Change status for old rules

2021-11-27 11:33:14 +01:00
parent 6664d6e522
commit 01dc930c17
547 changed files with 11964 additions and 11755 deletions
@@ -1,32 +1,33 @@
 title: Edit of .bash_profile and .bashrc
 id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9
-status: experimental
+status: test
 description: Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.
 author: Peter Matkovski
-date: 2019/05/12
 references:
-    - 'MITRE Attack technique T1156; .bash_profile and .bashrc. '
+  - 'MITRE Attack technique T1156; .bash_profile and .bashrc. '
+date: 2019/05/12
+modified: 2021/11/27
 logsource:
-    product: linux
-    service: auditd
+  product: linux
+  service: auditd
 detection:
-    selection:
-        type: 'PATH'
-        name:
-            - '/home/*/.bashrc'
-            - '/home/*/.bash_profile'
-            - '/home/*/.profile'
-            - '/etc/profile'
-            - '/etc/shells'
-            - '/etc/bashrc'
-            - '/etc/csh.cshrc'
-            - '/etc/csh.login'
-    condition: selection
+  selection:
+    type: 'PATH'
+    name:
+      - '/home/*/.bashrc'
+      - '/home/*/.bash_profile'
+      - '/home/*/.profile'
+      - '/etc/profile'
+      - '/etc/shells'
+      - '/etc/bashrc'
+      - '/etc/csh.cshrc'
+      - '/etc/csh.login'
+  condition: selection
 falsepositives:
-    - Admin or User activity
+  - Admin or User activity
 level: medium
 tags:
-    - attack.s0003
-    - attack.t1156    # an old one
-    - attack.persistence
-    - attack.t1546.004
+  - attack.s0003
+  - attack.t1156      # an old one
+  - attack.persistence
+  - attack.t1546.004
@@ -1,35 +1,32 @@
 title: Auditing Configuration Changes on Linux Host
 id: 977ef627-4539-4875-adf4-ed8f780c4922
-status: experimental
+status: test
 description: Detect changes in auditd configuration files
-    # Example config for this one (place it at the top of audit.rules)
-    # -w /etc/audit/ -p wa -k etc_modify_auditconfig
-    # -w /etc/libaudit.conf -p wa -k etc_modify_libauditconfig
-    # -w /etc/audisp/ -p wa -k etc_modify_audispconfig
 author: Mikhail Larin, oscd.community
-date: 2019/10/25
 references:
-    - https://github.com/Neo23x0/auditd/blob/master/audit.rules
-    - self experience
+  - https://github.com/Neo23x0/auditd/blob/master/audit.rules
+  - self experience
+date: 2019/10/25
+modified: 2021/11/27
 logsource:
-    product: linux
-    service: auditd
+  product: linux
+  service: auditd
 detection:
-    selection:
-        type: PATH
-        name:
-            - /etc/audit/*
-            - /etc/libaudit.conf
-            - /etc/audisp/*
-    condition: selection
+  selection:
+    type: PATH
+    name:
+      - /etc/audit/*
+      - /etc/libaudit.conf
+      - /etc/audisp/*
+  condition: selection
 fields:
-    - exe
-    - comm
-    - key
+  - exe
+  - comm
+  - key
 falsepositives:
-    - Legitimate administrative activity
+  - Legitimate administrative activity
 level: high
 tags:
-    - attack.defense_evasion
-    - attack.t1054    # an old one
-    - attack.t1562.006
+  - attack.defense_evasion
+  - attack.t1054      # an old one
+  - attack.t1562.006
@@ -1,33 +1,30 @@
 title: 'Binary Padding'
 id: c52a914f-3d8b-4b2a-bb75-b3991e75f8ba
-status: experimental
+status: test
 description: 'Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.'
-  # For this rule to work execve auditing / file system auditing with "execute access" to specific binaries must be configured
-  # Example config (place it at the bottom of audit.rules)
-  # -a always,exit -F arch=b32 -S execve -k execve
-  # -a always,exit -F arch=b64 -S execve -k execve
 author: 'Igor Fits, oscd.community'
-date: 2020/10/13
 references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md
+date: 2020/10/13
+modified: 2021/11/27
 logsource:
-    product: linux
-    service: auditd
+  product: linux
+  service: auditd
 detection:
-    execve:
-        type: 'EXECVE'
-    truncate:
-        - 'truncate'
-        - '-s'
-    dd:
-        - 'dd'
-        - 'if='
-    filter:
-        - 'of='
-    condition: execve and (all of truncate or (all of dd and not filter))
+  execve:
+    type: 'EXECVE'
+  truncate:
+    - 'truncate'
+    - '-s'
+  dd:
+    - 'dd'
+    - 'if='
+  filter:
+    - 'of='
+  condition: execve and (all of truncate or (all of dd and not filter))
 falsepositives:
-    - 'Legitimate script work'
+  - 'Legitimate script work'
 level: high
 tags:
-    - attack.defense_evasion
-    - attack.t1027.001
+  - attack.defense_evasion
+  - attack.t1027.001
@@ -1,32 +1,29 @@
 title: 'File Time Attribute Change'
 id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
-status: experimental
+status: test
 description: 'Detect file time attribute change to hide new or changes to existing files.'
-  # For this rule to work execve auditing must be configured
-  # Example config (place it at the bottom of audit.rules)
-  # -a always,exit -F arch=b32 -S execve -k execve
-  # -a always,exit -F arch=b64 -S execve -k execve
 author: 'Igor Fits, oscd.community'
-date: 2020/10/15
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
+date: 2020/10/15
+modified: 2021/11/27
 logsource:
-    product: linux
-    service: auditd
+  product: linux
+  service: auditd
 detection:
-    execve:
-        type: 'EXECVE'
-    touch:
-         - 'touch'
-    selection2:
-         - '-t'
-         - '-acmr'
-         - '-d'
-         - '-r'
-    condition: execve and touch and selection2
+  execve:
+    type: 'EXECVE'
+  touch:
+    - 'touch'
+  selection2:
+    - '-t'
+    - '-acmr'
+    - '-d'
+    - '-r'
+  condition: execve and touch and selection2
 falsepositives:
-    - 'Unknown'
+  - 'Unknown'
 level: medium
 tags:
-    - attack.defense_evasion
-    - attack.t1070.006
+  - attack.defense_evasion
+  - attack.t1070.006
@@ -1,23 +1,24 @@
 title: Remove Immutable File Attribute
 id: a5b977d6-8a81-4475-91b9-49dbfcd941f7
-status: experimental
+status: test
 description: Detects removing immutable file attribute.
 author: Jakob Weinzettl, oscd.community
-date: 2019/09/23
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md
+date: 2019/09/23
+modified: 2021/11/27
 logsource:
-    product: linux
-    service: auditd
+  product: linux
+  service: auditd
 detection:
-    selection:
-        type: 'EXECVE'
-        a0|contains: 'chattr'
-        a1|contains: '-i'
-    condition: selection
+  selection:
+    type: 'EXECVE'
+    a0|contains: 'chattr'
+    a1|contains: '-i'
+  condition: selection
 falsepositives:
-    - Administrator interacting with immutable files (e.g. for instance backups).
+  - Administrator interacting with immutable files (e.g. for instance backups).
 level: medium
 tags:
-    - attack.defense_evasion
-    - attack.t1222.002
+  - attack.defense_evasion
+  - attack.t1222.002
@@ -1,23 +1,24 @@
 title: Creation Of An User Account
 id: 759d0d51-bc99-4b5e-9add-8f5b2c8e7512
-status: experimental
+status: test
 description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
 author: Marie Euler
-date: 2020/05/18
 references:
-    - 'MITRE Attack technique T1136; Create Account '
+  - 'MITRE Attack technique T1136; Create Account '
+date: 2020/05/18
+modified: 2021/11/27
 logsource:
-    product: linux
-    service: auditd
+  product: linux
+  service: auditd
 detection:
-    selection:
-        type: 'SYSCALL'
-        exe|endswith: '/useradd'
-    condition: selection
+  selection:
+    type: 'SYSCALL'
+    exe|endswith: '/useradd'
+  condition: selection
 falsepositives:
-    - Admin activity
+  - Admin activity
 level: medium
 tags:
-    - attack.t1136    # an old one
-    - attack.t1136.001
-    - attack.persistence
+  - attack.t1136      # an old one
+  - attack.t1136.001
+  - attack.persistence
@@ -1,24 +1,25 @@
 title: File or Folder Permissions Change
 id: 74c01ace-0152-4094-8ae2-6fd776dd43e5
-status: experimental
+status: test
 description: Detects file and folder permission changes.
 author: Jakob Weinzettl, oscd.community
-date: 2019/09/23
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md
+date: 2019/09/23
+modified: 2021/11/27
 logsource:
-    product: linux
-    service: auditd
+  product: linux
+  service: auditd
 detection:
-    selection:
-        type: 'EXECVE'
-        a0|contains:
-            - 'chmod'
-            - 'chown'
-    condition: selection
+  selection:
+    type: 'EXECVE'
+    a0|contains:
+      - 'chmod'
+      - 'chown'
+  condition: selection
 falsepositives:
-    - User interacting with files permissions (normal/daily behaviour).
+  - User interacting with files permissions (normal/daily behaviour).
