diff --git a/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml b/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml
index c965a45a02b..126d4ef4271 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml
@@ -11,9 +11,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery
 - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
 - https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
-author: Nasreddine Bencherchali (Nextron Systems), frack113
+author: Nasreddine Bencherchali (Nextron Systems), frack113, MalGamy (Nextron Systems)
 date: 2023-10-20
-modified: 2023-11-14
+modified: 2024-11-20
 tags:
 - attack.discovery
 - attack.t1518.001
@@ -29,34 +29,162 @@ detection:
 - 'FIND.EXE'
 - 'FINDSTR.EXE'
 selection_cli:
- CommandLine|endswith:
+ CommandLine|contains:
 # Note: Add additional keywords to increase and enhance coverage
 # Note:
 # We use the double quote variation because in cases of where the command is executed through cmd for example:
 # cmd /c "tasklist | findstr virus"
 # Logging utilties such as Sysmon would capture the end quote as part of findstr execution
- - ' avira'
- - ' avira"'
- - ' cb'
- - ' cb"'
- - ' cylance'
+ - '"avastui '
+ - ' avastui"'
+ - ' avastui '
+ - '"aswidsagent '
+ - ' aswidsagent"'
+ - ' aswidsagent '
+ - '"avgui '
+ - ' avgui"'
+ - ' avgui '
+ - '"avguix'
+ - ' avguix"'
+ - ' avguix '
+ - '"bdservicehost '
+ - ' bdservicehost"'
+ - ' bdservicehost '
+ - '"bdagent '
+ - ' bdagent"'
+ - ' bdagent '
+ - '"vsserv '
+ - ' vsserv"'
+ - ' vsserv '
+ - '"nswscsvc '
+ - ' nswscsvc"'
+ - ' nswscsvc '
+ - '"ccsvchst '
+ - ' ccsvchst"'
+ - ' ccsvchst '
+ - '"nortonsecurity '
+ - ' nortonsecurity"'
+ - ' nortonsecurity '
+ - '"sophoshealth '
+ - ' sophoshealth"'
+ - ' sophoshealth '
+ - '"sophosui '
+ - ' sophosui"'
+ - ' sophosui '
+ - '"savservice '
+ - ' savservice"'
+ - ' savservice '
+ - '"mcshield '
+ - ' mcshield"'
+ - ' mcshield '
+ - '"mfemms '
+ - ' mfemms"'
+ - ' mfemms '
+ - '"mfeann '
+ - ' mfeann"'
+ - ' mfeann '
+ - '"avp '
+ - ' avp"'
+ - ' avp '
+ - '"ksde '
+ - ' ksde"'
+ - ' ksde '
+ - '"msmpeng '
+ - ' msmpeng"'
+ - ' msmpeng '
+ - '"mpcmdrun '
+ - ' mpcmdrun"'
+ - ' mpcmdrun '
+ - '"sgrmagent '
+ - ' sgrmagent"'
+ - ' sgrmagent '
+ - '"coreframeworkhost '
+ - ' coreframeworkhost"'
+ - ' coreframeworkhost '
+ - '"tmccsf '
+ - ' tmccsf"'
+ - ' tmccsff '
+ - '"egui '
+ - ' egui"'
+ - ' egui '
+ - '"ekrn '
+ - ' ekrn"'
+ - ' ekrn '
+ - '"mbamservice '
+ - ' mbamservice"'
+ - ' mbamservice '
+ - '"mbamtray '
+ - ' mbamtray"'
+ - ' mbamtray '
+ - '"csagent '
+ - ' csagent"'
+ - ' csagent '
+ - '"falconagent '
+ - ' falconagent"'
+ - ' falconagent '
+ - '"cylancesvc '
+ - ' cylancesvc"'
+ - ' cylancesvc '
+ - '"cylanceui '
+ - ' cylanceui"'
+ - ' cylanceui '
+ - '"cylance '
 - ' cylance"'
- - ' defender'
+ - ' cylance '
+ - '"cyserver '
+ - ' cyserver"'
+ - ' cyserver '
+ - '"cytray '
+ - ' cytray"'
+ - ' cytray '
+ - '"sentinelagent '
+ - ' sentinelagent"'
+ - ' sentinelagent '
+ - '"sentineltray '
+ - ' sentineltray"'
+ - ' sentineltray '
+ - '"cb '
+ - ' cb"'
+ - ' cb '
+ - '"cbdefense '
+ - ' cbdefense"'
+ - ' cbdefense '
+ - '"xagt '
+ - ' xagt"'
+ - ' xagt '
+ - '"avira '
+ - ' avira"'
+ - ' avira '
+ - '"defender '
 - ' defender"'
- - ' kaspersky'
+ - ' defender '
+ - '"kaspersky '
 - ' kaspersky"'
- - ' kes'
+ - ' kaspersky '
+ - '"kes '
 - ' kes"'
- - ' mc'
+ - ' kes '
+ - '"mc '
 - ' mc"'
- - ' sec'
+ - ' mc '
+ - '"sec '
 - ' sec"'
- - ' sentinel'
+ - ' sec '
+ - '"sentinel '
 - ' sentinel"'
- - ' symantec'
+ - ' sentinel '
+ - '"symantec '
 - ' symantec"'
- - ' virus'
+ - ' symantec '
+ - '"virus '
 - ' virus"'
+ - ' virus '
+ - '"opssvc'
+ - ' opssvc"'
+ - ' opssvc '
+ - '"wrsa '
+ - ' wrsa"'
+ - ' wrsa '
 condition: all of selection_*
 falsepositives:
 - Unknown
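Review bot: The third Trend Micro variant is misspelled as `' tmccsff '` while its siblings read `'"tmccsf '` and `' tmccsf"'`, so the space-delimited form can never match the process name the other two target; change it to `' tmccsf '`. `'"avguix'` and `'"opssvc'` are also the only `"keyword` entries without the trailing space every other first variant carries — if that is deliberate (a deliberately broader prefix) it deserves a comment, otherwise it looks like the same slip. Switching from `endswith` to `contains` with bare ` mc `, ` sec `, ` cb ` and ` avp ` tokens widens the match to any find/findstr command line containing those words, so `falsepositives: - Unknown` will likely need concrete entries once this is tuned on real telemetry. The header comment still explains only the double-quote variant; I would extend it with `# Each keyword appears three times: "kw<space>, <space>kw" and <space>kw<space>, to cover quoted and unquoted argument forms` so the triple is understood by the next contributor.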