From ed789f54cee7ad915b7b8b4b0a3cb938e23ae36d Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 13 May 2024 16:59:44 +0200
Subject: [PATCH] Merge PR #4853 from @nasbench - Add some cosmetic changes and small updates update: Potentially Suspicious Execution Of PDQDeployRunner - Add additional processes to the list update: Use Icacls to Hide File to Everyone - Remove "C:\Users" to increase coverage
---
 .../proc_creation_win_attrib_system.yml | 1 +
 .../proc_creation_win_attrib_hiding_files.yml | 6 +--
 ..._creation_win_attrib_system_susp_paths.yml | 4 +-
 .../proc_creation_win_icacls_deny.yml | 6 +--
 ...ion_win_pdqdeploy_runner_susp_children.yml | 44 ++++++++++---------
 5 files changed, 32 insertions(+), 29 deletions(-)
 rename {rules => rules-threat-hunting}/windows/process_creation/proc_creation_win_attrib_system.yml (97%)
diff --git a/rules/windows/process_creation/proc_creation_win_attrib_system.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_attrib_system.yml
similarity index 97%
rename from rules/windows/process_creation/proc_creation_win_attrib_system.yml
rename to rules-threat-hunting/windows/process_creation/proc_creation_win_attrib_system.yml
index 92ce6018c60..8bd8375afd3 100644
--- a/rules/windows/process_creation/proc_creation_win_attrib_system.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_attrib_system.yml
@@ -15,6 +15,7 @@ modified: 2023/03/14
 tags:
 - attack.defense_evasion
 - attack.t1564.001
+ - detection.threat_hunting
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml b/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml
index c73cc196aee..d94dbea8f45 100644
--- a/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml
+++ b/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml
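Review bot: The `modified: 2023/03/14` field shown in this hunk's header is left untouched even though the rule gains the `detection.threat_hunting` tag and moves under rules-threat-hunting, while the icacls and PDQDeploy files in the same commit do add a `modified:` line. The attrib_hiding_files and attrib_system_susp_paths hunks have the same gap: their diffstat entries (6 and 4 changed lines) are fully accounted for by the visible filter renames and condition edits, so no date bump exists elsewhere in those files, and this file's entry is the single tag addition. Anyone tracking rule changes by `modified` will not see these three edits; suggest adding `modified: 2024/05/02` (the date already used for the PDQDeploy rule in this commit) to each of them.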
@@ -20,13 +20,13 @@ detection:
 - OriginalFileName: 'ATTRIB.EXE'
 selection_cli:
 CommandLine|contains: ' +h '
- filter_msiexec:
+ filter_main_msiexec:
 CommandLine|contains: '\desktop.ini '
- filter_intel:
+ filter_optional_intel:
 ParentImage|endswith: '\cmd.exe'
 CommandLine: '+R +H +S +A \\\*.cui'
 ParentCommandLine: 'C:\\WINDOWS\\system32\\\*.bat'
- condition: all of selection_* and not 1 of filter_*
+ condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
 - IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)
 - Msiexec.exe hiding desktop.ini
diff --git a/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml b/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml
index f9bf2a80cfc..f5999be8c19 100644
--- a/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml
+++ b/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml
@@ -42,11 +42,11 @@ detection:
 - '.ps1'
 - '.vbe'
 - '.vbs'
- filter:
+ filter_optional_installer:
 CommandLine|contains|all:
 - '\Windows\TEMP\'
 - '.exe'
- condition: all of selection* and not filter
+ condition: all of selection* and not 1 of filter_optional_*
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_icacls_deny.yml b/rules/windows/process_creation/proc_creation_win_icacls_deny.yml
index 8a657974a37..6d091deae3a 100644
--- a/rules/windows/process_creation/proc_creation_win_icacls_deny.yml
+++ b/rules/windows/process_creation/proc_creation_win_icacls_deny.yml
@@ -6,6 +6,7 @@ references:
 - https://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/
 author: frack113
 date: 2022/07/18
+modified: 2024/04/29
 tags:
 - attack.defense_evasion
 - attack.t1564.001
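Review bot: The `.exe` term of the renamed `filter_optional_installer` (attrib_system_susp_paths hunk) is satisfied by the command line's own `attrib.exe` token whenever the process is invoked with its extension spelled out, so in that case any attrib call mentioning `\Windows\TEMP\` is suppressed regardless of which script extension the selection matched; the new name makes the filter read as installer-specific when its terms are not. If the exclusion exists for a particular installer, anchoring the second term on something only that installer's argument carries (its file name, or the quoted path form `.exe"` if it quotes its paths) would keep the suppression narrow. A comment above the filter naming that installer would also reconcile it with the `falsepositives: - Unknown` entry, which otherwise contradicts having an installer filter at all.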
@@ -18,10 +19,9 @@ detection:
 - Image|endswith: '\icacls.exe'
 selection_cmd: # icacls "C:\Users\admin\AppData\Local\37f92fe8-bcf0-4ee0-b8ba-561f797f5696" /deny *S-1-1-0:(OI)(CI)(DE,DC)
 CommandLine|contains|all:
- - 'C:\Users\'
 - '/deny'
 - '*S-1-1-0:'
- condition: all of selection*
+ condition: all of selection_*
 falsepositives:
- - Legitimate use
+ - Unknown
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml b/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml
index 115ec6be208..a42777cb04c 100644
--- a/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml
+++ b/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml
@@ -1,4 +1,4 @@
-title: Suspicious Execution Of PDQDeployRunner
+title: Potentially Suspicious Execution Of PDQDeployRunner
 id: 12b8e9f5-96b2-41e1-9a42-8c6779a5c184
 related:
 - id: d679950c-abb7-43a6-80fb-2a480c4fc450
@@ -9,6 +9,7 @@ references:
 - https://twitter.com/malmoeb/status/1550483085472432128
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/22
+modified: 2024/05/02
 tags:
 - attack.execution
 logsource:
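Review bot: With `'C:\Users\'` dropped, `selection_cmd` in the icacls hunk reduces to the `/deny` and `*S-1-1-0:` substrings, which cover only the SID spelling of the Everyone principal; icacls also accepts the account name, so a `/deny Everyone:(…)` command line that does exactly what the rule title describes is not matched. If restricting to the SID is deliberate (the name is locale-dependent, the SID is not), a comment on the selection saying so would save the next reader the question; otherwise split the two terms into separate selections so the principal can be a list, which the new `all of selection_*` condition already combines. The inline comment still cites a `C:\Users\...` example, which is fine as an illustration now that the path is no longer a constraint.
```yaml
    selection_cmd_deny:
        CommandLine|contains: '/deny'
    selection_cmd_principal:
        # SID form and (locale-dependent) account-name form of the Everyone principal
        CommandLine|contains:
            - '*S-1-1-0:'
            - 'Everyone:'
    condition: all of selection_*
```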
@@ -16,39 +17,40 @@ logsource:
 product: windows
 detection:
 selection_parent:
- ParentImage|contains: 'PDQDeployRunner-'
- selection_susp:
+ ParentImage|contains: '\PDQDeployRunner-'
+ selection_child:
 # Improve this section by adding other suspicious processes, commandlines or paths
 - Image|endswith:
 # If you use any of the following processes legitimately comment them out
- - '\wscript.exe'
- - '\cscript.exe'
- - '\rundll32.exe'
- - '\regsvr32.exe'
- - '\wmic.exe'
- - '\msiexec.exe'
- - '\mshta.exe'
+ - '\bash.exe'
+ - '\certutil.exe'
+ - '\cmd.exe'
 - '\csc.exe'
+ - '\cscript.exe'
 - '\dllhost.exe'
- - '\certutil.exe'
+ - '\mshta.exe'
+ - '\msiexec.exe'
+ - '\regsvr32.exe'
+ - '\rundll32.exe'
 - '\scriptrunner.exe'
- - '\bash.exe'
+ - '\wmic.exe'
+ - '\wscript.exe'
 - '\wsl.exe'
 - Image|contains:
- - 'C:\Users\Public\'
- - 'C:\ProgramData\'
- - 'C:\Windows\TEMP\'
+ - ':\ProgramData\'
+ - ':\Users\Public\'
+ - ':\Windows\TEMP\'
 - '\AppData\Local\Temp'
 - CommandLine|contains:
- - 'iex '
- - 'Invoke-'
- - 'DownloadString'
- - 'http'
+ - ' -decode '
 - ' -enc '
 - ' -encodedcommand '
- - 'FromBase64String'
- - ' -decode '
 - ' -w hidden'
+ - 'DownloadString'
+ - 'FromBase64String'
+ - 'http'
+ - 'iex '
+ - 'Invoke-'
 condition: all of selection_*
 falsepositives:
 - Legitimate use of the PDQDeploy tool to execute these commands
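Review bot: Adding `'\cmd.exe'` to the `Image|endswith` list of `selection_child` makes any cmd.exe child of PDQDeployRunner an alert on its own, because the three `selection_child` entries are alternatives and the condition is just `all of selection_*`; PDQ Deploy's command-type steps are, as far as I know, executed through cmd.exe, so this is likely to turn a fairly quiet rule into a noisy one on every routine deployment. If keeping cmd.exe is intended, the existing `# If you use any of the following processes legitimately comment them out` note should single it out, e.g. `- '\cmd.exe'  # PDQ Deploy command steps spawn cmd.exe; comment out if that is routine in your environment`; otherwise pair it with the `CommandLine|contains` terms in a dedicated selection rather than listing it bare. The `':\ProgramData\'`, `':\Users\Public\'` and `':\Windows\TEMP\'` rewrites are a clear improvement since they no longer assume the `C:` drive.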