 level: low
 tags:
-    - attack.defense_evasion
-    - attack.t1222.002
+  - attack.defense_evasion
+  - attack.t1222.002
@@ -1,28 +1,25 @@
 title: 'Credentials In Files'
 id: df3fcaea-2715-4214-99c5-0056ea59eb35
-status: experimental
+status: test
 description: 'Detecting attempts to extract passwords with grep'
-  # For this rule to work execve auditing must be configured
-  # Example config (place it at the bottom of audit.rules)
-  # -a always,exit -F arch=b32 -S execve -k execve
-  # -a always,exit -F arch=b64 -S execve -k execve
 author: 'Igor Fits, oscd.community'
-date: 2020/10/15
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
+date: 2020/10/15
+modified: 2021/11/27
 logsource:
-    product: linux
-    service: auditd
+  product: linux
+  service: auditd
 detection:
-    execve:
-        type: 'EXECVE'
-    passwordgrep:
-        - 'grep'
-        - 'password'
-    condition: execve and all of passwordgrep
+  execve:
+    type: 'EXECVE'
+  passwordgrep:
+    - 'grep'
+    - 'password'
+  condition: execve and all of passwordgrep
 falsepositives:
-    - 'Unknown'
+  - 'Unknown'
 level: high
 tags:
-    - attack.credential_access
-    - attack.t1552.001
+  - attack.credential_access
+  - attack.t1552.001
@@ -1,24 +1,24 @@
 title: Modification of ld.so.preload
 id: 4b3cb710-5e83-4715-8c45-8b2b5b3e5751
-status: experimental
+status: test
 description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
 author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
-date: 2019/10/24
-modified: 2019/11/11
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md
-    - https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md
+  - https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
+date: 2019/10/24
+modified: 2021/11/27
 logsource:
-    product: linux
-    service: auditd
+  product: linux
+  service: auditd
 detection:
-    selection:
-        type: 'PATH'
-        name: '/etc/ld.so.preload'
-    condition: selection
+  selection:
+    type: 'PATH'
+    name: '/etc/ld.so.preload'
+  condition: selection
 falsepositives:
-    - Unknown
+  - Unknown
 level: high
 tags:
-    - attack.defense_evasion
-    - attack.t1574.006
+  - attack.defense_evasion
+  - attack.t1574.006
@@ -1,34 +1,31 @@
 title: Logging Configuration Changes on Linux Host
 id: c830f15d-6f6e-430f-8074-6f73d6807841
-status: experimental
+status: test
 description: Detect changes of syslog daemons configuration files
-    # Example config for this one (place it at the top of audit.rules)
-    # -w /etc/syslog.conf -p wa -k etc_modify_syslogconfig
-    # -w /etc/rsyslog.conf -p wa -k etc_modify_rsyslogconfig
-    # -w /etc/syslog-ng/syslog-ng.conf -p wa -k etc_modify_syslogngconfig
 author: Mikhail Larin, oscd.community
-date: 2019/10/25
 references:
-    - self experience
+  - self experience
+date: 2019/10/25
+modified: 2021/11/27
 logsource:
-    product: linux
-    service: auditd
+  product: linux
+  service: auditd
 detection:
-    selection:
-        type: 'PATH'
-        name:
-            - /etc/syslog.conf
-            - /etc/rsyslog.conf
-            - /etc/syslog-ng/syslog-ng.conf
-    condition: selection
+  selection:
+    type: 'PATH'
+    name:
+      - /etc/syslog.conf
+      - /etc/rsyslog.conf
+      - /etc/syslog-ng/syslog-ng.conf
+  condition: selection
 fields:
-    - exe
-    - comm
-    - key
+  - exe
+  - comm
+  - key
 falsepositives:
-    - Legitimate administrative activity
+  - Legitimate administrative activity
 level: high
 tags:
-    - attack.defense_evasion
-    - attack.t1054    # an old one
-    - attack.t1562.006
+  - attack.defense_evasion
+  - attack.t1054      # an old one
+  - attack.t1562.006
@@ -1,24 +1,24 @@
 title: Masquerading as Linux Crond Process
 id: 9d4548fa-bba0-4e88-bd66-5d5bf516cda0
-status: experimental
-description: Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and
-    observation. Several different variations of this technique have been observed.
+status: test
+description: Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.
 author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md
+date: 2019/10/21
+modified: 2021/11/27
 logsource:
-    product: linux
-    service: auditd
+  product: linux
+  service: auditd
 detection:
-    selection:
-        type: 'execve'
-        a0: 'cp'
-        a1: '-i'
-        a2: '/bin/sh'
-        a3|endswith: '/crond'
-    condition: selection
+  selection:
+    type: 'execve'
+    a0: 'cp'
+    a1: '-i'
+    a2: '/bin/sh'
+    a3|endswith: '/crond'
+  condition: selection
 level: medium
 tags:
-    - attack.defense_evasion
-    - attack.t1036.003
+  - attack.defense_evasion
+  - attack.t1036.003
@@ -1,27 +1,28 @@
 title: Systemd Service Reload or Start
 id: 2625cc59-0634-40d0-821e-cb67382a3dd7
-status: experimental
+status: test
 description: Detects a reload or a start of a service.
 author: Jakob Weinzettl, oscd.community
-date: 2019/09/23
 references:
-    - https://attack.mitre.org/techniques/T1543/002/
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md
+  - https://attack.mitre.org/techniques/T1543/002/
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md
+date: 2019/09/23
+modified: 2021/11/27
 logsource:
-    product: linux
-    service: auditd
+  product: linux
+  service: auditd
 detection:
-    selection:
-        type: 'EXECVE'
-        a0|contains: 'systemctl'
-        a1|contains:
-            - 'daemon-reload'
-            - 'start'
-    condition: selection
+  selection:
+    type: 'EXECVE'
+    a0|contains: 'systemctl'
+    a1|contains:
+      - 'daemon-reload'
+      - 'start'
+  condition: selection
 falsepositives:
-    - Installation of legitimate service.
-    - Legitimate reconfiguration of service.
+  - Installation of legitimate service.
+  - Legitimate reconfiguration of service.
 level: low
 tags:
-    - attack.persistence
-    - attack.t1543.002
+  - attack.persistence
+  - attack.t1543.002
@@ -1,26 +1,23 @@
 title: 'Split A File Into Pieces'
 id: 2dad0cba-c62a-4a4f-949f-5f6ecd619769
-status: experimental
+status: test
 description: 'Detection use of the command "split" to split files into parts and possible transfer.'
-  # For this rule to work execve auditing / file system auditing with "execute access" to specific binaries must be configured
-  # Example config (place it at the bottom of audit.rules)
-  # -a always,exit -F arch=b32 -S execve -k execve
-  # -a always,exit -F arch=b64 -S execve -k execve
 author: 'Igor Fits, oscd.community'
-date: 2020/10/15
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md
+date: 2020/10/15
+modified: 2021/11/27
 logsource:
-    product: linux
-    service: auditd
+  product: linux
+  service: auditd
 detection:
-    selection:
-        type: 'SYSCALL'
-        comm: 'split'
-    condition: selection
+  selection:
+    type: 'SYSCALL'
+    comm: 'split'
+  condition: selection
 falsepositives:
-    - 'Legitimate administrative activity'
+  - 'Legitimate administrative activity'
 level: low
 tags:
-    - attack.exfiltration
-    - attack.t1030
+  - attack.exfiltration
+  - attack.t1030
@@ -1,21 +1,22 @@
 title: Suspicious C2 Activities
 id: f7158a64-6204-4d6d-868a-6e6378b467e0
-status: experimental
+status: test
 description: Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'. This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)
 author: Marie Euler
 references:
-    - 'https://github.com/Neo23x0/auditd'
+  - 'https://github.com/Neo23x0/auditd'
 date: 2020/05/18
+modified: 2021/11/27
 logsource:
-    product: linux
-    service: auditd
+  product: linux
+  service: auditd
 detection:
-    selection:
-        key:
-            - 'susp_activity'
-    condition: selection
+  selection:
+    key:
+      - 'susp_activity'
+  condition: selection
 falsepositives:
-    - Admin or User activity
+  - Admin or User activity
 level: medium
 tags:
-    - attack.command_and_control
+  - attack.command_and_control
@@ -1,35 +1,36 @@
 title: Suspicious Commands Linux
 id: 1543ae20-cbdf-4ec1-8d12-7664d667a825
-status: experimental
+status: test
 description: Detects relevant commands often related to malware or hacking activity
 author: Florian Roth
-date: 2017/12/12
 references:
-    - Internal Research - mostly derived from exploit code including code in MSF
+  - Internal Research - mostly derived from exploit code including code in MSF
+date: 2017/12/12
+modified: 2021/11/27
 logsource:
-    product: linux
-    service: auditd
+  product: linux
+  service: auditd
 detection:
-    cmd1:
-        type: 'EXECVE'
-        a0: 'chmod'
-        a1: '777'
-    cmd2:
-        type: 'EXECVE'
-        a0: 'chmod'
-        a1: 'u+s'
-    cmd3:
-        type: 'EXECVE'
-        a0: 'cp'
-        a1: '/bin/ksh'
-    cmd4:
-        type: 'EXECVE'
-        a0: 'cp'
-        a1: '/bin/sh'
-    condition: 1 of them
+  cmd1:
+    type: 'EXECVE'
+    a0: 'chmod'
+    a1: '777'
+  cmd2:
+    type: 'EXECVE'
+    a0: 'chmod'
+    a1: 'u+s'
+  cmd3:
+    type: 'EXECVE'
+    a0: 'cp'
+    a1: '/bin/ksh'
+  cmd4:
+    type: 'EXECVE'
+    a0: 'cp'
+    a1: '/bin/sh'
+  condition: 1 of them
 falsepositives:
-    - Admin activity
+  - Admin activity
 level: medium
 tags:
-    - attack.execution
-    - attack.t1059.004
+  - attack.execution
+  - attack.t1059.004
@@ -1,43 +1,44 @@
 title: Program Executions in Suspicious Folders
 id: a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc
-status: experimental
+status: test
 description: Detects program executions in suspicious non-program folders related to malware or hacking activity
 author: Florian Roth
-date: 2018/01/23
 references:
-    - Internal Research
+  - Internal Research
+date: 2018/01/23
+modified: 2021/11/27
 logsource:
-    product: linux
-    service: auditd
+  product: linux
+  service: auditd
 detection:
-    selection:
-        type: 'SYSCALL'
-        exe|startswith:
+  selection:
+    type: 'SYSCALL'
+    exe|startswith:
            # Temporary folder
-            - '/tmp/'
+      - '/tmp/'
            # Web server 
-            - '/var/www/'              # Standard
-            - '/home/*/public_html/'   # Per-user
-            - '/usr/local/apache2/'    # Classical Apache
-            - '/usr/local/httpd/'      # Old SuSE Linux 6.* Apache
-            - '/var/apache/'           # Solaris Apache
-            - '/srv/www/'              # SuSE Linux 9.*
-            - '/home/httpd/html/'      # Redhat 6 or older Apache
-            - '/srv/http/'             # ArchLinux standard
-            - '/usr/share/nginx/html/' # ArchLinux nginx
+      - '/var/www/'                    # Standard
+      - '/home/*/public_html/'         # Per-user
+      - '/usr/local/apache2/'          # Classical Apache
+      - '/usr/local/httpd/'            # Old SuSE Linux 6.* Apache
+      - '/var/apache/'                 # Solaris Apache
+      - '/srv/www/'                    # SuSE Linux 9.*
+      - '/home/httpd/html/'            # Redhat 6 or older Apache
+      - '/srv/http/'                   # ArchLinux standard
+      - '/usr/share/nginx/html/'       # ArchLinux nginx
            # Data dirs of typically exploited services (incomplete list)
-            - '/var/lib/pgsql/data/'
-            - '/usr/local/mysql/data/'
-            - '/var/lib/mysql/'
-            - '/var/vsftpd/'
-            - '/etc/bind/'
-            - '/var/named/'
-    condition: selection
+      - '/var/lib/pgsql/data/'
+      - '/usr/local/mysql/data/'
+      - '/var/lib/mysql/'
+      - '/var/vsftpd/'
+      - '/etc/bind/'
+      - '/var/named/'
+  condition: selection
 falsepositives:
-    - Admin activity (especially in /tmp folders)
-    - Crazy web applications
+  - Admin activity (especially in /tmp folders)
+  - Crazy web applications
 level: medium
 tags:
-    - attack.t1587
-    - attack.t1584 
-    - attack.resource_development 
+  - attack.t1587
+  - attack.t1584
+  - attack.resource_development
@@ -1,42 +1,36 @@
 title: 'Suspicious History File Operations'
 id: eae8ce9f-bde9-47a6-8e79-f20d18419910
-status: experimental
+status: test
 description: 'Detects commandline operations on shell history files'
-    # Rule detects presence of various shell history files in process commandline
-    # Normally user expected to view own history with dedicated 'history' command and not some other tools
-    # There is a possibility for rule to trigger, when T1070.003 techinuque is used (history file cleared)
-    # For this rule to work execve auditing must be configured
-    # Example config (place it at the bottom of audit.rules)
-    # -a always,exit -F arch=b32 -S execve -k execve
-    # -a always,exit -F arch=b64 -S execve -k execve
 author: 'Mikhail Larin, oscd.community'
-date: 2020/10/17
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md
+date: 2020/10/17
+modified: 2021/11/27
 logsource:
-    product: linux
-    service: auditd
+  product: linux
+  service: auditd
 detection:
-    execve:
-        type: EXECVE
-    history:
-        - '.bash_history'
-        - '.zsh_history'
-        - '.zhistory'
-        - '.history'
-        - '.sh_history'
-        - 'fish_history'
-    condition: execve and history
+  execve:
+    type: EXECVE
+  history:
+    - '.bash_history'
+    - '.zsh_history'
+    - '.zhistory'
+    - '.history'
+    - '.sh_history'
+    - 'fish_history'
+  condition: execve and history
 fields:
-    - a0
-    - a1
-    - a2
-    - a3
-    - key
+  - a0
+  - a1
+  - a2
+  - a3
+  - key
 falsepositives:
-    - 'Legitimate administrative activity'
-    - 'Ligitimate software, cleaning hist file'
+  - 'Legitimate administrative activity'
+  - 'Ligitimate software, cleaning hist file'
 level: medium
 tags:
-    - attack.credential_access
-    - attack.t1552.003
+  - attack.credential_access
+  - attack.t1552.003
@@ -1,36 +1,33 @@
 title: 'System Shutdown/Reboot'
 id: 4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f
-status: experimental
+status: test
 description: 'Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.'
