mbabinski · redsand · Nov 10, 2022 · Nov 10, 2022 · Nov 10, 2022 · Nov 10, 2022
diff --git a/2022_ChromeLoader/cmd_external_drive_batch_script_execution_chromeloader.yml b/2022_ChromeLoader/cmd_external_drive_batch_script_execution_chromeloader.yml
@@ -18,7 +18,7 @@ detection:
         ParentImage|endswith:
             - '\powershell.exe'
             - '\cmd.exe'
-        ParentCommandLine|contains|windash: '/c'
+        ParentCommandLine|contains: '/c'
         ParentCommandLine|re: '^.*[D-Z]:\\.*\.(bat|cmdline).*$'
     selection_child_proc:
         Image|endswith: '\tar.exe'

diff --git a/2022_RedCanary_ThreatDetectionReport/notepad_internal_name_mismatch.yml b/2022_RedCanary_ThreatDetectionReport/notepad_internal_name_mismatch.yml
@@ -6,8 +6,9 @@ description: Looks for the execution of non-powershell process with command line
     report.
 references:
     - https://redcanary.com/threat-detection-report/techniques/rename-system-utilities/
-author: Micah Babinski
+author: Micah Babinski, Tim Shelton
 date: 2022/11/04
+modified: 2022/11/09
 tags:
     - attack.defense_evasion
     - attack.t1036.003
@@ -17,11 +18,15 @@ logsource:
 detection:
     filter:
         Image|endswith: '\powershell.exe'
+    filter2:
+        Image|endswith: '\msiexec.exe'
+    filter3:
+        Image|endswith: '\iexplore.exe'
     selection:
         CommandLine|contains:
             - 'iex'
             - 'invoke-expression'
-    condition: selection and not filter
+    condition: selection and not 1 of filter*
 falsepositives:
     - Unknown
-level: high
+level: high
diff --git a/2022_RedCanary_ThreatDetectionReport/notpowershell_unusual_commandline.yml b/2022_RedCanary_ThreatDetectionReport/notpowershell_unusual_commandline.yml
@@ -21,7 +21,11 @@ detection:
             - 'invoke-expression'
     filter:
         Image|endswith: '\powershell.exe'
-    condition: selection and not filter
+    filter2:
+        Image|endswith: '\msiexec.exe'
+    filter3:
+        Image|endswith: '\iexplore.exe'
+    condition: selection and not 1 of filter*
 falsepositives:
     - Unknown
-level: high
+level: high
diff --git a/2022_RedCanary_ThreatDetectionReport/powershell_high_count_susp_chars.yml b/2022_RedCanary_ThreatDetectionReport/powershell_high_count_susp_chars.yml
@@ -5,8 +5,9 @@ description: Looks for the execution of PowerShell with unusually high counts of
     like ^, +, $, and %. Inspired by the 2022 Red Canary Threat Detection report.
 references:
     - https://redcanary.com/threat-detection-report/techniques/powershell/
-author: Micah Babinski
+author: Micah Babinski, Tim Shelton
 date: 2022/11/03
+modified: 2022/11/10
 tags:
     - attack.execution
     - attack.t1059.003
@@ -19,8 +20,8 @@ detection:
     selection:
         Image|endswith: '\powershell.exe'
         # regex below detects five or more occurrences of the suspicious characters
-        CommandLine|re: '^([^^+$%]*[\^+$%]){5,}[^^+$%]*$'
+        CommandLine|re: '^([^^+%]*[\^+%]){5,}[^^+%]*$'
     condition: selection
 falsepositives:
     - Unknown
-level: high
+level: low
diff --git a/2022_RedCanary_ThreatDetectionReport/schtasks_create_shell.yml b/2022_RedCanary_ThreatDetectionReport/schtasks_create_shell.yml
@@ -16,13 +16,14 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
+    selection2:
         Image|endswith: '\schtasks.exe'
         CommandLine|contains: 'create'
-        CommandLine|contains|all|windash:
+    selection1:
+        CommandLine|contains|all:
             - '/c'
             - 'cmd'
-    condition: selection
+    condition: selection1 and selection2
 falsepositives:
     - Creation of legitimate scheduled tasks which need to run cmd.
-level: medium
+level: medium
diff --git a/2022_RedCanary_ThreatDetectionReport/schtasks_network_connections.yml b/2022_RedCanary_ThreatDetectionReport/schtasks_network_connections.yml
@@ -17,14 +17,15 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
+    selection1:
         Image|endswith: '\schtasks.exe'
-        CommandLine|contains|windash: '/create'
+        CommandLine|contains: '/create'
+    selection2:
         CommandLine|contains:
             - 'https://'
             - 'http://'
             - 'ftp://'
-    condition: selection
+    condition: selection1 and selection2
 falsepositives:
     - Creation of legitimate scheduled tasks which need to access external sites.
-level: medium
+level: medium
diff --git a/2022_RedCanary_ThreatDetectionReport/schtasks_susp_behavior.yml b/2022_RedCanary_ThreatDetectionReport/schtasks_susp_behavior.yml
@@ -25,8 +25,9 @@ detection:
             - 'regsvr32.exe'
             - 'rundll32.exe'
             - 'mshta.exe'
-        CommandLine|contains|windash: '/create'
-    condition: selection
+    selection2:
+        CommandLine|contains: '/create'
+    condition: selection and selection2
 falsepositives:
     - Creation of legitimate scheduled tasks which need to run cmd or similar utilities.
-level: medium
+level: medium
diff --git a/2022_Solarmarker/win_susp_solarmarker_file_creation.yml b/2022_Solarmarker/win_susp_solarmarker_file_creation.yml
@@ -39,7 +39,7 @@ detection:
             - 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
             - 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp'
         TargetFilename|re: '^.*\\([0-9a-fA-F]){29}\.(?i)lnk$'
-    condition: any of selection*
+    condition: 1 of selection*
 falsepositives:
     - Unknown
 level: high
diff --git a/2022_Solarmarker/win_victim_id_file_creation.yml b/2022_Solarmarker/win_victim_id_file_creation.yml
@@ -20,7 +20,7 @@ detection:
         TargetFilename|endswith: '='
     selection_2:
         TargetFilename|endswith: '\AppData\Roaming\solarmarker.dat'
-    condition: any of selection*
+    condition: 1 of selection*
 falsepositives:
     - Unknown
-level: high
+level: high