Merge branch 'master' into rule-devel

.github/workflows/pypi-publish.yml

@@ -1,27 +0,0 @@
-# This workflows will upload a Python Package using Twine when a release is created
-# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries
-
-name: Upload Sigmatools Package to PyPI
-on:
-  release:
-    types: [created]
-
-jobs:
-  deploy:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v2
-    - name: Set up Python
-      uses: actions/setup-python@v1
-      with:
-        python-version: '3.x'
-    - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
-        pip install setuptools wheel twine
-    - name: Build and publish
-      env:
-        TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }}
-        TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
-      run: |
-        make upload

.github/workflows/sigma-test.yml

@@ -8,7 +8,7 @@ on:
     branches:
       - "*"
   pull_request:
-    branches: [ master ]
+    branches: [ master, oscd ]
 
 jobs:
   test-sigma:
@@ -22,10 +22,11 @@ jobs:
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
-        pip install -r tools/requirements.txt -r tools/requirements-devel.txt
+        pip install pipenv
+        pipenv install --dev --deploy
     - name: Test Sigma Tools and Rules
       run: |
-        make test
+        pipenv run make test
     - name: Test SQL(ite) Backend
       run: |
-        make test-backend-sql
+        pipenv run make test-backend-sql

Pipfile

@@ -10,6 +10,9 @@ elasticsearch = "~=7.6"
 elasticsearch-async = "~=6.2"
 pytest = "~=5.4"
 colorama = "*"
+setuptools = "*"
+stix2 = "*"
+attackcti = "*"
 
 [packages]
 requests = "~=2.23"
@@ -19,4 +22,4 @@ pymisp = "~=2.4.123"
 PyYAML = "~=5.1"
 
 [requires]
-python_version = "~=3.8.2"
+python_version = "3.8"