-  # For this rule to work execve auditing must be configured
-  # Example config (place it at the bottom of audit.rules)
-  # -a always,exit -F arch=b32 -S execve -k execve
-  # -a always,exit -F arch=b64 -S execve -k execve
 author: 'Igor Fits, oscd.community'
-date: 2020/10/15
 references:
-    - hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md
+  - hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md
+date: 2020/10/15
+modified: 2021/11/27
 logsource:
-    product: linux
-    service: auditd
+  product: linux
+  service: auditd
 detection:
-    execve:
-       type: 'EXECVE'
-    shutdowncmd:
-        - 'shutdown'
-        - 'reboot'
-        - 'halt'
-        - 'poweroff'
-    init:
-        - 'init'
-        - 'telinit'
-    initselection:
-        - '0'
-        - '6'
-    condition: execve and (shutdowncmd or (init and initselection))
+  execve:
+    type: 'EXECVE'
+  shutdowncmd:
+    - 'shutdown'
+    - 'reboot'
+    - 'halt'
+    - 'poweroff'
+  init:
+    - 'init'
+    - 'telinit'
+  initselection:
+    - '0'
+    - '6'
+  condition: execve and (shutdowncmd or (init and initselection))
 falsepositives:
-    - 'Legitimate administrative activity'
+  - 'Legitimate administrative activity'
 level: informational
 tags:
-    - attack.impact
-    - attack.t1529
+  - attack.impact
+  - attack.t1529
@@ -1,26 +1,26 @@
 title: System Owner or User Discovery
 id: 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3
-status: experimental
-description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not
-    the adversary fully infects the target and/or attempts specific actions.
+status: test
+description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
 author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md
+date: 2019/10/21
+modified: 2021/11/27
 logsource:
-    product: linux
-    service: auditd
+  product: linux
+  service: auditd
 detection:
-    selection:
-        type: 'EXECVE'
-        a0:
-            - 'users'
-            - 'w'
-            - 'who'
-    condition: selection
+  selection:
+    type: 'EXECVE'
+    a0:
+      - 'users'
+      - 'w'
+      - 'who'
+  condition: selection
 falsepositives:
-    - Admin activity
+  - Admin activity
 level: low
 tags:
-    - attack.discovery
-    - attack.t1033
+  - attack.discovery
+  - attack.t1033
@@ -1,31 +1,31 @@
 title: Data Compressed
 id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee
-status: experimental
+status: test
 description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
 author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-modified: 2019/11/04
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
+date: 2019/10/21
+modified: 2021/11/27
 logsource:
-    product: linux
-    service: auditd
+  product: linux
+  service: auditd
 detection:
-    selection1:
-        type: 'execve'
-        a0: 'zip'
-    selection2:
-        type: 'execve'
-        a0: 'gzip'
-        a1: '-f'
-    selection3:
-        type: 'execve'
-        a0: 'tar'
-        a1|contains: '-c'
-    condition: 1 of them
+  selection1:
+    type: 'execve'
+    a0: 'zip'
+  selection2:
+    type: 'execve'
+    a0: 'gzip'
+    a1: '-f'
+  selection3:
+    type: 'execve'
+    a0: 'tar'
+    a1|contains: '-c'
+  condition: 1 of them
 falsepositives:
-    - Legitimate use of archiving tools by legitimate user.
+  - Legitimate use of archiving tools by legitimate user.
 level: low
 tags:
-    - attack.exfiltration
-    - attack.t1560.001
+  - attack.exfiltration
+  - attack.t1560.001
@@ -1,32 +1,31 @@
 title: Network Sniffing
 id: f4d3748a-65d1-4806-bd23-e25728081d01
-status: experimental
-description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary
-    may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+status: test
+description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
 author: Timur Zinniatullin, oscd.community
-date: 2019/10/21
-modified: 2019/11/04
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
+date: 2019/10/21
+modified: 2021/11/27
 logsource:
-    product: linux
-    service: auditd
+  product: linux
+  service: auditd
 detection:
-    selection1:
-        type: 'execve'
-        a0: 'tcpdump'
-        a1: '-c'
-        a3|contains: '-i'
-    selection2:
-        type: 'execve'
-        a0: 'tshark'
-        a1: '-c'
-        a3: '-i'
-    condition: selection1 or selection2
+  selection1:
+    type: 'execve'
+    a0: 'tcpdump'
+    a1: '-c'
+    a3|contains: '-i'
+  selection2:
+    type: 'execve'
+    a0: 'tshark'
+    a1: '-c'
+    a3: '-i'
+  condition: selection1 or selection2
 falsepositives:
-    - Legitimate administrator or user uses network sniffing tool for legitimate reasons.
+  - Legitimate administrator or user uses network sniffing tool for legitimate reasons.
 level: low
 tags:
-    - attack.credential_access
-    - attack.discovery
-    - attack.t1040
+  - attack.credential_access
+  - attack.discovery
+  - attack.t1040
@@ -1,81 +1,82 @@
 title: Equation Group Indicators
 id: 41e5c73d-9983-4b69-bd03-e13b67e9623c
-status: experimental
+status: test
 description: Detects suspicious shell commands used in various Equation Group scripts and tools
 author: Florian Roth
-date: 2017/04/09
 references:
-    - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
+  - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
+date: 2017/04/09
+modified: 2021/11/27
 logsource:
-    product: linux
+  product: linux
 detection:
-    keywords:
+  keywords:
        # evolvingstrategy, elgingamble, estesfox
-        - 'chown root*chmod 4777 '
-        - 'cp /bin/sh .;chown'
+    - 'chown root*chmod 4777 '
+    - 'cp /bin/sh .;chown'
        # tmpwatch
-        - 'chmod 4777 /tmp/.scsi/dev/bin/gsh'
-        - 'chown root:root /tmp/.scsi/dev/bin/'
+    - 'chmod 4777 /tmp/.scsi/dev/bin/gsh'
+    - 'chown root:root /tmp/.scsi/dev/bin/'
        # estesfox
-        - 'chown root:root x;'
+    - 'chown root:root x;'
        # ratload
-        - '/bin/telnet locip locport < /dev/console | /bin/sh'
-        - '/tmp/ratload'
+    - '/bin/telnet locip locport < /dev/console | /bin/sh'
+    - '/tmp/ratload'
        # ewok
-        - 'ewok -t '
+    - 'ewok -t '
        # xspy
-        - 'xspy -display '
+    - 'xspy -display '
        # elatedmonkey
-        - 'cat > /dev/tcp/127.0.0.1/80 <<END'
+    - 'cat > /dev/tcp/127.0.0.1/80 <<END'
        # ftshell
-        - 'rm -f /current/tmp/ftshell.latest'
+    - 'rm -f /current/tmp/ftshell.latest'
        # ghost
-        - 'ghost_* -v '
+    - 'ghost_* -v '
        # morerats client
-        - ' --wipe > /dev/null'
+    - ' --wipe > /dev/null'
        # noclient
-        - 'ping -c 2 *; grep * /proc/net/arp >/tmp/gx'
-        - 'iptables * OUTPUT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP;'
+    - 'ping -c 2 *; grep * /proc/net/arp >/tmp/gx'
+    - 'iptables * OUTPUT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP;'
        # auditcleaner
-        - '> /var/log/audit/audit.log; rm -f .'
-        - 'cp /var/log/audit/audit.log .tmp'
+    - '> /var/log/audit/audit.log; rm -f .'
+    - 'cp /var/log/audit/audit.log .tmp'
        # reverse shell
-        - 'sh >/dev/tcp/* <&1 2>&1'
+    - 'sh >/dev/tcp/* <&1 2>&1'
        # packrat
-        - 'ncat -vv -l -p * <'
-        - 'nc -vv -l -p * <'
+    - 'ncat -vv -l -p * <'
+    - 'nc -vv -l -p * <'
        # empty bowl
-        - '< /dev/console | uudecode && uncompress'
-        - 'sendmail -osendmail;chmod +x sendmail'
+    - '< /dev/console | uudecode && uncompress'
+    - 'sendmail -osendmail;chmod +x sendmail'
        # echowrecker
-        - '/usr/bin/wget -O /tmp/a http* && chmod 755 /tmp/cron'
+    - '/usr/bin/wget -O /tmp/a http* && chmod 755 /tmp/cron'
        # dubmoat
-        - 'chmod 666 /var/run/utmp~'
+    - 'chmod 666 /var/run/utmp~'
        # poptop
-        - 'chmod 700 nscd crond'
+    - 'chmod 700 nscd crond'
        # abopscript
-        - 'cp /etc/shadow /tmp/.'
+    - 'cp /etc/shadow /tmp/.'
