Fixed fps and added coverage for ARM based windows dotnet paths

rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml

@@ -6,7 +6,7 @@ references:
     - Internal Research
 author: frack113
 date: 2022-03-09
-modified: 2023-11-06
+modified: 2025-02-24
 tags:
     - attack.resource-development
     - attack.t1587.001
@@ -75,7 +75,11 @@ detection:
         #       TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\4f8c-0\MSBuild.exe
         #       TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\49bc-0\testhost.net47.x86.exe
         #       TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\39d8-0\fsc.exe
-        Image|contains: ':\Windows\Microsoft.NET\Framework\'
+        Image|contains:
+            - ':\Windows\Microsoft.NET\Framework\'
+            - ':\Windows\Microsoft.NET\Framework64\'
+            - ':\Windows\Microsoft.NET\FrameworkArm\'
+            - ':\Windows\Microsoft.NET\FrameworkArm64\'
         Image|endswith: '\mscorsvw.exe'
         TargetFilename|contains: ':\Windows\assembly\NativeImages_'
     filter_main_vscode:

rules-threat-hunting/windows/image_load/image_load_dll_amsi_uncommon_process.yml

@@ -8,7 +8,7 @@ references:
     - https://github.com/surya-dev-singh/AmsiBypass-OpenSession
 author: frack113
 date: 2023-03-12
-modified: 2023-12-18
+modified: 2025-02-24
 tags:
     - attack.defense-evasion
     - attack.impact
@@ -38,6 +38,8 @@ detection:
         Image|contains:
             - ':\Windows\Microsoft.NET\Framework\'
             - ':\Windows\Microsoft.NET\Framework64\'
+            - ':\Windows\Microsoft.NET\FrameworkArm\'
+            - ':\Windows\Microsoft.NET\FrameworkArm64\'
         Image|endswith: '\ngentask.exe'
     filter_main_null:
         Image: null

rules-threat-hunting/windows/image_load/image_load_wmi_module_load_by_uncommon_process.yml

@@ -6,7 +6,7 @@ references:
     - https://threathunterplaybook.com/hunts/windows/190811-WMIModuleLoad/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
 date: 2019-08-10
-modified: 2023-12-11
+modified: 2025-02-24
 tags:
     - attack.execution
     - attack.t1047
@@ -32,6 +32,8 @@ detection:
             - ':\Program Files\'
             - ':\Windows\explorer.exe'
             - ':\Windows\Microsoft.NET\Framework\'
+            - ':\Windows\Microsoft.NET\FrameworkArm\'
+            - ':\Windows\Microsoft.NET\FrameworkArm64\'
             - ':\Windows\Microsoft.NET\Framework64\'
             - ':\Windows\System32\'
             - ':\Windows\SysWOW64\'

rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml

@@ -14,7 +14,7 @@ references:
     - https://github.com/p3nt4/PowerShdll
 author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2019-11-14
-modified: 2024-01-17
+modified: 2025-02-24
 tags:
     - attack.t1059.001
     - attack.execution
@@ -48,6 +48,8 @@ detection:
     filter_main_dotnet:
         Image|contains:
             - ':\Windows\Microsoft.NET\Framework\'
+            - ':\Windows\Microsoft.NET\FrameworkArm\'
+            - ':\Windows\Microsoft.NET\FrameworkArm64\'
             - ':\Windows\Microsoft.NET\Framework64\'
         Image|endswith: '\mscorsvw.exe'
     filter_optional_sql_server_mgmt:

rules/windows/image_load/image_load_side_load_from_non_system_location.yml

@@ -8,9 +8,9 @@ references:
     - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll
     - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md # XForceIR (SideLoadHunter Project), Chris Spehn (research WFH Dridex)
     - https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/
-author: Nasreddine Bencherchali (Nextron Systems)
+author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2022-08-14
-modified: 2024-07-11
+modified: 2025-02-24
 tags:
     - attack.defense-evasion
     - attack.persistence
@@ -451,51 +451,52 @@ detection:
     filter_main_generic:
         # Note: this filter is generic on purpose to avoid insane amount of FP from legitimate third party applications. A better approach would be to baseline everything and add specific filters to avoid blind spots
         ImageLoaded|contains:
-            - 'C:\$WINDOWS.~BT\'
-            - 'C:\$WinREAgent\'
-            - 'C:\Windows\SoftwareDistribution\'
-            - 'C:\Windows\System32\'
-            - 'C:\Windows\SystemTemp\'
-            - 'C:\Windows\SysWOW64\'
-            - 'C:\Windows\WinSxS\'
+            - ':\$WINDOWS.~BT\'
+            - ':\$WinREAgent\'
+            - ':\Windows\SoftwareDistribution\'
+            - ':\Windows\System32\'
+            - ':\Windows\SystemTemp\'
+            - ':\Windows\SysWOW64\'
+            - ':\Windows\WinSxS\'
+            - ':\Windows\SyChpe32\' # “hybrid” binaries containing x86-to-ARM stubs to improve the x86 emulation performance
     filter_main_dot_net:
-        ImageLoaded|startswith: 'C:\Windows\Microsoft.NET\'
+        ImageLoaded|contains: ':\Windows\Microsoft.NET\'
         ImageLoaded|endswith: '\cscui.dll'
     filter_main_defender:
-        ImageLoaded|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
+        ImageLoaded|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
         ImageLoaded|endswith: '\version.dll'
     filter_main_directx:
-        ImageLoaded|startswith: 'C:\Program Files\WindowsApps\Microsoft.DirectXRuntime_'
+        ImageLoaded|contains: ':\Program Files\WindowsApps\Microsoft.DirectXRuntime_'
         ImageLoaded|endswith: '\d3dx9_43.dll'
     filter_optional_exchange:
-        ImageLoaded|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
+        ImageLoaded|contains: ':\Program Files\Microsoft\Exchange Server\'
         ImageLoaded|endswith: '\mswb7.dll'
     filter_optional_arsenal_image_mounter:
-        ImageLoaded|startswith: 'C:\Program Files\Arsenal-Image-Mounter-'
+        ImageLoaded|contains: ':\Program Files\Arsenal-Image-Mounter-'
         ImageLoaded|endswith:
             - '\mi.dll'
             - '\miutils.dl'
     filter_optional_office_appvpolicy:
-        Image: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe'
-        ImageLoaded: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll'
+        Image|contains: ':\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe'
+        ImageLoaded: ':\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll'
     filter_optional_azure:
-        ImageLoaded|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
+        ImageLoaded|contains: ':\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
     filter_optional_dell:
         Image|contains:
-            - 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
-            - 'C:\Windows\System32\backgroundTaskHost.exe'
-        ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
+            - ':\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
+            - ':\Windows\System32\backgroundTaskHost.exe'
+        ImageLoaded|contains: ':\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
     filter_optional_dell_wldp:
-        Image|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
+        Image|contains: ':\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
         Image|endswith: '\wldp.dll'
     filter_optional_checkpoint:
-        Image|startswith:
-            - 'C:\Program Files\CheckPoint\'
-            - 'C:\Program Files (x86)\CheckPoint\'
+        Image|contains:
+            - ':\Program Files\CheckPoint\'
+            - ':\Program Files (x86)\CheckPoint\'
         Image|endswith: '\SmartConsole.exe'
-        ImageLoaded|startswith:
-            - 'C:\Program Files\CheckPoint\'
-            - 'C:\Program Files (x86)\CheckPoint\'
+        ImageLoaded|contains:
+            - ':\Program Files\CheckPoint\'
+            - ':\Program Files (x86)\CheckPoint\'
         ImageLoaded|endswith: '\PolicyManager.dll'
     condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:

rules/windows/image_load/image_load_side_load_mscorsvc.yml

@@ -6,6 +6,7 @@ references:
     - https://hijacklibs.net/entries/microsoft/built-in/mscorsvc.html
 author: Wietze Beukema
 date: 2024-07-11
+modified: 2025-02-24
 tags:
     - attack.defense-evasion
     - attack.t1574.002
@@ -16,10 +17,12 @@ detection:
     selection:
         ImageLoaded|endswith: '\mscorsvc.dll'
     filter_main_generic:
-        ImageLoaded|startswith:
-            - 'C:\Windows\Microsoft.NET\Framework\'
-            - 'C:\Windows\Microsoft.NET\Framework64\'
-            - 'C:\Windows\WinSxS\'
+        ImageLoaded|contains:
+            - ':\Windows\Microsoft.NET\Framework\'
+            - ':\Windows\Microsoft.NET\Framework64\'
+            - ':\Windows\Microsoft.NET\FrameworkArm\'
+            - ':\Windows\Microsoft.NET\FrameworkArm64\'
+            - ':\Windows\WinSxS\'
     condition: selection and not 1 of filter_main_*
 falsepositives:
     - Legitimate applications loading their own versions of the DLL mentioned in this rule.