Pipfile.lock

@@ -1,11 +1,11 @@
 {
     "_meta": {
         "hash": {
-            "sha256": "588c969e3c9cf945190a258f9607bbcc53ee9715d34e538b130a852459e4848a"
+            "sha256": "6f2116e6d1b332715efdc61c59a958c9226831cb7e19fcd4cea3f4c569d90687"
         },
         "pipfile-spec": 6,
         "requires": {
-            "python_version": "3.6"
+            "python_version": "3.8"
         },
         "sources": [
             {
@@ -21,6 +21,7 @@
                 "sha256:31b2eced602aa8423c2aea9c76a724617ed67cf9513173fd3a4f03e3a929c7e6",
                 "sha256:832aa3cde19744e49938b91fea06d69ecb9e649c93ba974535d08ad92164f700"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==20.3.0"
         },
         "certifi": {
@@ -32,33 +33,28 @@
         },
         "chardet": {
             "hashes": [
-                "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae",
-                "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691"
+                "sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa",
+                "sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5"
             ],
-            "version": "==3.0.4"
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
+            "version": "==4.0.0"
         },
         "deprecated": {
             "hashes": [
-                "sha256:471ec32b2755172046e28102cd46c481f21c6036a0ec027521eba8521aa4ef35",
-                "sha256:924b6921f822b64ec54f49be6700a126bab0640cfafca78f22c9d429ed590560"
+                "sha256:08452d69b6b5bc66e8330adde0a4f8642e969b9e1702904d137eeb29c8ffc771",
+                "sha256:6d2de2de7931a968874481ef30208fd4e08da39177d61d3d4ebdf4366e7dbca1"
             ],
-            "version": "==1.2.11"
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
+            "version": "==1.2.12"
         },
         "idna": {
             "hashes": [
                 "sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6",
                 "sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==2.10"
         },
-        "importlib-metadata": {
-            "hashes": [
-                "sha256:24499ffde1b80be08284100393955842be4a59c7c16bbf2738aad0e464a8e0aa",
-                "sha256:c6af5dbf1126cd959c4a8d8efd61d4d3c83bddb0459a17e554284a077574b614"
-            ],
-            "markers": "python_version < '3.8'",
-            "version": "==3.7.0"
-        },
         "jsonschema": {
             "hashes": [
                 "sha256:4e5b3cf8216f577bee9ce139cbe72eca3ea4f292ec60928ff24758ce626cd163",
@@ -68,24 +64,25 @@
         },
         "progressbar2": {
             "hashes": [
-                "sha256:2c21c14482016162852c8265da03886c2b4dea6f84e5a817ad9b39f6bd82a772",
-                "sha256:7849b84c01a39e4eddd2b369a129fed5e24dfb78d484ae63f9e08e58277a2928"
+                "sha256:ef72be284e7f2b61ac0894b44165926f13f5d995b2bf3cd8a8dedc6224b255a7",
+                "sha256:fe2738e7ecb7df52ad76307fe610c460c52b50f5335fd26c3ab80ff7655ba1e0"
             ],
             "index": "pypi",
-            "version": "==3.50.1"
+            "version": "==3.53.1"
         },
         "pymisp": {
             "hashes": [
-                "sha256:1d27bc81ed492b5e6e216d099dcadf943d5c0c09457d6464ed33db8da39d0fdd",
-                "sha256:318cb9cee371ce3918b3216e2c1a61938747203f89f9d42d4e4a51b40066f9b3"
+                "sha256:7ab159ba589f54d105c59cb990722369c57d8f587b5df215a79ed4059cb57b8a",
+                "sha256:c6496a6884fe3a671e9dd3c314564b4e94b8827845f5ea0004ab3649373e9db2"
             ],
             "index": "pypi",
-            "version": "==2.4.123"
+            "version": "==2.4.141.1"
         },
         "pyrsistent": {
             "hashes": [
                 "sha256:2e636185d9eb976a18a8a8e96efce62f2905fea90041958d8cc2a189756ebf3e"
             ],
+            "markers": "python_version >= '3.5'",
             "version": "==0.17.3"
         },
         "python-dateutil": {
@@ -93,6 +90,7 @@
                 "sha256:73ebfe9dbf22e832286dafa60473e4cd239f8592f699aa5adaf10050e6e1823c",
                 "sha256:75bb3f31ea686f1197762692a9ee6a7550b59fc6ca3a1f4b5d7e32fb98e2da2a"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==2.8.1"
         },
         "python-utils": {
@@ -104,184 +102,233 @@
         },
         "pyyaml": {
             "hashes": [
-                "sha256:1adecc22f88d38052fb787d959f003811ca858b799590a5eaa70e63dca50308c",
-                "sha256:436bc774ecf7c103814098159fbb84c2715d25980175292c648f2da143909f95",
-                "sha256:460a5a4248763f6f37ea225d19d5c205677d8d525f6a83357ca622ed541830c2",
-                "sha256:5a22a9c84653debfbf198d02fe592c176ea548cccce47553f35f466e15cf2fd4",
-                "sha256:7a5d3f26b89d688db27822343dfa25c599627bc92093e788956372285c6298ad",
-                "sha256:9372b04a02080752d9e6f990179a4ab840227c6e2ce15b95e1278456664cf2ba",
-                "sha256:a5dcbebee834eaddf3fa7366316b880ff4062e4bcc9787b78c7fbb4a26ff2dd1",
-                "sha256:aee5bab92a176e7cd034e57f46e9df9a9862a71f8f37cad167c6fc74c65f5b4e",
-                "sha256:c51f642898c0bacd335fc119da60baae0824f2cde95b0330b56c0553439f0673",
-                "sha256:c68ea4d3ba1705da1e0d85da6684ac657912679a649e8868bd850d2c299cce13",
-                "sha256:e23d0cc5299223dcc37885dae624f382297717e459ea24053709675a976a3e19"
+                "sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf",
+                "sha256:0f5f5786c0e09baddcd8b4b45f20a7b5d61a7e7e99846e3c799b05c7c53fa696",
+                "sha256:129def1b7c1bf22faffd67b8f3724645203b79d8f4cc81f674654d9902cb4393",
+                "sha256:294db365efa064d00b8d1ef65d8ea2c3426ac366c0c4368d930bf1c5fb497f77",
+                "sha256:3b2b1824fe7112845700f815ff6a489360226a5609b96ec2190a45e62a9fc922",
+                "sha256:3bd0e463264cf257d1ffd2e40223b197271046d09dadf73a0fe82b9c1fc385a5",
+                "sha256:4465124ef1b18d9ace298060f4eccc64b0850899ac4ac53294547536533800c8",
+                "sha256:49d4cdd9065b9b6e206d0595fee27a96b5dd22618e7520c33204a4a3239d5b10",
+                "sha256:4e0583d24c881e14342eaf4ec5fbc97f934b999a6828693a99157fde912540cc",
+                "sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018",
+                "sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e",
+                "sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253",
+                "sha256:72a01f726a9c7851ca9bfad6fd09ca4e090a023c00945ea05ba1638c09dc3347",
+                "sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183",
+                "sha256:895f61ef02e8fed38159bb70f7e100e00f471eae2bc838cd0f4ebb21e28f8541",
+                "sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb",
+                "sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185",
+                "sha256:bfb51918d4ff3d77c1c856a9699f8492c612cde32fd3bcd344af9be34999bfdc",
+                "sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db",
+                "sha256:cb333c16912324fd5f769fff6bc5de372e9e7a202247b48870bc251ed40239aa",
+                "sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46",
+                "sha256:d483ad4e639292c90170eb6f7783ad19490e7a8defb3e46f97dfe4bacae89122",
+                "sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b",
+                "sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63",
+                "sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df",
+                "sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc",
+                "sha256:fd7f6999a8070df521b6384004ef42833b9bd62cfee11a09bda1079b4b704247",
+                "sha256:fdc842473cd33f45ff6bce46aea678a54e3d21f1b61a7750ce3c498eedfe25d6",
+                "sha256:fe69978f3f768926cfa37b867e3843918e012cf83f680806599ddce33c2c68b0"
             ],
             "index": "pypi",
-            "version": "==5.1"
+            "version": "==5.4.1"
         },
         "requests": {
             "hashes": [
-                "sha256:43999036bfa82904b6af1d99e4882b560e5e2c68e5c4b0aa03b655f3d7d73fee",
-                "sha256:b3f43d496c6daba4493e7c431722aeb7dbc6288f52a6e04e7b6023b0247817e6"
+                "sha256:27973dd4a904a4f13b263a19c866c13b92a39ed1c964655f025f3f8d3d75b804",
+                "sha256:c210084e36a42ae6b9219e00e48287def368a26d03a048ddad7bfee44f75871e"
             ],
             "index": "pypi",
-            "version": "==2.23.0"
+            "version": "==2.25.1"
         },
         "six": {
             "hashes": [
                 "sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259",
                 "sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==1.15.0"
         },
-        "typing-extensions": {
-            "hashes": [
-                "sha256:7cb407020f00f7bfc3cb3e7881628838e69d8f3fcab2f64742a5e76b2f841918",
-                "sha256:99d4073b617d30288f569d3f13d2bd7548c3a7e4c8de87db09a9d29bb3a4a60c",
-                "sha256:dafc7639cde7f1b6e1acc0f457842a83e722ccca8eef5270af2d74792619a89f"
-            ],
-            "markers": "python_version < '3.8'",
-            "version": "==3.7.4.3"
-        },
         "urllib3": {
             "hashes": [
-                "sha256:2f3db8b19923a873b3e5256dc9c2dedfa883e33d87c690d9c7913e1f40673cdc",
-                "sha256:87716c2d2a7121198ebcb7ce7cccf6ce5e9ba539041cfbaeecfb641dc0bf6acc"
+                "sha256:2f4da4594db7e1e110a944bb1b551fdf4e6c136ad42e4234131391e21eb5b0df",
+                "sha256:e7b021f7241115872f92f43c6508082facffbd1c048e3c6e2bb9c2a157e28937"
             ],
             "index": "pypi",
-            "version": "==1.25.8"
+            "version": "==1.26.4"
         },
         "wrapt": {
             "hashes": [
                 "sha256:b62ffa81fb85f4332a4f609cab4ac40709470da05643a082ec1eb88e6d9b97d7"
             ],
             "version": "==1.12.1"
-        },
-        "zipp": {
-            "hashes": [
-                "sha256:102c24ef8f171fd729d46599845e95c7ab894a4cf45f5de11a44cc7444fb1108",
-                "sha256:ed5eee1974372595f9e416cc7bbeeb12335201d8081ca8a0743c954d4446e5cb"
-            ],
-            "version": "==3.4.0"
         }
     },
     "develop": {
         "aiohttp": {
             "hashes": [
-                "sha256:119feb2bd551e58d83d1b38bfa4cb921af8ddedec9fad7183132db334c3133e0",
-                "sha256:16d0683ef8a6d803207f02b899c928223eb219111bd52420ef3d7a8aa76227b6",
-                "sha256:2eb3efe243e0f4ecbb654b08444ae6ffab37ac0ef8f69d3a2ffb958905379daf",
-                "sha256:2ffea7904e70350da429568113ae422c88d2234ae776519549513c8f217f58a9",
-                "sha256:40bd1b101b71a18a528ffce812cc14ff77d4a2a1272dfb8b11b200967489ef3e",
-                "sha256:418597633b5cd9639e514b1d748f358832c08cd5d9ef0870026535bd5eaefdd0",
-                "sha256:481d4b96969fbfdcc3ff35eea5305d8565a8300410d3d269ccac69e7256b1329",
-                "sha256:4c1bdbfdd231a20eee3e56bd0ac1cd88c4ff41b64ab679ed65b75c9c74b6c5c2",
-                "sha256:5563ad7fde451b1986d42b9bb9140e2599ecf4f8e42241f6da0d3d624b776f40",
-                "sha256:58c62152c4c8731a3152e7e650b29ace18304d086cb5552d317a54ff2749d32a",
-                "sha256:5b50e0b9460100fe05d7472264d1975f21ac007b35dcd6fd50279b72925a27f4",
-                "sha256:5d84ecc73141d0a0d61ece0742bb7ff5751b0657dab8405f899d3ceb104cc7de",
-                "sha256:5dde6d24bacac480be03f4f864e9a67faac5032e28841b00533cd168ab39cad9",
-                "sha256:5e91e927003d1ed9283dee9abcb989334fc8e72cf89ebe94dc3e07e3ff0b11e9",
-                "sha256:62bc216eafac3204877241569209d9ba6226185aa6d561c19159f2e1cbb6abfb",
-                "sha256:6c8200abc9dc5f27203986100579fc19ccad7a832c07d2bc151ce4ff17190076",
-                "sha256:6ca56bdfaf825f4439e9e3673775e1032d8b6ea63b8953d3812c71bd6a8b81de",
-                "sha256:71680321a8a7176a58dfbc230789790639db78dad61a6e120b39f314f43f1907",
-                "sha256:7c7820099e8b3171e54e7eedc33e9450afe7cd08172632d32128bd527f8cb77d",
-                "sha256:7dbd087ff2f4046b9b37ba28ed73f15fd0bc9f4fdc8ef6781913da7f808d9536",
-                "sha256:822bd4fd21abaa7b28d65fc9871ecabaddc42767884a626317ef5b75c20e8a2d",
-                "sha256:8ec1a38074f68d66ccb467ed9a673a726bb397142c273f90d4ba954666e87d54",
-                "sha256:950b7ef08b2afdab2488ee2edaff92a03ca500a48f1e1aaa5900e73d6cf992bc",
-                "sha256:99c5a5bf7135607959441b7d720d96c8e5c46a1f96e9d6d4c9498be8d5f24212",
-                "sha256:b84ad94868e1e6a5e30d30ec419956042815dfaea1b1df1cef623e4564c374d9",
-                "sha256:bc3d14bf71a3fb94e5acf5bbf67331ab335467129af6416a437bd6024e4f743d",
-                "sha256:c2a80fd9a8d7e41b4e38ea9fe149deed0d6aaede255c497e66b8213274d6d61b",
-                "sha256:c44d3c82a933c6cbc21039326767e778eface44fca55c65719921c4b9661a3f7",
-                "sha256:cc31e906be1cc121ee201adbdf844522ea3349600dd0a40366611ca18cd40e81",
-                "sha256:d5d102e945ecca93bcd9801a7bb2fa703e37ad188a2f81b1e65e4abe4b51b00c",
-                "sha256:dd7936f2a6daa861143e376b3a1fb56e9b802f4980923594edd9ca5670974895",
-                "sha256:dee68ec462ff10c1d836c0ea2642116aba6151c6880b688e56b4c0246770f297",
-                "sha256:e76e78863a4eaec3aee5722d85d04dcbd9844bc6cd3bfa6aa880ff46ad16bfcb",
-                "sha256:eab51036cac2da8a50d7ff0ea30be47750547c9aa1aa2cf1a1b710a1827e7dbe",
-                "sha256:f4496d8d04da2e98cc9133e238ccebf6a13ef39a93da2e87146c8c8ac9768242",
-                "sha256:fbd3b5e18d34683decc00d9a360179ac1e7a320a5fee10ab8053ffd6deab76e0",
-                "sha256:feb24ff1226beeb056e247cf2e24bba5232519efb5645121c4aea5b6ad74c1f2"
+                "sha256:02f46fc0e3c5ac58b80d4d56eb0a7c7d97fcef69ace9326289fb9f1955e65cfe",
+                "sha256:0563c1b3826945eecd62186f3f5c7d31abb7391fedc893b7e2b26303b5a9f3fe",
+                "sha256:114b281e4d68302a324dd33abb04778e8557d88947875cbf4e842c2c01a030c5",
+                "sha256:14762875b22d0055f05d12abc7f7d61d5fd4fe4642ce1a249abdf8c700bf1fd8",
+                "sha256:15492a6368d985b76a2a5fdd2166cddfea5d24e69eefed4630cbaae5c81d89bd",
+                "sha256:17c073de315745a1510393a96e680d20af8e67e324f70b42accbd4cb3315c9fb",
+                "sha256:209b4a8ee987eccc91e2bd3ac36adee0e53a5970b8ac52c273f7f8fd4872c94c",
+                "sha256:230a8f7e24298dea47659251abc0fd8b3c4e38a664c59d4b89cca7f6c09c9e87",
+                "sha256:2e19413bf84934d651344783c9f5e22dee452e251cfd220ebadbed2d9931dbf0",
+                "sha256:393f389841e8f2dfc86f774ad22f00923fdee66d238af89b70ea314c4aefd290",
+                "sha256:3cf75f7cdc2397ed4442594b935a11ed5569961333d49b7539ea741be2cc79d5",
+                "sha256:3d78619672183be860b96ed96f533046ec97ca067fd46ac1f6a09cd9b7484287",
+                "sha256:40eced07f07a9e60e825554a31f923e8d3997cfc7fb31dbc1328c70826e04cde",
+                "sha256:493d3299ebe5f5a7c66b9819eacdcfbbaaf1a8e84911ddffcdc48888497afecf",
+                "sha256:4b302b45040890cea949ad092479e01ba25911a15e648429c7c5aae9650c67a8",
+                "sha256:515dfef7f869a0feb2afee66b957cc7bbe9ad0cdee45aec7fdc623f4ecd4fb16",
+                "sha256:547da6cacac20666422d4882cfcd51298d45f7ccb60a04ec27424d2f36ba3eaf",
+                "sha256:5df68496d19f849921f05f14f31bd6ef53ad4b00245da3195048c69934521809",
+                "sha256:64322071e046020e8797117b3658b9c2f80e3267daec409b350b6a7a05041213",
+                "sha256:7615dab56bb07bff74bc865307aeb89a8bfd9941d2ef9d817b9436da3a0ea54f",
+                "sha256:79ebfc238612123a713a457d92afb4096e2148be17df6c50fb9bf7a81c2f8013",
+                "sha256:7b18b97cf8ee5452fa5f4e3af95d01d84d86d32c5e2bfa260cf041749d66360b",
+                "sha256:932bb1ea39a54e9ea27fc9232163059a0b8855256f4052e776357ad9add6f1c9",
+                "sha256:a00bb73540af068ca7390e636c01cbc4f644961896fa9363154ff43fd37af2f5",
+                "sha256:a5ca29ee66f8343ed336816c553e82d6cade48a3ad702b9ffa6125d187e2dedb",
+                "sha256:af9aa9ef5ba1fd5b8c948bb11f44891968ab30356d65fd0cc6707d989cd521df",
+                "sha256:bb437315738aa441251214dad17428cafda9cdc9729499f1d6001748e1d432f4",
+                "sha256:bdb230b4943891321e06fc7def63c7aace16095be7d9cf3b1e01be2f10fba439",
+                "sha256:c6e9dcb4cb338d91a73f178d866d051efe7c62a7166653a91e7d9fb18274058f",
+                "sha256:cffe3ab27871bc3ea47df5d8f7013945712c46a3cc5a95b6bee15887f1675c22",
+                "sha256:d012ad7911653a906425d8473a1465caa9f8dea7fcf07b6d870397b774ea7c0f",
+                "sha256:d9e13b33afd39ddeb377eff2c1c4f00544e191e1d1dee5b6c51ddee8ea6f0cf5",
+                "sha256:e4b2b334e68b18ac9817d828ba44d8fcb391f6acb398bcc5062b14b2cbeac970",
+                "sha256:e54962802d4b8b18b6207d4a927032826af39395a3bd9196a5af43fc4e60b009",
+                "sha256:f705e12750171c0ab4ef2a3c76b9a4024a62c4103e3a55dd6f99265b9bc6fcfc",
+                "sha256:f881853d2643a29e643609da57b96d5f9c9b93f62429dcc1cbb413c7d07f0e1a",
+                "sha256:fe60131d21b31fd1a14bd43e6bb88256f69dfc3188b3a89d736d6c71ed43ec95"
             ],
-            "index": "pypi",
-            "version": "==3.7.4"
+            "markers": "python_version >= '3.6'",
+            "version": "==3.7.4.post0"
+        },
+        "antlr4-python3-runtime": {
+            "hashes": [
+                "sha256:15793f5d0512a372b4e7d2284058ad32ce7dd27126b105fb0b2245130445db33"
+            ],
+            "markers": "python_version >= '3'",
+            "version": "==4.8"
         },
         "async-timeout": {
             "hashes": [
                 "sha256:0c3c816a028d47f659d6ff5c745cb2acf1f966da1fe5c19c77a70282b25f4c5f",
                 "sha256:4291ca197d287d274d0b6cb5d6f8f8f82d434ed288f962539ff18cc9012f9ea3"
             ],
+            "markers": "python_full_version >= '3.5.3'",
             "version": "==3.0.1"
         },
+        "attackcti": {
+            "hashes": [
+                "sha256:60059c597f39074db979482931c8771c31581c76e0ae6451c04214a1330a5d2f",
+                "sha256:a0c44c7065d2568b728e62a8325b0c5fde9d6901e4e0199bde7a9bab974bdcb9"
+            ],
+            "index": "pypi",
+            "version": "==0.3.4.3"
+        },
         "attrs": {
             "hashes": [
                 "sha256:31b2eced602aa8423c2aea9c76a724617ed67cf9513173fd3a4f03e3a929c7e6",
                 "sha256:832aa3cde19744e49938b91fea06d69ecb9e649c93ba974535d08ad92164f700"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==20.3.0"
         },
+        "certifi": {
+            "hashes": [
+                "sha256:1a4995114262bffbc2413b159f2a1a480c969de6e6eb13ee966d470af86af59c",
+                "sha256:719a74fb9e33b9bd44cc7f3a8d94bc35e4049deebe19ba7d8e108280cfd59830"
+            ],
+            "version": "==2020.12.5"
+        },
         "chardet": {
             "hashes": [
-                "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae",
-                "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691"
+                "sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa",
+                "sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5"
             ],
-            "version": "==3.0.4"
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
+            "version": "==4.0.0"
         },
         "colorama": {
             "hashes": [
-                "sha256:7d73d2a99753107a36ac6b455ee49046802e59d9d076ef8e47b61499fa29afff",
-                "sha256:e96da0d330793e2cb9485e9ddfd918d456036c7149416295932478192f4436a1"
+                "sha256:5941b2b48a20143d2267e95b1c2a7603ce057ee39fd88e7329b0c292aa16869b",
+                "sha256:9f47eda37229f68eee03b24b9748937c7dc3868f906e8ba69fbcbdd3bc5dc3e2"
             ],
             "index": "pypi",
-            "version": "==0.4.3"
+            "version": "==0.4.4"
         },
         "coverage": {
             "hashes": [
-                "sha256:03f630aba2b9b0d69871c2e8d23a69b7fe94a1e2f5f10df5049c0df99db639a0",
-                "sha256:046a1a742e66d065d16fb564a26c2a15867f17695e7f3d358d7b1ad8a61bca30",
-                "sha256:0a907199566269e1cfa304325cc3b45c72ae341fbb3253ddde19fa820ded7a8b",
-                "sha256:165a48268bfb5a77e2d9dbb80de7ea917332a79c7adb747bd005b3a07ff8caf0",
-                "sha256:1b60a95fc995649464e0cd48cecc8288bac5f4198f21d04b8229dc4097d76823",
-                "sha256:1f66cf263ec77af5b8fe14ef14c5e46e2eb4a795ac495ad7c03adc72ae43fafe",
-                "sha256:2e08c32cbede4a29e2a701822291ae2bc9b5220a971bba9d1e7615312efd3037",
-                "sha256:3844c3dab800ca8536f75ae89f3cf566848a3eb2af4d9f7b1103b4f4f7a5dad6",
-                "sha256:408ce64078398b2ee2ec08199ea3fcf382828d2f8a19c5a5ba2946fe5ddc6c31",
-                "sha256:443be7602c790960b9514567917af538cac7807a7c0c0727c4d2bbd4014920fd",
-                "sha256:4482f69e0701139d0f2c44f3c395d1d1d37abd81bfafbf9b6efbe2542679d892",
-                "sha256:4a8a259bf990044351baf69d3b23e575699dd60b18460c71e81dc565f5819ac1",
-                "sha256:513e6526e0082c59a984448f4104c9bf346c2da9961779ede1fc458e8e8a1f78",
-                "sha256:5f587dfd83cb669933186661a351ad6fc7166273bc3e3a1531ec5c783d997aac",
-                "sha256:62061e87071497951155cbccee487980524d7abea647a1b2a6eb6b9647df9006",
-                "sha256:641e329e7f2c01531c45c687efcec8aeca2a78a4ff26d49184dce3d53fc35014",
-                "sha256:65a7e00c00472cd0f59ae09d2fb8a8aaae7f4a0cf54b2b74f3138d9f9ceb9cb2",
-                "sha256:6ad6ca45e9e92c05295f638e78cd42bfaaf8ee07878c9ed73e93190b26c125f7",
-                "sha256:73aa6e86034dad9f00f4bbf5a666a889d17d79db73bc5af04abd6c20a014d9c8",
-                "sha256:7c9762f80a25d8d0e4ab3cb1af5d9dffbddb3ee5d21c43e3474c84bf5ff941f7",
-                "sha256:85596aa5d9aac1bf39fe39d9fa1051b0f00823982a1de5766e35d495b4a36ca9",
-                "sha256:86a0ea78fd851b313b2e712266f663e13b6bc78c2fb260b079e8b67d970474b1",
-                "sha256:8a620767b8209f3446197c0e29ba895d75a1e272a36af0786ec70fe7834e4307",
-                "sha256:922fb9ef2c67c3ab20e22948dcfd783397e4c043a5c5fa5ff5e9df5529074b0a",
-                "sha256:9fad78c13e71546a76c2f8789623eec8e499f8d2d799f4b4547162ce0a4df435",
-                "sha256:a37c6233b28e5bc340054cf6170e7090a4e85069513320275a4dc929144dccf0",
-                "sha256:c3fc325ce4cbf902d05a80daa47b645d07e796a80682c1c5800d6ac5045193e5",
-                "sha256:cda33311cb9fb9323958a69499a667bd728a39a7aa4718d7622597a44c4f1441",
-                "sha256:db1d4e38c9b15be1521722e946ee24f6db95b189d1447fa9ff18dd16ba89f732",
-                "sha256:eda55e6e9ea258f5e4add23bcf33dc53b2c319e70806e180aecbff8d90ea24de",
-                "sha256:f372cdbb240e09ee855735b9d85e7f50730dcfb6296b74b95a3e5dea0615c4c1"
+                "sha256:004d1880bed2d97151facef49f08e255a20ceb6f9432df75f4eef018fdd5a78c",
+                "sha256:01d84219b5cdbfc8122223b39a954820929497a1cb1422824bb86b07b74594b6",
+                "sha256:040af6c32813fa3eae5305d53f18875bedd079960822ef8ec067a66dd8afcd45",
+                "sha256:06191eb60f8d8a5bc046f3799f8a07a2d7aefb9504b0209aff0b47298333302a",
+                "sha256:13034c4409db851670bc9acd836243aeee299949bd5673e11844befcb0149f03",
+                "sha256:13c4ee887eca0f4c5a247b75398d4114c37882658300e153113dafb1d76de529",
+                "sha256:184a47bbe0aa6400ed2d41d8e9ed868b8205046518c52464fde713ea06e3a74a",
+                "sha256:18ba8bbede96a2c3dde7b868de9dcbd55670690af0988713f0603f037848418a",
+                "sha256:1aa846f56c3d49205c952d8318e76ccc2ae23303351d9270ab220004c580cfe2",
+                "sha256:217658ec7187497e3f3ebd901afdca1af062b42cfe3e0dafea4cced3983739f6",
+                "sha256:24d4a7de75446be83244eabbff746d66b9240ae020ced65d060815fac3423759",
+                "sha256:2910f4d36a6a9b4214bb7038d537f015346f413a975d57ca6b43bf23d6563b53",
+                "sha256:2949cad1c5208b8298d5686d5a85b66aae46d73eec2c3e08c817dd3513e5848a",
+                "sha256:2a3859cb82dcbda1cfd3e6f71c27081d18aa251d20a17d87d26d4cd216fb0af4",
+                "sha256:2cafbbb3af0733db200c9b5f798d18953b1a304d3f86a938367de1567f4b5bff",
+                "sha256:2e0d881ad471768bf6e6c2bf905d183543f10098e3b3640fc029509530091502",
+                "sha256:30c77c1dc9f253283e34c27935fded5015f7d1abe83bc7821680ac444eaf7793",
+                "sha256:3487286bc29a5aa4b93a072e9592f22254291ce96a9fbc5251f566b6b7343cdb",
+                "sha256:372da284cfd642d8e08ef606917846fa2ee350f64994bebfbd3afb0040436905",
+                "sha256:41179b8a845742d1eb60449bdb2992196e211341818565abded11cfa90efb821",
+                "sha256:44d654437b8ddd9eee7d1eaee28b7219bec228520ff809af170488fd2fed3e2b",
+                "sha256:4a7697d8cb0f27399b0e393c0b90f0f1e40c82023ea4d45d22bce7032a5d7b81",
+                "sha256:51cb9476a3987c8967ebab3f0fe144819781fca264f57f89760037a2ea191cb0",
+                "sha256:52596d3d0e8bdf3af43db3e9ba8dcdaac724ba7b5ca3f6358529d56f7a166f8b",
+                "sha256:53194af30d5bad77fcba80e23a1441c71abfb3e01192034f8246e0d8f99528f3",
+                "sha256:5fec2d43a2cc6965edc0bb9e83e1e4b557f76f843a77a2496cbe719583ce8184",
+                "sha256:6c90e11318f0d3c436a42409f2749ee1a115cd8b067d7f14c148f1ce5574d701",
+                "sha256:74d881fc777ebb11c63736622b60cb9e4aee5cace591ce274fb69e582a12a61a",
+                "sha256:7501140f755b725495941b43347ba8a2777407fc7f250d4f5a7d2a1050ba8e82",
+                "sha256:796c9c3c79747146ebd278dbe1e5c5c05dd6b10cc3bcb8389dfdf844f3ead638",
+                "sha256:869a64f53488f40fa5b5b9dcb9e9b2962a66a87dab37790f3fcfb5144b996ef5",
+                "sha256:8963a499849a1fc54b35b1c9f162f4108017b2e6db2c46c1bed93a72262ed083",
+                "sha256:8d0a0725ad7c1a0bcd8d1b437e191107d457e2ec1084b9f190630a4fb1af78e6",
+                "sha256:900fbf7759501bc7807fd6638c947d7a831fc9fdf742dc10f02956ff7220fa90",
+                "sha256:92b017ce34b68a7d67bd6d117e6d443a9bf63a2ecf8567bb3d8c6c7bc5014465",
+                "sha256:970284a88b99673ccb2e4e334cfb38a10aab7cd44f7457564d11898a74b62d0a",
+                "sha256:972c85d205b51e30e59525694670de6a8a89691186012535f9d7dbaa230e42c3",
+                "sha256:9a1ef3b66e38ef8618ce5fdc7bea3d9f45f3624e2a66295eea5e57966c85909e",
+                "sha256:af0e781009aaf59e25c5a678122391cb0f345ac0ec272c7961dc5455e1c40066",
+                "sha256:b6d534e4b2ab35c9f93f46229363e17f63c53ad01330df9f2d6bd1187e5eaacf",
+                "sha256:b7895207b4c843c76a25ab8c1e866261bcfe27bfaa20c192de5190121770672b",
+                "sha256:c0891a6a97b09c1f3e073a890514d5012eb256845c451bd48f7968ef939bf4ae",
+                "sha256:c2723d347ab06e7ddad1a58b2a821218239249a9e4365eaff6649d31180c1669",
+                "sha256:d1f8bf7b90ba55699b3a5e44930e93ff0189aa27186e96071fac7dd0d06a1873",
+                "sha256:d1f9ce122f83b2305592c11d64f181b87153fc2c2bbd3bb4a3dde8303cfb1a6b",
+                "sha256:d314ed732c25d29775e84a960c3c60808b682c08d86602ec2c3008e1202e3bb6",
+                "sha256:d636598c8305e1f90b439dbf4f66437de4a5e3c31fdf47ad29542478c8508bbb",
+                "sha256:deee1077aae10d8fa88cb02c845cfba9b62c55e1183f52f6ae6a2df6a2187160",
+                "sha256:ebe78fe9a0e874362175b02371bdfbee64d8edc42a044253ddf4ee7d3c15212c",
+                "sha256:f030f8873312a16414c0d8e1a1ddff2d3235655a2174e3648b4fa66b3f2f1079",
+                "sha256:f0b278ce10936db1a37e6954e15a3730bea96a0997c26d7fee88e6c396c2086d",
+                "sha256:f11642dddbb0253cc8853254301b51390ba0081750a8ac03f20ea8103f0c56b6"
             ],
             "index": "pypi",
-            "version": "==5.0.4"
+            "version": "==5.5"
         },
         "elasticsearch": {
             "hashes": [
-                "sha256:d228b2d37ac0865f7631335268172dbdaa426adec1da3ed006dddf05134f89c8",
-                "sha256:f4bb05cfe55cf369bdcb4d86d0129d39d66a91fd9517b13cd4e4231fbfcf5c81"
+                "sha256:9a77172be02bc4855210d83f0f1346a1e7d421e3cb2ca47ba81ac0c5a717b3a0",
+                "sha256:c67b0f6541eda6de9f92eaea319c070aa2710c5d4d4ee5e3dfa3c21bd95aa378"
             ],
             "index": "pypi",
-            "version": "==7.6.0"
+            "version": "==7.12.0"
         },
         "elasticsearch-async": {
             "hashes": [
@@ -296,28 +343,15 @@
                 "sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6",
                 "sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==2.10"
         },
-        "idna-ssl": {
-            "hashes": [
-                "sha256:a933e3bb13da54383f9e8f35dc4f9cb9eb9b3b78c6b36f311254d6d0d92c6c7c"
-            ],
-            "markers": "python_version < '3.7'",
-            "version": "==1.1.0"
-        },
-        "importlib-metadata": {
-            "hashes": [
-                "sha256:24499ffde1b80be08284100393955842be4a59c7c16bbf2738aad0e464a8e0aa",
-                "sha256:c6af5dbf1126cd959c4a8d8efd61d4d3c83bddb0459a17e554284a077574b614"
-            ],
-            "markers": "python_version < '3.8'",
-            "version": "==3.7.0"
-        },
         "more-itertools": {
             "hashes": [
                 "sha256:5652a9ac72209ed7df8d9c15daf4e1aa0e3d2ccd3c87f8265a0673cd9cbc9ced",
                 "sha256:c5d6da9ca3ff65220c3bfd2a8db06d698f05d4d2b9be57e1deb2be5a45019713"
             ],
+            "markers": "python_version >= '3.5'",
             "version": "==8.7.0"
         },
         "multidict": {
@@ -360,6 +394,7 @@
                 "sha256:f21756997ad8ef815d8ef3d34edd98804ab5ea337feedcd62fb52d22bf531281",
                 "sha256:fc13a9524bc18b6fb6e0dbec3533ba0496bbed167c56d0aabefd965584557d80"
             ],
+            "markers": "python_version >= '3.6'",
             "version": "==5.1.0"
         },
         "packaging": {
@@ -367,6 +402,7 @@
                 "sha256:5b327ac1320dc863dca72f4514ecc086f31186744b84a230374cc1fd776feae5",
                 "sha256:67714da7f7bc052e064859c05c595155bd1ee9f69f76557e21f051443c20947a"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==20.9"
         },
         "pathspec": {
@@ -381,6 +417,7 @@
                 "sha256:15b2acde666561e1298d71b523007ed7364de07029219b604cf808bfa1c765b0",
                 "sha256:966c145cd83c96502c3c3868f50408687b38434af77734af1e9ca461a4081d2d"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==0.13.1"
         },
         "py": {
@@ -388,6 +425,7 @@
                 "sha256:21b81bda15b66ef5e1a777a21c4dcd9c20ad3efd0b3f817e7a809035269e1bd3",
                 "sha256:3b80836aa6d1feeaa108e046da6423ab8f6ceda6468545ae8d02d9d58d18818a"
             ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==1.10.0"
         },
         "pyparsing": {
@@ -395,32 +433,147 @@
                 "sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1",
                 "sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b"
             ],
+            "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'",
             "version": "==2.4.7"
         },
         "pytest": {
             "hashes": [
-                "sha256:0e5b30f5cb04e887b91b1ee519fa3d89049595f428c1db76e73bd7f17b09b172",
-                "sha256:84dde37075b8805f3d1f392cc47e38a0e59518fb46a431cfdaf7cf1ce805f970"
+                "sha256:5c0db86b698e8f170ba4582a492248919255fcd4c79b1ee64ace34301fb589a1",
+                "sha256:7979331bfcba207414f5e1263b5a0f8f521d0f457318836a7355531ed1a4c7d8"
+            ],
+            "index": "pypi",
+            "version": "==5.4.3"
+        },
+        "pytz": {
+            "hashes": [
+                "sha256:83a4a90894bf38e243cf052c8b58f381bfe9a7a483f6a9cab140bc7f702ac4da",
+                "sha256:eb10ce3e7736052ed3623d49975ce333bcd712c7bb19a58b9e2089d4057d0798"
+            ],
+            "version": "==2021.1"
+        },
+        "pyyaml": {
+            "hashes": [
+                "sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf",
+                "sha256:0f5f5786c0e09baddcd8b4b45f20a7b5d61a7e7e99846e3c799b05c7c53fa696",
+                "sha256:129def1b7c1bf22faffd67b8f3724645203b79d8f4cc81f674654d9902cb4393",
+                "sha256:294db365efa064d00b8d1ef65d8ea2c3426ac366c0c4368d930bf1c5fb497f77",
+                "sha256:3b2b1824fe7112845700f815ff6a489360226a5609b96ec2190a45e62a9fc922",
+                "sha256:3bd0e463264cf257d1ffd2e40223b197271046d09dadf73a0fe82b9c1fc385a5",
+                "sha256:4465124ef1b18d9ace298060f4eccc64b0850899ac4ac53294547536533800c8",
+                "sha256:49d4cdd9065b9b6e206d0595fee27a96b5dd22618e7520c33204a4a3239d5b10",
+                "sha256:4e0583d24c881e14342eaf4ec5fbc97f934b999a6828693a99157fde912540cc",
+                "sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018",
+                "sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e",
+                "sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253",
+                "sha256:72a01f726a9c7851ca9bfad6fd09ca4e090a023c00945ea05ba1638c09dc3347",
+                "sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183",
+                "sha256:895f61ef02e8fed38159bb70f7e100e00f471eae2bc838cd0f4ebb21e28f8541",
+                "sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb",
+                "sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185",
+                "sha256:bfb51918d4ff3d77c1c856a9699f8492c612cde32fd3bcd344af9be34999bfdc",
+                "sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db",
+                "sha256:cb333c16912324fd5f769fff6bc5de372e9e7a202247b48870bc251ed40239aa",
+                "sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46",
+                "sha256:d483ad4e639292c90170eb6f7783ad19490e7a8defb3e46f97dfe4bacae89122",
+                "sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b",
+                "sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63",
+                "sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df",
+                "sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc",
+                "sha256:fd7f6999a8070df521b6384004ef42833b9bd62cfee11a09bda1079b4b704247",
+                "sha256:fdc842473cd33f45ff6bce46aea678a54e3d21f1b61a7750ce3c498eedfe25d6",
+                "sha256:fe69978f3f768926cfa37b867e3843918e012cf83f680806599ddce33c2c68b0"
             ],
             "index": "pypi",
             "version": "==5.4.1"
         },
-        "pyyaml": {
+        "requests": {
             "hashes": [
-                "sha256:1adecc22f88d38052fb787d959f003811ca858b799590a5eaa70e63dca50308c",
-                "sha256:436bc774ecf7c103814098159fbb84c2715d25980175292c648f2da143909f95",
-                "sha256:460a5a4248763f6f37ea225d19d5c205677d8d525f6a83357ca622ed541830c2",
-                "sha256:5a22a9c84653debfbf198d02fe592c176ea548cccce47553f35f466e15cf2fd4",
-                "sha256:7a5d3f26b89d688db27822343dfa25c599627bc92093e788956372285c6298ad",
-                "sha256:9372b04a02080752d9e6f990179a4ab840227c6e2ce15b95e1278456664cf2ba",
-                "sha256:a5dcbebee834eaddf3fa7366316b880ff4062e4bcc9787b78c7fbb4a26ff2dd1",
-                "sha256:aee5bab92a176e7cd034e57f46e9df9a9862a71f8f37cad167c6fc74c65f5b4e",
-                "sha256:c51f642898c0bacd335fc119da60baae0824f2cde95b0330b56c0553439f0673",
-                "sha256:c68ea4d3ba1705da1e0d85da6684ac657912679a649e8868bd850d2c299cce13",
-                "sha256:e23d0cc5299223dcc37885dae624f382297717e459ea24053709675a976a3e19"
+                "sha256:27973dd4a904a4f13b263a19c866c13b92a39ed1c964655f025f3f8d3d75b804",
+                "sha256:c210084e36a42ae6b9219e00e48287def368a26d03a048ddad7bfee44f75871e"
             ],
             "index": "pypi",
-            "version": "==5.1"
+            "version": "==2.25.1"
+        },
+        "simplejson": {
+            "hashes": [
+                "sha256:034550078a11664d77bc1a8364c90bb7eef0e44c2dbb1fd0a4d92e3997088667",
+                "sha256:05b43d568300c1cd43f95ff4bfcff984bc658aa001be91efb3bb21df9d6288d3",
+                "sha256:0dd9d9c738cb008bfc0862c9b8fa6743495c03a0ed543884bf92fb7d30f8d043",
+                "sha256:10fc250c3edea4abc15d930d77274ddb8df4803453dde7ad50c2f5565a18a4bb",
+                "sha256:2862beabfb9097a745a961426fe7daf66e1714151da8bb9a0c430dde3d59c7c0",
+                "sha256:292c2e3f53be314cc59853bd20a35bf1f965f3bc121e007ab6fd526ed412a85d",
+                "sha256:2d3eab2c3fe52007d703a26f71cf649a8c771fcdd949a3ae73041ba6797cfcf8",
+                "sha256:2e7b57c2c146f8e4dadf84977a83f7ee50da17c8861fd7faf694d55e3274784f",
+                "sha256:311f5dc2af07361725033b13cc3d0351de3da8bede3397d45650784c3f21fbcf",
+                "sha256:344e2d920a7f27b4023c087ab539877a1e39ce8e3e90b867e0bfa97829824748",
+                "sha256:3fabde09af43e0cbdee407555383063f8b45bfb52c361bc5da83fcffdb4fd278",
+                "sha256:42b8b8dd0799f78e067e2aaae97e60d58a8f63582939af60abce4c48631a0aa4",
+                "sha256:4b3442249d5e3893b90cb9f72c7d6ce4d2ea144d2c0d9f75b9ae1e5460f3121a",
+                "sha256:55d65f9cc1b733d85ef95ab11f559cce55c7649a2160da2ac7a078534da676c8",
+                "sha256:5c659a0efc80aaaba57fcd878855c8534ecb655a28ac8508885c50648e6e659d",
+                "sha256:72d8a3ffca19a901002d6b068cf746be85747571c6a7ba12cbcf427bfb4ed971",
+                "sha256:75ecc79f26d99222a084fbdd1ce5aad3ac3a8bd535cd9059528452da38b68841",
+                "sha256:76ac9605bf2f6d9b56abf6f9da9047a8782574ad3531c82eae774947ae99cc3f",
+                "sha256:7d276f69bfc8c7ba6c717ba8deaf28f9d3c8450ff0aa8713f5a3280e232be16b",
+                "sha256:7f10f8ba9c1b1430addc7dd385fc322e221559d3ae49b812aebf57470ce8de45",
+                "sha256:8042040af86a494a23c189b5aa0ea9433769cc029707833f261a79c98e3375f9",
+                "sha256:813846738277729d7db71b82176204abc7fdae2f566e2d9fcf874f9b6472e3e6",
+                "sha256:845a14f6deb124a3bcb98a62def067a67462a000e0508f256f9c18eff5847efc",
+                "sha256:869a183c8e44bc03be1b2bbcc9ec4338e37fa8557fc506bf6115887c1d3bb956",
+                "sha256:8acf76443cfb5c949b6e781c154278c059b09ac717d2757a830c869ba000cf8d",
+                "sha256:8f713ea65958ef40049b6c45c40c206ab363db9591ff5a49d89b448933fa5746",
+                "sha256:934115642c8ba9659b402c8bdbdedb48651fb94b576e3b3efd1ccb079609b04a",
+                "sha256:9551f23e09300a9a528f7af20e35c9f79686d46d646152a0c8fc41d2d074d9b0",
+                "sha256:9a2b7543559f8a1c9ed72724b549d8cc3515da7daf3e79813a15bdc4a769de25",
+                "sha256:a55c76254d7cf8d4494bc508e7abb993a82a192d0db4552421e5139235604625",
+                "sha256:ad8f41c2357b73bc9e8606d2fa226233bf4d55d85a8982ecdfd55823a6959995",
+                "sha256:af4868da7dd53296cd7630687161d53a7ebe2e63814234631445697bd7c29f46",
+                "sha256:afebfc3dd3520d37056f641969ce320b071bc7a0800639c71877b90d053e087f",
+                "sha256:b59aa298137ca74a744c1e6e22cfc0bf9dca3a2f41f51bc92eb05695155d905a",
+                "sha256:bc00d1210567a4cdd215ac6e17dc00cb9893ee521cee701adfd0fa43f7c73139",
+                "sha256:c1cb29b1fced01f97e6d5631c3edc2dadb424d1f4421dad079cb13fc97acb42f",
+                "sha256:c94dc64b1a389a416fc4218cd4799aa3756f25940cae33530a4f7f2f54f166da",
+                "sha256:ceaa28a5bce8a46a130cd223e895080e258a88d51bf6e8de2fc54a6ef7e38c34",
+                "sha256:cff6453e25204d3369c47b97dd34783ca820611bd334779d22192da23784194b",
+                "sha256:d0b64409df09edb4c365d95004775c988259efe9be39697d7315c42b7a5e7e94",
+                "sha256:d4813b30cb62d3b63ccc60dd12f2121780c7a3068db692daeb90f989877aaf04",
+                "sha256:da3c55cdc66cfc3fffb607db49a42448785ea2732f055ac1549b69dcb392663b",
+                "sha256:e058c7656c44fb494a11443191e381355388443d543f6fc1a245d5d238544396",
+                "sha256:fed0f22bf1313ff79c7fc318f7199d6c2f96d4de3234b2f12a1eab350e597c06",
+                "sha256:ffd4e4877a78c84d693e491b223385e0271278f5f4e1476a4962dca6824ecfeb"
+            ],
+            "markers": "python_version >= '2.5' and python_version not in '3.0, 3.1, 3.2, 3.3'",
+            "version": "==3.17.2"
+        },
+        "six": {
+            "hashes": [
+                "sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259",
+                "sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced"
+            ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
+            "version": "==1.15.0"
+        },
+        "stix2": {
+            "hashes": [
+                "sha256:15c9cf599f5c43124e76fe71b883e4918f6f4cf65b084c58ec64b6180f45c938",
+                "sha256:3ab60082e4bffb39f75ea9ddc338b64126ff1cd086e6173d39b860191ac26ff4"
+            ],
+            "index": "pypi",
+            "version": "==2.1.0"
+        },
+        "stix2-patterns": {
+            "hashes": [
+                "sha256:174fe5302d2c3223205033af987754132a9ea45a9f8e08aefafbe0549c889ea4",
+                "sha256:bc46cc4eba44b76a17eab7a3ff67f35203543cdb918ab24c1ebd58403fa27992"
+            ],
+            "version": "==1.3.2"
+        },
+        "taxii2-client": {
+            "hashes": [
+                "sha256:b4212b8a8bab170cd5dc386ca3ea36bc44b53932f1da30db150abeef00bce7b9",
+                "sha256:fb3bf895e2eaff3cd08bb7aad75c9d30682ffc00b9f3add77de3a67dc6b895a3"
+            ],
+            "version": "==2.3.0"
         },
         "typing-extensions": {
             "hashes": [
@@ -433,11 +586,11 @@
         },
         "urllib3": {
             "hashes": [
-                "sha256:2f3db8b19923a873b3e5256dc9c2dedfa883e33d87c690d9c7913e1f40673cdc",
-                "sha256:87716c2d2a7121198ebcb7ce7cccf6ce5e9ba539041cfbaeecfb641dc0bf6acc"
+                "sha256:2f4da4594db7e1e110a944bb1b551fdf4e6c136ad42e4234131391e21eb5b0df",
+                "sha256:e7b021f7241115872f92f43c6508082facffbd1c048e3c6e2bb9c2a157e28937"
             ],
             "index": "pypi",
-            "version": "==1.25.8"
+            "version": "==1.26.4"
         },
         "wcwidth": {
             "hashes": [
@@ -448,11 +601,11 @@
         },
         "yamllint": {
             "hashes": [
-                "sha256:09d554bafc57beb22b01619c94e1ba0e8fbb016fa9c1b35ddc68d7bfc16d177f",
-                "sha256:7e1e698b3d344b64bc46cbe8c4df7dfdfe7c00ed1a8d1c851ecd5b552d93d193"
+                "sha256:8a5f8e442f49309eaf3e9d7232ce76f2fc8026f5c0c0b164b83f33fed1399637",
+                "sha256:b0e4c89985c7f5f8451c2eb8c67d804d10ac13a4abe031cbf49bdf3465d01087"
             ],
             "index": "pypi",
-            "version": "==1.21.0"
+            "version": "==1.26.0"
         },
         "yarl": {
             "hashes": [
@@ -494,14 +647,8 @@
                 "sha256:f0b059678fd549c66b89bed03efcabb009075bd131c248ecdf087bdb6faba24a",
                 "sha256:fcbb48a93e8699eae920f8d92f7160c03567b421bc17362a9ffbbd706a816f71"
             ],
+            "markers": "python_version >= '3.6'",
             "version": "==1.6.3"
-        },
-        "zipp": {
-            "hashes": [
-                "sha256:102c24ef8f171fd729d46599845e95c7ab894a4cf45f5de11a44cc7444fb1108",
-                "sha256:ed5eee1974372595f9e416cc7bbeeb12335201d8081ca8a0743c954d4446e5cb"
-            ],
-            "version": "==3.4.0"
         }
     }
 }

