refactor: 🔨 Use windash modifier

frack113 · Mar 5, 2024 · 3f5eb05 · 3f5eb05
1 parent 4655938
commit 3f5eb05
Show file tree

Hide file tree

Showing 34 changed files with 80 additions and 196 deletions.
diff --git a/...ng-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml b/...ng-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml
@@ -6,6 +6,7 @@ references:
     - https://github.com/pr0xylife/Qakbot/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/05/26
+modified: 2024/03/05
 tags:
     - attack.defense_evasion
     - attack.execution
@@ -16,9 +17,7 @@ logsource:
 detection:
     selection:
         Image|endswith: '\regsvr32.exe'
-        CommandLine|contains:
-            - ' /s'
-            - ' -s'
+        CommandLine|contains|windash: ' -s'
         CommandLine|endswith: ' calc'
     condition: selection
 falsepositives:

diff --git a/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml
@@ -8,6 +8,7 @@ references:
     - https://github.com/diego-treitos/linux-smart-enumeration
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/28
+modified: 2024/03/05
 tags:
     - attack.discovery
     - attack.t1083
@@ -17,9 +18,7 @@ logsource:
 detection:
     selection:
         Image|endswith: '/getcap'
-        CommandLine|contains:
-            - ' /r '
-            - ' -r '
+        CommandLine|contains|windash: ' -r '
     condition: selection
 falsepositives:
     - Unknown

diff --git a/...ws/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml b/...ws/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml
@@ -6,7 +6,7 @@ references:
     - Internal Research
 author: pH-T (Nextron Systems)
 date: 2022/03/18
-modified: 2024/02/23
+modified: 2024/03/05
 tags:
     - attack.persistence
     - attack.privilege_escalation
@@ -20,12 +20,9 @@ detection:
         Provider_Name: 'Service Control Manager'
         EventID: 7045
     selection_cmd_flags:
-        ImagePath|contains:
-            - ' /c '
+        ImagePath|contains|windash:
             - ' -c '
-            - ' /r '
             - ' -r '
-            - ' /k '
             - ' -k '
     selection_binaries:
         ImagePath|contains:

diff --git a/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml b/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml
@@ -11,7 +11,7 @@ references:
     - https://lolbas-project.github.io/lolbas/Binaries/Certoc/
 author: Austin Songer @austinsonger
 date: 2021/10/23
-modified: 2023/02/15
+modified: 2023/03/05
 tags:
     - attack.defense_evasion
     - attack.t1218
@@ -23,9 +23,7 @@ detection:
         - Image|endswith: '\certoc.exe'
         - OriginalFileName: 'CertOC.exe'
     selection_cli:
-        CommandLine|contains:
-            - ' -LoadDLL '
-            - ' /LoadDLL '
+        CommandLine|contains|windash: ' -LoadDLL '
     condition: all of selection_*
 fields:
     - CommandLine

diff --git a/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml
@@ -11,6 +11,7 @@ references:
     - https://lolbas-project.github.io/lolbas/Binaries/Certoc/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/02/15
+modified: 2024/03/05
 tags:
     - attack.defense_evasion
     - attack.t1218
@@ -22,9 +23,7 @@ detection:
         - Image|endswith: '\certoc.exe'
         - OriginalFileName: 'CertOC.exe'
     selection_cli:
-        CommandLine|contains:
-            - ' -LoadDLL '
-            - ' /LoadDLL '
+        CommandLine|contains|windash: ' -LoadDLL '
     selection_paths:
         CommandLine|contains:
             - '\Appdata\Local\Temp\'

diff --git a/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation.yml b/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation.yml
@@ -13,6 +13,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
 author: oscd.community, @redcanary, Zach Stanford @svch0st
 date: 2023/03/05
+modified: 2024/03/05
 tags:
     - attack.defense_evasion
     - attack.t1553.004
@@ -25,9 +26,7 @@ detection:
         - Image|endswith: '\certutil.exe'
         - OriginalFileName: 'CertUtil.exe'
     selection_cli_add:
-        CommandLine|contains:
-            - '/addstore'
-            - '-addstore'
+        CommandLine|contains|windash: '-addstore'
     selection_cli_store:
         CommandLine|contains: 'root'
     condition: all of selection_*