        # ys
-        - '</dev/console |uudecode > /dev/null 2>&1 && uncompress'
+    - '</dev/console |uudecode > /dev/null 2>&1 && uncompress'
        # jacktelnet
-        - 'chmod 700 jp&&netstat -an|grep'
+    - 'chmod 700 jp&&netstat -an|grep'
        # others
-        - 'uudecode > /dev/null 2>&1 && uncompress -f * && chmod 755'
-        - 'chmod 700 crond'
-        - 'wget http*; chmod +x /tmp/sendmail'
-        - 'chmod 700 fp sendmail pt'
-        - 'chmod 755 /usr/vmsys/bin/pipe'
-        - 'chmod -R 755 /usr/vmsys'
-        - 'chmod 755 $opbin/*tunnel'
-        - 'chmod 700 sendmail'
-        - 'chmod 0700 sendmail'
-        - '/usr/bin/wget http*sendmail;chmod +x sendmail;'
-        - '&& telnet * 2>&1 </dev/console'
-    condition: keywords
+    - 'uudecode > /dev/null 2>&1 && uncompress -f * && chmod 755'
+    - 'chmod 700 crond'
+    - 'wget http*; chmod +x /tmp/sendmail'
+    - 'chmod 700 fp sendmail pt'
+    - 'chmod 755 /usr/vmsys/bin/pipe'
+    - 'chmod -R 755 /usr/vmsys'
+    - 'chmod 755 $opbin/*tunnel'
+    - 'chmod 700 sendmail'
+    - 'chmod 0700 sendmail'
+    - '/usr/bin/wget http*sendmail;chmod +x sendmail;'
+    - '&& telnet * 2>&1 </dev/console'
+  condition: keywords
 falsepositives:
-    - Unknown
+  - Unknown
 level: high
 tags:
-    - attack.execution
-    - attack.g0020
-    - attack.t1059.004
+  - attack.execution
+  - attack.g0020
+  - attack.t1059.004
@@ -1,20 +1,21 @@
 title: Connection Proxy
 id: 72f4ab3f-787d-495d-a55d-68c2ff46cf4c
-status: experimental
+status: test
 description: Detects setting proxy
 author: Ömer Günal
-date: 2020/06/17
 references:
-    - https://attack.mitre.org/techniques/T1090/
+  - https://attack.mitre.org/techniques/T1090/
+date: 2020/06/17
+modified: 2021/11/27
 logsource:
-    product: linux
+  product: linux
 detection:
-    keyword:
-        - 'http_proxy=*'
-        - 'https_proxy=*'
-    condition: keyword
+  keyword:
+    - 'http_proxy=*'
+    - 'https_proxy=*'
+  condition: keyword
 falsepositives:
-    - Legitimate administration activities
+  - Legitimate administration activities
 level: low
 tags:
-    - attack.defense_evasion
+  - attack.defense_evasion
@@ -1,24 +1,25 @@
 title: Setuid and Setgid
 id: c21c4eaa-ba2e-419a-92b2-8371703cbe21
-status: experimental
+status: test
 description: Detects suspicious change of file privileges with chown and chmod commands
 author: Ömer Günal
-date: 2020/06/16
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1166/T1166.md
-    - https://attack.mitre.org/techniques/T1166/
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1166/T1166.md
+  - https://attack.mitre.org/techniques/T1166/
+date: 2020/06/16
+modified: 2021/11/27
 logsource:
-    product: linux
+  product: linux
 detection:
-    selection1:
-        - '*chown root*'    
-    selection2:
-        - '* chmod u+s*'
-    selection3:
-        - '* chmod g+s*'
-    condition: (selection1 and selection2) or (selection1 and selection3)
+  selection1:
+    - '*chown root*'
+  selection2:
+    - '* chmod u+s*'
+  selection3:
+    - '* chmod g+s*'
+  condition: (selection1 and selection2) or (selection1 and selection3)
 falsepositives:
-    - Legitimate administration activities
+  - Legitimate administration activities
 level: low
 tags:
-    - attack.persistence
+  - attack.persistence
@@ -1,70 +1,71 @@
 title: Privilege Escalation Preparation
 id: 444ade84-c362-4260-b1f3-e45e20e1a905
-status: experimental
+status: test
 description: Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation.
 author: Patrick Bareiss
-date: 2019/04/05
 references:
-    - https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
-    - https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/
+  - https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
+  - https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/
+date: 2019/04/05
+modified: 2021/11/27
 logsource:
-    product: linux
+  product: linux
 detection:
-    keywords:
+  keywords:
        # distribution type and kernel version
-        - 'cat /etc/issue'
-        - 'cat /etc/*-release'
-        - 'cat /proc/version'
-        - 'uname -a'
-        - 'uname -mrs'
-        - 'rpm -q kernel'
-        - 'dmesg | grep Linux'
-        - 'ls /boot | grep vmlinuz-'
+    - 'cat /etc/issue'
+    - 'cat /etc/*-release'
+    - 'cat /proc/version'
+    - 'uname -a'
+    - 'uname -mrs'
+    - 'rpm -q kernel'
+    - 'dmesg | grep Linux'
+    - 'ls /boot | grep vmlinuz-'
        # environment variables
-        - 'cat /etc/profile'
-        - 'cat /etc/bashrc'
-        - 'cat ~/.bash_profile'
-        - 'cat ~/.bashrc'
-        - 'cat ~/.bash_logout'
+    - 'cat /etc/profile'
+    - 'cat /etc/bashrc'
+    - 'cat ~/.bash_profile'
+    - 'cat ~/.bashrc'
+    - 'cat ~/.bash_logout'
        # applications and services as root
-        - 'ps -aux | grep root'
-        - 'ps -ef | grep root'
+    - 'ps -aux | grep root'
+    - 'ps -ef | grep root'
        # scheduled tasks
-        - 'crontab -l'
-        - 'cat /etc/cron*'
-        - 'cat /etc/cron.allow'
-        - 'cat /etc/cron.deny'
-        - 'cat /etc/crontab'
+    - 'crontab -l'
+    - 'cat /etc/cron*'
+    - 'cat /etc/cron.allow'
+    - 'cat /etc/cron.deny'
+    - 'cat /etc/crontab'
        # search for plain text user/passwords
-        - 'grep -i user *'
-        - 'grep -i pass *'
+    - 'grep -i user *'
+    - 'grep -i pass *'
        # networking
-        - 'ifconfig'
-        - 'cat /etc/network/interfaces'
-        - 'cat /etc/sysconfig/network'
-        - 'cat /etc/resolv.conf'
-        - 'cat /etc/networks'
-        - 'iptables -L'
-        - 'lsof -i'
-        - 'netstat -antup'
-        - 'netstat -antpx'
-        - 'netstat -tulpn'
-        - 'arp -e'
-        - 'route'
+    - 'ifconfig'
+    - 'cat /etc/network/interfaces'
+    - 'cat /etc/sysconfig/network'
+    - 'cat /etc/resolv.conf'
+    - 'cat /etc/networks'
+    - 'iptables -L'
+    - 'lsof -i'
+    - 'netstat -antup'
+    - 'netstat -antpx'
+    - 'netstat -tulpn'
+    - 'arp -e'
+    - 'route'
        # sensitive files
-        - 'cat /etc/passwd'
-        - 'cat /etc/group'
-        - 'cat /etc/shadow'
+    - 'cat /etc/passwd'
+    - 'cat /etc/group'
+    - 'cat /etc/shadow'
        # sticky bits
-        - 'find / -perm -u=s'
-        - 'find / -perm -g=s'
-        - 'find / -perm -4000'
-        - 'find / -perm -2000'
-    timeframe: 30m
-    condition: keywords | count() by host > 6
+    - 'find / -perm -u=s'
+    - 'find / -perm -g=s'
+    - 'find / -perm -4000'
+    - 'find / -perm -2000'
+  timeframe: 30m
+  condition: keywords | count() by host > 6
 falsepositives:
-    - Troubleshooting on Linux Machines
+  - Troubleshooting on Linux Machines
 level: medium
 tags:
-    - attack.execution
-    - attack.t1059.004
+  - attack.execution
+  - attack.t1059.004
@@ -1,59 +1,59 @@
 title: Suspicious Activity in Shell Commands
 id: 2aa1440c-9ae9-4d92-84a7-a9e5f5e31695
-status: experimental
+status: test
 description: Detects suspicious shell commands used in various exploit codes (see references)
 author: Florian Roth
-date: 2017/08/21
-modified: 2019/02/05
 references:
-    - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html
-    - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121
-    - http://pastebin.com/FtygZ1cg
-    - https://artkond.com/2017/03/23/pivoting-guide/
+  - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html
+  - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121
+  - http://pastebin.com/FtygZ1cg
+  - https://artkond.com/2017/03/23/pivoting-guide/
+date: 2017/08/21
+modified: 2021/11/27
 logsource:
-    product: linux
+  product: linux
 detection:
-    keywords:
+  keywords:
        # Generic suspicious commands
-        - 'wget * - http* | perl'
-        - 'wget * - http* | sh'
-        - 'wget * - http* | bash'
-        - 'python -m SimpleHTTPServer'
-        - '-m http.server'  # Python 3
-        - 'import pty; pty.spawn*'
-        - 'socat exec:*'
-        - 'socat -O /tmp/*'
-        - 'socat tcp-connect*'
-        - '*echo binary >>*'
+    - 'wget * - http* | perl'
+    - 'wget * - http* | sh'
+    - 'wget * - http* | bash'
+    - 'python -m SimpleHTTPServer'
+    - '-m http.server'      # Python 3
+    - 'import pty; pty.spawn*'
+    - 'socat exec:*'
+    - 'socat -O /tmp/*'
+    - 'socat tcp-connect*'
+    - '*echo binary >>*'
        # Malware
-        - '*wget *; chmod +x*'
-        - '*wget *; chmod 777 *'
-        - '*cd /tmp || cd /var/run || cd /mnt*'
+    - '*wget *; chmod +x*'
+    - '*wget *; chmod 777 *'
+    - '*cd /tmp || cd /var/run || cd /mnt*'
        # Apache Struts in-the-wild exploit codes
-        - '*stop;service iptables stop;*'
-        - '*stop;SuSEfirewall2 stop;*'
-        - 'chmod 777 2020*'
-        - '*>>/etc/rc.local'
+    - '*stop;service iptables stop;*'
+    - '*stop;SuSEfirewall2 stop;*'
+    - 'chmod 777 2020*'
+    - '*>>/etc/rc.local'
        # Metasploit framework exploit codes
-        - '*base64 -d /tmp/*'
-        - '* | base64 -d *'
-        - '*/chmod u+s *'
-        - '*chmod +s /tmp/*'
-        - '*chmod u+s /tmp/*'
-        - '* /tmp/haxhax*'
-        - '* /tmp/ns_sploit*'
-        - 'nc -l -p *'
-        - 'cp /bin/ksh *'
-        - 'cp /bin/sh *'
-        - '* /tmp/*.b64 *'
-        - '*/tmp/ysocereal.jar*'
-        - '*/tmp/x *'
-        - '*; chmod +x /tmp/*'
-        - '*;chmod +x /tmp/*'
-    condition: keywords
+    - '*base64 -d /tmp/*'
+    - '* | base64 -d *'
+    - '*/chmod u+s *'
+    - '*chmod +s /tmp/*'
+    - '*chmod u+s /tmp/*'
+    - '* /tmp/haxhax*'
+    - '* /tmp/ns_sploit*'