README.md

@@ -40,9 +40,9 @@ The SANS webcast on Sigma contains a very good 20 min introduction to the projec
 
 # Why Sigma
 
-Today, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and build their own searches and dashboard. Some of their searches and correlations are great and very useful but they lack a standardized format in which they can share their work with others. 
+Today, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and build their own searches and dashboard. Some of their searches and correlations are great and very useful but they lack a standardized format in which they can share their work with others.
 
-Others provide excellent analyses, include IOCs and YARA rules to detect the malicious files and network connections, but have no way to describe a specific or generic detection method in log events. Sigma is meant to be an open standard in which such detection mechanisms can be defined, shared and collected in order to improve the detection capabilities for everyone. 
+Others provide excellent analyses, include IOCs and YARA rules to detect the malicious files and network connections, but have no way to describe a specific or generic detection method in log events. Sigma is meant to be an open standard in which such detection mechanisms can be defined, shared and collected in order to improve the detection capabilities for everyone.
 
 ## Slides
 
@@ -52,7 +52,7 @@ See the first slide deck that I prepared for a private conference in mid January
 
 # Specification
 
-The specifications can be found in the [Wiki](https://github.com/Neo23x0/sigma/wiki/Specification). 
+The specifications can be found in the [Wiki](https://github.com/Neo23x0/sigma/wiki/Specification).
 
 The current specification is a proposal. Feedback is requested.
 
@@ -62,7 +62,7 @@ The current specification is a proposal. Feedback is requested.
 
 Florian wrote a short [rule creation tutorial](https://www.nextron-systems.com/2018/02/10/write-sigma-rules/) that can help you getting started.
 
-## Rule Usage 
+## Rule Usage
 
 1. Download or clone the repository
 2. Check the `./rules` sub directory for an overview on the rule base
@@ -106,7 +106,7 @@ merges multiple YAML documents of a Sigma rule collection into simple Sigma rule
 
 ```bash
 usage: sigmac [-h] [--recurse] [--filter FILTER]
-              [--target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp,ee-outliers}]
+              [--target {sqlite,netwitness-epl,logpoint,graylog,netwitness,arcsight,carbonblack,es-rule,ala,elastalert-dsl,splunkxml,fieldlist,sysmon,arcsight-esm,kibana,csharp,qualys,powershell,es-qs,mdatp,humio,grep,qradar,logiq,sql,sumologic,ala-rule,limacharlie,elastalert,splunk,stix,xpack-watcher,crowdstrike,es-dsl,ee-outliers}]
               [--target-list] [--config CONFIG] [--output OUTPUT]
               [--backend-option BACKEND_OPTION] [--defer-abort]
               [--ignore-backend-errors] [--verbose] [--debug]
@@ -172,13 +172,13 @@ Translate a whole rule directory and ignore backend errors (`-I`) in rule conver
 ```
 tools/sigmac -I -t splunk -c splunk-windows -f 'level>=high' -r rules/windows/sysmon/
 ```
-#### Rule Set Translation with Custom Config 
+#### Rule Set Translation with Custom Config
 Apply your own config file (`-c ~/my-elk-winlogbeat.yml`) during conversion, which can contain you custom field and source mappings
 ```
 tools/sigmac -t es-qs -c ~/my-elk-winlogbeat.yml -r rules/windows/sysmon
 ```
 #### Generic Rule Set Translation
-Use a config file for `process_creation` rules (`-r rules/windows/process_creation`) that instructs sigmac to create queries for a Sysmon log source (`-c tools/config/generic/sysmon.yml`) and the ElasticSearch target backend (`-t es-qs`) 
+Use a config file for `process_creation` rules (`-r rules/windows/process_creation`) that instructs sigmac to create queries for a Sysmon log source (`-c tools/config/generic/sysmon.yml`) and the ElasticSearch target backend (`-t es-qs`)
 ```
 tools/sigmac -t es-qs -c tools/config/generic/sysmon.yml -r rules/windows/process_creation
 ```
@@ -209,6 +209,7 @@ tools/sigmac -t splunk -c ~/my-splunk-mapping.yml -c tools/config/generic/window
 * [LimaCharlie](https://limacharlie.io)
 * [ee-outliers](https://github.com/NVISO-BE/ee-outliers)
 * [Structured Threat Information Expression (STIX)](https://oasis-open.github.io/cti-documentation/stix/intro.html)
+* [LOGIQ](https://www.logiq.ai)
 * [uberAgent ESA](https://uberagent.com/)
 
 Current work-in-progress
@@ -228,16 +229,18 @@ It's available on PyPI. Install with:
 pip3 install sigmatools
 ```
 
-Alternatively, if used from the Sigma Github repository, the Python dependencies can be installed with:
+Alternatively, if used from the Sigma Github repository, the Python dependencies can be installed with [Pipenv](https://pypi.org/project/pipenv/).
+Run the following command to get a shell with the installed requirements:
 
 ```bash
-pip3 install -r tools/requirements.txt
+pipenv shell
 ```
 
 For development (e.g. execution of integration tests with `make` and packaging), further dependencies are required and can be installed with:
 
 ```bash
-pip3 install -r tools/requirements-devel.txt
+pipenv install --dev
+pipenv shell
 ```
 
 ## Sigma2MISP
@@ -251,7 +254,7 @@ Example:
 *misp.conf*:
 ```
 url https://host
-key foobarfoobarfoobarfoobarfoobarfoobarfoo 
+key foobarfoobarfoobarfoobarfoobarfoobarfoo
 ```
 
 Load Sigma rule into MISP event 1234:
@@ -266,7 +269,7 @@ sigma2misp @misp.conf --same-event --info "Test Event" -r sigma_rules/
 
 ## Evt2Sigma
 
-[Evt2Sigma](https://github.com/Neo23x0/evt2sigma) helps you with the rule creation. It generates a Sigma rule from a log entry. 
+[Evt2Sigma](https://github.com/Neo23x0/evt2sigma) helps you with the rule creation. It generates a Sigma rule from a log entry.
 
