From 2cab121c71193e3022daa85d8eedfe8b32fa185d Mon Sep 17 00:00:00 2001
From: phantinuss
Date: Wed, 31 Mar 2021 16:12:38 +0200
Subject: [PATCH] refactor: merging rule process_creation/win_susp_exec_folder.yml and process_creation/win_susp_prog_location_process_starts.yml because of significant overlap
---
 .../process_creation/win_susp_exec_folder.yml | 42 -------------------
 .../win_susp_execution_path.yml | 22 +++++++++-
 .../win_susp_prog_location_process_starts.yml | 28 -------------
 3 files changed, 20 insertions(+), 72 deletions(-)
 delete mode 100644 rules/windows/process_creation/win_susp_exec_folder.yml
 delete mode 100644 rules/windows/process_creation/win_susp_prog_location_process_starts.yml
diff --git a/rules/windows/process_creation/win_susp_exec_folder.yml b/rules/windows/process_creation/win_susp_exec_folder.yml
deleted file mode 100644
index f42c4c82..00000000
--- a/rules/windows/process_creation/win_susp_exec_folder.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-title: Executables Started in Suspicious Folder
-id: 7a38aa19-86a9-4af7-ac51-6bfe4e59f254
-status: experimental
-description: Detects process starts of binaries from a suspicious folder
-author: Florian Roth
-date: 2017/10/14
-modified: 2019/02/21
-references:
- - https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt
- - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
- - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
- - https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md
-tags:
- - attack.defense_evasion
- - attack.t1036
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- Image:
- - C:\PerfLogs\\*
- - C:\$Recycle.bin\\*
- - C:\Intel\Logs\\*
- - C:\Users\Default\\*
- - C:\Users\Public\\*
- - C:\Users\NetworkService\\*
- - C:\Windows\Fonts\\*
- - C:\Windows\Debug\\*
- - C:\Windows\Media\\*
- - C:\Windows\Help\\*
- - C:\Windows\addins\\*
- - C:\Windows\repair\\*
- - C:\Windows\security\\*
- - '*\RSA\MachineKeys\\*'
- - C:\Windows\system32\config\systemprofile\\*
- - C:\Windows\Tasks\\*
- - C:\Windows\System32\Tasks\\*
- condition: selection
-falsepositives:
- - Unknown
-level: high
diff --git a/rules/windows/process_creation/win_susp_execution_path.yml b/rules/windows/process_creation/win_susp_execution_path.yml
index 69c3fa09..18f4ad21 100644
--- a/rules/windows/process_creation/win_susp_execution_path.yml
+++ b/rules/windows/process_creation/win_susp_execution_path.yml
@@ -1,9 +1,15 @@
-title: Execution in Non-Executable Folder
+title: Execution from Suspicious Folder
 id: 3dfd06d2-eaf4-4532-9555-68aca59f57c4
 status: experimental
 description: Detects a suspicious execution from an uncommon folder
 author: Florian Roth
 date: 2019/01/16
+modified: 2021/03/31
+references:
+ - https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt
+ - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
+ - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
+ - https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md
 tags:
 - attack.defense_evasion
 - attack.t1036
@@ -13,7 +19,7 @@ logsource:
 detection:
 selection:
 Image:
- - '*\$Recycle.bin'
+ - '*\$Recycle.bin\\*'
 - '*\Users\All Users\\*'
 - '*\Users\Default\\*'
 - '*\Users\Public\\*'
@@ -22,6 +28,18 @@ detection:
 - '*\Windows\Fonts\\*'
 - '*\Windows\IME\\*'
 - '*\Windows\addins\\*'
+ - '*\Intel\Logs\\*'
+ - '*\Users\NetworkService\\*'
+ - '*\Windows\debug\\*'
+ - '*\Windows\Media\\*'
+ - '*\Windows\Help\\*'
+ - '*\Windows\repair\\*'
+ - '*\Windows\security\\*'
+ - '*\RSA\MachineKeys\\*'
+ - '*\Windows\system32\config\systemprofile\\*'
+ - '*\Windows\Tasks\\*'
+ - '*\Windows\System32\Tasks\\*'
+ condition: selection
 fields:
 - CommandLine
diff --git a/rules/windows/process_creation/win_susp_prog_location_process_starts.yml b/rules/windows/process_creation/win_susp_prog_location_process_starts.yml
deleted file mode 100644
index fef504ff..00000000
--- a/rules/windows/process_creation/win_susp_prog_location_process_starts.yml
+++ /dev/null
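Review bot: Both deleted rules matched the PerfLogs directory (`C:\PerfLogs\\*` in win_susp_exec_folder.yml, `'C:\Perflogs\\*'` in win_susp_prog_location_process_starts.yml), but none of the three hunks of win_susp_execution_path.yml adds a PerfLogs entry; unless it already sits in the old lines 20-21 that the second and third hunks leave unshown, the merge silently drops that coverage and `    - '*\PerfLogs\\*'` should be added to the Image list next to the other new entries. The merged rule also does not record which rule ids it absorbed (7a38aa19-86a9-4af7-ac51-6bfe4e59f254 and f50bfd8b-e2a3-4c15-9373-7900b5a4c6d5), so anyone who tuned or suppressed alerts on those ids loses the trail; naming them in the description, or in a `related:` entry if the repository already uses that field, would keep the mapping. The docs.google.com reference from the second deleted rule is not carried into the new `references:` list of the first hunk. The merged rule's `falsepositives` and `level` lie outside these hunks, so whether it keeps the deleted rules' `level: high` cannot be checked here.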
@@ -1,28 +0,0 @@
-title: Suspicious Program Location Process Starts
-id: f50bfd8b-e2a3-4c15-9373-7900b5a4c6d5
-status: experimental
-description: Detects programs running in suspicious files system locations
-references:
- - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
-tags:
- - attack.defense_evasion
- - attack.t1036
-author: Florian Roth
-date: 2019/01/15
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- Image:
- - '*\$Recycle.bin'
- - '*\Users\Public\\*'
- - 'C:\Perflogs\\*'
- - '*\Windows\Fonts\\*'
- - '*\Windows\IME\\*'
- - '*\Windows\addins\\*'
- - '*\Windows\debug\\*'
- condition: selection
-falsepositives:
- - unknown
-level: high