+    - 'nc -l -p *'
+    - 'cp /bin/ksh *'
+    - 'cp /bin/sh *'
+    - '* /tmp/*.b64 *'
+    - '*/tmp/ysocereal.jar*'
+    - '*/tmp/x *'
+    - '*; chmod +x /tmp/*'
+    - '*;chmod +x /tmp/*'
+  condition: keywords
 falsepositives:
-    - Unknown
+  - Unknown
 level: high
 tags:
-    - attack.execution
-    - attack.t1059.004
+  - attack.execution
+  - attack.t1059.004
@@ -1,20 +1,21 @@
 title: Suspicious Log Entries
 id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1
-status: experimental
+status: test
 description: Detects suspicious log entries in Linux log files
 author: Florian Roth
 date: 2017/03/25
+modified: 2021/11/27
 logsource:
-    product: linux
+  product: linux
 detection:
-    keywords:
-        - entered promiscuous mode
-        - Deactivating service
-        - Oversized packet received from
-        - imuxsock begins to drop messages
-    condition: keywords
+  keywords:
+    - entered promiscuous mode
+    - Deactivating service
+    - Oversized packet received from
+    - imuxsock begins to drop messages
+  condition: keywords
 falsepositives:
-    - Unknown
+  - Unknown
 level: medium
 tags:
-    - attack.impact
+  - attack.impact
@@ -1,44 +1,45 @@
 title: Suspicious Reverse Shell Command Line
 id: 738d9bcf-6999-4fdb-b4ac-3033037db8ab
-status: experimental
+status: test
 description: Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell
 author: Florian Roth
-date: 2019/04/02
 references:
-    - https://alamot.github.io/reverse_shells/
+  - https://alamot.github.io/reverse_shells/
+date: 2019/04/02
+modified: 2021/11/27
 logsource:
-    product: linux
+  product: linux
 detection:
-    keywords:
-        - 'BEGIN {s = "/inet/tcp/0/'
-        - 'bash -i >& /dev/tcp/'
-        - 'bash -i >& /dev/udp/'
-        - 'sh -i >$ /dev/udp/'
-        - 'sh -i >$ /dev/tcp/'
-        - '&& while read line 0<&5; do'
-        - '/bin/bash -c exec 5<>/dev/tcp/'
-        - '/bin/bash -c exec 5<>/dev/udp/'
-        - 'nc -e /bin/sh '
-        - '/bin/sh | nc'
-        - 'rm -f backpipe; mknod /tmp/backpipe p && nc '
-        - ';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i))))'
-        - ';STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
-        - '/bin/sh -i <&3 >&3 2>&3'
-        - 'uname -a; w; id; /bin/bash -i'
-        - '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()};'
-        - ";os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv('HISTFILE','/dev/null');"
-        - '.to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
-        - ';while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print'
-        - "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:"
-        - 'rm -f /tmp/p; mknod /tmp/p p &&'
-        - ' | /bin/bash | telnet '
-        - ',echo=0,raw tcp-listen:'
-        - 'nc -lvvp '
-        - 'xterm -display 1'
-    condition: keywords
+  keywords:
+    - 'BEGIN {s = "/inet/tcp/0/'
+    - 'bash -i >& /dev/tcp/'
+    - 'bash -i >& /dev/udp/'
+    - 'sh -i >$ /dev/udp/'
+    - 'sh -i >$ /dev/tcp/'
+    - '&& while read line 0<&5; do'
+    - '/bin/bash -c exec 5<>/dev/tcp/'
+    - '/bin/bash -c exec 5<>/dev/udp/'
+    - 'nc -e /bin/sh '
+    - '/bin/sh | nc'
+    - 'rm -f backpipe; mknod /tmp/backpipe p && nc '
+    - ';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i))))'
+    - ';STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
+    - '/bin/sh -i <&3 >&3 2>&3'
+    - 'uname -a; w; id; /bin/bash -i'
+    - '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()};'
+    - ";os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv('HISTFILE','/dev/null');"
+    - '.to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
+    - ';while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print'
+    - "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:"
+    - 'rm -f /tmp/p; mknod /tmp/p p &&'
+    - ' | /bin/bash | telnet '
+    - ',echo=0,raw tcp-listen:'
+    - 'nc -lvvp '
+    - 'xterm -display 1'
+  condition: keywords
 falsepositives:
-    - Unknown
+  - Unknown
 level: high
 tags:
-    - attack.execution
-    - attack.t1059.004
+  - attack.execution
+  - attack.t1059.004
@@ -1,21 +1,22 @@
 title: Space After Filename
-id: 879c3015-c88b-4782-93d7-07adf92dbcb7 
-status: experimental
+id: 879c3015-c88b-4782-93d7-07adf92dbcb7
+status: test
 description: Detects space after filename
 author: Ömer Günal
-date: 2020/06/17
 references:
-    - https://attack.mitre.org/techniques/T1064
-level: low
+  - https://attack.mitre.org/techniques/T1064
+date: 2020/06/17
+modified: 2021/11/27
 logsource:
-    product: linux
+  product: linux
 detection:
-    selection1:
-        - 'echo "*" > * && chmod +x *'
-    selection2:
-        - 'mv * "* "'
-    condition: selection1 and selection2 
+  selection1:
+    - 'echo "*" > * && chmod +x *'
+  selection2:
+    - 'mv * "* "'
+  condition: selection1 and selection2
 falsepositives:
-    - Typos
+  - Typos
+level: low
 tags:
-    - attack.execution
+  - attack.execution
@@ -1,22 +1,23 @@
 title: JexBoss Command Sequence
 id: 8ec2c8b4-557a-4121-b87c-5dfb3a602fae
+status: test
 description: Detects suspicious command sequence that JexBoss
-status: experimental
 author: Florian Roth
-date: 2017/08/24
 references:
-    - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
+  - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
+date: 2017/08/24
+modified: 2021/11/27
 logsource:
-    product: linux
+  product: linux
 detection:
-    selection1:
-        - 'bash -c /bin/bash'
-    selection2:
-        - '&/dev/tcp/'
-    condition: selection1 and selection2
+  selection1:
+    - 'bash -c /bin/bash'
+  selection2:
+    - '&/dev/tcp/'
+  condition: selection1 and selection2
 falsepositives:
-    - Unknown
+  - Unknown
 level: high
 tags:
-    - attack.execution
-    - attack.t1059.004
+  - attack.execution
+  - attack.t1059.004
@@ -1,21 +1,22 @@
 title: Symlink Etc Passwd
 id: c67fc22a-0be5-4b4f-aad5-2b32c4b69523
-status: experimental
+status: test
 description: Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd
 author: Florian Roth
-date: 2019/04/05
 references:
-    - https://www.qualys.com/2021/05/04/21nails/21nails.txt
+  - https://www.qualys.com/2021/05/04/21nails/21nails.txt
+date: 2019/04/05
+modified: 2021/11/27
 logsource:
-    product: linux
+  product: linux
 detection:
-    keywords:
-        - 'ln -s -f /etc/passwd'
-        - 'ln -s /etc/passwd'
-    condition: keywords
+  keywords:
+    - 'ln -s -f /etc/passwd'
+    - 'ln -s /etc/passwd'
+  condition: keywords
 falsepositives:
-    - Unknown
+  - Unknown
 level: high
 tags:
-    - attack.t1204.001 
-    - attack.execution
+  - attack.t1204.001
+  - attack.execution
@@ -1,12 +1,13 @@
 title: MacOS Emond Launch Daemon
 id: 23c43900-e732-45a4-8354-63e4a6c187ce
-status: experimental
+status: test
 description: Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/23
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md
-    - https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md
+  - https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
+date: 2020/10/23
+modified: 2021/11/27
 logsource:
  category: file_event
  product: macos
@@ -18,9 +19,9 @@ detection:
    TargetFilename|contains: '/private/var/db/emondClients/'
  condition: selection_1 or selection_2
 falsepositives:
-    - Legitimate administration activities
+  - Legitimate administration activities
 level: medium
 tags:
-    - attack.persistence
-    - attack.privilege_escalation
-    - attack.t1546.014
+  - attack.persistence
+  - attack.privilege_escalation
+  - attack.t1546.014
@@ -1,11 +1,12 @@
 title: Startup Items
 id: dfe8b941-4e54-4242-b674-6b613d521962
-status: experimental
+status: test
 description: Detects creation of startup item plist files that automatically get executed at boot initialization to establish persistence.
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/14
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md
+date: 2020/10/14
+modified: 2021/11/27
 logsource:
  category: file_event
  product: macos
@@ -16,9 +17,9 @@ detection:
    TargetFilename|endswith: '.plist'
  condition: selection_1 and selection_2
 falsepositives:
-    - Legitimate administration activities
+  - Legitimate administration activities
 level: low
 tags:
-    - attack.persistence
-    - attack.privilege_escalation
-    - attack.t1037.005
+  - attack.persistence
+  - attack.privilege_escalation
+  - attack.t1037.005
@@ -1,11 +1,12 @@
 title: MacOS Scripting Interpreter AppleScript
 id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
-status: experimental
+status: test
 description: Detects execution of AppleScript of the macOS scripting language AppleScript.
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/21
 references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md
+date: 2020/10/21
+modified: 2021/11/27
 logsource:
  category: process_creation
  product: macos
@@ -1,11 +1,12 @@
 title: Decode Base64 Encoded Text
 id: 719c22d7-c11a-4f2c-93a6-2cfdd5412f68
-status: experimental
+status: test
 description: Detects usage of base64 utility to decode arbitrary base64-encoded text
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
 references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
  category: process_creation
  product: macos
@@ -19,4 +20,4 @@ falsepositives:
 level: low
 tags:
  - attack.defense_evasion
-  - attack.t1027
+  - attack.t1027
@@ -1,33 +1,32 @@
 title: 'Binary Padding'
 id: 95361ce5-c891-4b0a-87ca-e24607884a96
-status: experimental
+status: test
 description: 'Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.'