 ## Sigma2attack
 
@@ -291,7 +294,7 @@ Result once imported in the MITRE ATT&CK® Navigator ([online version](https://m
 
 ## S2AN
 
-Similar to **Sigma2attack**, [S2AN](https://github.com/3CORESec/S2AN) is a pre-compiled binary for both Windows and GNU/Linux that generates [MITRE ATT&CK® Navigator](https://github.com/mitre/attack-navigator/) layers from a directory of Sigma rules. 
+Similar to **Sigma2attack**, [S2AN](https://github.com/3CORESec/S2AN) is a pre-compiled binary for both Windows and GNU/Linux that generates [MITRE ATT&CK® Navigator](https://github.com/mitre/attack-navigator/) layers from a directory of Sigma rules.
 
 S2AN was developed to be used as a standalone tool or as part of a CI/CD pipeline where it can be quickly downloaded and executed without external dependencies.
 
@@ -317,11 +320,11 @@ These tools are not part of the main toolchain and maintained separately by thei
 * [uncoder.io](https://uncoder.io/) - Online Translator for SIEM Searches
 * [THOR](https://www.nextron-systems.com/2018/06/28/spark-applies-sigma-rules-in-eventlog-scan/) - Scan with Sigma rules on endpoints
 * [Joe Sandbox](https://www.joesecurity.org/)
-* [ypsilon](https://github.com/P4T12ICK/ypsilon) - Automated Use Case Testing 
+* [ypsilon](https://github.com/P4T12ICK/ypsilon) - Automated Use Case Testing
 * [RANK VASA](https://globenewswire.com/news-release/2019/03/04/1745907/0/en/RANK-Software-to-Help-MSSPs-Scale-Cybersecurity-Offerings.html)
 * [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches) (Splunk App)
 * [TimeSketch](https://github.com/google/timesketch/commit/0c6c4b65a6c0f2051d074e87bbb2da2424fa6c35)
-* [SIΣGMA](https://github.com/3CORESec/SIEGMA) - SIEM consumable generator that utilizes Sigma for query conversion 
+* [SIΣGMA](https://github.com/3CORESec/SIEGMA) - SIEM consumable generator that utilizes Sigma for query conversion
 
 Sigma is available in some Linux distribution repositories:
 
@@ -333,10 +336,10 @@ If you want to contribute, you are more then welcome. There are numerous ways to
 
 ## Use it and provide feedback
 
-If you use it, let us know what works and what does not work. 
+If you use it, let us know what works and what does not work.
 
 E.g.
-- Tell us about false positives (issues section) 
+- Tell us about false positives (issues section)
 - Try to provide an improved rule (new filter) via [pull request](https://help.github.com/en/articles/editing-files-in-another-users-repository) on that rule
 
 ## Work on open issues
@@ -345,7 +348,7 @@ The github issue tracker is a good place to start tackling some issues others ra
 
 ## Provide Backends / Backend Features / Bugfixes
 
-Various requests for sigmac (sigma converter) backends exist. Some backends are very limited and need features. We are working on a documentation on how to write new backends but our time for this project is currently mostly spent for issue resolutions. 
+Various requests for sigmac (sigma converter) backends exist. Some backends are very limited and need features. We are working on a documentation on how to write new backends but our time for this project is currently mostly spent for issue resolutions.
 
 ## Spread the word
 

rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml

@@ -0,0 +1,42 @@
+title: Always Install Elevated Parent Child Correlated
+id: 078235c5-6ec5-48e7-94b2-f8b5474379ea
+description: This rule will looks any process with low privilege launching Windows Installer service (msiexec.exe) that tries to install MSI packages with SYSTEM privilege 
+#look for MSI start by low privilege user, write the process guid to the suspicious_guid variable
+#look for child process from the suspicious_guid, alert if it's Windows Installer trying to install package with SYSTEM privilege
+status: experimental
+author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
+date: 2020/10/13
+references: 
+    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
+tags:
+    - attack.privilege_escalation
+    - attack.t1548.002
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    system_integrity:
+        IntegrityLevel: 'System'
+    system_user:
+        User: 'NT AUTHORITY\SYSTEM'
+    image_1:
+        Image|contains|all: 
+            - '\Windows\Installer\'
+            - 'msi'
+        Image|endswith: 
+            - 'tmp'
+    image_2:
+        Image|endswith: '\msiexec.exe'
+    child_of_suspicious_guid:  
+        ParentProcessGuid: '%suspicious_guid%'
+    condition: write ProcessGuid from (event_id and image_2 and not system_user) to %suspicious_guid%; then if (child_of_suspicious_guid and event_id and image_1 and system_user) or (suspicious_guid and event_id and image_2 and system_user and integrity_level) -> alert
+fields:
+    - EventID
+    - IntegrityLevel
+    - User
+    - Image
+    ParentProcessGuid
+falsepositives:
+    - System administrator usage
+    - Penetration test 
+level: high

rules-unsupported/win_access_fake_files_with_stored_credentials.yml

@@ -0,0 +1,29 @@
+title: Stored Credentials in Fake Files
+id: 692b979c-f747-41dc-ad72-1f11c01b110e
+description: Search for accessing of fake files with stored credentials
+status: experimental
+author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
+date: 2020/10/05
+references: 
+    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-13-638.jpg
+tags:
+    - attack.credential_access
+    - attack.t1555
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 4663
+        AccessList|contains: '%%4416'
+        ObjectName|endswith:
+            - '\%POLICY_ID%\Machine\Preferences\Groups\Groups.xml'
+            - '\%FOLDER_NAME%\Unattend.xml'
+    condition: selection
+fields:
+    - EventID
+    - AccessList
+    - ObjectName
+falsepositives:
+    - Unknown
+level: high

rules-unsupported/win_remote_schtask.yml

@@ -0,0 +1,44 @@
+title: Remote Schtasks Creation
+id: cf349c4b-99af-40fa-a051-823aa2307a84
+status: experimental
+description: Detects remote execution via scheduled task creation or update on the destination host
+author: Jai Minton, oscd.community
+date: 2020/10/05
+references:
+    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+tags:
+    - attack.lateral_movement
+    - attack.persistence
+    - attack.execution
+    - attack.t1053.005
+logsource:
+    product: windows
+    service: security
+    definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft).'
+detection:
+    selection1:
+        EventID: 4624
+        Logon_Type: 3
+    selection2:
+        EventID:
+            - 4698
+            - 4702
+    filter1: 
+        Source_Network_Address:
+            - '::1'
+            - '127.0.0.1'
+    filter2: 
+        Source_Network_Address: '-'
+    timeframe: 30d
+    condition: (selection1 and not filter1) or selection2 and not filter2
+    #   where:
+    #       selection1: TargetLogonID = selection2: SubjectLogonID, grouped by host over 30seconds | eventcount > 1
+    #   Rule should trigger where the SubjectLogonID from event 4698 or 4702 is the same as the TargetLogonID from event 4624 with a Logon_Type of 3, in a 30second period, provided its from the same host.
+    #   This logic would be similar to the Splunk 'Transaction' operator which groups related events over a timeframe. 
+    #       This takes both field values (e.g. Logon_ID), and an expression provided (e.g. startswith=(EventCode=4624) maxspan=30s) which occurs over the raw event log to find events, at which point a Union based on the criteria provided occurs to merge these events into a single transaction.
+    #   This is similar to stats as an aggregation function, but allows you to see the raw text of events rather than to calculate stats on then, and it retains the raw event to allow an eval expression to occur for grouping. This is beneficial as fields such as LogonIDs are reused over time. 
+    #   By having this you can group logon events to their remote schtask creation event (as it is searching for a logon followed by a schtask creation) even by using a search timeframe over a long period of time e.g. 30days without running the risk of incorrectly grouping a logonID at one time, to a task creation at another.
+    #   Rule logic is currently not supported by SIGMA.
+falsepositives:
+    - Unknown
+level: medium

rules-unsupported/win_remote_service.yml

@@ -0,0 +1,50 @@
+action: global
+title: Remote Service Creation
+id: 4a3a2b96-d7fc-4cb9-80e4-4a545fe95f46
+status: experimental
+description: Detects remote execution via service creation on the destination host
+author: Jai Minton, oscd.community
+date: 2020/10/05
+references:
+    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+tags:
+    - attack.lateral_movement
+    - attack.persistence
+    - attack.execution
+    - attack.t1543.003 
+detection:
+    selection1:
+        EventID: 4624
+        Logon_Type: 3
+    filter1: 
+        Source_Network_Address:
+            - '::1'
+            - '127.0.0.1'
+    timeframe: 30s
+    condition: (selection1 and not filter1) or selection2
+    #   where:
+    #       selection1: TargetLogonID = selection2: SubjectLogonID, grouped by host over 30seconds | eventcount > 1
+    #   Rule should trigger where the SubjectLogonID from event 7045 is the same as the TargetLogonID from event 4624 with a Logon_Type of 3, in a 30second period, provided its from the same host.
+    #   This logic would be similar to the Splunk 'Transaction' operator which groups related events over a timeframe. 
+    #       This takes both field values (e.g. host), and an expression provided (e.g. startswith=(EventCode=4624) maxspan=30s) which occurs over the raw event log to find events, at which point a Union based on the criteria provided occurs to merge these events into a single transaction.
+    #   This is similar to stats as an aggregation function, but allows you to see the raw text of events rather than to calculate stats on then, and it retains the raw event to allow an eval expression to occur for grouping. This is beneficial as fields such as LogonIDs are reused over time. 
+    #   By having this you can group logon events to their remote service creation event (as it is searching for a logon followed by a service creation) even by using a search timeframe over a long period of time e.g. 30days without running the risk of incorrectly grouping a logonID at one time, to a task creation at another.
+    #   Rule logic is currently not supported by SIGMA.
+    
+falsepositives:
+    - Unknown
+level: medium
+---
+ logsource:
+     product: windows
+     service: security
+ detection:
+     selection2:
+         EventID: 4697
+---
+logsource:
+    product: windows
+    service: system
+detection:
+    selection2:
+        EventID: 7045

rules/cloud/aws_ec2_vm_export_failure.yml

@@ -18,7 +18,7 @@ detection:
     errorCode: '*'
   filter3:
     eventName: 'ConsoleLogin'
-    responseElements: '*Failure*'
+    responseElements|contains: 'Failure'
   condition: selection and (filter1 or filter2 or filter3)
 level: low
 tags:

rules/linux/at_command.yml

@@ -0,0 +1,23 @@
+title: Scheduled Task/Job At
+id: d2d642d7-b393-43fe-bae4-e81ed5915c4b
+status: stable
+description: Detects the use of at/atd
+author: Ömer Günal, oscd.community
+date: 2020/10/06
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md
+logsource:
+    product: linux
+    category: process_creation
+detection:
+    selection:
+        ProcessName|endswith:
+          - '/at'
+          - '/atd'
+    condition: selection
+falsepositives:
+    - Legitimate administration activities
+level: low
+tags:
+    - attack.persistence
+    - attack.t1053.001

rules/linux/auditd/lnx_auditd_create_account.yml

@@ -12,7 +12,7 @@ logsource:
 detection:
     selection:
         type: 'SYSCALL'
-        exe: '*/useradd'
+        exe|endswith: '/useradd'
     condition: selection
 falsepositives:
     - Admin activity
@@ -20,4 +20,4 @@ level: medium
 tags:
     - attack.t1136    # an old one
     - attack.t1136.001
-    - attack.persistence
+    - attack.persistence

rules/linux/auditd/lnx_auditd_masquerading_crond.yml

@@ -16,9 +16,9 @@ detection:
         a0: 'cp'
         a1: '-i'
         a2: '/bin/sh'
-        a3: '*/crond'
+        a3|endswith: '/crond'
     condition: selection
 level: medium
 tags:
     - attack.defense_evasion
-    - attack.t1036.003
+    - attack.t1036.003

rules/linux/auditd/lnx_auditd_susp_exe_folders.yml

@@ -12,26 +12,26 @@ logsource:
 detection:
     selection:
         type: 'SYSCALL'
-        exe:
+        exe|startswith:
             # Temporary folder
-            - '/tmp/*'
+            - '/tmp/'
             # Web server 
-            - '/var/www/*'              # Standard
-            - '/home/*/public_html/*'   # Per-user
-            - '/usr/local/apache2/*'    # Classical Apache
-            - '/usr/local/httpd/*'      # Old SuSE Linux 6.* Apache
-            - '/var/apache/*'           # Solaris Apache
-            - '/srv/www/*'              # SuSE Linux 9.*
-            - '/home/httpd/html/*'      # Redhat 6 or older Apache
-            - '/srv/http/*'             # ArchLinux standard
-            - '/usr/share/nginx/html/*' # ArchLinux nginx
+            - '/var/www/'              # Standard
+            - '/home/*/public_html/'   # Per-user
+            - '/usr/local/apache2/'    # Classical Apache
+            - '/usr/local/httpd/'      # Old SuSE Linux 6.* Apache
+            - '/var/apache/'           # Solaris Apache
+            - '/srv/www/'              # SuSE Linux 9.*
+            - '/home/httpd/html/'      # Redhat 6 or older Apache
+            - '/srv/http/'             # ArchLinux standard
+            - '/usr/share/nginx/html/' # ArchLinux nginx
             # Data dirs of typically exploited services (incomplete list)
-            - '/var/lib/pgsql/data/*'
-            - '/usr/local/mysql/data/*'
-            - '/var/lib/mysql/*'
-            - '/var/vsftpd/*'
-            - '/etc/bind/*'
-            - '/var/named/*'
+            - '/var/lib/pgsql/data/'
+            - '/usr/local/mysql/data/'
+            - '/var/lib/mysql/'
+            - '/var/vsftpd/'
+            - '/etc/bind/'
+            - '/var/named/'
     condition: selection
 falsepositives:
     - Admin activity (especially in /tmp folders)

rules/linux/lnx_base64_decode.yml

@@ -0,0 +1,22 @@
+title: Decode Base64 Encoded Text
+id: e2072cab-8c9a-459b-b63c-40ae79e27031
+status: experimental
+description: Detects usage of base64 utility to decode arbitrary base64-encoded text
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md
+logsource:
+  category: process_creation
+  product: linux
+detection:
+  base64_execution:
+    Image|endswith: '/base64'
+    CommandLine|contains: '-d'
+  condition: base64_execution
+falsepositives:
+  - Legitimate activities
+level: low
+tags:
+  - attack.defense_evasion
+  - attack.t1027

rules/linux/lnx_binary_padding.yml

@@ -0,0 +1,35 @@
+title: 'Binary Padding'
+id: c52a914f-3d8b-4b2a-bb75-b3991e75f8ba
+status: experimental
+description: 'Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.'
+  # For this rule to work execve auditing / file system auditing with "execute access" to specific binaries must be configured
+  # Example config (place it at the bottom of audit.rules)
+  # -a always,exit -F arch=b32 -S execve -k execve
+  # -a always,exit -F arch=b64 -S execve -k execve
+author: 'Igor Fits, oscd.community'
+date: 2020/10/13
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection1:
+        type: 'EXECVE'
+        keywords|contains|all:
+             - 'truncate'
+             - '-s'
+    selection2:
+        type: 'EXECVE'
+        keywords|contains|all:
+             - 'dd'
+             - 'if='
+    filter:
+        keywords|contains: 'of='
+    condition: selection1 or (selection2 and not filter)
+falsepositives:
+    - 'Legitimate script work'
+level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1027.001

rules/linux/lnx_change_file_time_attr.yml

@@ -0,0 +1,33 @@
+title: 'File Time Attribute Change'
+id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
+status: experimental
+description: 'Detect file time attribute change to hide new or changes to existing files.'
+  # For this rule to work execve auditing must be configured
+  # Example config (place it at the bottom of audit.rules)
+  # -a always,exit -F arch=b32 -S execve -k execve
+  # -a always,exit -F arch=b64 -S execve -k execve
+author: 'Igor Fits, oscd.community'
+date: 2020/10/15
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection1:
+        type: 'EXECVE'
+        keywords|contains: 'touch'
+    selection2:
+        type: 'EXECVE'
+        keywords|contains:
+         - '-t'
+         - '-acmr'
+         - '-d'
+         - '-r'
+    condition: selection1 and selection2
+falsepositives:
+    - 'Unknown'
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1070.006

rules/linux/lnx_clear_logs.yml

@@ -0,0 +1,26 @@
+title: Clear Linux Logs
+id: 80915f59-9b56-4616-9de0-fd0dea6c12fe
+status: stable
+description: Detects clear logs
+author: Ömer Günal, oscd.community
+date: 2020/10/07
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md
+logsource:
+    product: linux
+    category: process_creation
+detection:
+    selection:
+        Image|endswith:
+            - '/rm'    # covers /rmdir as well
+            - '/shred'
+        CommandLine|contains:
+            - '/var/log'
+            - '/var/spool/mail'
+    condition: selection
+falsepositives:
+    - Legitimate administration activities
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1070.002

