Adding Windows file path validation for values of File_Path (#403)

yml/OtherMSBinaries/Bginfo.yml

@@ -59,7 +59,7 @@ Commands:
     Tags:
       - Execute: WSH
 Full_Path:
-  - Path: No fixed path
+  - Path: no default
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_bginfo.yml
   - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml

yml/OtherMSBinaries/Createdump.yml

@@ -12,10 +12,10 @@ Commands:
     MitreID: T1003
     OperatingSystem: Windows 10, Windows 11
 Full_Path:
-  - Path: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\*\createdump.exe
-  - Path: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\*\createdump.exe
-  - Path: C:\Program Files\Microsoft Visual Studio\*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
-  - Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
+  - Path: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\<version>\createdump.exe
+  - Path: C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\<version>\createdump.exe
+  - Path: C:\Program Files\Microsoft Visual Studio\<version>\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
+  - Path: C:\Program Files (x86)\Microsoft Visual Studio\<version>\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml
   - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml

yml/OtherMSBinaries/DefaultPack.yml

@@ -12,7 +12,7 @@ Commands:
     MitreID: T1218
     OperatingSystem: Windows
 Full_Path:
-  - Path: C:\Program Files (x86)\Microsoft\DefaultPack\
+  - Path: C:\Program Files (x86)\Microsoft\DefaultPack\DefaultPack.exe
 Code_Sample:
   - Code:
 Detection:

yml/OtherMSBinaries/Devinit.yml

@@ -12,8 +12,8 @@ Commands:
     MitreID: T1218.007
     OperatingSystem: Windows 10, Windows 11
 Full_Path:
-  - Path: C:\Program Files\Microsoft Visual Studio\*\Community\Common7\Tools\devinit\devinit.exe
-  - Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\Common7\Tools\devinit\devinit.exe
+  - Path: C:\Program Files\Microsoft Visual Studio\<version>\Community\Common7\Tools\devinit\devinit.exe
+  - Path: C:\Program Files (x86)\Microsoft Visual Studio\<version>\Community\Common7\Tools\devinit\devinit.exe
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml
 Resources:

yml/OtherMSBinaries/Dnx.yml

@@ -12,7 +12,7 @@ Commands:
     MitreID: T1127
     OperatingSystem: Windows
 Full_Path:
-  - Path: N/A
+  - Path: no default
 Code_Sample:
   - Code:
 Detection:

yml/OtherMSBinaries/DumpMinitool.yml

@@ -12,7 +12,7 @@ Commands:
     MitreID: T1003.001
     OperatingSystem: Windows 10, Windows 11
 Full_Path:
-  - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions
+  - Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions\DumpMinitool.exe
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml
   - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml

yml/OtherMSBinaries/Fsi.yml

@@ -19,7 +19,7 @@ Commands:
     MitreID: T1059
     OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
 Full_Path:
-  - Path: C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe
+  - Path: C:\Program Files\dotnet\sdk\<version>\FSharp\fsi.exe
   - Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe
 Code_Sample:
   - Code: https://gist.github.com/NickTyrer/51eb8c774a909634fa69b4d06fc79ae1

yml/OtherMSBinaries/Mftrace.yml

@@ -19,10 +19,10 @@ Commands:
     MitreID: T1127
     OperatingSystem: Windows
 Full_Path:
-  - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86
-  - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64
-  - Path: C:\Program Files (x86)\Windows Kits\10\bin\x86
-  - Path: C:\Program Files (x86)\Windows Kits\10\bin\x64
+  - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86\mftrace.exe
+  - Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64\mftrace.exe
+  - Path: C:\Program Files (x86)\Windows Kits\10\bin\x86\mftrace.exe
+  - Path: C:\Program Files (x86)\Windows Kits\10\bin\x64\mftrace.exe
 Code_Sample:
   - Code:
 Detection:

yml/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey.yml

@@ -12,8 +12,8 @@ Commands:
     MitreID: T1127
     OperatingSystem: Windows
 Full_Path:
-  - Path: C:\Program Files\Microsoft Visual Studio\*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
-  - Path: C:\Program Files (x86)\Microsoft Visual Studio\*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
+  - Path: C:\Program Files\Microsoft Visual Studio\<version>\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
+  - Path: C:\Program Files (x86)\Microsoft Visual Studio\<version>\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
 Detection:
   - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml
   - Sigma: https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml

yml/OtherMSBinaries/Squirrel.yml

@@ -40,7 +40,7 @@ Commands:
     MitreID: T1218
     OperatingSystem: Windows 7 and up with Microsoft Teams installed
 Full_Path:
-  - Path: '%localappdata%\Microsoft\Teams\current\Squirrel.exe'
+  - Path: 'C:\Users\<username>\AppData\Local\Microsoft\Teams\current\Squirrel.exe'
 Code_Sample:
   - Code: https://github.com/jreegun/POC-s/tree/master/nuget-squirrel
 Detection:

yml/OtherMSBinaries/Teams.yml

@@ -26,7 +26,7 @@ Commands:
     MitreID: T1218.015
     OperatingSystem: Windows 10, Windows 11
 Full_Path:
-  - Path: "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\Teams.exe"
+  - Path: 'C:\Users\<username>\AppData\Local\Microsoft\Teams\current\Teams.exe'
 Code_Sample:
   - Code: https://github.com/lltltk/LOLBAS-research/tree/master/Teams
 Detection:

yml/OtherMSBinaries/Update.yml

@@ -96,7 +96,7 @@ Commands:
     MitreID: T1070
     OperatingSystem: Windows 7 and up with Microsoft Teams installed
 Full_Path:
-  - Path: '%localappdata%\Microsoft\Teams\update.exe'
+  - Path: 'C:\Users\<username>\AppData\Local\Microsoft\Teams\update.exe'
 Code_Sample:
   - Code: https://github.com/jreegun/POC-s/tree/master/nuget-squirrel
 Detection:

yml/OtherMSBinaries/VisualUiaVerifyNative.yml

@@ -12,9 +12,9 @@ Commands:
     MitreID: T1218
     OperatingSystem: Windows 10 2004 (likely previous and newer versions as well)
 Full_Path:
-  - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe
-  - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe
-  - Path: c:\Program Files (x86)\Windows Kits\10\bin\[SDK version]\UIAVerify\VisualUiaVerifyNative.exe
+  - Path: c:\Program Files (x86)\Windows Kits\10\bin\<version>\arm64\UIAVerify\VisualUiaVerifyNative.exe
+  - Path: c:\Program Files (x86)\Windows Kits\10\bin\<version>\x64\UIAVerify\VisualUiaVerifyNative.exe
+  - Path: c:\Program Files (x86)\Windows Kits\10\bin\<version>\UIAVerify\VisualUiaVerifyNative.exe
 Code_Sample:
   - Code:
 Detection:

yml/OtherMSBinaries/VsLaunchBrowser.yml

@@ -28,8 +28,8 @@ Commands:
     MitreID: T1127
     OperatingSystem: Windows
 Full_Path:
-  - Path: C:\Program Files\Microsoft Visual Studio\{version}\Community\Common7\IDE\VSLaunchBrowser.exe
-  - Path: C:\Program Files (x86)\Microsoft Visual Studio\{version}\Community\Common7\IDE\VSLaunchBrowser.exe
+  - Path: C:\Program Files\Microsoft Visual Studio\<version>\Community\Common7\IDE\VSLaunchBrowser.exe
+  - Path: C:\Program Files (x86)\Microsoft Visual Studio\<version>\Community\Common7\IDE\VSLaunchBrowser.exe
 Detection:
   - IOC: cmd.exe as sub-process of VSLaunchBrowser
   - IOC: URL on a VSLaunchBrowser command line

yml/OtherMSBinaries/devtunnels.yml

@@ -12,8 +12,8 @@ Commands:
     MitreID: T1105
     OperatingSystem: Windows 10, Windows 11, MacOS
 Full_Path:
-  - Path: C:\Users\<username>\AppData\Local\Temp\.net\devtunnel\
-  - Path: C:\Users\<username>\AppData\Local\Temp\DevTunnels
+  - Path: C:\Users\<username>\AppData\Local\Temp\.net\devtunnel\devtunnel.exe
+  - Path: C:\Users\<username>\AppData\Local\Temp\DevTunnels\devtunnel.exe
 Detection:
   - IOC: devtunnel.exe binary spawned
   - IOC: '*.devtunnels.ms'

yml/OtherMSBinaries/xsd.yml

@@ -14,7 +14,7 @@ Commands:
     Tags:
       - Download: INetCache
 Full_Path:
-  - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\{version}\bin\NETFX {version} Tools\xsd.exe
+  - Path: C:\Program Files (x86)\Microsoft SDKs\Windows\<version>\bin\NETFX <version> Tools\xsd.exe
 Detection:
   - IOC: URL on a xsd.exe command line
   - IOC: xsd.exe making unexpected network connections or DNS requests