From e69daf27a14128bfbe5d12997e5ab111a9879c6d Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 31 Jul 2023 12:28:34 +0200
Subject: [PATCH] fix: apply suggestions from code review
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 .../posh_ps_win_api_functions_access.yml | 2 +-
 ...mage_load_credui_uncommon_process_load.yml | 4 ++--
 .../posh_ps_win_api_susp_access.yml | 2 +-
 ...oc_creation_win_curl_custom_user_agent.yml | 2 +-
 ...c_creation_win_curl_download_direct_ip.yml | 24 +++++++++----------
 ...url_download_susp_file_sharing_domains.yml | 2 +-
 ...reation_win_curl_insecure_porxy_or_doh.yml | 2 +-
 ...in_vmware_toolbox_cmd_persistence_susp.yml | 2 +-
 ...c_creation_win_wget_download_direct_ip.yml | 24 +++++++++----------
 ...get_download_susp_file_sharing_domains.yml | 22 ++++++++---------
 10 files changed, 43 insertions(+), 43 deletions(-)
diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_functions_access.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_functions_access.yml
index 0c05ccd28f0..279a17a36f0 100644
--- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_functions_access.yml
+++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_functions_access.yml
@@ -8,7 +8,7 @@ related:
 - id: 9f22ccd5-a435-453b-af96-bf99cbb594d4
 type: similar
 status: experimental
-description: Detects calls to WinAPI libraries from PowerShell scripts. Attackers can often leverage these API to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.
+description: Detects calls to WinAPI libraries from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
diff --git a/rules/windows/image_load/image_load_credui_uncommon_process_load.yml b/rules/windows/image_load/image_load_credui_uncommon_process_load.yml
index 56c5ece3771..e3121bd5671 100644
--- a/rules/windows/image_load/image_load_credui_uncommon_process_load.yml
+++ b/rules/windows/image_load/image_load_credui_uncommon_process_load.yml
@@ -1,7 +1,7 @@
-title: CredUI.DLL Load By Uncommon Process
+title: CredUI.DLL Loaded By Uncommon Process
 id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
 status: experimental
-description: Detects load of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
+description: Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
 references:
 - https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password
diff --git a/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml b/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml
index 00a19097182..20df8bdd808 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml
@@ -4,7 +4,7 @@ related:
 - id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702
 type: similar
 status: experimental
-description: Detects use of WinAPI Functions in PowerShell scripts
+description: Detects use of WinAPI functions in PowerShell scripts
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: Nasreddine Bencherchali (Nextron Systems), Nikita Nazarov, oscd.community
diff --git a/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml b/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml
index 71d732a9d23..3fe0a02c1d1 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml
@@ -17,7 +17,7 @@ detection:
 - Image|endswith: '\curl.exe'
 - OriginalFileName: 'curl.exe'
 selection_header:
- CommandLine|re: '\s-H\s' # Must be Regex as its case sensitive
+ CommandLine|re: '\s-H\s' # Must be Regex as the flag needs to be case sensitive
 CommandLine|contains: 'User-Agent:'
 condition: all of selection_*
 falsepositives:
diff --git a/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip.yml
index 77bfed35cbe..1cc866c15f0 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip.yml
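Review bot: The header selection that the reworded comment sits on only matches the short, whitespace-delimited form `\s-H\s`, so `curl --header "User-Agent: ..."` and the attached-argument form `-H"User-Agent: ..."` (which curl accepts as well, as far as I can tell) never satisfy selection_header even though the `contains: 'User-Agent:'` line would. If that gap is deliberate the comment should say so rather than only explaining the regex choice, e.g. `# Must be Regex as the flag needs to be case sensitive (-h is help); the long form --header is intentionally not covered`. Otherwise widen the pattern to something like `CommandLine|re: '\s(-H|--header)\s'` and keep the case-sensitivity remark. The detection block containing these selections starts above the hunk.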
@@ -1,7 +1,7 @@
-title: Suspicious File Download From Direct IP Via Curl.EXE
+title: Suspicious File Download From IP Via Curl.EXE
 id: 5cb299fc-5fb1-4d07-b989-0644c68b6043
 status: experimental
-description: Detects potential suspicious file download from direct ip domains using curl.exe
+description: Detects potentially suspicious file downloads directly from IP addresses using curl.exe
 references:
 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
@@ -27,34 +27,34 @@ detection:
 - '--output'
 selection_ext:
 CommandLine|endswith:
- - ".ps1"
+ - '.ps1'
 - ".ps1'"
 - '.ps1"'
- - ".dat"
+ - '.dat'
 - ".dat'"
 - '.dat"'
- - ".msi"
+ - '.msi'
 - ".msi'"
 - '.msi"'
- - ".bat"
+ - '.bat'
 - ".bat'"
 - '.bat"'
- - ".exe"
+ - '.exe'
 - ".exe'"
 - '.exe"'
- - ".vbs"
+ - '.vbs'
 - ".vbs'"
 - '.vbs"'
- - ".vbe"
+ - '.vbe'
 - ".vbe'"
 - '.vbe"'
- - ".hta"
+ - '.hta'
 - ".hta'"
 - '.hta"'
- - ".dll"
+ - '.dll'
 - ".dll'"
 - '.dll"'
- - ".psm1"
+ - '.psm1'
 - ".psm1'"
 - '.psm1"'
 condition: all of selection_*
diff --git a/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml
index 0f9714abb63..7d9eb67296a 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml
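Review bot: Dropping "Direct" from the title leaves `Suspicious File Download From IP Via Curl.EXE`, which no longer states what distinguishes this rule (a URL whose host is an IP literal rather than a hostname, presumably matched by a selection outside this hunk), while the new description still says "directly from IP addresses". A title such as `Suspicious File Download From IP Address Via Curl.EXE` keeps title and description consistent and avoids reading as "any download from any IP"; the Wget counterpart changed in this commit has the same wording and would want the same fix. The second hunk in this file only swaps double for single quotes on the extension list, which yields identical strings and is behaviour-neutral.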
@@ -1,7 +1,7 @@
 title: Suspicious File Download From File Sharing Domain Via Curl.EXE
 id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb
 status: experimental
-description: Detects potential suspicious file download from file sharing domains using curl.exe
+description: Detects potentially suspicious file download from file sharing domains using curl.exe
 references:
 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
diff --git a/rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml b/rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml
index 778a28b9462..6ac10640b65 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml
@@ -1,7 +1,7 @@
 title: Insecure Proxy/DOH Transfer Via Curl.EXE
 id: 2c1486f5-02e8-4f86-9099-b97f2da4ed77
 status: experimental
-description: Detects execution of "curl.exe" with the "insecure" flag over Proxy or DOH.
+description: Detects execution of "curl.exe" with the "insecure" flag over proxy or DOH.
 references:
 - https://curl.se/docs/manpage.html
 author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml b/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml
index d6047d532fb..af3330d57cc 100644
--- a/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml
+++ b/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml
@@ -4,7 +4,7 @@ related:
 - id: 7aa4e81a-a65c-4e10-9f81-b200eb229d7d
 type: derived
 status: experimental
-description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potential suspicious location to run for a specific VM state
+description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state
 references:
 - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
 author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/rules/windows/process_creation/proc_creation_win_wget_download_direct_ip.yml b/rules/windows/process_creation/proc_creation_win_wget_download_direct_ip.yml
index bff4f558500..05195a8178d 100644
--- a/rules/windows/process_creation/proc_creation_win_wget_download_direct_ip.yml
+++ b/rules/windows/process_creation/proc_creation_win_wget_download_direct_ip.yml
@@ -1,7 +1,7 @@
-title: Suspicious File Download From Direct IP Via Wget.EXE
+title: Suspicious File Download From IP Via Wget.EXE
 id: 17f0c0a8-8bd5-4ee0-8c5f-a342c0199f35
 status: experimental
-description: Detects potential suspicious file download from direct ip domains using Wget.exe
+description: Detects potentially suspicious file downloads directly from IP addresses using Wget.exe
 references:
 - https://www.gnu.org/software/wget/manual/wget.html
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -24,34 +24,34 @@ detection:
 - CommandLine|contains: '--output-document'
 selection_ext:
 CommandLine|endswith:
- - ".ps1"
+ - '.ps1'
 - ".ps1'"
 - '.ps1"'
- - ".dat"
+ - '.dat'
 - ".dat'"
 - '.dat"'
- - ".msi"
+ - '.msi'
 - ".msi'"
 - '.msi"'
- - ".bat"
+ - '.bat'
 - ".bat'"
 - '.bat"'
- - ".exe"
+ - '.exe'
 - ".exe'"
 - '.exe"'
- - ".vbs"
+ - '.vbs'
 - ".vbs'"
 - '.vbs"'
- - ".vbe"
+ - '.vbe'
 - ".vbe'"
 - '.vbe"'
- - ".hta"
+ - '.hta'
 - ".hta'"
 - '.hta"'
- - ".dll"
+ - '.dll'
 - ".dll'"
 - '.dll"'
- - ".psm1"
+ - '.psm1'
 - ".psm1'"
 - '.psm1"'
 condition: all of selection_*
diff --git a/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml
index 2a6652f91e9..4288a31fce3 100644
--- a/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml
+++ b/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml
@@ -1,7 +1,7 @@
 title: Suspicious File Download From File Sharing Domain Via Wget.EXE
 id: a0d7e4d2-bede-4141-8896-bc6e237e977c
 status: experimental
-description: Detects potential suspicious file download from file sharing domains using wget.exe
+description: Detects potentially suspicious file downloads from file sharing domains using wget.exe
 references:
 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
@@ -48,34 +48,34 @@ detection:
 - CommandLine|contains: '--output-document'
 selection_ext:
 CommandLine|endswith:
- - ".ps1"
+ - '.ps1'
 - ".ps1'"
 - '.ps1"'
- - ".dat"
+ - '.dat'
 - ".dat'"
 - '.dat"'
- - ".msi"
+ - '.msi'
 - ".msi'"
 - '.msi"'
- - ".bat"
+ - '.bat'
 - ".bat'"
 - '.bat"'
- - ".exe"
+ - '.exe'
 - ".exe'"
 - '.exe"'
- - ".vbs"
+ - '.vbs'
 - ".vbs'"
 - '.vbs"'
- - ".vbe"
+ - '.vbe'
 - ".vbe'"
 - '.vbe"'
- - ".hta"
+ - '.hta'
 - ".hta'"
 - '.hta"'
- - ".dll"
+ - '.dll'
 - ".dll'"
 - '.dll"'
- - ".psm1"
+ - '.psm1'
 - ".psm1'"
 - '.psm1"'
 condition: all of selection_*