rules/linux/lnx_file_and_directory_discovery.yml

@@ -0,0 +1,29 @@
+title: File and Directory Discovery
+id: d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72
+status: experimental
+description: Detects usage of system utilities to discover files and directories
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md
+logsource:
+  category: process_creation
+  product: linux
+detection:
+  file_with_asterisk:
+    Image|endswith: '/file'
+    CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline
+  recursive_ls:
+    Image|endswith: '/ls'
+    CommandLine|contains: '-R'
+  find_execution:
+    Image|endswith: '/find'
+  tree_execution:
+    Image|endswith: '/tree'
+  condition: 1 of them
+falsepositives:
+  - Legitimate activities
+level: informational
+tags:
+  - attack.discovery
+  - attack.t1083

rules/linux/lnx_file_copy.yml

@@ -11,18 +11,20 @@ logsource:
 detection:
     keywords:
         - Scp|contains:
-          - 'scp * *@*:*'
-          - 'scp *@*:* *'
+          - 'scp'
         - Rsync|contains:
-          - 'rsync -r *@*:* *'
-          - 'rsync -r * *@*:*'
+          - 'rsync -r'
         - Sftp|contains:
-          - 'sftp *@*:* *'
-    condition: keywords
+          - 'sftp'
+    filter:
+        message|contains|all:
+          - '@'
+          - ':'
+    condition: keywords and filter
 falsepositives:
     - Legitimate administration activities
 level: low
 tags:
     - attack.command_and_control
     - attack.lateral_movement
-    - attack.t1105
+    - attack.t1105

rules/linux/lnx_file_deletion.yml

@@ -0,0 +1,23 @@
+title: File Deletion
+id: 30aed7b6-d2c1-4eaf-9382-b6bc43e50c57
+status: stable
+description: Detects file deletion commands
+author: Ömer Günal, oscd.community
+date: 2020/10/07
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md
+logsource:
+    product: linux
+    category: process_creation
+detection:
+    selection:
+        Image|endswith:
+            - '/rm'     # covers /rmdir as well
+            - '/shred'
+    condition: selection
+falsepositives:
+    - Legitimate administration activities
+level: informational
+tags:
+    - attack.defense_evasion
+    - attack.t1070.004

rules/linux/lnx_find_cred_in_files.yml

@@ -0,0 +1,29 @@
+title: 'Credentials In Files'
+id: df3fcaea-2715-4214-99c5-0056ea59eb35
+status: experimental
+description: 'Detecting attempts to extract passwords with grep'
+  # For this rule to work execve auditing must be configured
+  # Example config (place it at the bottom of audit.rules)
+  # -a always,exit -F arch=b32 -S execve -k execve
+  # -a always,exit -F arch=b64 -S execve -k execve
+author: 'Igor Fits, oscd.community'
+date: 2020/10/15
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection1:
+        type: 'EXECVE'
+        keywords|contains: 'grep'
+    selection2:
+        type: 'EXECVE'
+        keywords|contains: 'password'
+    condition: selection1 and selection2
+falsepositives:
+    - 'Unknown'
+level: high
+tags:
+    - attack.credential_access
+    - attack.t1552.001

rules/linux/lnx_install_root_certificate.yml

@@ -0,0 +1,22 @@
+title: Install Root Certificate
+id: 78a80655-a51e-4669-bc6b-e9d206a462ee
+description: Detects installed new certificate
+author: Ömer Günal, oscd.community
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
+date: 2020/10/05
+tags:
+    - attack.defense_evasion
+    - attack.t1553.004
+level: low
+logsource:
+    product: linux
+    category: process_creation
+detection:
+    selection:
+         Image|endswith:
+          - '/update-ca-certificates'
+          - '/update-ca-trust'
+    condition: selection
+falsepositives:
+    - Legitimate administration activities

rules/linux/lnx_local_account.yml

@@ -0,0 +1,39 @@
+title: Local System Accounts Discovery
+id: b45e3d6f-42c6-47d8-a478-df6bd6cf534c
+status: experimental
+description: Detects enumeration of local systeam accounts
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/08
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md
+logsource:
+  category: process_creation
+  product: linux
+detection:
+  selection_1:
+    Image|endswith:
+      - '/lastlog'
+  selection_2:
+    CommandLine|contains:
+      - "'x:0:'"
+  selection_3:
+    Image|endswith:
+      - '/cat'
+    CommandLine|contains:
+      - '/etc/passwd'
+      - '/etc/sudoers'
+  selection_4:
+    Image|endswith:
+      - '/id'
+  selection_5:
+    Image|endswith:
+      - '/lsof'
+    CommandLine|contains:
+      - '-u'
+  condition: 1 of them
+falsepositives:
+  - Legitimate administration activities
+level: low
+tags:
+  - attack.discovery
+  - attack.t1087.001

rules/linux/lnx_local_groups.yml

@@ -0,0 +1,27 @@
+title: Local Groups Discovery
+id: 676381a6-15ca-4d73-a9c8-6a22e970b90d
+status: experimental
+description: Detects enumeration of local system groups
+author: Ömer Günal, Alejandro Ortuno, oscd.community
+date: 2020/10/11
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md
+logsource:
+  category: process_creation
+  product: linux
+detection:
+  selection_1:
+    Image|endswith:
+      - '/groups'
+  selection_2:
+    Image|endswith:
+      - '/cat'
+    CommandLine|contains:
+      - '/etc/group'
+  condition: 1 of them
+falsepositives:
+  - Legitimate administration activities
+level: low
+tags:
+  - attack.discovery
+  - attack.t1069.001

rules/linux/lnx_network_service_scanning.yml

@@ -0,0 +1,47 @@
+action: global
+title: Linux Network Service Scanning
+id: 3e102cd9-a70d-4a7a-9508-403963092f31
+status: experimental
+description: Detects enumeration of local or remote network services.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/21
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md
+falsepositives:
+  - Legitimate administration activities
+level: low
+tags:
+  - attack.discovery
+  - attack.t1046
+---
+logsource:
+  category: process_creation
+  product: linux
+  definition: 'Detect netcat and filter our listening mode'
+detection:
+  netcat:
+    Image|endswith:
+      - '/nc'
+      - '/netcat'
+  network_scanning_tools:
+    Image|endswith:
+      - '/telnet' # could be wget, curl, ssh, many things. basically everything that is able to do network connection. consider fine tuning
+      - '/nmap'
+  netcat_listen_flag:
+    CommandLine|contains: 'l'
+  condition: (netcat and not netcat_listen_flag) or network_scanning_tools
+---
+logsource:
+  product: linux
+  service: auditd
+  definition: 'Configure these rules https://github.com/Neo23x0/auditd/blob/master/audit.rules#L182-L183'
+detection:
+  selection:
+    type: 'SYSCALL'
+    exe|endswith:
+      - '/telnet'
+      - '/nmap'
+      - '/netcat'
+      - '/nc'
+    key: 'network_connect_4'
+  condition: selection

rules/linux/lnx_password_policy_discovery.yml

@@ -0,0 +1,25 @@
+title: Password Policy Discovery
+id: ca94a6db-8106-4737-9ed2-3e3bb826af0a
+status: stable
+description: Detects password policy discovery commands
+author: Ömer Günal, oscd.community
+date: 2020/10/08
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md
+logsource:
+    service: auditd
+detection:
+    selection:
+      type: 'PATH'
+      name:
+          - '/etc/pam.d/common-password'
+          - '/etc/security/pwquality.conf'
+          - '/etc/pam.d/system-auth'
+          - '/etc/login.defs'
+    condition: selection
+falsepositives:
+    - Legitimate administration activities
+level: low
+tags:
+    - attack.discovery
+    - attack.t1201

rules/linux/lnx_process_discovery.yml

@@ -0,0 +1,23 @@
+title: Process Discovery
+id: 4e2f5868-08d4-413d-899f-dc2f1508627b
+status: stable
+description: Detects process discovery commands
+author: Ömer Günal, oscd.community
+date: 2020/10/06
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md
+logsource:
+    product: linux
+    category: process_creation
+detection:
+    selection:
+        - Image|endswith:
+          - '/ps'
+          - '/top'
+    condition: selection
+falsepositives:
+    - Legitimate administration activities
+level: informational
+tags:
+    - attack.discovery
+    - attack.t1057

rules/linux/lnx_remote_system_discovery.yml

@@ -0,0 +1,45 @@
+title: Linux Remote System Discovery
+id: 11063ec2-de63-4153-935e-b1a8b9e616f1
+status: experimental
+description: Detects the enumeration of other remote systems.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/22
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
+logsource:
+  category: process_creation
+  product: linux
+detection:
+  selection_1:
+    Image|endswith: '/arp'
+    CommandLine|contains: '-a'
+  selection_2:
+    Image|endswith: '/ping'
+    CommandLine|contains:
+      - ' 10.' #10.0.0.0/8
+      - ' 192.168.' #192.168.0.0/16
+      - ' 172.16.' #172.16.0.0/12
+      - ' 172.17.'
+      - ' 172.18.'
+      - ' 172.19.'
+      - ' 172.20.'
+      - ' 172.21.'
+      - ' 172.22.'
+      - ' 172.23.'
+      - ' 172.24.'
+      - ' 172.25.'
+      - ' 172.26.'
+      - ' 172.27.'
+      - ' 172.28.'
+      - ' 172.29.'
+      - ' 172.30.'
+      - ' 172.31.'
+      - ' 127.' #127.0.0.0/8
+      - ' 169.254.' #169.254.0.0/16
+  condition: 1 of them
+falsepositives:
+  - Legitimate administration activities
+level: low
+tags:
+  - attack.discovery
+  - attack.t1018

rules/linux/lnx_schedule_task_job_cron.yml

@@ -0,0 +1,26 @@
+title: Scheduled Cron Task/Job
+id: 6b14bac8-3e3a-4324-8109-42f0546a347f
+status: experimental
+description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/06
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
+logsource:
+  category: process_creation
+  product: linux
+detection:
+  selection:
+    Image|endswith:
+      - 'crontab'
+    CommandLine|contains:
+      - '/tmp/'
+  condition: selection
+falsepositives:
+    - Legitimate administration activities
+level: medium
+tags:
+    - attack.execution
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1053.003

rules/linux/lnx_security_software_discovery.yml

@@ -0,0 +1,31 @@
+title: Security Software Discovery
+id: c9d8b7fd-78e4-44fe-88f6-599135d46d60
+status: experimental
+description: Detects usage of system utilities (only grep for now) to discover security software discovery
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md
+logsource:
+  category: process_creation
+  product: linux
+detection:
+  grep_execution:
+    Image|endswith: '/grep'
+  security_services_and_processes:
+    CommandLine|contains: 
+      - 'nessusd'        # nessus vulnerability scanner
+      - 'td-agent'       # fluentd log shipper
+      - 'packetbeat'     # elastic network logger/shipper
+      - 'filebeat'       # elastic log file shipper
+      - 'auditbeat'      # elastic auditing agent/log shipper
+      - 'osqueryd'       # facebook osquery
+      - 'cbagentd'       # carbon black
+      - 'falcond'        # crowdstrike falcon
+  condition: grep_execution and security_services_and_processes
+falsepositives:
+  - Legitimate activities
+level: low
+tags:
+  - attack.discovery
+  - attack.t1518.001

rules/linux/lnx_security_tools_disabling.yml

@@ -1,34 +1,97 @@
+action: global
 title: Disabling Security Tools
 id: e3a8a052-111f-4606-9aee-f28ebeb76776
 status: experimental
 description: Detects disabling security tools
-author: Ömer Günal
+author: Ömer Günal, Alejandro Ortuno, oscd.community
 date: 2020/06/17
 references:
-    - https://attack.mitre.org/techniques/T1089/
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1089/T1089.md
-logsource:
-    product: linux
-detection:
-    keywords:
-        - Command|contains:
-          - 'service iptables stop'
-          - 'chkconfig off iptables'
-          - 'service ip6tables stop'
-          - 'chkconfig off ip6tables'
-        - CarbonBlack|contains:
-          - 'service cbdaemon stop'
-          - 'chkconfig off cbdaemon'
-          - 'systemctl stop cbdaemon'
-          - 'systemctl disable cbdaemon'
-        - SELinux:
-          - 'setenforce 0'
-        - Crowdstrike|contains:
-          - 'systemctl stop falcon-sensor.service'
-          - 'systemctl disable falcon-sensor.service'
-    condition: keywords
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md
 falsepositives:
     - Legitimate administration activities
 level: medium
 tags:
-    - attack.defense_evasion
+    - attack.defense_evasion
+    - attack.t1562.004
+    - attack.t1089
+---
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    iptables_1:
+        Image|endswith: '/service'
+        CommandLine|contains|all:
+          - 'iptables'
+          - 'stop'
+    iptables_2:
+        Image|endswith: '/service'
+        CommandLine|contains|all:
+          - 'ip6tables'
+          - 'stop'
+    iptables_3:
+        Image|endswith: '/chkconfig'
+        CommandLine|contains|all:
+          - 'iptables'
+          - 'stop'
+    iptables_4:
+        Image|endswith: '/chkconfig'
+        CommandLine|contains|all:
+          - 'ip6tables'
+          - 'stop'
+    firewall_1:
+        Image|endswith: '/systemctl'
+        CommandLine|contains|all:
+          - 'firewalld'
+          - 'stop'
+    firewall_2:
+        Image|endswith: '/systemctl'
+        CommandLine|contains|all:
+          - 'firewalld'
+          - 'disable'
+    carbonblack_1:
+        Image|endswith: '/service'
+        CommandLine|contains|all:
+          - 'cbdaemon'
+          - 'stop'
+    carbonblack_2:
+        Image|endswith: '/chkconfig'
+        CommandLine|contains|all:
+          - 'cbdaemon'
+          - 'off'
+    carbonblack_3:
+        Image|endswith: '/systemctl'
+        CommandLine|contains|all:
+          - 'cbdaemon'
+          - 'stop'
+    carbonblack_4:
+        Image|endswith: '/systemctl'
+        CommandLine|contains|all:
+          - 'cbdaemon'
+          - 'disable'
+    selinux:
+        Image|endswith: '/setenforce'
+        CommandLine|contains: '0'
+    crowdstrike_1:
+        Image|endswith: '/systemctl'
+        CommandLine|contains|all:
+          - 'stop'
+          - 'falcon-sensor'
+    crowdstrike_2:
+        Image|endswith: '/systemctl'
+        CommandLine|contains|all:
+          - 'disable'
+          - 'falcon-sensor'
+    condition: 1 of them
+---
+logsource:
+    product: linux
+    service: syslog
+detection: 
+    keywords:
+        - '*stopping iptables*'
+        - '*stopping ip6tables*'
+        - '*stopping firewalld*'
+        - '*stopping cbdaemon*'
+        - '*stopping falcon-sensor*'
+    condition: keywords

rules/linux/lnx_split_file_into_pieces.yml

@@ -0,0 +1,26 @@
+title: 'Split A File Into Pieces'
+id: 2dad0cba-c62a-4a4f-949f-5f6ecd619769
+status: experimental
+description: 'Detection use of the command "split" to split files into parts and possible transfer.'
+  # For this rule to work execve auditing / file system auditing with "execute access" to specific binaries must be configured
+  # Example config (place it at the bottom of audit.rules)
+  # -a always,exit -F arch=b32 -S execve -k execve
+  # -a always,exit -F arch=b64 -S execve -k execve
+author: 'Igor Fits, oscd.community'
+date: 2020/10/15
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'SYSCALL'
+        comm: 'split'
+    condition: selection
+falsepositives:
+    - 'Legitimate administrative activity'
+level: low
+tags:
+    - attack.exfiltration
+    - attack.t1030

rules/linux/lnx_sudo_cve_2019_14287.yml

@@ -30,4 +30,4 @@ detection:
         USER:
             - '#-*'
             - '#*4294967295'
-    condition: selection_user
+    condition: selection_user

rules/linux/lnx_susp_histfile_operations.yml

@@ -0,0 +1,42 @@
+title: 'Suspicious History File Operations'
+id: eae8ce9f-bde9-47a6-8e79-f20d18419910
+status: experimental
+description: 'Detects commandline operations on shell history files'
+    # Rule detects presence of various shell history files in process commandline
+    # Normally user expected to view own history with dedicated 'history' command and not some other tools
+    # There is a possibility for rule to trigger, when T1070.003 techinuque is used (history file cleared)
+    # For this rule to work execve auditing must be configured
+    # Example config (place it at the bottom of audit.rules)
+    # -a always,exit -F arch=b32 -S execve -k execve
+    # -a always,exit -F arch=b64 -S execve -k execve
+author: 'Mikhail Larin, oscd.community'
+date: 2020/10/17
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: EXECVE
+        keywords|contains:
+            - '.bash_history'
+            - '.zsh_history'
+            - '.zhistory'
+            - '.history'
+            - '.sh_history'
+            - 'fish_history'
+    condition: selection
+fields:
+    - a0
+    - a1
+    - a2
+    - a3
+    - key
+falsepositives:
+    - 'Legitimate administrative activity'
+    - 'Ligitimate software, cleaning hist file'
+level: medium
+tags:
+    - attack.credential_access
+    - attack.t1552.003

rules/linux/lnx_susp_named.yml

@@ -20,4 +20,4 @@ falsepositives:
 level: high
 tags:
     - attack.initial_access
-    - attack.t1190
+    - attack.t1190

rules/linux/lnx_susp_ssh.yml

@@ -30,4 +30,4 @@ falsepositives:
 level: medium
 tags:
     - attack.initial_access
-    - attack.t1190
+    - attack.t1190

rules/linux/lnx_system_info_discovery.yml

@@ -0,0 +1,48 @@
+action: global
+title: System Information Discovery
+id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239
+status: stable
+description: Detects system information discovery commands
+author: Ömer Günal, oscd.community
+date: 2020/10/08
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md
+falsepositives:
+    - Legitimate administration activities
+level: informational
+tags:
+    - attack.discovery
+    - attack.t1082
+---
+logsource:
+    product: linux
+    categories: process_creation
+detection:
+    selection:
+        Image|endswith:
+          - '/uname'
+          - '/hostname'
+          - '/uptime'
+          - '/lspci'
+          - '/dmidecode'
+          - '/lscpu'
+          - '/lsmod'
+    condition: selection
+---
+logsource:
+    product: linux
+    categories: auditd
+detection:
+    selection:
+      type: 'PATH'
+      name:
+          - '/sys/class/dmi/id/bios_version'
+          - '/sys/class/dmi/id/product_name'
+          - '/sys/class/dmi/id/chassis_vendor'
+          - '/proc/scsi/scsi'
+          - '/proc/ide/hd0/model'
+          - '/proc/version'
+          - '/etc/*version'
+          - '/etc/*release'
+          - '/etc/issue'
+    condition: selection

