Merge PR #4716 from @qasimqlf - Update rule condition and filter

update: External Disk Drive Or USB Storage Device Was Recognized By The System - Update selection to reflect the logic correctly fix: Uncommon Service Installation Image Path - Update filter logic to use correct modifiers --------- Co-authored-by: nasbench <[email protected]>
SigmaHQ · Feb 12, 2024 · cf84dcd · cf84dcd
1 parent 9ae511e
commit cf84dcd
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 10 deletions.
diff --git a/rules/windows/builtin/security/win_security_external_device.yml b/rules/windows/builtin/security/win_security_external_device.yml
@@ -1,12 +1,12 @@
 title: External Disk Drive Or USB Storage Device Was Recognized By The System
 id: f69a87ea-955e-4fb4-adb2-bb9fd6685632
 status: test
-description: Detects external diskdrives or plugged in USB devices, EventID 6416 on Windows 10 or later
+description: Detects external disk drives or plugged-in USB devices.
 references:
     - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6416
 author: Keith Wright
 date: 2019/11/20
-modified: 2024/01/16
+modified: 2024/02/09
 tags:
     - attack.t1091
     - attack.t1200
@@ -16,12 +16,12 @@ logsource:
     product: windows
     service: security
 detection:
-    selection_disk:
+    selection_eid:
         EventID: 6416
-        ClassName: 'DiskDrive'
-    selection_usb:
-        DeviceDescription: 'USB Mass Storage Device'
-    condition: 1 of selection_*
+    selection_field:
+        - ClassName: 'DiskDrive'
+        - DeviceDescription: 'USB Mass Storage Device'
+    condition: all of selection_*
 falsepositives:
     - Likely
 level: low
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml
@@ -12,7 +12,7 @@ references:
     - Internal Research
 author: Florian Roth (Nextron Systems)
 date: 2022/03/18
-modified: 2023/12/04
+modified: 2024/02/09
 tags:
     - attack.persistence
     - attack.privilege_escalation
@@ -42,9 +42,9 @@ detection:
             - ' SQBFAFgA' # PowerShell encoded commands
             - ' SUVYI' # PowerShell encoded commands
     filter_optional_thor_remote:
-        ImagePath|startswith: ':\WINDOWS\TEMP\thor10-remote\thor64.exe'
+        ImagePath|startswith: 'C:\WINDOWS\TEMP\thor10-remote\thor64.exe'
     filter_main_defender_def_updates:
-        ImagePath|contains: ':\ProgramData\Microsoft\Windows Defender\Definition Updates\'
+        ImagePath|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Definition Updates\'
     condition: selection and ( suspicious_paths or all of suspicious_encoded_* ) and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Unknown