diff --git a/rules/windows/process_creation/proc_creation_win_certutil_decode.yml b/rules/windows/process_creation/proc_creation_win_certutil_decode.yml
@@ -11,6 +11,7 @@ references:
     - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
 date: 2023/02/15
+modified: 2024/03/05
 tags:
     - attack.defense_evasion
     - attack.t1027
@@ -22,13 +23,9 @@ detection:
         - Image|endswith: '\certutil.exe'
         - OriginalFileName: 'CertUtil.exe'
     selection_cli:
-        CommandLine|contains:
-            # Decode Base64
-            - '-decode '
-            - '/decode '
-            # Decode Hex
-            - '-decodehex '
-            - '/decodehex '
+        CommandLine|contains|windash:
+            - '-decode ' # Decode Base64
+            - '-decodehex ' # Decode Hex
     condition: all of selection_*
 falsepositives:
     - Unknown

diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode.yml
@@ -8,7 +8,7 @@ references:
     - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
 date: 2019/02/24
-modified: 2023/02/15
+modified: 2024/03/05
 tags:
     - attack.defense_evasion
     - attack.t1027
@@ -20,9 +20,7 @@ detection:
         - Image|endswith: '\certutil.exe'
         - OriginalFileName: 'CertUtil.exe'
     selection_cli:
-        CommandLine|contains:
-            - '-encode'
-            - '/encode'
+        CommandLine|contains|windash: '-encode'
     condition: all of selection_*
 falsepositives:
     - As this is a general purpose rule, legitimate usage of the encode functionality will trigger some false positives. Apply additional filters accordingly

diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml
@@ -12,6 +12,7 @@ references:
     - https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/05/15
+modified: 2024/03/05
 tags:
     - attack.defense_evasion
     - attack.t1027
@@ -23,9 +24,7 @@ detection:
         - Image|endswith: '\certutil.exe'
         - OriginalFileName: 'CertUtil.exe'
     selection_cli:
-        CommandLine|contains:
-            - '-encode'
-            - '/encode'
+        CommandLine|contains|windash: '-encode'
     selection_extension:
         CommandLine|contains:
             - '.acl'

diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml
@@ -12,6 +12,7 @@ references:
     - https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/05/15
+modified: 2024/03/05
 tags:
     - attack.defense_evasion
     - attack.t1027
@@ -23,9 +24,7 @@ detection:
         - Image|endswith: '\certutil.exe'
         - OriginalFileName: 'CertUtil.exe'
     selection_cli:
-        CommandLine|contains:
-            - '-encode'
-            - '/encode'
+        CommandLine|contains|windash: '-encode'
     selection_extension:
         CommandLine|contains:
             # Note: Add more suspicious locations to increase coverage

diff --git a/rules/windows/process_creation/proc_creation_win_certutil_export_pfx.yml b/rules/windows/process_creation/proc_creation_win_certutil_export_pfx.yml
@@ -6,7 +6,7 @@ references:
     - https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
 date: 2023/02/15
-modified: 2023/02/20
+modified: 2024/03/05
 tags:
     - attack.defense_evasion
     - attack.t1027
@@ -18,9 +18,7 @@ detection:
         - Image|endswith: '\certutil.exe'
         - OriginalFileName: 'CertUtil.exe'
     selection_cli:
-        CommandLine|contains:
-            - '-exportPFX '
-            - '/exportPFX '
+        CommandLine|contains|windash: '-exportPFX '
     condition: all of selection_*
 falsepositives:
     - There legitimate reasons to export certificates. Investigate the activity to determine if it's benign

diff --git a/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml b/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml
@@ -7,7 +7,7 @@ references:
     - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp
 author: _pete_0, TheDFIRReport
 date: 2022/02/21
-modified: 2024/02/16
+modified: 2024/03/05
 tags:
     - attack.discovery
     - attack.t1614.001
@@ -17,12 +17,9 @@ logsource:
 detection:
     selection:
         ParentImage|endswith: '\cmd.exe'
-        ParentCommandLine|contains:
-            - ' /c '
+        ParentCommandLine|contains|windash:
             - ' -c '
-            - ' /r '
             - ' -r '
-            - ' /k '
             - ' -k '
         Image|endswith: '\chcp.com'
         CommandLine|endswith:

diff --git a/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml b/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml
@@ -6,7 +6,7 @@ references:
     - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 # Dead Link
 author: Sreeman, Nasreddine Bencherchali (Nextron Systems)
 date: 2020/01/13
-modified: 2024/02/17
+modified: 2024/03/05
 tags:
     - attack.defense_evasion
     - attack.t1218
@@ -17,9 +17,7 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine|contains:
-            - ' /c '
-            - ' -c '
+        CommandLine|contains|windash: ' -c '
         CommandLine|contains|all:
             - 'curl '
             - 'http'