rules/linux/lnx_system_network_connections_discovery.yml

@@ -0,0 +1,26 @@
+title: System Network Connections Discovery
+id: 4c519226-f0cd-4471-bd2f-6fbb2bb68a79
+status: experimental
+description: Detects usage of system utilities to discover system network connections
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md
+logsource:
+  category: process_creation
+  product: linux
+detection:
+  selection:
+    Image|endswith: 
+      - '/who'
+      - '/w'
+      - '/last'
+      - '/lsof'
+      - '/netstat'
+  condition: selection
+falsepositives:
+  - Legitimate activities
+level: low
+tags:
+  - attack.discovery
+  - attack.t1049

rules/linux/lnx_system_network_discovery.yml

@@ -0,0 +1,32 @@
+title: System Network Discovery - Linux
+id: e7bd1cfa-b446-4c88-8afb-403bcd79e3fa
+status: experimental
+description: Detects enumeration of local network configuration
+author: Ömer Günal and remotephone, oscd.community
+date: 2020/10/06
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection1:
+        Image|endswith:
+            - '/firewall-cmd'
+            - '/ufw'
+            - '/iptables'
+            - '/netstat'
+            - '/ss'
+            - '/ip'
+            - '/ifconfig'
+            - '/systemd-resolve'
+            - '/route'
+    selection2:
+        CommandLine|contains: '/etc/resolv.conf'
+    condition: selection1 or selection2
+falsepositives:
+    - Legitimate administration activities
+level: informational
+tags:
+    - attack.discovery
+    - attack.t1016

rules/linux/lnx_system_shutdown_reboot.yml

@@ -0,0 +1,40 @@
+title: 'System Shutdown/Reboot'
+id: 4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f
+status: experimental
+description: 'Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.'
+  # For this rule to work execve auditing must be configured
+  # Example config (place it at the bottom of audit.rules)
+  # -a always,exit -F arch=b32 -S execve -k execve
+  # -a always,exit -F arch=b64 -S execve -k execve
+author: 'Igor Fits, oscd.community'
+date: 2020/10/15
+references:
+    - hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection1:
+       type: 'EXECVE'
+       keywords|contains:
+              - 'shutdown'
+              - 'reboot'
+              - 'halt'
+              - 'poweroff'
+    selection2:
+       type: 'EXECVE'
+       keywords|contains:
+              - 'init'
+              - 'telinit'
+    selection3:
+        type: 'EXECVE'
+        keywords|contains:
+              - '0'
+              - '6'
+    condition: selection1 or (selection2 and selection3)
+falsepositives:
+    - 'Legitimate administrative activity'
+level: informational
+tags:
+    - attack.impact
+    - attack.t1529

rules/linux/macos_applescript.yml

@@ -0,0 +1,24 @@
+title: MacOS Scripting Interpreter AppleScript
+id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
+status: experimental
+description: Detects execution of AppleScript of the macOS scripting language AppleScript.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/21
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md
+logsource:
+  category: process_creation
+  product: macos
+detection:
+  selection:
+    Image|endswith:
+      - '/osascript'
+    CommandLine|contains|all:
+      - '-e'
+  condition: selection
+falsepositives:
+  - Application installers might contain scripts as part of the installation process.
+level: medium
+tags:
+  - attack.execution
+  - attack.t1059.002

rules/linux/macos_base64_decode.yml

@@ -0,0 +1,22 @@
+title: Decode Base64 Encoded Text
+id: 719c22d7-c11a-4f2c-93a6-2cfdd5412f68
+status: experimental
+description: Detects usage of base64 utility to decode arbitrary base64-encoded text
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md
+logsource:
+  category: process_creation
+  product: macos
+detection:
+  base64_execution:
+    Image: '/usr/bin/base64'
+    CommandLine|contains: '-d'
+  condition: base64_execution
+falsepositives:
+  - Legitimate activities
+level: low
+tags:
+  - attack.defense_evasion
+  - attack.t1027

rules/linux/macos_binary_padding.yml

@@ -0,0 +1,33 @@
+title: 'Binary Padding'
+id: 95361ce5-c891-4b0a-87ca-e24607884a96
+status: experimental
+description: 'Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.'
+    # For this rule to work you must enable audit of process execution in OpenBSM, see
+    # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
+author: 'Igor Fits, Mikhail Larin, oscd.community'
+date: 2020/10/19
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md
+logsource:
+    product: macos
+    category: process_creation
+detection:
+    selection1:
+        Image|endswith:
+             - '/truncate'
+        CommandLine|contains:
+             - '-s'
+    selection2:
+        Image|endswith:
+             - '/dd'
+        CommandLine|contains:
+             - 'if='
+    filter:
+        CommandLine|contains: 'of='
+    condition: selection1 or (selection2 and not filter)
+falsepositives:
+    - 'Legitimate script work'
+level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1027.001

rules/linux/macos_change_file_time_attr.yml

@@ -0,0 +1,29 @@
+title: 'File Time Attribute Change'
+id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
+status: experimental
+description: 'Detect file time attribute change to hide new or changes to existing files.'
+    # For this rule to work you must enable audit of process execution in OpenBSM, see
+    # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
+author: 'Igor Fits, Mikhail Larin, oscd.community'
+date: 2020/10/19
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
+logsource:
+    product: macos
+    category: process_creation
+detection:
+    selection1:
+        Image|endswith: '/touch'
+    selection2:
+        CommandLine|contains:
+         - '-t'
+         - '-acmr'
+         - '-d'
+         - '-r'
+    condition: selection1 and selection2
+falsepositives:
+    - 'Unknown'
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1070.006

rules/linux/macos_clear_system_logs.yml

@@ -0,0 +1,27 @@
+title: Indicator Removal on Host - Clear Mac System Logs
+id: acf61bd8-d814-4272-81f0-a7a269aa69aa
+status: experimental
+description: Detects deletion of local audit logs
+author: remotephone, oscd.community
+date: 2020/10/11
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md
+logsource:
+    product: macos
+    category: process_creation
+detection:
+    selection1:
+      - Image|endswith: '/rm'
+    selection2:
+        CommandLine|contains: '/var/log'
+    selection3:
+        Commandline|contains|all:
+            - '/Users/'
+            - '/Library/Logs/'
+    condition: selection1 and (selection2 or selection3)
+falsepositives:
+    - Legitimate administration activities
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1070.002

rules/linux/macos_create_account.yml

@@ -0,0 +1,25 @@
+title: Creation Of A Local User Account
+id: 51719bf5-e4fd-4e44-8ba8-b830e7ac0731
+status: experimental
+description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/06
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md
+logsource:
+  category: process_creation
+  product: macos
+detection:
+  selection:
+    Image|endswith:
+      - '/dscl'
+    CommandLine|contains:
+      - 'create'
+  condition: selection
+falsepositives:
+  - Legitimate administration activities
+level: low
+tags:
+    - attack.t1136    # an old one
+    - attack.t1136.001
+    - attack.persistence

rules/linux/macos_create_hidden_account.yml

@@ -0,0 +1,33 @@
+title: Hidden User Creation
+id: b22a5b36-2431-493a-8be1-0bae56c28ef3
+status: experimental
+description: Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/10
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md
+logsource:
+  category: process_creation
+  product: macos
+detection:
+  dscl_create:
+    Image|endswith: '/dscl'
+    CommandLine|contains: 'create'
+  id_below_500:
+    CommandLine|contains: UniqueID
+    CommandLine|re: '([0-9]|[1-9][0-9]|[1-4][0-9]{2})'
+  ishidden_option_declaration:
+    CommandLine|contains: 'IsHidden'
+  ishidden_option_confirmation:
+    CommandLine|contains:
+      - 'true'
+      - 'yes'
+      - '1'
+  condition: dscl_create and id_below_500 or
+             dscl_create and (ishidden_option_declaration and ishidden_option_confirmation)
+falsepositives:
+  - Legitimate administration activities
+level: medium
+tags:
+  - attack.defense_evasion
+  - attack.t1564.002

rules/linux/macos_creds_from_keychain.yml

@@ -0,0 +1,29 @@
+title: Credentials from Password Stores - Keychain
+id: b120b587-a4c2-4b94-875d-99c9807d6955
+status: experimental
+description: Detects passwords dumps from Keychain
+author: Tim Ismilyaev, oscd.community, Florian Roth
+date: 2020/10/19
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md
+    - https://gist.github.com/Capybara/6228955
+logsource:
+    category: process_creation
+    product: macos
+detection:
+    selection1:
+        Image: '/usr/bin/security'
+        CommandLine|contains:
+            - 'find-certificate'
+            - ' export '
+    selection2:
+        CommandLine|contains:
+            - ' dump-keychain '
+            - ' login-keychain '
+    condition: 1 of them
+falsepositives:
+    - Legitimate administration activities
+level: medium
+tags:
+    - attack.credential_access
+    - attack.t1555.001

rules/linux/macos_disable_security_tools.yml

@@ -0,0 +1,42 @@
+title: Disable Security Tools
+id: ff39f1a6-84ac-476f-a1af-37fcdf53d7c0
+status: experimental
+description: Detects disabling security tools
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+logsource:
+  category: process_creation
+  product: macos
+detection:
+  launchctl_unload:
+    Image: '/bin/launchctl'
+    CommandLine|contains: 'unload'
+  security_plists:
+    CommandLine|contains:
+      - 'com.objective-see.lulu.plist'                     # Objective-See firewall management utility
+      - 'com.objective-see.blockblock.plist'               # Objective-See persistence locations watcher/blocker
+      - 'com.google.santad.plist'                          # google santa
+      - 'com.carbonblack.defense.daemon.plist'             # carbon black
+      - 'com.carbonblack.daemon.plist'                     # carbon black
+      - 'at.obdev.littlesnitchd.plist'                     # Objective Development Software firewall management utility
+      - 'com.tenablesecurity.nessusagent.plist'            # Tenable Nessus
+      - 'com.opendns.osx.RoamingClientConfigUpdater.plist' # OpenDNS Umbrella
+      - 'com.crowdstrike.falcond.plist'                    # Crowdstrike Falcon
+      - 'com.crowdstrike.userdaemon.plist'                 # Crowdstrike Falcon
+      - 'osquery'                                          # facebook osquery
+      - 'filebeat'                                         # elastic log file shipper
+      - 'auditbeat'                                        # elastic auditing agent/log shipper
+      - 'packetbeat'                                       # elastic network logger/shipper
+      - 'td-agent'                                         # fluentd log shipper
+  disable_gatekeeper:
+    Image: '/usr/sbin/spctl'
+    CommandLine|contains: 'disable'
+  condition: (launchctl_unload and security_plists) or disable_gatekeeper
+falsepositives:
+  - Legitimate activities
+level: medium
+tags:
+  - attack.defense_evasion
+  - attack.t1562.001

rules/linux/macos_emond_launch_daemon.yml

@@ -0,0 +1,26 @@
+title: MacOS Emond Launch Daemon
+id: 23c43900-e732-45a4-8354-63e4a6c187ce
+status: experimental
+description: Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/23
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md
+    - https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
+logsource:
+  category: file_event
+  product: macos
+detection:
+  selection_1:
+    TargetFilename|contains: '/etc/emond.d/rules/'
+    TargetFilename|endswith: '.plist'
+  selection_2:
+    TargetFilename|contains: '/private/var/db/emondClients/'
+  condition: selection_1 or selection_2
+falsepositives:
+    - Legitimate administration activities
+level: medium
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1546.014

rules/linux/macos_file_and_directory_discovery.yml

@@ -0,0 +1,31 @@
+title: File and Directory Discovery
+id: 089dbdf6-b960-4bcc-90e3-ffc3480c20f6
+status: experimental
+description: Detects usage of system utilities to discover files and directories
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md
+logsource:
+  category: process_creation
+  product: macos
+detection:
+  file_with_asterisk:
+    Image: '/usr/bin/file'
+    CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline
+  recursive_ls:
+    Image: '/bin/ls'
+    CommandLine|contains: '-R'
+  find_execution:
+    Image: '/usr/bin/find'
+  mdfind_execution:
+    Image: '/usr/bin/mdfind'
+  tree_execution|endswith:
+    Image: '/tree'
+  condition: 1 of them
+falsepositives:
+  - Legitimate activities
+level: informational
+tags:
+  - attack.discovery
+  - attack.t1083

rules/linux/macos_find_cred_in_files.yml

@@ -0,0 +1,28 @@
+title: 'Credentials In Files'
+id: df3fcaea-2715-4214-99c5-0056ea59eb35
+status: experimental
+description: 'Detecting attempts to extract passwords with grep and laZagne'
+    # For this rule to work you must enable audit of process execution in OpenBSM, see
+    # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
+author: 'Igor Fits, Mikhail Larin, oscd.community'
+date: 2020/10/19
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
+logsource:
+    product: macos
+    category: process_creation
+detection:
+    selection1:
+        Image|endswith:
+          - '/grep'
+        CommandLine|contains:
+          - 'password'
+    selection2:
+        CommandLine|contains: 'laZagne'
+    condition: selection1 or selection2
+falsepositives:
+    - 'Unknown'
+level: high
+tags:
+    - attack.credential_access
+    - attack.t1552.001

rules/linux/macos_gui_input_capture.yml

@@ -0,0 +1,39 @@
+title: GUI Input Capture - macOS
+id: 60f1ce20-484e-41bd-85f4-ac4afec2c541
+status: experimental
+description: Detects attempts to use system dialog prompts to capture user credentials
+author: remotephone, oscd.community
+date: 2020/10/13
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md
+    - https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/
+logsource:
+    product: macos
+    category: process_creation
+detection:
+    selection1:
+        Image:
+            - '/usr/sbin/osascript'
+    selection2:
+        Commandline|contains|all:
+            - '-e'
+            - 'display'
+            - 'dialog'
+            - 'answer'
+    selection3:
+        Commandline|contains:
+            - 'admin'
+            - 'administrator'
+            - 'authenticate'
+            - 'authentication'
+            - 'credentials'
+            - 'pass'
+            - 'password'
+            - 'unlock'
+    condition: all of them
+falsepositives:
+    - Legitimate administration tools and activities
+level: low
+tags:
+    - attack.credential_access
+    - attack.t1056.002

rules/linux/macos_local_account.yml

@@ -0,0 +1,48 @@
+title: Local System Accounts Discovery
+id: ddf36b67-e872-4507-ab2e-46bda21b842c
+status: experimental
+description: Detects enumeration of local systeam accounts on MacOS
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/08
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md
+logsource:
+  category: process_creation
+  product: macos
+detection:
+  selection_1:
+    Image|endswith:
+      - '/dscl'
+    CommandLine|contains|all:
+      - 'list'
+      - '/users'
+  selection_2:
+    Image|endswith:
+      - '/dscacheutil'
+    CommandLine|contains|all:
+      - '-q'
+      - 'user'
+  selection_3:
+    CommandLine|contains:
+      - "'x:0:'"
+  selection_4:
+    Image|endswith:
+      - '/cat'
+    CommandLine|contains:
+      - '/etc/passwd'
+      - '/etc/sudoers'
+  selection_5:
+    Image|endswith:
+      - '/id'
+  selection_6:
+    Image|endswith:
+      - '/lsof'
+    CommandLine|contains:
+      - '-u'
+  condition: 1 of them
+falsepositives:
+  - Legitimate administration activities
+level: low
+tags:
+  - attack.discovery
+  - attack.t1087.001

rules/linux/macos_local_groups.yml

@@ -0,0 +1,36 @@
+title: Local Groups Discovery
+id: 89bb1f97-c7b9-40e8-b52b-7d6afbd67276
+status: experimental
+description: Detects enumeration of local system groups
+author: Ömer Günal, Alejandro Ortuno, oscd.community
+date: 2020/10/11
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md
+logsource:
+  category: process_creation
+  product: macos
+detection:
+  selection_1:
+    Image|endswith:
+      - '/dscacheutil'
+    CommandLine|contains|all:
+      - '-q'
+      - 'group'
+  selection_2:
+    Image|endswith:
+      - '/cat'
+    CommandLine|contains:
+      - '/etc/group'
+  selection_3:
+    Image|endswith:
+      - '/dscl'
+    CommandLine|contains|all:
+      - '-list'
+      - '/groups'
+  condition: 1 of them
+falsepositives:
+  - Legitimate administration activities
+level: informational
+tags:
+  - attack.discovery
+  - attack.t1069.001

rules/linux/macos_network_service_scanning.yml

@@ -0,0 +1,29 @@
+title: MacOS Network Service Scanning
+id: 84bae5d4-b518-4ae0-b331-6d4afd34d00f
+status: experimental
+description: Detects enumeration of local or remote network services.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/21
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md
+logsource:
+  category: process_creation
+  product: macos
+detection:
+  selection_1:
+    Image|endswith:
+      - '/nc'
+      - '/netcat'
+  selection_2:
+    Image|endswith:
+      - '/nmap'
+      - '/telnet'
+  filter:
+    CommandLine|contains: 'l'
+  condition: (selection_1 and not filter) or selection_2 
+falsepositives:
+  - Legitimate administration activities
+level: low
+tags:
+  - attack.discovery
+  - attack.t1046

rules/linux/macos_network_sniffing.yml

@@ -0,0 +1,24 @@
+title: Network Sniffing
+id: adc9bcc4-c39c-4f6b-a711-1884017bf043
+status: experimental
+description: Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/14
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
+logsource:
+  category: process_creation
+  product: macos
+detection:
+  selection:
+    Image|endswith:
+      - '/tcpdump'
+      - '/tshark'
+  condition: selection
+falsepositives:
+  - Legitimate administration activities
+level: informational
+tags:
+  - attack.discovery
+  - attack.credential_access
+  - attack.t1040

rules/linux/macos_remote_system_discovery.yml

@@ -0,0 +1,48 @@
+title: Macos Remote System Discovery
+id: 11063ec2-de63-4153-935e-b1a8b9e616f1
+status: experimental
+description: Detects the enumeration of other remote systems.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/22
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
+logsource:
+  category: process_creation
+  product: macos
+detection:
+  selection_1:
+    Image|endswith:
+      - '/arp'
+    CommandLine|contains:
+      - '-a'
+  selection_2:
+    Image|endswith:
+      - '/ping'
+    CommandLine|contains:
+      - ' 10.' #10.0.0.0/8
+      - ' 192.168.' #192.168.0.0/16
+      - ' 172.16.' #172.16.0.0/12
+      - ' 172.17.'
+      - ' 172.18.'
+      - ' 172.19.'
+      - ' 172.20.'
+      - ' 172.21.'
+      - ' 172.22.'
+      - ' 172.23.'
+      - ' 172.24.'
+      - ' 172.25.'
+      - ' 172.26.'
+      - ' 172.27.'
+      - ' 172.28.'
+      - ' 172.29.'
+      - ' 172.30.'
+      - ' 172.31.'
+      - ' 127.' #127.0.0.0/8
+      - ' 169.254.' #169.254.0.0/16
+  condition: 1 of them
+falsepositives:
+  - Legitimate administration activities
+level: informational
+tags:
+  - attack.discovery
+  - attack.t1018

