|
304 | 304 | </Rule> |
305 | 305 | <Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=Suspicious wscript commands,Risk=60" groupRelation="and"> |
306 | 306 | <Image condition="image">wscript.exe</Image> |
307 | | - <CommandLine condition="contains">.jse</CommandLine> |
308 | | - <CommandLine condition="contains">.js</CommandLine> |
309 | | - <CommandLine condition="contains">.vba</CommandLine> |
310 | | - <CommandLine condition="contains">.vbe</CommandLine> |
| 307 | + <CommandLine condition="contains any">.jse;.js;.vba;.vbe</CommandLine> |
311 | 308 | </Rule> |
312 | 309 | <Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=3,Alert=Suspicious scripting to dll commands,Risk=70" groupRelation="and"> |
313 | 310 | <ParentImage condition="contains any">\wscript.exe;\cscript.exe</ParentImage> |
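Review bot: Under `contains any`, the `.js` entry on new line 307 already matches every command line that `.jse` matches, so `.jse` is redundant, and `.js` will also fire on `.json`/`.jsx` paths. `.vba` looks like a typo for `.vbs` — wscript.exe and cscript.exe run .vbs/.vbe/.wsf scripts, while .vba is an Office macro extension — so plain .vbs invocations are not covered; confirm against the intended coverage. The same two points apply to the cscript rule in the next hunk (new line 321). A list such as `<CommandLine condition="contains any">.js;.vbs;.vbe;.wsf</CommandLine>` would close the gap; the move away from four separate `contains` terms is itself correct, since under groupRelation="and" the old form required all four extensions on a single command line.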
|
321 | 318 | </Rule> |
322 | 319 | <Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=2,Alert=cscript execution,Risk=60" groupRelation="and"> |
323 | 320 | <Image condition="image">cscript.exe</Image> |
324 | | - <CommandLine condition="contains">.js</CommandLine> |
325 | | - <CommandLine condition="contains">.jse</CommandLine> |
326 | | - <CommandLine condition="contains">.vba</CommandLine> |
327 | | - <CommandLine condition="contains">.vbe</CommandLine> |
| 321 | + <CommandLine condition="contains any">.jse;.js;.vba;.vbe</CommandLine> |
328 | 322 | </Rule> |
329 | 323 | <Rule name="Attack=T1059,Technique=Scripting,Tactic=Execution,DS=Process: Process Creation,Level=4,Alert=Suspicious or Malicious mshta exec,Risk=70" groupRelation="and"> |
330 | 324 | <CommandLine condition="contains any">mshta vbscript:CreateObject("Wscript.Shell");mshta vbscript:Execute("Execute;mshta vbscript:CreateObject("Wscript.Shell").Run("mshta.exe;javascript:a=</CommandLine> |
|
2484 | 2478 | <CommandLine condition="image">start-bitstransfer</CommandLine> |
2485 | 2479 | </Rule> |
2486 | 2480 | <Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Expand File copy,Risk=70" groupRelation="and"> |
2487 | | - <CommandLine condition="contains">expand \\</CommandLine> |
| 2481 | + <CommandLine condition="contains all">expand;\\</CommandLine> |
2488 | 2482 | </Rule> |
2489 | 2483 | <Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Expand File copy,Risk=70" groupRelation="and"> |
2490 | | - <CommandLine condition="contains">expand.exe \\</CommandLine> |
| 2484 | + <CommandLine condition="contains all">expand.exe;\\</CommandLine> |
2491 | 2485 | </Rule> |
2492 | 2486 | <Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=Ingress Tool Transfer with ieexec,Risk=70" groupRelation="and"> |
2493 | 2487 | <CommandLine condition="contains">ieexec http</CommandLine> |
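Review bot: With `contains all`, the `expand;\\` rule on new line 2481 matches everything the `expand.exe;\\` rule on 2484 matches, so the second rule is now fully subsumed by the first; the same holds for the extrac32 pair in the next hunk (new lines 2502 and 2505). Dropping the space after `expand` also lets the token match as a substring of unrelated command lines (a PowerShell `-ExpandProperty` argument, for example) whenever a `\\` UNC path is also present, which the old adjacent `expand \\` form did not. Consider one rule per tool anchored on the binary, e.g. `<Image condition="image">expand.exe</Image>` together with `<CommandLine condition="contains">\\</CommandLine>`, and deleting the duplicate rule.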
|
2505 | 2499 | <CommandLine condition="contains any">esentutl.exe /y \\;esentutl.exe -y \\</CommandLine> |
2506 | 2500 | </Rule> |
2507 | 2501 | <Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=extrac32 Ingress Tool Transfer,Risk=70" groupRelation="and"> |
2508 | | - <CommandLine condition="contains">extrac32 \\</CommandLine> |
| 2502 | + <CommandLine condition="contains all">extrac32;\\</CommandLine> |
2509 | 2503 | </Rule> |
2510 | 2504 | <Rule name="Attack=T1105,Technique=Ingress Tool Transfer,Tactic=Command And Control,DS=Process: Process Creation,Level=4,Alert=extrac32 Ingress Tool Transfer,Risk=70" groupRelation="and"> |
2511 | | - <CommandLine condition="contains">extrac32.exe \\</CommandLine> |
| 2505 | + <CommandLine condition="contains all">extrac32.exe;\\</CommandLine> |
2512 | 2506 | </Rule> |
2513 | 2507 | <!--MITRE ATT&CK TECHNIQUE: Multi-Stage Channels--> |
2514 | 2508 | <!--MITRE ATT&CK TECHNIQUE: Non-Application Layer Protocol--> |
|
2650 | 2644 | <CommandLine condition="contains">erase</CommandLine> |
2651 | 2645 | </Rule> |
2652 | 2646 | <Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=2,Alert=vShadow Commands" groupRelation="and"> |
2653 | | - <CommandLine condition="contains">-nw -exec=</CommandLine> |
| 2647 | + <CommandLine condition="contains all">-nw;-exec=</CommandLine> |
| 2648 | + </Rule> |
| 2649 | + <Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=2,Alert=vShadow Commands" groupRelation="and"> |
| 2650 | + <CommandLine condition="contains all">/nw;/exec=</CommandLine> |
| 2651 | + </Rule> |
| 2652 | + <Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Alert=vShadow Commands" groupRelation="and"> |
| 2653 | + <CommandLine condition="contains all">-p;-nw</CommandLine> |
2654 | 2654 | </Rule> |
2655 | 2655 | <Rule name="Attack=None,Technique=None,Tactic=None,DS=Process: Process Creation,Level=0,Alert=vShadow Commands" groupRelation="and"> |
2656 | | - <CommandLine condition="contains">-p -nw</CommandLine> |
| 2656 | + <CommandLine condition="contains all">/p;/nw</CommandLine> |
2657 | 2657 | </Rule> |
2658 | 2658 | <Rule name="Attack=T1485,Technique=Data Destruction,Tactic=Impact,DS=Process: Process Creation,Level=4,Alert=Data Destruction with shred Detected,Risk=100" groupRelation="and"> |
2659 | 2659 | <Image condition="contains">shred</Image> |
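Review bot: The four vShadow rules on new lines 2647–2656 key only on very short switch pairs, and the change to `contains all` drops the adjacency the old `-nw -exec=` / `-p -nw` strings implied, so `-p;-nw` and `/p;/nw` now match any command line in which those fragments occur anywhere. None of the rules names the binary; adding `<Image condition="image">vshadow.exe</Image>` to each, or at least requiring the `-exec=`/`/exec=` variant, would keep them from firing on unrelated processes. The Level=0 on the `-p`/`-nw` pairs suggests they are deliberately low-priority; a one-line XML comment above them saying so would help the next reader.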
|
2678 | 2678 | <!--MITRE ATT&CK TECHNIQUE: Disk Wipe--> |
2679 | 2679 | <Rule name="Attack=T1107,Technique=File Deletion,Tactic=Defense Evasion,DS=Process: Process Creation,Level=3,Alert=FSUtil USN Journal Deletion,Risk=60" groupRelation="and"> |
2680 | 2680 | <Image condition="image">fsutil.exe</Image> |
2681 | | - <CommandLine condition="contains">deletejournal</CommandLine> |
2682 | | - <CommandLine condition="contains">usn</CommandLine> |
| 2681 | + <CommandLine condition="contains all">usn;deletejournal</CommandLine> |
2683 | 2682 | </Rule> |
2684 | 2683 | <!--MITRE ATT&CK TECHNIQUE: Endpoint Denial of Service--> |
2685 | 2684 | <!--MITRE ATT&CK TECHNIQUE: Firmware Corruption--> |
|
2950 | 2949 | <ParentImage condition="image">C:\Windows\System32\wbem\WmiPrvSE.exe</ParentImage> |
2951 | 2950 | </Rule> |
2952 | 2951 | <Rule name="exclude armoury Crate from cmdline file deletion rule" groupRelation="and"> |
2953 | | - <ParentImage condition="excludes">C:\Program Files\ASUS\ARMOURY CRATE Service\ArmouryCrate.Service.exe</ParentImage> |
| 2952 | + <ParentImage condition="image">C:\Program Files\ASUS\ARMOURY CRATE Service\ArmouryCrate.Service.exe</ParentImage> |
2954 | 2953 | </Rule> |
2955 | 2954 | </ProcessCreate> |
2956 | 2955 | </RuleGroup> |
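Review bot: The exclusion on new line 2952 keys only on ParentImage, so if this Rule sits in an exclude-mode RuleGroup (the group header is outside the hunk) every process spawned by ArmouryCrate.Service.exe is dropped from ProcessCreate logging, not just the cmdline file-deletion matches its name refers to. Reusing the Image and CommandLine terms of that file-deletion rule inside this exclusion would narrow it to the known-benign pattern and keep visibility of any other child of the service. The switch from `excludes` to `image` is the right fix for the inverted match the old condition produced.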
|
9680 | 9679 | <Image condition="begin with">C:\Users\</Image> |
9681 | 9680 | <Image condition="contains">Content.Outlook</Image> |
9682 | 9681 | </Rule> |
9683 | | - <Rule name="Attack=T1036.008,Technique=Masquerading: Masquerade File Type,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Pe File Detected under Unusual File extension,Risk=10" groupRelation="or"> |
| 9682 | + <Rule name="Attack=T1036.008,Technique=Masquerading: Masquerade File Type,Tactic=Defense Evasion,DS=File: File Creation,Level=4,Alert=Pe File Detected under Unusual File extension,Risk=10" groupRelation="and"> |
9684 | 9683 | <TargetFilename condition="not end with">.exe</TargetFilename> |
9685 | 9684 | <TargetFilename condition="not end with">.dll</TargetFilename> |
9686 | 9685 | <TargetFilename condition="not end with">.sys</TargetFilename> |
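Review bot: With groupRelation changed to `and` on new line 9682 the rule matches only when every `not end with` term holds; the visible terms are all negative and the Rule body continues past the hunk, so it is worth confirming that a positive condition (an Image, a path, or the enclosing event type) also constrains it — otherwise, at Level=4, it fires on every created file whose name does not end in .exe/.dll/.sys. A short XML comment above the Rule stating which condition establishes that the file is a PE would make the purpose of the remaining negative terms explicit.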
|