-    # For this rule to work you must enable audit of process execution in OpenBSM, see
-    # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
 author: 'Igor Fits, Mikhail Larin, oscd.community'
-date: 2020/10/19
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
-    product: macos
-    category: process_creation
+  product: macos
+  category: process_creation
 detection:
-    selection1:
-        Image|endswith:
-             - '/truncate'
-        CommandLine|contains:
-             - '-s'
-    selection2:
-        Image|endswith:
-             - '/dd'
-        CommandLine|contains:
-             - 'if='
-    filter:
-        CommandLine|contains: 'of='
-    condition: selection1 or (selection2 and not filter)
+  selection1:
+    Image|endswith:
+      - '/truncate'
+    CommandLine|contains:
+      - '-s'
+  selection2:
+    Image|endswith:
+      - '/dd'
+    CommandLine|contains:
+      - 'if='
+  filter:
+    CommandLine|contains: 'of='
+  condition: selection1 or (selection2 and not filter)
 falsepositives:
-    - 'Legitimate script work'
+  - 'Legitimate script work'
 level: high
 tags:
-    - attack.defense_evasion
-    - attack.t1027.001
+  - attack.defense_evasion
+  - attack.t1027.001
@@ -1,29 +1,28 @@
 title: 'File Time Attribute Change'
 id: 88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0
-status: experimental
+status: test
 description: 'Detect file time attribute change to hide new or changes to existing files.'
-    # For this rule to work you must enable audit of process execution in OpenBSM, see
-    # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
 author: 'Igor Fits, Mikhail Larin, oscd.community'
-date: 2020/10/19
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
-    product: macos
-    category: process_creation
+  product: macos
+  category: process_creation
 detection:
-    selection1:
-        Image|endswith: '/touch'
-    selection2:
-        CommandLine|contains:
-         - '-t'
-         - '-acmr'
-         - '-d'
-         - '-r'
-    condition: selection1 and selection2
+  selection1:
+    Image|endswith: '/touch'
+  selection2:
+    CommandLine|contains:
+      - '-t'
+      - '-acmr'
+      - '-d'
+      - '-r'
+  condition: selection1 and selection2
 falsepositives:
-    - 'Unknown'
+  - 'Unknown'
 level: medium
 tags:
-    - attack.defense_evasion
-    - attack.t1070.006
+  - attack.defense_evasion
+  - attack.t1070.006
@@ -1,11 +1,12 @@
 title: Creation Of A Local User Account
 id: 51719bf5-e4fd-4e44-8ba8-b830e7ac0731
-status: experimental
+status: test
 description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/06
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md
+date: 2020/10/06
+modified: 2021/11/27
 logsource:
  category: process_creation
  product: macos
@@ -20,6 +21,6 @@ falsepositives:
  - Legitimate administration activities
 level: low
 tags:
-    - attack.t1136    # an old one
-    - attack.t1136.001
-    - attack.persistence
+  - attack.t1136      # an old one
+  - attack.t1136.001
+  - attack.persistence
@@ -1,11 +1,12 @@
 title: Hidden User Creation
 id: b22a5b36-2431-493a-8be1-0bae56c28ef3
-status: experimental
+status: test
 description: Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/10
 references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md
+date: 2020/10/10
+modified: 2021/11/27
 logsource:
  category: process_creation
  product: macos
@@ -23,11 +24,10 @@ detection:
      - 'true'
      - 'yes'
      - '1'
-  condition: dscl_create and id_below_500 or
-             dscl_create and (ishidden_option_declaration and ishidden_option_confirmation)
+  condition: dscl_create and id_below_500 or dscl_create and (ishidden_option_declaration and ishidden_option_confirmation)
 falsepositives:
  - Legitimate administration activities
 level: medium
 tags:
  - attack.defense_evasion
-  - attack.t1564.002
+  - attack.t1564.002
@@ -1,29 +1,30 @@
 title: Credentials from Password Stores - Keychain
 id: b120b587-a4c2-4b94-875d-99c9807d6955
-status: experimental
+status: test
 description: Detects passwords dumps from Keychain
 author: Tim Ismilyaev, oscd.community, Florian Roth
-date: 2020/10/19
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md
-    - https://gist.github.com/Capybara/6228955
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md
+  - https://gist.github.com/Capybara/6228955
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
-    category: process_creation
-    product: macos
+  category: process_creation
+  product: macos
 detection:
-    selection1:
-        Image: '/usr/bin/security'
-        CommandLine|contains:
-            - 'find-certificate'
-            - ' export '
-    selection2:
-        CommandLine|contains:
-            - ' dump-keychain '
-            - ' login-keychain '
-    condition: 1 of them
+  selection1:
+    Image: '/usr/bin/security'
+    CommandLine|contains:
+      - 'find-certificate'
+      - ' export '
+  selection2:
+    CommandLine|contains:
+      - ' dump-keychain '
+      - ' login-keychain '
+  condition: 1 of them
 falsepositives:
-    - Legitimate administration activities
+  - Legitimate administration activities
 level: medium
 tags:
-    - attack.credential_access
-    - attack.t1555.001
+  - attack.credential_access
+  - attack.t1555.001
@@ -1,11 +1,12 @@
 title: Disable Security Tools
 id: ff39f1a6-84ac-476f-a1af-37fcdf53d7c0
-status: experimental
+status: test
 description: Detects disabling security tools
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
 references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
  category: process_creation
  product: macos
@@ -39,4 +40,4 @@ falsepositives:
 level: medium
 tags:
  - attack.defense_evasion
-  - attack.t1562.001
+  - attack.t1562.001
@@ -1,11 +1,12 @@
 title: File and Directory Discovery
 id: 089dbdf6-b960-4bcc-90e3-ffc3480c20f6
-status: experimental
+status: test
 description: Detects usage of system utilities to discover files and directories
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
 references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
  category: process_creation
  product: macos
@@ -28,4 +29,4 @@ falsepositives:
 level: informational
 tags:
  - attack.discovery
-  - attack.t1083
+  - attack.t1083
@@ -1,28 +1,27 @@
 title: 'Credentials In Files'
 id: 53b1b378-9b06-4992-b972-dde6e423d2b4
-status: experimental
+status: test
 description: 'Detecting attempts to extract passwords with grep and laZagne'
-    # For this rule to work you must enable audit of process execution in OpenBSM, see
-    # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
 author: 'Igor Fits, Mikhail Larin, oscd.community'
-date: 2020/10/19
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
-    product: macos
-    category: process_creation
+  product: macos
+  category: process_creation
 detection:
-    selection1:
-        Image|endswith:
-          - '/grep'
-        CommandLine|contains:
-          - 'password'
-    selection2:
-        CommandLine|contains: 'laZagne'
-    condition: selection1 or selection2
+  selection1:
+    Image|endswith:
+      - '/grep'
+    CommandLine|contains:
+      - 'password'
+  selection2:
+    CommandLine|contains: 'laZagne'
+  condition: selection1 or selection2
 falsepositives:
-    - 'Unknown'
+  - 'Unknown'
 level: high
 tags:
-    - attack.credential_access
-    - attack.t1552.001
+  - attack.credential_access
+  - attack.t1552.001
@@ -1,11 +1,12 @@
 title: Local System Accounts Discovery
 id: ddf36b67-e872-4507-ab2e-46bda21b842c
-status: experimental
+status: test
 description: Detects enumeration of local systeam accounts on MacOS
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/08
 references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md
+date: 2020/10/08
+modified: 2021/11/27
 logsource:
  category: process_creation
  product: macos
@@ -1,11 +1,12 @@
 title: Local Groups Discovery
 id: 89bb1f97-c7b9-40e8-b52b-7d6afbd67276
-status: experimental
+status: test
 description: Detects enumeration of local system groups
 author: Ömer Günal, Alejandro Ortuno, oscd.community
-date: 2020/10/11
 references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md
+date: 2020/10/11
+modified: 2021/11/27
 logsource:
  category: process_creation
  product: macos
@@ -1,11 +1,12 @@
 title: MacOS Network Service Scanning
 id: 84bae5d4-b518-4ae0-b331-6d4afd34d00f
-status: experimental
+status: test
 description: Detects enumeration of local or remote network services.
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/21
 references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md
+date: 2020/10/21
+modified: 2021/11/27
 logsource:
  category: process_creation
  product: macos
@@ -20,7 +21,7 @@ detection:
      - '/telnet'
  filter:
    CommandLine|contains: 'l'
-  condition: (selection_1 and not filter) or selection_2 
+  condition: (selection_1 and not filter) or selection_2
 falsepositives:
  - Legitimate administration activities
 level: low
@@ -1,11 +1,12 @@
 title: Network Sniffing
 id: adc9bcc4-c39c-4f6b-a711-1884017bf043
-status: experimental
+status: test
 description: Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/14
 references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
+date: 2020/10/14
+modified: 2021/11/27
 logsource:
  category: process_creation
  product: macos
@@ -1,11 +1,12 @@
 title: Macos Remote System Discovery
 id: 10227522-8429-47e6-a301-f2b2d014e7ad
-status: experimental
+status: test
 description: Detects the enumeration of other remote systems.
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/22
 references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
+date: 2020/10/22
+modified: 2021/11/27
 logsource:
  category: process_creation
  product: macos
@@ -1,11 +1,12 @@
 title: Scheduled Cron Task/Job
 id: 7c3b43d8-d794-47d2-800a-d277715aa460
-status: experimental
+status: test
 description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/06
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
+date: 2020/10/06
+modified: 2021/11/27
 logsource:
  category: process_creation
  product: macos
@@ -17,10 +18,10 @@ detection:
      - '/tmp/'
  condition: selection
 falsepositives:
-    - Legitimate administration activities
+  - Legitimate administration activities
 level: medium
 tags:
-    - attack.execution
-    - attack.persistence
-    - attack.privilege_escalation
-    - attack.t1053.003
+  - attack.execution
+  - attack.persistence
+  - attack.privilege_escalation
+  - attack.t1053.003
@@ -1,22 +1,23 @@
 title: Screen Capture - macOS
 id: 0877ed01-da46-4c49-8476-d49cdd80dfa7
-status: experimental
+status: test
 description: Detects attempts to use screencapture to collect macOS screenshots
 author: remotephone, oscd.community
-date: 2020/10/13
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md
-    - https://github.com/BC-SECURITY/Empire/blob/master/lib/modules/python/collection/osx/screenshot.py
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md
+  - https://github.com/BC-SECURITY/Empire/blob/master/lib/modules/python/collection/osx/screenshot.py
+date: 2020/10/13
+modified: 2021/11/27
 logsource:
-    product: macos
-    category: process_creation
+  product: macos
+  category: process_creation
 detection:
-    selection:
-        Image: '/usr/sbin/screencapture'
-    condition: selection
+  selection:
+    Image: '/usr/sbin/screencapture'
+  condition: selection
 falsepositives:
-    - Legitimate user activity taking screenshots
+  - Legitimate user activity taking screenshots
 level: low
 tags:
-    - attack.collection
-    - attack.t1113
+  - attack.collection
+  - attack.t1113
@@ -1,11 +1,12 @@
 title: Security Software Discovery
 id: 0ed75b9c-c73b-424d-9e7d-496cd565fbe0
-status: experimental
+status: test
 description: Detects usage of system utilities (only grep for now) to discover security software discovery
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
 references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
  category: process_creation
  product: macos
@@ -29,11 +30,10 @@ detection:
    CommandLine|contains|all:
      - 'Little'
      - 'Snitch'
-  condition: grep_execution and security_services_and_processes or
-             grep_execution and little_snitch_process
+  condition: grep_execution and security_services_and_processes or grep_execution and little_snitch_process
 falsepositives:
  - Legitimate activities
 level: medium
 tags:
  - attack.discovery
-  - attack.t1518.001
+  - attack.t1518.001
@@ -1,23 +1,22 @@
 title: 'Split A File Into Pieces'
 id: 7f2bb9d5-6395-4de5-969c-70c11fbe6b12
-status: experimental
+status: test
 description: 'Detection use of the command "split" to split files into parts and possible transfer.'