rules/linux/macos_schedule_task_job_cron.yml

@@ -0,0 +1,26 @@
+title: Scheduled Cron Task/Job
+id: 7c3b43d8-d794-47d2-800a-d277715aa460
+status: experimental
+description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/06
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
+logsource:
+  category: process_creation
+  product: macos
+detection:
+  selection:
+    Image|endswith:
+      - '/crontab'
+    CommandLine|contains:
+      - '/tmp/'
+  condition: selection
+falsepositives:
+    - Legitimate administration activities
+level: medium
+tags:
+    - attack.execution
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1053.003

rules/linux/macos_screencapture.yml

@@ -0,0 +1,22 @@
+title: Screen Capture - macOS
+id: 0877ed01-da46-4c49-8476-d49cdd80dfa7
+status: experimental
+description: Detects attempts to use screencapture to collect macOS screenshots
+author: remotephone, oscd.community
+date: 2020/10/13
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md
+    - https://github.com/BC-SECURITY/Empire/blob/master/lib/modules/python/collection/osx/screenshot.py
+logsource:
+    product: macos
+    category: process_creation
+detection:
+    selection:
+        Image: '/usr/sbin/screencapture'
+    condition: selection
+falsepositives:
+    - Legitimate user activity taking screenshots
+level: low
+tags:
+    - attack.collection
+    - attack.t1113

rules/linux/macos_security_software_discovery.yml

@@ -0,0 +1,39 @@
+title: Security Software Discovery
+id: 0ed75b9c-c73b-424d-9e7d-496cd565fbe0
+status: experimental
+description: Detects usage of system utilities (only grep for now) to discover security software discovery
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md
+logsource:
+  category: process_creation
+  product: macos
+detection:
+  grep_execution:
+    Image: '/usr/bin/grep'
+  security_services_and_processes:
+    CommandLine|contains:
+      - 'nessusd'        # nessus vulnerability scanner
+      - 'santad'         # google santa
+      - 'CbDefense'      # carbon black
+      - 'falcond'        # crowdstrike falcon
+      - 'td-agent'       # fluentd log shipper
+      - 'packetbeat'     # elastic network logger/shipper
+      - 'filebeat'       # elastic log file shipper
+      - 'auditbeat'      # elastic auditing agent/log shipper
+      - 'osqueryd'       # facebook osquery
+      - 'BlockBlock'     # Objective-See persistence locations watcher/blocker
+      - 'LuLu'           # Objective-See firewall management utility
+  little_snitch_process: # Objective Development Software firewall management utility
+    CommandLine|contains|all:
+      - 'Little'
+      - 'Snitch'
+  condition: grep_execution and security_services_and_processes or
+             grep_execution and little_snitch_process
+falsepositives:
+  - Legitimate activities
+level: medium
+tags:
+  - attack.discovery
+  - attack.t1518.001

rules/linux/macos_split_file_into_pieces.yml

@@ -0,0 +1,23 @@
+title: 'Split A File Into Pieces'
+id: 7f2bb9d5-6395-4de5-969c-70c11fbe6b12
+status: experimental
+description: 'Detection use of the command "split" to split files into parts and possible transfer.'
+    # For this rule to work you must enable audit of process execution in OpenBSM, see link
+    # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
+author: 'Igor Fits, Mikhail Larin, oscd.community'
+date: 2020/10/15
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md
+logsource:
+    product: macos
+    category: process_creation
+detection:
+    selection:
+        Image|endswith: '/split'
+    condition: selection
+falsepositives:
+    - 'Legitimate administrative activity'
+level: low
+tags:
+    - attack.exfiltration
+    - attack.t1030

rules/linux/macos_startup_items.yml

@@ -0,0 +1,24 @@
+title: Startup Items
+id: dfe8b941-4e54-4242-b674-6b613d521962
+status: experimental
+description: Detects creation of startup item plist files that automatically get executed at boot initialization to establish persistence.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/14
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md
+logsource:
+  category: file_event
+  product: macos
+detection:
+  selection_1:
+    TargetFilename|contains: '/Library/StartupItems/'
+  selection_2:
+    TargetFilename|endswith: '.plist'
+  condition: selection_1 and selection_2
+falsepositives:
+    - Legitimate administration activities
+level: low
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1037.005

rules/linux/macos_susp_histfile_operations.yml

@@ -0,0 +1,33 @@
+title: 'Suspicious History File Operations'
+id: 508a9374-ad52-4789-b568-fc358def2c65
+status: experimental
+description: 'Detects commandline operations on shell history files'
+    # Rule detects presence of various shell history files in process commandline
+    # Normally user expected to view own history with dedicated 'history' command and not some other tools
+    # There is a possibility for rule to trigger, when T1070.003 techinuque is used (history file cleared)
+    # For this rule to work you must enable audit of process execution in OpenBSM, see
+    # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
+author: 'Mikhail Larin, oscd.community'
+date: 2020/10/17
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md
+logsource:
+    product: macos
+    category: process_creation
+detection:
+    selection:
+        CommandLine|contains:
+            - '.bash_history'
+            - '.zsh_history'
+            - '.zhistory'
+            - '.history'
+            - '.sh_history'
+            - 'fish_history'
+    condition: selection
+falsepositives:
+    - 'Legitimate administrative activity'
+    - 'Ligitimate software, cleaning hist file'
+level: medium
+tags:
+    - attack.credential_access
+    - attack.t1552.003

rules/linux/macos_system_network_connections_discovery.yml

@@ -0,0 +1,26 @@
+title: System Network Connections Discovery
+id: 9a7a0393-2144-4626-9bf1-7c2f5a7321db
+status: experimental
+description: Detects usage of system utilities to discover system network connections
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md
+logsource:
+  category: process_creation
+  product: macos
+detection:
+  selection:
+    Image:
+      - '/usr/bin/who'
+      - '/usr/bin/w'
+      - '/usr/bin/last'
+      - '/usr/sbin/lsof'
+      - '/usr/sbin/netstat'
+  condition: selection
+falsepositives:
+  - Legitimate activities
+level: informational
+tags:
+  - attack.discovery
+  - attack.t1049

rules/linux/macos_system_network_discovery.yml

@@ -0,0 +1,32 @@
+title: System Network Discovery - macOS
+id: 58800443-f9fc-4d55-ae0c-98a3966dfb97
+status: experimental
+description: Detects enumeration of local network configuration
+author: remotephone, oscd.community
+date: 2020/10/06
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
+logsource:
+    product: macos
+    category: process_creation
+detection:
+    selection1:
+        Image:
+            - '/usr/sbin/netstat'
+            - '/sbin/ifconfig'
+            - '/usr/sbin/ipconfig'
+            - '/usr/libexec/ApplicationFirewall/socketfilterfw'
+            - '/usr/sbin/networksetup'
+            - '/usr/sbin/arp'
+    selection2:
+        Image: '/usr/bin/defaults'
+        Commandline|contains|all:
+            - 'read'
+            - '/Library/Preferences/com.apple.alf'
+    condition: selection1 or selection2
+falsepositives:
+    - Legitimate administration activities
+level: informational
+tags:
+    - attack.discovery
+    - attack.t1016

rules/linux/macos_system_shutdown_reboot.yml

@@ -0,0 +1,26 @@
+title: 'System Shutdown/Reboot'
+id: 40b1fbe2-18ea-4ee7-be47-0294285811de
+status: experimental
+description: 'Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.'
+    # For this rule to work you must enable audit of process execution in OpenBSM, see
+    # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
+author: 'Igor Fits, Mikhail Larin, oscd.community'
+date: 2020/10/19
+references:
+    - hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md
+logsource:
+    product: macos
+    category: process_creation
+detection:
+    selection:
+        Image|endswith:
+              - '/shutdown'
+              - '/reboot'
+              - '/halt'
+    condition: selection
+falsepositives:
+    - 'Legitimate administrative activity'
+level: informational
+tags:
+    - attack.impact
+    - attack.t1529

rules/linux/macos_xattr_gatekeeper_bypass.yml

@@ -0,0 +1,24 @@
+title: Gatekeeper Bypass via Xattr
+id: f5141b6d-9f42-41c6-a7bf-2a780678b29b
+status: experimental
+description: Detects macOS Gatekeeper bypass via xattr utility
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md
+logsource:
+  category: process_creation
+  product: macos
+detection:
+  selection:
+    Image|endswith: '/xattr'
+    CommandLine|contains|all: 
+      - '-r'
+      - 'com.apple.quarantine'
+  condition: selection
+falsepositives:
+  - Legitimate activities
+level: low
+tags:
+  - attack.defense_evasion
+  - attack.t1553.001

rules/network/net_susp_dns_b64_queries.yml

@@ -11,8 +11,8 @@ logsource:
     category: dns
 detection:
     selection:
-        query:
-            - '*==.*'
+        query|contains:
+            - '==.'
     condition: selection
 falsepositives:
     - Unknown
@@ -23,4 +23,4 @@ tags:
     - attack.t1048.003
     - attack.command_and_control
     - attack.t1071 # an old one
-    - attack.t1071.004
+    - attack.t1071.004

rules/network/net_susp_dns_txt_exec_strings.yml

@@ -13,10 +13,10 @@ logsource:
 detection:
     selection:
         record_type: 'TXT'
-        answer:
-            - '*IEX*'
-            - '*Invoke-Expression*'
-            - '*cmd.exe*'
+        answer|contains:
+            - 'IEX'
+            - 'Invoke-Expression'
+            - 'cmd.exe'
     condition: selection
 falsepositives:
     - Unknown
@@ -24,4 +24,4 @@ level: high
 tags:
     - attack.command_and_control
     - attack.t1071 # an old one
-    - attack.t1071.004
+    - attack.t1071.004

rules/network/zeek/zeek_http_executable_download_from_webdav.yml

@@ -15,11 +15,11 @@ date: 2020/05/01
 modified: 2020/09/02
 detection:
     selection_webdav:
-        - c-useragent: '*WebDAV*'
-        - c-uri: '*webdav*'
+        - c-useragent|contains: 'WebDAV'
+        - c-uri|contains: 'webdav'
     selection_executable:
-        - resp_mime_types: '*dosexec*'
-        - c-uri: '*.exe'
+        - resp_mime_types|contains: 'dosexec'
+        - c-uri|endswith: '.exe'
     condition: selection_webdav AND selection_executable
 falsepositives:
     - unknown

rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml

@@ -16,8 +16,11 @@ logsource:
     service: smb_files
 detection:
     selection:
-        path: '\\*ADMIN$'
-        name: '*SYSTEM32\\*.tmp'
+        path|contains|all:
+            - '\'
+            - 'ADMIN$'
+        name|contains: 'SYSTEM32\'
+        name|endswith: '.tmp'
     condition: selection
 falsepositives:
     - 'unknown'

rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml

@@ -14,14 +14,18 @@ logsource:
     service: smb_files
 detection:
     selection1:
-        path: \\*\IPC$
-        name:
-            - '*-stdin'
-            - '*-stdout'
-            - '*-stderr'
+        path|contains|all: 
+            - '\\'
+            - '\IPC$'
+        name|endswith:
+            - '-stdin'
+            - '-stdout'
+            - '-stderr'
     selection2:
-        name: \\*\IPC$
-        path: 'PSEXESVC*'
+        name|contains|all: 
+            - '\\'
+            - '\IPC$'
+        path|startswith: 'PSEXESVC'
     condition: selection1 and not selection2
 falsepositives:
     - nothing observed so far

rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml

@@ -12,19 +12,19 @@ logsource:
   service: smb_files
 detection:
   selection:
-    name:
-      - '*.pst'
-      - '*.ost'
-      - '*.msg'
-      - '*.nst'
-      - '*.oab'
-      - '*.edb'
-      - '*.nsf'
-      - '*.bak'
-      - '*.dmp'
-      - '*.kirbi'
-      - '*\groups.xml'
-      - '*.rdp'
+    name|endswith:
+      - '.pst'
+      - '.ost'
+      - '.msg'
+      - '.nst'
+      - '.oab'
+      - '.edb'
+      - '.nsf'
+      - '.bak'
+      - '.dmp'
+      - '.kirbi'
+      - '\groups.xml'
+      - '.rdp'
   condition: selection
 fields:
     - ComputerName

rules/network/zeek/zeek_susp_kerberos_rc4.yml

@@ -17,7 +17,7 @@ detection:
         request_type: 'TGS'
         cipher: 'rc4-hmac'
     computer_acct:
-        service: '$*'
+        service|startswith: '$'
     condition: selection and not computer_acct
 falsepositives:
     - normal enterprise SPN requests activity

rules/proxy/proxy_chafer_malware.yml

@@ -10,7 +10,7 @@ logsource:
     category: proxy
 detection:
     selection:
-        c-uri: '*/asp.asp?ui=*'
+        c-uri|contains: '/asp.asp?ui='
     condition: selection
 fields:
     - ClientIP
@@ -22,4 +22,4 @@ level: critical
 tags:
     - attack.command_and_control
     - attack.t1071.001
-    - attack.t1043  # an old one
+    - attack.t1043  # an old one

rules/proxy/proxy_cobalt_amazon.yml

@@ -16,7 +16,7 @@ detection:
     cs-method: 'GET'
     c-uri: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'
     cs-host: 'www.amazon.com'
-    cs-cookie: '*=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'
+    cs-cookie|endswith: '=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'
   selection2:
     c-useragent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
     cs-method: 'POST'
@@ -30,4 +30,4 @@ tags:
   - attack.defense_evasion
   - attack.command_and_control
   - attack.t1071.001
-  - attack.t1043  # an old one
+  - attack.t1043  # an old one

rules/proxy/proxy_cobalt_ocsp.yml

@@ -16,7 +16,7 @@ logsource:
     category: proxy
 detection:
     selection:
-      c-uri: '*/oscp/*'
+      c-uri|contains: '/oscp/'
       cs-host: 'ocsp.verisign.com'
 
     condition: selection

rules/proxy/proxy_cobalt_onedrive.yml

@@ -4,7 +4,7 @@ status: experimental
 description: Detects Malleable OneDrive Profile
 author: Markus Neis
 date: 2019/11/12
-modified: 2020/09/02
+modified: 2020/11/28
 references:
     - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile
 logsource:
@@ -12,10 +12,11 @@ logsource:
 detection:
     selection:
       cs-method: 'GET'
-      c-uri: '*?manifest=wac'
+      c-uri|endswith: '?manifest=wac'
       cs-host: 'onedrive.live.com'
     filter:
-      c-uri: 'http*://onedrive.live.com/*'
+      c-uri|startswith: 'http'
+      c-uri|contains: '://onedrive.live.com/'
     condition: selection and not filter
 falsepositives:
     - Unknown
@@ -24,4 +25,4 @@ tags:
     - attack.defense_evasion
     - attack.command_and_control
     - attack.t1071.001
-    - attack.t1043  # an old one
+    - attack.t1043  # an old one

rules/proxy/proxy_download_susp_dyndns.yml

@@ -30,77 +30,77 @@ detection:
             - 'sct'
             - 'zip'
             # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
-        r-dns: 
-            - '*.hopto.org'
-            - '*.no-ip.org'
-            - '*.no-ip.info'
-            - '*.no-ip.biz'
-            - '*.no-ip.com'
-            - '*.noip.com'
-            - '*.ddns.name'
-            - '*.myftp.org'
-            - '*.myftp.biz'
-            - '*.serveblog.net'
-            - '*.servebeer.com'
-            - '*.servemp3.com'
-            - '*.serveftp.com'
-            - '*.servequake.com'
-            - '*.servehalflife.com'
-            - '*.servehttp.com'
-            - '*.servegame.com'
-            - '*.servepics.com'
-            - '*.myvnc.com'
-            - '*.ignorelist.com'
-            - '*.jkub.com'
-            - '*.dlinkddns.com'
-            - '*.jumpingcrab.com'
-            - '*.ddns.info'
-            - '*.mooo.com'
-            - '*.dns-dns.com'
-            - '*.strangled.net'
-            - '*.adultdns.net'
-            - '*.craftx.biz'
-            - '*.ddns01.com'
-            - '*.dns53.biz'
-            - '*.dnsapi.info'
-            - '*.dnsd.info'
-            - '*.dnsdynamic.com'
-            - '*.dnsdynamic.net'
-            - '*.dnsget.org'
-            - '*.fe100.net'
-            - '*.flashserv.net'
-            - '*.ftp21.net'
-            - '*.http01.com'
-            - '*.http80.info'
-            - '*.https443.com'
-            - '*.imap01.com'
-            - '*.kadm5.com'
-            - '*.mysq1.net'
-            - '*.ns360.info'
-            - '*.ntdll.net'
-            - '*.ole32.com'
-            - '*.proxy8080.com'
-            - '*.sql01.com'
-            - '*.ssh01.com'
-            - '*.ssh22.net'
-            - '*.tempors.com'
-            - '*.tftpd.net'
-            - '*.ttl60.com'
-            - '*.ttl60.org'
-            - '*.user32.com'
-            - '*.voip01.com'
-            - '*.wow64.net'
-            - '*.x64.me'
-            - '*.xns01.com'
-            - '*.dyndns.org'
-            - '*.dyndns.info'
-            - '*.dyndns.tv'
-            - '*.dyndns-at-home.com'
-            - '*.dnsomatic.com'
-            - '*.zapto.org'
-            - '*.webhop.net'
-            - '*.25u.com'
-            - '*.slyip.net'
+        r-dns|endswith: 
+            - '.hopto.org'
+            - '.no-ip.org'
+            - '.no-ip.info'
+            - '.no-ip.biz'
+            - '.no-ip.com'
+            - '.noip.com'
+            - '.ddns.name'
+            - '.myftp.org'
+            - '.myftp.biz'
+            - '.serveblog.net'
+            - '.servebeer.com'
+            - '.servemp3.com'
+            - '.serveftp.com'
+            - '.servequake.com'
+            - '.servehalflife.com'
+            - '.servehttp.com'
+            - '.servegame.com'
+            - '.servepics.com'
+            - '.myvnc.com'
+            - '.ignorelist.com'
+            - '.jkub.com'
+            - '.dlinkddns.com'
+            - '.jumpingcrab.com'
+            - '.ddns.info'
+            - '.mooo.com'
+            - '.dns-dns.com'
+            - '.strangled.net'
+            - '.adultdns.net'
+            - '.craftx.biz'
+            - '.ddns01.com'
+            - '.dns53.biz'
+            - '.dnsapi.info'
+            - '.dnsd.info'
+            - '.dnsdynamic.com'
+            - '.dnsdynamic.net'
+            - '.dnsget.org'
+            - '.fe100.net'
+            - '.flashserv.net'
+            - '.ftp21.net'
+            - '.http01.com'
+            - '.http80.info'
+            - '.https443.com'
+            - '.imap01.com'
+            - '.kadm5.com'
+            - '.mysq1.net'
+            - '.ns360.info'
+            - '.ntdll.net'
+            - '.ole32.com'
+            - '.proxy8080.com'
+            - '.sql01.com'
+            - '.ssh01.com'
+            - '.ssh22.net'
+            - '.tempors.com'
+            - '.tftpd.net'
+            - '.ttl60.com'
+            - '.ttl60.org'
+            - '.user32.com'
+            - '.voip01.com'
+            - '.wow64.net'
+            - '.x64.me'
+            - '.xns01.com'
+            - '.dyndns.org'
+            - '.dyndns.info'
+            - '.dyndns.tv'
+            - '.dyndns-at-home.com'
+            - '.dnsomatic.com'
+            - '.zapto.org'
+            - '.webhop.net'
+            - '.25u.com'
+            - '.slyip.net'
     condition: selection
 fields:
     - cs-ip
@@ -112,4 +112,4 @@ tags:
     - attack.defense_evasion
     - attack.command_and_control
     - attack.t1105
-    - attack.t1568
+    - attack.t1568