diff --git a/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml
@@ -11,7 +11,7 @@ references:
     - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
 author: frack113
 date: 2022/01/15
-modified: 2024/02/17
+modified: 2024/03/05
 tags:
     - attack.defense_evasion
     - attack.t1070.004
@@ -27,13 +27,10 @@ detection:
             - 'del '
             - 'erase '
     selection_flags:
-        CommandLine|contains:
-            - ' /f' # Force deleting of read-only files.
-            - ' -f'
-            - ' /s' # Delete specified files from all subdirectories.
-            - ' -s'
-            - ' /q' # Quiet mode, do not ask if ok to delete on global wildcard
-            - ' -q'
+        CommandLine|contains|windash:
+            - ' -f' # Force deleting of read-only files.
+            - ' -s' # Delete specified files from all subdirectories.
+            - ' -q' # Quiet mode, do not ask if ok to delete on global wildcard
     condition: all of selection_*
 falsepositives:
     - False positives levels will differ Depending on the environment. You can use a combination of ParentImage and other keywords from the CommandLine field to filter legitimate activity

diff --git a/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml
@@ -6,7 +6,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
 author: frack113
 date: 2021/12/13
-modified: 2024/02/17
+modified: 2024/03/05
 tags:
     - attack.discovery
     - attack.t1217
@@ -17,13 +17,9 @@ detection:
     selection_dir:
         CommandLine|contains: 'dir '
     selection_cli_1:
-        CommandLine|contains:
-            - ' /s'
-            - ' -s'
+        CommandLine|contains|windash: ' -s'
     selection_cli_2:
-        CommandLine|contains:
-            - ' /b'
-            - ' -b'
+        CommandLine|contains|windash: ' -b'
     condition: all of selection_*
 falsepositives:
     - Unknown

diff --git a/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml
@@ -6,7 +6,7 @@ references:
     - Internal Research
 author: X__Junior (Nextron Systems)
 date: 2023/07/18
-modified: 2024/02/26
+modified: 2024/03/05
 tags:
     - attack.defense_evasion
     - attack.t1070.004
@@ -23,13 +23,9 @@ detection:
             - 'ping' # Covers "ping" and "ping.exe"
             - 'copy '
     selection_cli_1:
-        CommandLine|contains: # Count
-            - ' -n '
-            - ' /n '
+        CommandLine|contains|windash: ' -n ' # Count
     selection_cli_2:
-        CommandLine|contains:
-            - ' /y '
-            - ' -y '
+        CommandLine|contains|windash: ' -y '
     condition: all of selection_*
 falsepositives:
     - Unknown

diff --git a/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml
@@ -9,7 +9,7 @@ references:
     - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
 author: Ilya Krestinichev
 date: 2022/11/03
-modified: 2023/02/07
+modified: 2024/03/05
 tags:
     - attack.defense_evasion
     - attack.t1070.004
@@ -20,16 +20,12 @@ detection:
     # Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277
     # Example: "C:\Windows\System32\cmd.exe"  /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\User\Desktop\lockbit\lockbit.exe" & Del /f /q "C:\Users\User\Desktop\lockbit\lockbit.exe".
     selection_count:
-        CommandLine|contains:
-            - ' -n '
-            - ' /n '
+        CommandLine|contains|windash: ' -n '
     selection_nul:
         CommandLine|contains: 'Nul' # Covers "> Nul" and ">Nul "
     selection_del_param:
-        CommandLine|contains:
-            - ' /f '
+        CommandLine|contains|windash:
             - ' -f '
-            - ' /q '
             - ' -q '
     selection_all:
         CommandLine|contains|all:

diff --git a/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml b/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml
@@ -6,7 +6,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2023/02/03
-modified: 2024/02/23
+modified: 2024/03/05
 tags:
     - attack.credential_access
     - attack.t1003.005
@@ -18,17 +18,11 @@ detection:
         - Image|endswith: '\cmdkey.exe'
         - OriginalFileName: 'cmdkey.exe'
     selection_cli_1:
-        CommandLine|contains:
-            - ' /g'
-            - ' -g'
+        CommandLine|contains|windash: ' -g'
     selection_cli_2:
-        CommandLine|contains:
-            - ' /u'
-            - ' -u'
+        CommandLine|contains|windash: ' -u'
     selection_cli_3:
-        CommandLine|contains:
-            - ' /p'
-            - ' -p'
+        CommandLine|contains|windash: ' -p'
     condition: all of selection_*
 falsepositives:
     - Legitimate usage for administration purposes