endswith: '\where.exe'
+        - Image|endswith: '\where.exe'
+        - OriginalFileName: 'where.exe'
     where_opt:
         CommandLine|contains:
             - 'Bookmarks'

rules/windows/process_creation/proc_creation_win_susp_whoami.yml

@@ -7,13 +7,14 @@ references:
   - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
   - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
 date: 2018/08/13
-modified: 2021/11/27
+modified: 2022/05/13
 logsource:
   category: process_creation
   product: windows
 detection:
   selection:
-    Image|endswith: '\whoami.exe'
+    - Image|endswith: '\whoami.exe'
+    - OriginalFileName: 'whoami.exe'
   condition: selection
 falsepositives:
   - Admin activity

rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml

@@ -7,7 +7,7 @@ references:
     - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
 author: Florian Roth
 date: 2021/08/12
-modified: 2021/08/26
+modified: 2022/05/13
 tags:
     - attack.discovery
     - attack.t1033
@@ -17,9 +17,10 @@ logsource:
     product: windows
 detection:
     selection:
-        Image|endswith: '\whoami.exe'
+        - Image|endswith: '\whoami.exe'
+        - OriginalFileName: 'whoami.exe'
     filter1:
-        ParentImage|endswith: 
+        ParentImage|endswith:
             - '\cmd.exe'
             - '\powershell.exe'
     filter2:

rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml

@@ -7,18 +7,20 @@ references:
   - https://twitter.com/bohops/status/994405551751815170
   - https://redcanary.com/blog/lateral-movement-winrm-wmi/
 date: 2020/10/07
-modified: 2021/11/27
+modified: 2022/05/13
 logsource:
   category: process_creation
   product: windows
 detection:
-  selection:
-    Image|endswith: '\cscript.exe'
+  selection_img:
+    - Image|endswith: '\cscript.exe'
+    - OriginalFileName: 'cscript.exe'
+  selection_cli:
     CommandLine|contains|all:
       - 'winrm'
       - 'invoke Create wmicimv2/Win32_'
       - '-r:http'
-  condition: selection
+  condition: all of selection*
 falsepositives:
   - Legitimate use for administartive purposes. Unlikely
 

rules/windows/process_creation/proc_creation_win_susp_wmi_execution.yml

@@ -8,13 +8,14 @@ references:
   - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
   - https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/
 date: 2019/01/16
-modified: 2022/01/07
+modified: 2022/05/13
 logsource:
   category: process_creation
   product: windows
 detection:
   selection:
-    Image|endswith: '\wmic.exe'
+    - Image|endswith: '\wmic.exe'
+    - OriginalFileName: 'wmic.exe'
   selection2:
     CommandLine|contains|all:
       - 'process'

rules/windows/process_creation/proc_creation_win_susp_wsl_lolbin.yml

@@ -6,17 +6,19 @@ author: 'oscd.community, Zach Stanford @svch0st'
 references:
   - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/
 date: 2020/10/05
-modified: 2021/11/27
+modified: 2022/05/13
 logsource:
   category: process_creation
   product: windows
 detection:
-  selection:
-    Image|endswith: '\wsl.exe'
+  selection_img:
+    - Image|endswith: '\wsl.exe'
+    - OriginalFileName: 'wsl.exe'
+  selection_cli:
     CommandLine|contains:
       - ' -e '
       - ' --exec '
-  condition: selection
+  condition: all of selection*
 falsepositives:
   - Automation and orchestration scripts may use this method execute scripts etc
 level: medium

rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml

@@ -6,7 +6,7 @@ references:
     - https://dtm.uk/wuauclt/
 author: FPT.EagleEye Team
 date: 2020/10/17
-modified: 2021/11/18
+modified: 2022/05/13
 tags:
     - attack.command_and_control
     - attack.execution
@@ -16,17 +16,19 @@ logsource:
     product: windows
     category: process_creation
 detection:
-    selection:
+    selection_cli:
         CommandLine|contains|all:
             - '/UpdateDeploymentProvider'
             - '/RunHandlerComServer'
             - '.dll'
-        Image|endswith: '\wuauclt.exe'
+    selection_img:
+        - Image|endswith: '\wuauclt.exe'
+        - OriginalFileName: 'wuauclt.exe'
     filter:
         CommandLine|contains:
             - ' /ClassId '
             - ' wuaueng.dll '
-    condition: selection and not filter
+    condition: all of selection* and not filter
 falsepositives:
     - Unknown
 level: high

rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml

@@ -6,14 +6,17 @@ author: Florian Roth
 references:
     - https://redcanary.com/blog/blackbyte-ransomware/
 date: 2022/02/26
+modified: 2022/05/13
 logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
-        Image|endswith: '\Wuauclt.exe'
-        CommandLine|endswith: '\Wuauclt.exe' 
-    condition: selection
+    selection_img:
+        - Image|endswith: '\Wuauclt.exe'
+        - OriginalFileName: 'Wuauclt.exe'
+    selection_cli:
+        CommandLine|endswith: '\Wuauclt.exe'
+    condition: all of selection*
 falsepositives:
     - Unknown
 level: high

rules/windows/process_creation/proc_creation_win_suspicious_ad_reco.yml

@@ -9,14 +9,17 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md
 author: frack113
 date: 2021/12/12
+modified: 2022/05/13
 logsource:
     product: windows
     category: process_creation
 detection:
-    test_5:
-        Image|endswith: '\wmic.exe'
+    selection_img:
+        - Image|endswith: '\wmic.exe'
+        - OriginalFileName: 'wmic.exe'
+    selection_cli:
         CommandLine|contains: ' group'
-    condition: test_5
+    condition: all of selection*
 falsepositives:
     - Unknown
 level: low