-    # For this rule to work you must enable audit of process execution in OpenBSM, see link
-    # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
 author: 'Igor Fits, Mikhail Larin, oscd.community'
-date: 2020/10/15
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md
+date: 2020/10/15
+modified: 2021/11/27
 logsource:
-    product: macos
-    category: process_creation
+  product: macos
+  category: process_creation
 detection:
-    selection:
-        Image|endswith: '/split'
-    condition: selection
+  selection:
+    Image|endswith: '/split'
+  condition: selection
 falsepositives:
-    - 'Legitimate administrative activity'
+  - 'Legitimate administrative activity'
 level: low
 tags:
-    - attack.exfiltration
-    - attack.t1030
+  - attack.exfiltration
+  - attack.t1030
@@ -1,33 +1,29 @@
 title: 'Suspicious History File Operations'
 id: 508a9374-ad52-4789-b568-fc358def2c65
-status: experimental
+status: test
 description: 'Detects commandline operations on shell history files'
-    # Rule detects presence of various shell history files in process commandline
-    # Normally user expected to view own history with dedicated 'history' command and not some other tools
-    # There is a possibility for rule to trigger, when T1070.003 techinuque is used (history file cleared)
-    # For this rule to work you must enable audit of process execution in OpenBSM, see
-    # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
 author: 'Mikhail Larin, oscd.community'
-date: 2020/10/17
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md
+date: 2020/10/17
+modified: 2021/11/27
 logsource:
-    product: macos
-    category: process_creation
+  product: macos
+  category: process_creation
 detection:
-    selection:
-        CommandLine|contains:
-            - '.bash_history'
-            - '.zsh_history'
-            - '.zhistory'
-            - '.history'
-            - '.sh_history'
-            - 'fish_history'
-    condition: selection
+  selection:
+    CommandLine|contains:
+      - '.bash_history'
+      - '.zsh_history'
+      - '.zhistory'
+      - '.history'
+      - '.sh_history'
+      - 'fish_history'
+  condition: selection
 falsepositives:
-    - 'Legitimate administrative activity'
-    - 'Ligitimate software, cleaning hist file'
+  - 'Legitimate administrative activity'
+  - 'Ligitimate software, cleaning hist file'
 level: medium
 tags:
-    - attack.credential_access
-    - attack.t1552.003
+  - attack.credential_access
+  - attack.t1552.003
@@ -1,11 +1,12 @@
 title: System Network Connections Discovery
 id: 9a7a0393-2144-4626-9bf1-7c2f5a7321db
-status: experimental
+status: test
 description: Detects usage of system utilities to discover system network connections
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
 references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
  category: process_creation
  product: macos
@@ -23,4 +24,4 @@ falsepositives:
 level: informational
 tags:
  - attack.discovery
-  - attack.t1049
+  - attack.t1049
@@ -1,32 +1,33 @@
 title: System Network Discovery - macOS
 id: 58800443-f9fc-4d55-ae0c-98a3966dfb97
-status: experimental
+status: test
 description: Detects enumeration of local network configuration
 author: remotephone, oscd.community
-date: 2020/10/06
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
+date: 2020/10/06
+modified: 2021/11/27
 logsource:
-    product: macos
-    category: process_creation
+  product: macos
+  category: process_creation
 detection:
-    selection1:
-        Image:
-            - '/usr/sbin/netstat'
-            - '/sbin/ifconfig'
-            - '/usr/sbin/ipconfig'
-            - '/usr/libexec/ApplicationFirewall/socketfilterfw'
-            - '/usr/sbin/networksetup'
-            - '/usr/sbin/arp'
-    selection2:
-        Image: '/usr/bin/defaults'
-        CommandLine|contains|all:
-            - 'read'
-            - '/Library/Preferences/com.apple.alf'
-    condition: selection1 or selection2
+  selection1:
+    Image:
+      - '/usr/sbin/netstat'
+      - '/sbin/ifconfig'
+      - '/usr/sbin/ipconfig'
+      - '/usr/libexec/ApplicationFirewall/socketfilterfw'
+      - '/usr/sbin/networksetup'
+      - '/usr/sbin/arp'
+  selection2:
+    Image: '/usr/bin/defaults'
+    CommandLine|contains|all:
+      - 'read'
+      - '/Library/Preferences/com.apple.alf'
+  condition: selection1 or selection2
 falsepositives:
-    - Legitimate administration activities
+  - Legitimate administration activities
 level: informational
 tags:
-    - attack.discovery
-    - attack.t1016
+  - attack.discovery
+  - attack.t1016
@@ -1,26 +1,25 @@
 title: 'System Shutdown/Reboot'
 id: 40b1fbe2-18ea-4ee7-be47-0294285811de
-status: experimental
+status: test
 description: 'Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.'
-    # For this rule to work you must enable audit of process execution in OpenBSM, see
-    # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
 author: 'Igor Fits, Mikhail Larin, oscd.community'
-date: 2020/10/19
 references:
-    - hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md
+  - hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
-    product: macos
-    category: process_creation
+  product: macos
+  category: process_creation
 detection:
-    selection:
-        Image|endswith:
-              - '/shutdown'
-              - '/reboot'
-              - '/halt'
-    condition: selection
+  selection:
+    Image|endswith:
+      - '/shutdown'
+      - '/reboot'
+      - '/halt'
+  condition: selection
 falsepositives:
-    - 'Legitimate administrative activity'
+  - 'Legitimate administrative activity'
 level: informational
 tags:
-    - attack.impact
-    - attack.t1529
+  - attack.impact
+  - attack.t1529
@@ -1,18 +1,19 @@
 title: Gatekeeper Bypass via Xattr
 id: f5141b6d-9f42-41c6-a7bf-2a780678b29b
-status: experimental
+status: test
 description: Detects macOS Gatekeeper bypass via xattr utility
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
 references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
  category: process_creation
  product: macos
 detection:
  selection:
    Image|endswith: '/xattr'
-    CommandLine|contains|all: 
+    CommandLine|contains|all:
      - '-r'
      - 'com.apple.quarantine'
  condition: selection
@@ -21,4 +22,4 @@ falsepositives:
 level: low
 tags:
  - attack.defense_evasion
-  - attack.t1553.001
+  - attack.t1553.001
@@ -1,21 +1,22 @@
 title: SSHD Error Message CVE-2018-15473
 id: 4c9d903d-4939-4094-ade0-3cb748f4d7da
-status: experimental
+status: test
 description: Detects exploitation attempt using public exploit code for CVE-2018-15473
 author: Florian Roth
-date: 2017/08/24
 references:
-    - https://github.com/Rhynorater/CVE-2018-15473-Exploit
+  - https://github.com/Rhynorater/CVE-2018-15473-Exploit
+date: 2017/08/24
+modified: 2021/11/27
 logsource:
-    product: linux
-    service: sshd
+  product: linux
+  service: sshd
 detection:
-    keywords:
-        - 'error: buffer_get_ret: trying to get more bytes 1907 than in buffer 308 [preauth]'
-    condition: keywords
+  keywords:
+    - 'error: buffer_get_ret: trying to get more bytes 1907 than in buffer 308 [preauth]'
+  condition: keywords
 falsepositives:
-    - Unknown
+  - Unknown
 level: medium
 tags:
-    - attack.reconnaissance
-    - attack.t1589
+  - attack.reconnaissance
+  - attack.t1589
@@ -1,24 +1,25 @@
 title: Failed Logins with Different Accounts from Single Source System
 id: fc947f8e-ea81-4b14-9a7b-13f888f94e18
-status: experimental
+status: test
 description: Detects suspicious failed logins with different user accounts from a single source system
 author: Florian Roth
 date: 2017/02/16
+modified: 2021/11/27
 logsource:
-    product: linux
-    service: auth
+  product: linux
+  service: auth
 detection:
-    selection:
-        pam_message: authentication failure
-        pam_user: '*'
-        pam_rhost: '*'
-    timeframe: 24h
-    condition: selection | count(pam_user) by pam_rhost > 3
+  selection:
+    pam_message: authentication failure
+    pam_user: '*'
+    pam_rhost: '*'
+  timeframe: 24h
+  condition: selection | count(pam_user) by pam_rhost > 3
 falsepositives:
-    - Terminal servers
-    - Jump servers
-    - Workstations with frequently changing users
+  - Terminal servers
+  - Jump servers
+  - Workstations with frequently changing users
 level: medium
 tags:
-    - attack.credential_access 
-    - attack.t1110 
+  - attack.credential_access
+  - attack.t1110
@@ -1,21 +1,22 @@
 title: Guacamole Two Users Sharing Session Anomaly
 id: 1edd77db-0669-4fef-9598-165bda82826d
-status: experimental
+status: test
 description: Detects suspicious session with two users present
 author: Florian Roth
-date: 2020/07/03
 references:
-    - https://research.checkpoint.com/2020/apache-guacamole-rce/
+  - https://research.checkpoint.com/2020/apache-guacamole-rce/
+date: 2020/07/03
+modified: 2021/11/27
 logsource:
-    product: linux
-    service: guacamole
+  product: linux
+  service: guacamole
 detection:
-    selection:
-        - '(2 users now present)'
-    condition: selection
+  selection:
+    - '(2 users now present)'
+  condition: selection
 falsepositives:
-    - Unknown
+  - Unknown
 level: high
 tags:
-    - attack.credential_access
-    - attack.t1212 
+  - attack.credential_access
+  - attack.t1212
@@ -1,23 +1,24 @@
 title: Suspicious Named Error
 id: c8e35e96-19ce-4f16-aeb6-fd5588dc5365
-status: experimental
+status: test
 description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
 author: Florian Roth
-date: 2018/02/20
 references:
-    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml
+  - https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml
+date: 2018/02/20
+modified: 2021/11/27
 logsource:
-    product: linux
-    service: syslog
+  product: linux
+  service: syslog
 detection:
-    keywords:
-        - '* dropping source port zero packet from *'
-        - '* denied AXFR from *'
-        - '* exiting (due to fatal error)*'
-    condition: keywords
+  keywords:
+    - '* dropping source port zero packet from *'
+    - '* denied AXFR from *'
+    - '* exiting (due to fatal error)*'
+  condition: keywords
 falsepositives:
-    - Unknown
+  - Unknown
 level: high
 tags:
-    - attack.initial_access
-    - attack.t1190
+  - attack.initial_access
+  - attack.t1190
@@ -1,33 +1,33 @@
 title: Suspicious OpenSSH Daemon Error
 id: e76b413a-83d0-4b94-8e4c-85db4a5b8bdc
-status: experimental
+status: test
 description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
 author: Florian Roth
-date: 2017/06/30
-modified: 2020/05/15
 references:
-    - https://github.com/openssh/openssh-portable/blob/master/ssherr.c
-    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml
+  - https://github.com/openssh/openssh-portable/blob/master/ssherr.c
+  - https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml
+date: 2017/06/30
+modified: 2021/11/27
 logsource:
-    product: linux
-    service: sshd
+  product: linux
+  service: sshd
 detection:
-    keywords:
-        - '*unexpected internal error*'
-        - '*unknown or unsupported key type*'
-        - '*invalid certificate signing key*'
-        - '*invalid elliptic curve value*'
-        - '*incorrect signature*'
-        - '*error in libcrypto*'
-        - '*unexpected bytes remain after decoding*'
-        - '*fatal: buffer_get_string: bad string*'
-        - '*Local: crc32 compensation attack*'
-        - '*bad client public DH value*'
-        - '*Corrupted MAC on input*'
-    condition: keywords
+  keywords:
+    - '*unexpected internal error*'
+    - '*unknown or unsupported key type*'
+    - '*invalid certificate signing key*'
+    - '*invalid elliptic curve value*'
+    - '*incorrect signature*'
+    - '*error in libcrypto*'
+    - '*unexpected bytes remain after decoding*'
+    - '*fatal: buffer_get_string: bad string*'
+    - '*Local: crc32 compensation attack*'
+    - '*bad client public DH value*'
+    - '*Corrupted MAC on input*'
+  condition: keywords
 falsepositives:
-    - Unknown
+  - Unknown
 level: medium
 tags:
-    - attack.initial_access
-    - attack.t1190
+  - attack.initial_access
+  - attack.t1190
@@ -1,37 +1,38 @@
 title: Suspicious VSFTPD Error Messages
 id: 377f33a1-4b36-4ee1-acee-1dbe4b43cfbe
-status: experimental
+status: test
 description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
 author: Florian Roth
-date: 2017/07/05
 references:
-    - https://github.com/dagwieers/vsftpd/
+  - https://github.com/dagwieers/vsftpd/
+date: 2017/07/05
+modified: 2021/11/27
 logsource:
-    product: linux
-    service: vsftpd
+  product: linux
+  service: vsftpd
 detection:
-    keywords:
-        - 'Connection refused: too many sessions for this address.'
