SigmaHQ · MalGamy12 · Nov 20, 2024 · Nov 20, 2024 · Nov 20, 2024 · Nov 20, 2024
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml b/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml
@@ -11,9 +11,9 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery
     - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
     - https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
-author: Nasreddine Bencherchali (Nextron Systems), frack113
+author: Nasreddine Bencherchali (Nextron Systems), frack113, MalGamy (Nextron Systems)
 date: 2023-10-20
-modified: 2023-11-14
+modified: 2024-11-20
 tags:
     - attack.discovery
     - attack.t1518.001
@@ -29,34 +29,162 @@ detection:
               - 'FIND.EXE'
               - 'FINDSTR.EXE'
     selection_cli:
-        CommandLine|endswith:
+        CommandLine|contains:
             # Note: Add additional keywords to increase and enhance coverage
             # Note:
             #   We use the double quote variation because in cases of where the command is executed through cmd for example:
             #       cmd /c "tasklist | findstr virus"
             #   Logging utilties such as Sysmon would capture the end quote as part of findstr execution
-            - ' avira'
-            - ' avira"'
-            - ' cb'
-            - ' cb"'
-            - ' cylance'
+            - '"avastui '
+            - ' avastui"'
+            - ' avastui '
+            - '"aswidsagent '
+            - ' aswidsagent"'
+            - ' aswidsagent '
+            - '"avgui '
+            - ' avgui"'
+            - ' avgui '
+            - '"avguix'
+            - ' avguix"'
+            - ' avguix '
+            - '"bdservicehost '
+            - ' bdservicehost"'
+            - ' bdservicehost '
+            - '"bdagent '
+            - ' bdagent"'
+            - ' bdagent '
+            - '"vsserv '
+            - ' vsserv"'
+            - ' vsserv '
+            - '"nswscsvc '
+            - ' nswscsvc"'
+            - ' nswscsvc '
+            - '"ccsvchst '
+            - ' ccsvchst"'
+            - ' ccsvchst '
+            - '"nortonsecurity '
+            - ' nortonsecurity"'
+            - ' nortonsecurity '
+            - '"sophoshealth '
+            - ' sophoshealth"'
+            - ' sophoshealth '
+            - '"sophosui '
+            - ' sophosui"'
+            - ' sophosui '
+            - '"savservice '
+            - ' savservice"'
+            - ' savservice '
+            - '"mcshield '
+            - ' mcshield"'
+            - ' mcshield '
+            - '"mfemms '
+            - ' mfemms"'
+            - ' mfemms '
+            - '"mfeann '
+            - ' mfeann"'
+            - ' mfeann '
+            - '"avp '
+            - ' avp"'
+            - ' avp '
+            - '"ksde '
+            - ' ksde"'
+            - ' ksde '
+            - '"msmpeng '
+            - ' msmpeng"'
+            - ' msmpeng '
+            - '"mpcmdrun '
+            - ' mpcmdrun"'
+            - ' mpcmdrun '
+            - '"sgrmagent '
+            - ' sgrmagent"'
+            - ' sgrmagent '
+            - '"coreframeworkhost '
+            - ' coreframeworkhost"'
+            - ' coreframeworkhost '
+            - '"tmccsf '
+            - ' tmccsf"'
+            - ' tmccsff '
+            - '"egui '
+            - ' egui"'
+            - ' egui '
+            - '"ekrn '
+            - ' ekrn"'
+            - ' ekrn '
+            - '"mbamservice '
+            - ' mbamservice"'
+            - ' mbamservice '
+            - '"mbamtray '
+            - ' mbamtray"'
+            - ' mbamtray '
+            - '"csagent '
+            - ' csagent"'
+            - ' csagent '
+            - '"falconagent '
+            - ' falconagent"'
+            - ' falconagent '
+            - '"cylancesvc '
+            - ' cylancesvc"'
+            - ' cylancesvc '
+            - '"cylanceui '
+            - ' cylanceui"'
+            - ' cylanceui '
+            - '"cylance '
             - ' cylance"'
-            - ' defender'
+            - ' cylance '
+            - '"cyserver '
+            - ' cyserver"'
+            - ' cyserver '
+            - '"cytray '
+            - ' cytray"'
+            - ' cytray '
+            - '"sentinelagent '
+            - ' sentinelagent"'
+            - ' sentinelagent '
+            - '"sentineltray '
+            - ' sentineltray"'
+            - ' sentineltray '
+            - '"cb '
+            - ' cb"'
+            - ' cb '
+            - '"cbdefense '
+            - ' cbdefense"'
+            - ' cbdefense '
+            - '"xagt '
+            - ' xagt"'
+            - ' xagt '
+            - '"avira '
+            - ' avira"'
+            - ' avira '
+            - '"defender '
             - ' defender"'
-            - ' kaspersky'
+            - ' defender '
+            - '"kaspersky '
             - ' kaspersky"'
-            - ' kes'
+            - ' kaspersky '
+            - '"kes '
             - ' kes"'
-            - ' mc'
+            - ' kes '
+            - '"mc '
             - ' mc"'
-            - ' sec'
+            - ' mc '
+            - '"sec '
             - ' sec"'
-            - ' sentinel'
+            - ' sec '
+            - '"sentinel '
             - ' sentinel"'
-            - ' symantec'
+            - ' sentinel '
+            - '"symantec '
             - ' symantec"'
-            - ' virus'
+            - ' symantec '
+            - '"virus '
             - ' virus"'
+            - ' virus '
+            - '"opssvc'
+            - ' opssvc"'
+            - ' opssvc '
+            - '"wrsa '
+            - ' wrsa"'
+            - ' wrsa '
     condition: all of selection_*
 falsepositives:
     - Unknown