Merge PR #4727 from @frack113 - Refactor the condition field to ali…

…gn with the standard chore: refactor the `condition` field to align with the standard --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
SigmaHQ · Feb 26, 2024 · 49bd839 · 49bd839
1 parent a519886
commit 49bd839
Show file tree

Hide file tree

Showing 9 changed files with 21 additions and 21 deletions.
diff --git a/rules-emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml b/rules-emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml
@@ -16,11 +16,11 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection_base:
+    selection:
         CommandLine|contains|all:
             - '-exec bypass -w 1 -enc'
             - 'UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA'  # Start-Job -ScriptBlock
-    condition: all of selection*
+    condition: selection
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml b/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml
@@ -5,7 +5,7 @@ description: Backdooring domain object to grant the rights associated with DCSyn
 references:
     - https://twitter.com/menasec1/status/1111556090137903104
     - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
-author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim Shelton; Maxence Fossat
+author: Samir Bousseaden, Roberto Rodriguez @Cyb3rWard0g, oscd.community, Tim Shelton, Maxence Fossat
 date: 2019/04/03
 modified: 2022/08/16
 tags:
@@ -14,7 +14,7 @@ tags:
 logsource:
     product: windows
     service: security
-    definition: The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs). Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule need to be setup (See https://github.com/OTRF/Set-AuditRule)
+    definition: 'Requirements: The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs). Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule need to be setup (See https://github.com/OTRF/Set-AuditRule)'
 detection:
     selection:
         EventID: 5136
@@ -23,12 +23,12 @@ detection:
             - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
             - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
             - '89e95b76-444d-4c62-991a-0facbeda640c'
-    filter1:
+    filter_main_dns_object_class:
         ObjectClass:
             - 'dnsNode'
             - 'dnsZoneScope'
             - 'dnsZone'
-    condition: selection and not 1 of filter*
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account.
 level: high
diff --git a/...in/system/service_control_manager/win_system_susp_service_installation_folder_pattern.yml b/...in/system/service_control_manager/win_system_susp_service_installation_folder_pattern.yml
@@ -16,13 +16,13 @@ logsource:
     product: windows
     service: system
 detection:
-    selection:
+    selection_eid:
         Provider_Name: 'Service Control Manager'
         EventID: 7045
-    suspicious1:
+    selection_img_paths:
         - ImagePath|re: '^[Cc]:\\[Pp]rogram[Dd]ata\\.{1,9}\.exe'
         - ImagePath|re: '^[Cc]:\\.{1,9}\.exe'
-    condition: selection and 1 of suspicious*
+    condition: all of selection_*
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml b/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml
@@ -25,7 +25,7 @@ detection:
             - '\netiostate.txt'
             - '\sysportslog.txt'
             - '\VmSwitchLog.evtx'
-    condition: all of selection*
+    condition: selection
 falsepositives:
     - Unknown
 level: medium
diff --git a/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml b/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml
@@ -17,11 +17,11 @@ logsource:
 detection:
     selection:
         TargetFilename|endswith: '.pfx'
-    filter:
+    filter_main_windows_tmp_key:
         TargetFilename|contains|all:
             - '\Templates\Windows\Windows_TemporaryKey.pfx'
             - '\CMake\'
-    condition: selection and not 1 of filter*
+    condition: selection and not 1 of filter_main_*
 falsepositives:
-    - System administrators managing certififcates.
+    - System administrators managing certificates.
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml
@@ -20,7 +20,7 @@ detection:
     selection:
         ParentImage|endswith: '\setres.exe'
         Image|endswith: '\choice'
-    condition: all of selection*
+    condition: selection
 falsepositives:
     - Legitimate usage of Setres
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml b/rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml
@@ -31,9 +31,9 @@ detection:
             - ' use '
             - ':*\\'
             - '/USER:* *'
-    filter_empty:
+    filter_main_empty:
         CommandLine|endswith: ' '
-    condition: all of selection_* and not 1 of filter*
+    condition: all of selection_* and not 1 of filter_main_*
 falsepositives:
     - Unknown
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_nslookup_domain_discovery.yml b/rules/windows/process_creation/proc_creation_win_nslookup_domain_discovery.yml
@@ -15,11 +15,11 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection_nslookup:
+    selection:
         CommandLine|contains|all:
             - 'nslookup'
             - '_ldap._tcp.dc._msdcs.'
-    condition: 1 of selection*
+    condition: selection
 falsepositives:
     - False positives depend on scripts and administrative tools used in the monitored environment
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml
@@ -19,7 +19,7 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection_flags_1:
+    selection:
         # Escalation to LOCAL_SYSTEM
         CommandLine|contains:
             # Note that you don't need to add the ".exe" part when using psexec/paexec
@@ -58,13 +58,13 @@ detection:
             - ' /i /s powershell'
             - ' -i /s powershell'
             - ' /i -s powershell'
-    filter:
+    filter_main_exclude_coverage:
         # This filter exclude strings covered by 8834e2f7-6b4b-4f09-8906-d2276470ee23
         CommandLine|contains:
             - 'paexec'
             - 'PsExec'
             - 'accepteula'
-    condition: 1 of selection_flags_* and not filter
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - Weird admins that rename their tools
     - Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing