Merge pull request SigmaHQ#1554 from mlp1515/master

Update win_multiple_suspicious_cli.yml

rules/windows/builtin/win_user_added_to_local_administrators.yml

@@ -5,7 +5,7 @@ description: This rule triggers on user accounts that are added to the local Adm
 status: stable
 author: Florian Roth
 date: 2017/03/14
-modified: 2020/08/23
+modified: 2021/07/07
 tags:
     - attack.privilege_escalation
     - attack.t1078
@@ -18,9 +18,9 @@ detection:
     selection:
         EventID: 4732
     selection_group1:
-        GroupName: 'Administrators'
+        TargetUserName|startswith: 'Administr'
     selection_group2:
-        GroupSid: 'S-1-5-32-544'
+        TargetSid: 'S-1-5-32-544'
     filter:
         SubjectUserName|endswith: '$'
     condition: selection and (1 of selection_group*) and not filter

rules/windows/image_load/sysmon_wmi_module_load.yml

@@ -3,7 +3,7 @@ id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
 description: Detects non wmiprvse loading WMI modules
 status: experimental
 date: 2019/08/10
-modified: 2019/11/10
+modified: 2021/06/15
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
     - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html
@@ -27,8 +27,8 @@ detection:
             - '\fastprox.dll'
     filter:
         Image|endswith:
-            - '\WmiPrvSe.exe'
-            - '\WmiAPsrv.exe'
+            - '\WmiPrvSE.exe'
+            - '\WmiApSrv.exe'
             - '\svchost.exe'
             - '\DeviceCensus.exe'
             - '\CompatTelRunner.exe'

rules/windows/network_connection/sysmon_powershell_network_connection.yml

@@ -5,6 +5,7 @@ description: Detects a Powershell process that opens network connections - check
     extend filters with company's ip range')
 author: Florian Roth
 date: 2017/03/13
+modified: 2021/06/14
 references:
     - https://www.youtube.com/watch?v=DLtJTxMWZ2o
 tags:
@@ -40,7 +41,11 @@ detection:
             - '172.30.'
             - '172.31.'
             - '127.0.0.1'
+        DestinationIsIpv6: 'false'
         User: 'NT AUTHORITY\SYSTEM'
+        User|contains|all:  # other languages
+            - 'AUT'
+            - ' NT'
     condition: selection and not filter
 falsepositives:
     - Administrative scripts

rules/windows/process_creation/win_multiple_suspicious_cli.yml

@@ -6,14 +6,15 @@ references:
     - https://car.mitre.org/wiki/CAR-2013-04-002
 author: juju4
 date: 2019/01/16
+modified: 2021/06/13
 tags:
     - car.2013-04-002
 logsource:
     category: process_creation
     product: windows
 detection:
     selection:
-        CommandLine:
+        CommandLine|contains:
             - arp.exe
             - at.exe
             - attrib.exe

rules/windows/sysmon/sysmon_config_modification.yml

@@ -5,7 +5,7 @@ description: Someone try to hide from Sysmon
 status: experimental
 author: frack113
 date: 2021/06/04
-modified: 2021/06/10
+modified: 2021/06/16
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
     - https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
@@ -23,7 +23,7 @@ detection:
     selection_stop:
         State: Stopped
     selection_conf:
-        message|startswith:
+        Message|startswith:
             - 'Sysmon config state changed'
     condition: selection_stop or selection_conf
 ---
@@ -35,4 +35,4 @@ detection:
         Description|contains:
             - 'Failed to open service configuration with error'
             - 'Failed to connect to the driver to update configuration'
-    condition: selection_error
+    condition: selection_error