SigmaHQ · swachchhanda000 · Mar 5, 2025 · Mar 5, 2025 · Mar 5, 2025 · Mar 6, 2025
diff --git a/...-threat-hunting/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml b/...-threat-hunting/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml
@@ -10,6 +10,7 @@ references:
     - https://github.com/Wh04m1001/SysmonEoP
 author: Nasreddine Bencherchali (Nextron Systems), frack113
 date: 2023-11-23
+modified: 2025-03-06
 tags:
     - attack.privilege-escalation
     - attack.defense-evasion
@@ -23,10 +24,12 @@ detection:
     selection_shell:
         - Image|endswith:
               - '\powershell.exe'
+              - '\powershell_ise.exe'
               - '\pwsh.exe'
               - '\cmd.exe'
         - OriginalFileName:
               - 'PowerShell.EXE'
+              - 'powershell_ise.EXE'
               - 'pwsh.dll'
               - 'Cmd.Exe'
     selection_user:

diff --git a/rules/windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml b/rules/windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml
@@ -6,7 +6,7 @@ references:
     - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2023-03-17
-modified: 2023-05-09
+modified: 2025-03-05
 tags:
     - attack.persistence
 logsource:
@@ -45,6 +45,11 @@ detection:
         TargetFilename|endswith:
             - '.dll'
             - '.exe'
+    filter_main_system_temp:
+        TargetFilename|startswith: 'C:\Windows\SystemTemp\'
+        TargetFilename|endswith:
+            - '.dll'
+            - '.exe'
     condition: selection and not 1 of filter_main_*
 falsepositives:
     - False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.

diff --git a/rules/windows/network_connection/net_connection_win_python.yml b/rules/windows/network_connection/net_connection_win_python.yml
@@ -7,7 +7,7 @@ references:
     - https://pypi.org/project/scapy/
 author: frack113
 date: 2021-12-10
-modified: 2025-01-20
+modified: 2025-03-05
 tags:
     - attack.discovery
     - attack.t1046
@@ -18,7 +18,9 @@ logsource:
 detection:
     selection:
         Initiated: 'true'
-        Image|contains: 'python'
+        Image|contains|all:
+            - '\python'
+            - '.exe'
     filter_optional_conda:
         # Related to anaconda updates. Command example: "conda update conda"
         # This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage

diff --git a/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml b/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml
@@ -6,7 +6,7 @@ references:
     - https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html
 author: Tim Rauch, Elastic (idea)
 date: 2022-09-28
-modified: 2023-03-29
+modified: 2025-03-06
 tags:
     - attack.execution
     - attack.t1059
@@ -44,6 +44,7 @@ detection:
             - '-k NetworkService -p -s DoSvc'
             - '-k wsappx -p -s AppXSvc'
             - '-k wsappx -p -s ClipSVC'
+            - '-k wusvcs -p -s WaaSMedicSvc'
     filter_optional_dropbox:
         ParentCommandLine|contains:
             - 'C:\Program Files (x86)\Dropbox\Client\'

diff --git a/...windows/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml b/...windows/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml
@@ -7,9 +7,9 @@ status: test
 description: Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from a uncommon parent location.
 references:
     - https://github.com/Wh04m1001/SysmonEoP
-author: frack113, Tim Shelton (update fp)
+author: frack113, Tim Shelton (update fp), Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2022-12-05
-modified: 2023-11-23
+modified: 2025-03-06
 tags:
     - attack.privilege-escalation
     - attack.defense-evasion
@@ -22,10 +22,12 @@ detection:
     selection_shell:
         - Image|endswith:
               - '\powershell.exe'
+              - '\powershell_ise.exe'
               - '\pwsh.exe'
               - '\cmd.exe'
         - OriginalFileName:
               - 'PowerShell.EXE'
+              - 'powershell_ise.EXE'
               - 'pwsh.dll'
               - 'Cmd.Exe'
     selection_user:
@@ -62,8 +64,10 @@ detection:
     filter_main_parent_null:
         ParentImage: null
     filter_main_parent_empty:
-        ParentImage: ''
+        ParentImage:
+            - ''
+            - '-'
     condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
-    - Unknown
+    - Some legitimate applications may spawn shells from uncommon parent locations. Apply additional filters and perform an initial baseline before deploying.
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml b/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml
@@ -9,7 +9,7 @@ references:
     - https://twitter.com/m417z/status/1566674631788007425
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-09-06
-modified: 2023-01-09
+modified: 2025-03-06
 tags:
     - attack.execution
     - attack.t1106
@@ -69,7 +69,14 @@ detection:
     filter_optional_mpcmdrun:
         Image|endswith: '\MpCmdRun.exe'
         CommandLine|contains: 'GetLoadLibraryWAddress32'
+    filter_optional_compatTelRunner:
+        ParentImage|endswith: '\CompatTelRunner.exe'
+        CommandLine|contains:
+            - 'FreeHGlobal'
+            - 'PtrToString'
+            - 'kernel32'
+            - 'CloseHandle'
     condition: selection and not 1 of filter_optional_*
 falsepositives:
-    - Unknown
+    - Some legitimate action or applications may use these functions. Investigate further to determine the legitimacy of the activity.
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml b/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml
@@ -8,7 +8,7 @@ references:
     - https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
 author: vburov
 date: 2019-02-23
-modified: 2022-02-14
+modified: 2025-03-06
 tags:
     - attack.defense-evasion
     - attack.t1036.003
@@ -42,7 +42,9 @@ detection:
         ParentImage|endswith: '\MsMpEng.exe'
     filter_null:
         - ParentImage: null
-        - ParentImage: '-'
+        - ParentImage:
+              - ''
+              - '-'
     condition: selection and not 1 of filter_*
 falsepositives:
     - Some security products seem to spawn these

diff --git a/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml b/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml
@@ -8,7 +8,7 @@ references:
     - https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
 author: Florian Roth (Nextron Systems)
 date: 2021-08-12
-modified: 2023-12-04
+modified: 2025-03-06
 tags:
     - attack.discovery
     - attack.t1033
@@ -32,7 +32,9 @@ detection:
     filter_main_parent_null:
         ParentImage: null
     filter_main_parent_empty:
-        ParentImage: ''
+        ParentImage:
+            - ''
+            - '-'
     condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Admin activity