Cleanup selection name

2024-11-06 09:25:17 +00:00 · 2021-10-10 10:17:24 +02:00 · 2021-10-10 10:17:24 +02:00 · 1337116d84
commit 1337116d84
parent 2379907f26
8 changed files with 17 additions and 17 deletions
--- a/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml
@ -19,21 +19,21 @@ logsource:
    service: powershell
    definition: PowerShell Module Logging must be enabled
 detection:
-    selection_4:
+    selection_id:
        EventID: 4103
-    selection_5:
+    selection_payload_1:
        Payload|contains:
            - 'del'
            - 'Remove-Item'
            - 'rm'
        Payload|contains|all:
            - '(Get-PSReadlineOption).HistorySavePath'
-    selection_6:
+    selection_payload_2:
        Payload|contains|all:
            - 'Set-PSReadlineOption'
            - '–HistorySaveStyle'
            - 'SaveNothing'
-    condition: selection_4 and ( selection_5 or selection_6 ) 
+    condition: selection_id and ( selection_payload_1 or selection_payload_2 ) 
 falsepositives:
    - Legitimate PowerShell scripts
 level: medium
--- a/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml
+++ b/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml
@ -19,10 +19,10 @@ logsource:
    service: powershell
    definition: PowerShell Module Logging must be enabled
 detection:
-    selection2:
+    selection_4103:
        EventID: 4103
        Payload|contains: 'Expand-Archive'
-    condition: selection2
+    condition: selection_4103
 falsepositives:
    - unknown
 level: informational
--- a/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml
+++ b/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml
@ -19,10 +19,10 @@ logsource:
    service: powershell
    definition: PowerShell Module Logging must be enabled
 detection:
-    selection2:
+    selection_4103:
        EventID: 4103
        Payload|contains: 'Get-Clipboard'
-    condition: selection2
+    condition: selection_4103
 falsepositives:
    - unknown
 level: medium
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml
@ -19,9 +19,9 @@ logsource:
    service: powershell
    definition: PowerShell Module Logging must be enabled
 detection:
-    selection_3:
+    selection_id:
        EventID: 4103
-    selection_4:
+    selection_payload:
        - Payload|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
        - Payload|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
        - Payload|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
@ -29,7 +29,7 @@ detection:
        - Payload|re: '\\\\*mdr\\\\*\W\s*\)\.Name'
        - Payload|re: '\$VerbosePreference\.ToString\('
        - Payload|re: '\String\]\s*\$VerbosePreference'
-    condition: selection_3 and selection_4
+    condition: selection_id and selection_payload
 falsepositives:
    - Unknown
 level: high
--- a/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml
+++ b/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml
@ -16,12 +16,12 @@ logsource:
    service: powershell
    definition: Script block logging must be enabled
 detection:
-    selection2:
+    selection:
        EventID: 4104
        ScriptBlockText|contains:
          - 'CL_Invocation.ps1'
          - 'SyncInvoke'
-    condition: selection2 | count(ScriptBlockText) by Computer > 2
+    condition: selection | count(ScriptBlockText) by Computer > 2
      # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
      # PS > SyncInvoke c:\Evil.exe
 falsepositives:
--- a/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml
+++ b/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml
@ -16,12 +16,12 @@ logsource:
    service: powershell
    definition: Script block logging must be enabled
 detection:
-    selection2:
+    selection:
        EventID: 4104
        ScriptBlockText|contains:
          - 'CL_Mutexverifiers.ps1'
          - 'runAfterCancelProcess'
-    condition: selection2 | count(ScriptBlockText) by Computer > 2
+    condition: selection | count(ScriptBlockText) by Computer > 2
      # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
      # PS > runAfterCancelProcess c:\Evil.exe
 falsepositives:
--- a/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml
+++ b/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml
@ -23,7 +23,7 @@ detection:
        ScriptBlockText|contains: 
            - MSAcpi_ThermalZoneTemperature
            - Win32_ComputerSystem
-    condition: all of selection_*
+    condition: all of them
 falsepositives:
    - Unknown
 level: medium
--- a/rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml
+++ b/rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml
@ -28,7 +28,7 @@ detection:
            - '-Namespace root/subscription '
            - '-ClassName CommandLineEventConsumer '
            - '-Property ' #is a variable name 
-    condition: all of them
+    condition: selection_id and selection_ioc
 falsepositives:
    - Unknown
 level: medium