rules/proxy/proxy_download_susp_tlds_blacklist.yml

@@ -33,73 +33,73 @@ detection:
             - 'sct'
             - 'zip'
             # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
-        r-dns:
+        r-dns|endswith:
             # Symantec / Chris Larsen analysis
-            - '*.country'
-            - '*.stream'
-            - '*.gdn'
-            - '*.mom'
-            - '*.xin'
-            - '*.kim'
-            - '*.men'
-            - '*.loan'
-            - '*.download'
-            - '*.racing'
-            - '*.online'
-            - '*.science'
-            - '*.ren'
-            - '*.gb'
-            - '*.win'
-            - '*.top'
-            - '*.review'
-            - '*.vip'
-            - '*.party'
-            - '*.tech'
-            - '*.xyz'
-            - '*.date'
-            - '*.faith'
-            - '*.zip'
-            - '*.cricket'
-            - '*.space'
+            - '.country'
+            - '.stream'
+            - '.gdn'
+            - '.mom'
+            - '.xin'
+            - '.kim'
+            - '.men'
+            - '.loan'
+            - '.download'
+            - '.racing'
+            - '.online'
+            - '.science'
+            - '.ren'
+            - '.gb'
+            - '.win'
+            - '.top'
+            - '.review'
+            - '.vip'
+            - '.party'
+            - '.tech'
+            - '.xyz'
+            - '.date'
+            - '.faith'
+            - '.zip'
+            - '.cricket'
+            - '.space'
             # McAfee report
-            - '*.info'
-            - '*.vn'
-            - '*.cm'
-            - '*.am'
-            - '*.cc'
-            - '*.asia'
-            - '*.ws'
-            - '*.tk'
-            - '*.biz'
-            - '*.su'
-            - '*.st'
-            - '*.ro'
-            - '*.ge'
-            - '*.ms'
-            - '*.pk'
-            - '*.nu'
-            - '*.me'
-            - '*.ph'
-            - '*.to'
-            - '*.tt'
-            - '*.name'
-            - '*.tv'
-            - '*.kz'
-            - '*.tc'
-            - '*.mobi'
+            - '.info'
+            - '.vn'
+            - '.cm'
+            - '.am'
+            - '.cc'
+            - '.asia'
+            - '.ws'
+            - '.tk'
+            - '.biz'
+            - '.su'
+            - '.st'
+            - '.ro'
+            - '.ge'
+            - '.ms'
+            - '.pk'
+            - '.nu'
+            - '.me'
+            - '.ph'
+            - '.to'
+            - '.tt'
+            - '.name'
+            - '.tv'
+            - '.kz'
+            - '.tc'
+            - '.mobi'
             # Spamhaus
-            - '*.study'
-            - '*.click'
-            - '*.link'
-            - '*.trade'
-            - '*.accountant'
+            - '.study'
+            - '.click'
+            - '.link'
+            - '.trade'
+            - '.accountant'
             # Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
-            - '*.cf'
-            - '*.gq'
-            - '*.ml'
-            - '*.ga'
+            - '.cf'
+            - '.gq'
+            - '.ml'
+            - '.ga'
             # Custom
-            - '*.pw'
+            - '.pw'
     condition: selection
 fields:
     - ClientIP
@@ -113,4 +113,4 @@ tags:
     - attack.execution
     - attack.t1203
     - attack.t1204.002
-    - attack.t1204  # an old one
+    - attack.t1204  # an old one

rules/proxy/proxy_download_susp_tlds_whitelist.yml

@@ -29,25 +29,25 @@ detection:
             - 'zip'
             # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
     filter:
-        r-dns:
-            - '*.com'
-            - '*.org'
-            - '*.net'
-            - '*.edu'
-            - '*.gov'
-            - '*.uk'
-            - '*.ca'
-            - '*.de'
-            - '*.jp'
-            - '*.fr'
-            - '*.au'
-            - '*.us'
-            - '*.ch'
-            - '*.it'
-            - '*.nl'
-            - '*.se'
-            - '*.no'
-            - '*.es'
+        r-dns|endswith:
+            - '.com'
+            - '.org'
+            - '.net'
+            - '.edu'
+            - '.gov'
+            - '.uk'
+            - '.ca'
+            - '.de'
+            - '.jp'
+            - '.fr'
+            - '.au'
+            - '.us'
+            - '.ch'
+            - '.it'
+            - '.nl'
+            - '.se'
+            - '.no'
+            - '.es'
             # Extend this list as needed
     condition: selection and not filter
 fields:

rules/proxy/proxy_downloadcradle_webdav.yml

@@ -11,7 +11,7 @@ logsource:
     category: proxy
 detection:
     selection:
-      c-useragent: 'Microsoft-WebDAV-MiniRedir/*'
+      c-useragent|startswith: 'Microsoft-WebDAV-MiniRedir/'
       cs-method: 'GET'
     condition: selection
 fields:
@@ -27,4 +27,4 @@ level: high
 tags:
     - attack.command_and_control
     - attack.t1071.001
-    - attack.t1043  # an old one
+    - attack.t1043  # an old one

rules/proxy/proxy_ios_implant.yml

@@ -12,7 +12,7 @@ logsource:
     category: proxy
 detection:
     selection:
-        c-uri: '*/list/suc?name=*'
+        c-uri|contains: '/list/suc?name='
     condition: selection
 fields:
     - ClientIP
@@ -30,4 +30,4 @@ tags:
     - attack.credential_access
     - attack.t1528
     - attack.t1552.001
-    - attack.t1081  # an old one
+    - attack.t1081  # an old one

rules/proxy/proxy_powershell_ua.yml

@@ -11,7 +11,7 @@ logsource:
     category: proxy
 detection:
     selection:
-      c-useragent: '* WindowsPowerShell/*'
+      c-useragent|contains: ' WindowsPowerShell/'
     condition: selection
 fields:
     - ClientIP
@@ -24,4 +24,4 @@ level: medium
 tags:
   - attack.defense_evasion
   - attack.command_and_control
-  - attack.t1071.001
+  - attack.t1071.001

rules/proxy/proxy_susp_flash_download_loc.yml

@@ -4,17 +4,17 @@ status: experimental
 description: Detects a flashplayer update from an unofficial location
 author: Florian Roth
 date: 2017/10/25
+modified: 2020/11/28
 references:
     - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
 logsource:
     category: proxy
 detection:
     selection:
-        c-uri-query:
-            - '*/install_flash_player.exe'
-            - '*/flash_install.php*'
+        - c-uri-query|contains: '/flash_install.php'
+        - c-uri-query|endswith: '/install_flash_player.exe'
     filter:
-        c-uri-stem: '*.adobe.com/*'
+        c-uri-stem|contains: '.adobe.com/'
     condition: selection and not filter
 falsepositives:
     - Unknown flash download locations
@@ -27,4 +27,4 @@ tags:
     - attack.t1204  # an old one
     - attack.defense_evasion
     - attack.t1036.005
-    - attack.t1036  # an old one
+    - attack.t1036  # an old one

rules/proxy/proxy_telegram_api.yml

@@ -16,10 +16,10 @@ detection:
         r-dns: 
             - 'api.telegram.org'  # Often used by Bots
     filter:
-        c-useragent: 
+        c-useragent|contains: 
             # Used https://core.telegram.org/bots/samples for this list
-            - '*Telegram*'
-            - '*Bot*'
+            - 'Telegram'
+            - 'Bot'
     condition: selection and not filter
 fields:
     - ClientIP

rules/proxy/proxy_ua_bitsadmin_susp_tld.yml

@@ -9,13 +9,13 @@ logsource:
     category: proxy
 detection:
     selection:
-        c-useragent:
-            - 'Microsoft BITS/*'
+        c-useragent|startswith:
+            - 'Microsoft BITS/'
     falsepositives:
-        r-dns:
-            - '*.com' 
-            - '*.net' 
-            - '*.org' 
+        r-dns|endswith:
+            - '.com' 
+            - '.net' 
+            - '.org' 
     condition: selection and not falsepositives
 fields:
     - ClientIP
@@ -30,4 +30,4 @@ tags:
     - attack.defense_evasion
     - attack.persistence
     - attack.t1197
-    - attack.s0190
+    - attack.s0190

rules/proxy/proxy_ua_cryptominer.yml

@@ -12,11 +12,11 @@ logsource:
     category: proxy
 detection:
     selection:
-      c-useragent:
+      c-useragent|startswith:
         # XMRig
-        - 'XMRig *'
+        - 'XMRig '
         # CCMiner
-        - 'ccminer*'
+        - 'ccminer'
     condition: selection
 fields:
     - ClientIP
@@ -27,4 +27,4 @@ falsepositives:
 level: high
 tags:
     - attack.command_and_control
-    - attack.t1071.001
+    - attack.t1071.001

rules/proxy/proxy_ua_hacktool.yml

@@ -12,58 +12,58 @@ logsource:
     category: proxy
 detection:
     selection:
-      c-useragent:
-        # Vulnerability scanner and brute force tools
-        - '*(hydra)*'
-        - '* arachni/*'
-        - '* BFAC *'
-        - '* brutus *'
-        - '* cgichk *'
-        - '*core-project/1.0*'
-        - '* crimscanner/*'
-        - '*datacha0s*'
-        - '*dirbuster*'
-        - '*domino hunter*'
-        - '*dotdotpwn*'
-        - 'FHScan Core'
-        - '*floodgate*'
-        - '*get-minimal*'
-        - '*gootkit auto-rooter scanner*'
-        - '*grendel-scan*'
-        - '* inspath *'
-        - '*internet ninja*'
-        - '*jaascois*'
-        - '* zmeu *'
-        - '*masscan*'
-        - '* metis *'
-        - '*morfeus fucking scanner*'
-        - '*n-stealth*'
-        - '*nsauditor*'
-        - '*pmafind*'
-        - '*security scan*'
-        - '*springenwerk*'
-        - '*teh forest lobster*'
-        - '*toata dragostea*'
-        - '* vega/*'
-        - '*voideye*'
-        - '*webshag*'
-        - '*webvulnscan*'
-        - '* whcc/*'
+        c-useragent|contains:
+            # Vulnerbility scanner and brute force tools
+            - '(hydra)'
+            - ' arachni/'
+            - ' BFAC '
+            - ' brutus '
+            - ' cgichk '
+            - 'core-project/1.0'
+            - ' crimscanner/'
+            - 'datacha0s'
+            - 'dirbuster'
+            - 'domino hunter'
+            - 'dotdotpwn'
+            - 'FHScan Core'
+            - 'floodgate'
+            - 'get-minimal'
+            - 'gootkit auto-rooter scanner'
+            - 'grendel-scan'
+            - ' inspath '
+            - 'internet ninja'
+            - 'jaascois'
+            - ' zmeu '
+            - 'masscan'
+            - ' metis '
+            - 'morfeus fucking scanner'
+            - 'n-stealth'
+            - 'nsauditor'
+            - 'pmafind'
+            - 'security scan'
+            - 'springenwerk'
+            - 'teh forest lobster'
+            - 'toata dragostea'
+            - ' vega/'
+            - 'voideye'
+            - 'webshag'
+            - 'webvulnscan'
+            - ' whcc/'
 
-        # SQL Injection
-        - '* Havij'
-        - '*absinthe*'
-        - '*bsqlbf*'
-        - '*mysqloit*'
-        - '*pangolin*'
-        - '*sql power injector*'
-        - '*sqlmap*'
-        - '*sqlninja*'
-        - '*uil2pn*'
+            # SQL Injection
+            - ' Havij'
+            - 'absinthe'
+            - 'bsqlbf'
+            - 'mysqloit'
+            - 'pangolin'
+            - 'sql power injector'
+            - 'sqlmap'
+            - 'sqlninja'
+            - 'uil2pn'
 
-        # Hack tool
-        - 'ruler'  # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
-        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)'  # SQLi Dumper
+            # Hack tool
+            - 'ruler'  # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
+            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)'  # SQLi Dumper
     condition: selection
 fields:
     - ClientIP
@@ -76,4 +76,4 @@ tags:
     - attack.initial_access
     - attack.t1190
     - attack.credential_access
-    - attack.t1110
+    - attack.t1110

rules/proxy/proxy_ursnif_malware.yml

@@ -4,12 +4,15 @@ status: stable
 description: Detects download of Ursnif malware done by dropper documents.
 author: Thomas Patzke
 date: 2019/12/19
-modified: 2020/09/03
+modified: 2020/11/28
 logsource:
   category: proxy
 detection:
   selection:
-    c-uri: '*/*.php?l=*.cab'
+    c-uri|contains|all: 
+      - '/'
+      - '.php?l='
+    c-uri|endswith: '.cab'
     sc-status: 200
   condition: selection
 fields:
@@ -32,13 +35,13 @@ logsource:
   category: proxy
 detection:
   b64encoding:
-    c-uri:
-      - "*_2f*"
-      - "*_2b*"
+    c-uri|contains:
+      - "_2f"
+      - "_2b"
   urlpatterns:
-    c-uri|all:
-      - "*.avi"
-      - "*/images/*"
+    c-uri|contains|all:
+      - ".avi"
+      - "/images/"
   condition: b64encoding and urlpatterns
 fields:
   - c-ip
@@ -56,4 +59,4 @@ tags:
     - attack.t1204.002
     - attack.t1204  # an old one
     - attack.command_and_control
-    - attack.t1071.001
+    - attack.t1071.001

rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml

@@ -0,0 +1,30 @@
+title: CVE-2021-21978 Exploitation Attempt
+id: 77586a7f-7ea4-4c41-b19c-820140b84ca9
+status: experimental
+description: Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978
+author: Bhabesh Raj
+date: 2020/03/10
+references:
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21978
+    - https://twitter.com/wugeej/status/1369476795255320580
+    - https://paper.seebug.org/1495/
+logsource:
+    category: webserver
+detection:
+    selection:
+        cs-method: 'POST'
+        c-uri|contains|all: 
+            - 'logupload'
+            - 'logMetaData'
+            - 'wsgi_log_upload.py'
+    condition: selection
+fields:
+    - c-ip
+    - c-dns
+falsepositives:
+    - None
+level: high
+tags:
+    - attack.initial_access
+    - attack.t1190
+    - cve.2021-21978

rules/web/win_webshell_regeorg.yml

@@ -13,11 +13,11 @@ logsource:
 detection:
     selection:
         uri_query|contains:
-            - '*cmd=read*'
-            - '*connect&target*'
-            - '*cmd=connect*'
-            - '*cmd=disconnect*'
-            - '*cmd=forward*'
+            - 'cmd=read'
+            - 'connect&target'
+            - 'cmd=connect'
+            - 'cmd=disconnect'
+            - 'cmd=forward'
     filter:
         referer: null
         useragent: null

rules/windows/builtin/win_GPO_scheduledtasks.yml

@@ -19,8 +19,8 @@ detection:
     selection:
         EventID: 5145
         ShareName: \\*\SYSVOL
-        RelativeTargetName: '*ScheduledTasks.xml'
-        Accesses: '*WriteData*'
+        RelativeTargetName|endswith: 'ScheduledTasks.xml'
+        Accesses|contains: 'WriteData'
     condition: selection
 falsepositives:
     - if the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks

rules/windows/builtin/win_account_discovery.yml

@@ -21,18 +21,20 @@ detection:
         ObjectType:
         - 'SAM_USER'
         - 'SAM_GROUP'
-        ObjectName:
-         - '*-512'
-         - '*-502'
-         - '*-500'
-         - '*-505'
-         - '*-519'
-         - '*-520'
-         - '*-544'
-         - '*-551'
-         - '*-555'
-         - '*admin*'
-    condition: selection
+    selection_object:
+        - ObjectName|endswith:
+          - '-512'
+          - '-502'
+          - '-500'
+          - '-505'
+          - '-519'
+          - '-520'
+          - '-544'
+          - '-551'
+          - '-555'
+        - ObjectName|contains:
+          - 'admin'
+    condition: selection and selection_object
 falsepositives:
     - if source account name is not an admin then its super suspicious
 level: high

rules/windows/builtin/win_admin_rdp_login.yml

@@ -23,7 +23,7 @@ detection:
         EventID: 4624
         LogonType: 10
         AuthenticationPackageName: Negotiate
-        AccountName: 'Admin-*'
+        AccountName|startswith: 'Admin-'
     condition: selection
 falsepositives:
     - Legitimate administrative activity

rules/windows/builtin/win_admin_share_access.yml

@@ -18,7 +18,7 @@ detection:
         EventID: 5140
         ShareName: Admin$
     filter:
-        SubjectUserName: '*$'
+        SubjectUserName|endswith: '$'
     condition: selection and not filter
 falsepositives:
     - Legitimate administrative activity

rules/windows/builtin/win_alert_active_directory_user_control.yml

@@ -17,8 +17,8 @@ detection:
     selection:
         EventID: 4704
     keywords:
-        Message:
-            - '*SeEnableDelegationPrivilege*'
+        Message|contains:
+            - 'SeEnableDelegationPrivilege'
     condition: all of them
 falsepositives:
     - Unknown

rules/windows/builtin/win_alert_enable_weak_encryption.yml

@@ -18,13 +18,13 @@ detection:
     selection:
         EventID: 4738
     keywords:
-        Message:
-            - '*DES*'
-            - '*Preauth*'
-            - '*Encrypted*'
+        Message|contains:
+            - 'DES'
+            - 'Preauth'
+            - 'Encrypted'
     filters:
-        Message:
-            - '*Enabled*'
+        Message|contains:
+            - 'Enabled'
     condition: selection and keywords and filters
 falsepositives:
     - Unknown