-        - 'Connection refused: tcp_wrappers denial.'
-        - 'Bad HTTP verb.'
-        - 'port and pasv both active'
-        - 'pasv and port both active'
-        - 'Transfer done (but failed to open directory).'
-        - 'Could not set file modification time.'
-        - 'bug: pid active in ptrace_sandbox_free'
-        - 'PTRACE_SETOPTIONS failure'
-        - 'weird status:'
-        - "couldn't handle sandbox event"
-        - 'syscall * out of bounds'
-        - 'syscall not permitted:'
-        - 'syscall validate failed:'
-        - 'Input line too long.'
-        - 'poor buffer accounting in str_netfd_alloc'
-        - 'vsf_sysutil_read_loop'
-    condition: keywords
+  keywords:
+    - 'Connection refused: too many sessions for this address.'
+    - 'Connection refused: tcp_wrappers denial.'
+    - 'Bad HTTP verb.'
+    - 'port and pasv both active'
+    - 'pasv and port both active'
+    - 'Transfer done (but failed to open directory).'
+    - 'Could not set file modification time.'
+    - 'bug: pid active in ptrace_sandbox_free'
+    - 'PTRACE_SETOPTIONS failure'
+    - 'weird status:'
+    - "couldn't handle sandbox event"
+    - 'syscall * out of bounds'
+    - 'syscall not permitted:'
+    - 'syscall validate failed:'
+    - 'Input line too long.'
+    - 'poor buffer accounting in str_netfd_alloc'
+    - 'vsf_sysutil_read_loop'
+  condition: keywords
 falsepositives:
-    - Unknown
+  - Unknown
 level: medium
 tags:
-    - attack.initial_access
-    - attack.t1190
+  - attack.initial_access
+  - attack.t1190
@@ -1,11 +1,12 @@
 title: Decode Base64 Encoded Text
 id: e2072cab-8c9a-459b-b63c-40ae79e27031
-status: experimental
+status: test
 description: Detects usage of base64 utility to decode arbitrary base64-encoded text
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
 references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
  category: process_creation
  product: linux
@@ -19,4 +20,4 @@ falsepositives:
 level: low
 tags:
  - attack.defense_evasion
-  - attack.t1027
+  - attack.t1027
@@ -1,11 +1,12 @@
 title: File and Directory Discovery
 id: d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72
-status: experimental
+status: test
 description: Detects usage of system utilities to discover files and directories
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
 references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
  category: process_creation
  product: linux
@@ -26,4 +27,4 @@ falsepositives:
 level: informational
 tags:
  - attack.discovery
-  - attack.t1083
+  - attack.t1083
@@ -1,23 +1,24 @@
 title: Install Root Certificate
 id: 78a80655-a51e-4669-bc6b-e9d206a462ee
+status: test
 description: Detects installed new certificate
-status: experimental
 author: Ömer Günal, oscd.community
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
 date: 2020/10/05
-tags:
-    - attack.defense_evasion
-    - attack.t1553.004
-level: low
+modified: 2021/11/27
 logsource:
-    product: linux
-    category: process_creation
+  product: linux
+  category: process_creation
 detection:
-    selection:
-         Image|endswith:
-          - '/update-ca-certificates'
-          - '/update-ca-trust'
-    condition: selection
+  selection:
+    Image|endswith:
+      - '/update-ca-certificates'
+      - '/update-ca-trust'
+  condition: selection
 falsepositives:
-    - Legitimate administration activities
+  - Legitimate administration activities
+level: low
+tags:
+  - attack.defense_evasion
+  - attack.t1553.004
@@ -1,11 +1,12 @@
 title: Local System Accounts Discovery
 id: b45e3d6f-42c6-47d8-a478-df6bd6cf534c
-status: experimental
+status: test
 description: Detects enumeration of local systeam accounts
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/08
 references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md
+date: 2020/10/08
+modified: 2021/11/27
 logsource:
  category: process_creation
  product: linux
@@ -1,11 +1,12 @@
 title: Local Groups Discovery
 id: 676381a6-15ca-4d73-a9c8-6a22e970b90d
-status: experimental
+status: test
 description: Detects enumeration of local system groups
 author: Ömer Günal, Alejandro Ortuno, oscd.community
-date: 2020/10/11
 references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md
+date: 2020/10/11
+modified: 2021/11/27
 logsource:
  category: process_creation
  product: linux
@@ -1,11 +1,12 @@
 title: Linux Remote System Discovery
 id: 11063ec2-de63-4153-935e-b1a8b9e616f1
-status: experimental
+status: test
 description: Detects the enumeration of other remote systems.
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/22
 references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
+date: 2020/10/22
+modified: 2021/11/27
 logsource:
  category: process_creation
  product: linux
@@ -1,11 +1,12 @@
 title: Scheduled Cron Task/Job
 id: 6b14bac8-3e3a-4324-8109-42f0546a347f
-status: experimental
+status: test
 description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
 author: Alejandro Ortuno, oscd.community
-date: 2020/10/06
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
+date: 2020/10/06
+modified: 2021/11/27
 logsource:
  category: process_creation
  product: linux
@@ -17,10 +18,10 @@ detection:
      - '/tmp/'
  condition: selection
 falsepositives:
-    - Legitimate administration activities
+  - Legitimate administration activities
 level: medium
 tags:
-    - attack.execution
-    - attack.persistence
-    - attack.privilege_escalation
-    - attack.t1053.003
+  - attack.execution
+  - attack.persistence
+  - attack.privilege_escalation
+  - attack.t1053.003
@@ -1,11 +1,12 @@
 title: Security Software Discovery
 id: c9d8b7fd-78e4-44fe-88f6-599135d46d60
-status: experimental
+status: test
 description: Detects usage of system utilities (only grep for now) to discover security software discovery
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
 references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
  category: process_creation
  product: linux
@@ -13,7 +14,7 @@ detection:
  grep_execution:
    Image|endswith: '/grep'
  security_services_and_processes:
-    CommandLine|contains: 
+    CommandLine|contains:
      - 'nessusd'        # nessus vulnerability scanner
      - 'td-agent'       # fluentd log shipper
      - 'packetbeat'     # elastic network logger/shipper
@@ -28,4 +29,4 @@ falsepositives:
 level: low
 tags:
  - attack.discovery
-  - attack.t1518.001
+  - attack.t1518.001
@@ -1,17 +1,18 @@
 title: System Network Connections Discovery
 id: 4c519226-f0cd-4471-bd2f-6fbb2bb68a79
-status: experimental
+status: test
 description: Detects usage of system utilities to discover system network connections
 author: Daniil Yugoslavskiy, oscd.community
-date: 2020/10/19
 references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md
+date: 2020/10/19
+modified: 2021/11/27
 logsource:
  category: process_creation
  product: linux
 detection:
  selection:
-    Image|endswith: 
+    Image|endswith:
      - '/who'
      - '/w'
      - '/last'
@@ -23,4 +24,4 @@ falsepositives:
 level: low
 tags:
  - attack.discovery
-  - attack.t1049
+  - attack.t1049
@@ -1,32 +1,33 @@
 title: System Network Discovery - Linux
 id: e7bd1cfa-b446-4c88-8afb-403bcd79e3fa
-status: experimental
+status: test
 description: Detects enumeration of local network configuration
 author: Ömer Günal and remotephone, oscd.community
-date: 2020/10/06
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
+date: 2020/10/06
+modified: 2021/11/27
 logsource:
-    category: process_creation
-    product: linux
+  category: process_creation
+  product: linux
 detection:
-    selection1:
-        Image|endswith:
-            - '/firewall-cmd'
-            - '/ufw'
-            - '/iptables'
-            - '/netstat'
-            - '/ss'
-            - '/ip'
-            - '/ifconfig'
-            - '/systemd-resolve'
-            - '/route'
-    selection2:
-        CommandLine|contains: '/etc/resolv.conf'
-    condition: selection1 or selection2
+  selection1:
+    Image|endswith:
+      - '/firewall-cmd'
+      - '/ufw'
+      - '/iptables'
+      - '/netstat'
+      - '/ss'
+      - '/ip'
+      - '/ifconfig'
+      - '/systemd-resolve'
+      - '/route'
+  selection2:
+    CommandLine|contains: '/etc/resolv.conf'
+  condition: selection1 or selection2
 falsepositives:
-    - Legitimate administration activities
+  - Legitimate administration activities
 level: informational
 tags:
-    - attack.discovery
-    - attack.t1016
+  - attack.discovery
+  - attack.t1016