rules/windows/image_load/image_load_wsman_provider_image_load.yml

@@ -9,7 +9,7 @@ references:
     - https://github.com/bohops/WSMan-WinRM
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020-06-24
-modified: 2022-10-07
+modified: 2025-02-24
 tags:
     - attack.execution
     - attack.t1059.001
@@ -43,9 +43,11 @@ detection:
             - 'svchost.exe -k NetworkService -p -s Wecsvc'
             - 'svchost.exe -k netsvcs'
     filter_mscorsvw: # Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
-        Image|startswith:
-            - 'C:\Windows\Microsoft.NET\Framework64\v'
-            - 'C:\Windows\Microsoft.NET\Framework\v'
+        Image|contains:
+            - ':\Windows\Microsoft.NET\Framework64\v'
+            - ':\Windows\Microsoft.NET\Framework\v'
+            - ':\Windows\Microsoft.NET\FrameworkArm\v'
+            - ':\Windows\Microsoft.NET\FrameworkArm64\v'
         Image|endswith: '\mscorsvw.exe'
     filter_svr_2019:
         Image:

rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml

@@ -4,8 +4,9 @@ status: test
 description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
 references:
     - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
-author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
+author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri), Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2023-09-18
+modified: 2025-02-24
 tags:
     - attack.defense-evasion
     - attack.t1218
@@ -20,6 +21,8 @@ detection:
         Image|contains:
             - ':\Windows\Microsoft.NET\Framework\'
             - ':\Windows\Microsoft.NET\Framework64\'
+            - ':\Windows\Microsoft.NET\FrameworkArm\'
+            - ':\Windows\Microsoft.NET\FrameworkArm64\'
             - ':\Windows\WinSxS\'
     condition: selection and not 1 of filter_main_*
 falsepositives:

rules/windows/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml

@@ -12,9 +12,9 @@ description: Detects execution of "aspnet_compiler.exe" which can be abused to c
 references:
     - https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/
     - https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
-author: frack113
+author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2021-11-24
-modified: 2023-08-14
+modified: 2025-02-24
 tags:
     - attack.defense-evasion
     - attack.t1127
@@ -24,8 +24,10 @@ logsource:
 detection:
     selection:
         Image|contains:
-            - 'C:\Windows\Microsoft.NET\Framework\'
-            - 'C:\Windows\Microsoft.NET\Framework64\'
+            - ':\Windows\Microsoft.NET\Framework\'
+            - ':\Windows\Microsoft.NET\Framework64\'
+            - ':\Windows\Microsoft.NET\FrameworkArm\'
+            - ':\Windows\Microsoft.NET\FrameworkArm64\'
         Image|endswith: '\aspnet_compiler.exe'
     condition: selection
 falsepositives:

rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml

@@ -12,8 +12,9 @@ description: Detects execution of "aspnet_compiler.exe" with potentially suspici
 references:
     - https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/
     - https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
-author: Nasreddine Bencherchali (Nextron Systems)
+author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2023-08-14
+modified: 2025-02-24
 tags:
     - attack.defense-evasion
     - attack.t1127
@@ -23,8 +24,10 @@ logsource:
 detection:
     selection:
         Image|contains:
-            - 'C:\Windows\Microsoft.NET\Framework\'
-            - 'C:\Windows\Microsoft.NET\Framework64\'
+            - ':\Windows\Microsoft.NET\Framework\'
+            - ':\Windows\Microsoft.NET\Framework64\'
+            - ':\Windows\Microsoft.NET\FrameworkArm\'
+            - ':\Windows\Microsoft.NET\FrameworkArm64\'
         Image|endswith: '\aspnet_compiler.exe'
         CommandLine|contains:
             # Note: add other potential suspicious paths