Update proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml

[DanielKoifman]

Summary of the Pull Request

Removed "/c" and "echo" parts of the command detection.
This is due to the fact that when you pipe a command in CMD, it actually splits the command into parts, one event for each pipe, as can be seen in the photos using the command example from the rule itself:

Changelog

Update proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

• If your PR adds new rules, please consider following and applying these conventions

[frack113]

hi,
It should be in the ParentCommandLine .
Can you provide the full log ?
thanks

[DanielKoifman]

In this article, it also supports this finding:

I am unable to find "ParentCommandLine" in the 4688 events, but here are the XMLs:

  <Data Name="SubjectUserSid">S-1-5-21-3845620932-348487932-1468179686-500</Data> 
  <Data Name="SubjectUserName">cops</Data> 
  <Data Name="SubjectDomainName">WS01</Data> 
  <Data Name="SubjectLogonId">0x17d696</Data> 
  <Data Name="NewProcessId">0xba8</Data> 
  <Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data> 
  <Data Name="TokenElevationType">%%1936</Data> 
  <Data Name="ProcessId">0x1a0c</Data> 
  <Data Name="CommandLine">C:\WINDOWS\system32\cmd.exe /C cmd.exe /c echo J9kzQ2Y0qO</Data> 
  <Data Name="TargetUserSid">S-1-0-0</Data> 
  <Data Name="TargetUserName">-</Data> 
  <Data Name="TargetDomainName">-</Data> 
  <Data Name="TargetLogonId">0x0</Data> 
  <Data Name="ParentProcessName">C:\Windows\System32\cmd.exe</Data> 
  <Data Name="MandatoryLabel">S-1-16-12288</Data> 

 <Data Name="SubjectUserSid">S-1-5-21-3845620932-348487932-1468179686-500</Data> 
  <Data Name="SubjectUserName">cops</Data> 
  <Data Name="SubjectDomainName">WS01</Data> 
  <Data Name="SubjectLogonId">0x17d696</Data> 
  <Data Name="NewProcessId">0x1b50</Data> 
  <Data Name="NewProcessName">C:\Users\cops.WS01\Downloads\AnyDesk.exe</Data> 
  <Data Name="TokenElevationType">%%1936</Data> 
  <Data Name="ProcessId">0x1a0c</Data> 
  <Data Name="CommandLine">C:\Users\cops.WS01\Downloads\AnyDesk.exe --set-password</Data> 
  <Data Name="TargetUserSid">S-1-0-0</Data> 
  <Data Name="TargetUserName">-</Data> 
  <Data Name="TargetDomainName">-</Data> 
  <Data Name="TargetLogonId">0x0</Data> 
  <Data Name="ParentProcessName">C:\Windows\System32\cmd.exe</Data> 
  <Data Name="MandatoryLabel">S-1-16-12288</Data> 

<Data Name="SubjectUserSid">S-1-5-21-3845620932-348487932-1468179686-500</Data> 
  <Data Name="SubjectUserName">cops</Data> 
  <Data Name="SubjectDomainName">WS01</Data> 
  <Data Name="SubjectLogonId">0x17d696</Data> 
  <Data Name="NewProcessId">0x1d90</Data> 
  <Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data> 
  <Data Name="TokenElevationType">%%1936</Data> 
  <Data Name="ProcessId">0xba8</Data> 
  <Data Name="CommandLine">cmd.exe /c echo J9kzQ2Y0qO</Data> 
  <Data Name="TargetUserSid">S-1-0-0</Data> 
  <Data Name="TargetUserName">-</Data> 
  <Data Name="TargetDomainName">-</Data> 
  <Data Name="TargetLogonId">0x0</Data> 
  <Data Name="ParentProcessName">C:\Windows\System32\cmd.exe</Data> 
  <Data Name="MandatoryLabel">S-1-16-12288</Data> 

[nasbench]

@DanielKoifman this rule is taking the case where the attacker uses quotes like this C:\WINDOWS\system32\cmd.exe /C "cmd.exe /c echo J9kzQ2Y0qO |C:\ProgramData\anydesk.exe --set-password" because without these quotes, as its known the commands will be split. That is a higher level of auspiciousness than just --set-password

If you want to catch any --set-password use, please create a new rules.

[DanielKoifman]

Thanks @nasbench I will close this PR and create a new rule based only on --set-password.

[nasbench]

Thanks @nasbench I will close this PR and create a new rule based only on --set-password.

Why close and not update this one? Closing and opening PRs is not fun for ys reviewers. So please refrain from unnecessarily closing PR that have comments and review.