Added UUIDs to rules

2019-11-12 23:12:27 +01:00
parent ca53e937d9
commit 0592cbb67a
372 changed files with 940 additions and 549 deletions
@@ -1,4 +1,5 @@
 title: Python SQL Exceptions
+id: 19aefed0-ffd4-47dc-a7fc-f8b1425e84f9
 description: Generic rule for SQL exceptions in Python according to PEP 249
 author: Thomas Patzke
 references:
@@ -1,4 +1,5 @@
 title: Suspicious SQL Error Messages
+id: 8a670c6d-7189-4b1c-8017-a417ca84a086
 status: experimental
 description: Detects SQL error messages that indicate probing for an injection attack
 author: Bjoern Kimminich
@@ -1,4 +1,5 @@
 title: Django framework exceptions
+id: fd435618-981e-4a7c-81f8-f78ce480d616
 description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
 references:
@@ -1,4 +1,5 @@
 title: Ruby on Rails framework exceptions
+id: 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a
 description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
 author: Thomas Patzke
 references:
@@ -1,4 +1,5 @@
 title: Spring framework exceptions
+id: ae48ab93-45f7-4051-9dfe-5d30a3f78e33
 description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
 references:
@@ -1,5 +1,6 @@
-title: APT29 
-description: 'This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks' 
+title: APT29
+id: 033fe7d6-66d1-4240-ac6b-28908009c71f
+description: This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks
 references:
    - https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
 tags:
@@ -1,7 +1,8 @@
---
 action: global
 title: APT29 Google Update Service Install
-description: 'This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files.' 
+id: c069f460-2b87-4010-8dcf-e45bab362624
+description: This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
+    so the service names and executable locations used by APT29 are specific enough to be detected in log files.
 references:
    - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
 tags:
@@ -1,4 +1,5 @@
 title: Baby Shark Activity
+id: 2b30fa36-3a18-402f-a22d-bf4ce2189f35
 status: experimental
 description: Detects activity that could be related to Baby Shark malware
 references:
@@ -1,4 +1,5 @@
 title: Judgement Panda Exfil Activity
+id: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee
 description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
 references:
    - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
@@ -1,5 +1,6 @@
 title: Turla Service Install
-description: 'This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET' 
+id: 1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4
+description: This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET
 references:
    - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
 tags:
@@ -1,7 +1,7 @@
---
 action: global
 title: Chafer Activity
-description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018 
+id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
+description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
 references:
    - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
 tags:
@@ -1,4 +1,5 @@
 title: WMIExec VBS Script
+id: 966e4016-627f-44f7-8341-f394905c361f
 description: Detects suspicious file execution by wscript and cscript
 author: Florian Roth
 references:
@@ -1,8 +1,9 @@
-title: CrackMapExecWin 
+title: CrackMapExecWin
+id: 04d9079e-3905-4b70-ad37-6bdf11304965
 description: Detects CrackMapExecWin Activity as Described by NCSC
 status: experimental
 references:
-    - https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control 
+    - https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control
 tags:
    - attack.g0035
 author: Markus Neis
@@ -1,7 +1,8 @@
 title: Elise Backdoor
+id: e507feb7-5f73-4ef6-a970-91bb6f6d744f
 status: experimental
-description: Detects Elise backdoor acitivty as used by APT32 
-references: 
+description: Detects Elise backdoor acitivty as used by APT32
+references:
    - https://community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting
 tags:
    - attack.g0030
@@ -1,4 +1,5 @@
 title: Emissary Panda Malware SLLauncher
+id: 9aa01d62-7667-4d3b-acb8-8cb5103e2014
 status: experimental
 description: Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
 references:
@@ -1,7 +1,7 @@
---
 action: global
-title: Empire Monkey 
-description: Detects EmpireMonkey APT reported Activity 
+title: Empire Monkey
+id: 10152a7b-b566-438f-a33c-390b607d1c8d
+description: Detects EmpireMonkey APT reported Activity
 references:
    - https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b
 tags:
@@ -1,8 +1,9 @@
 title: Equation Group C2 Communication
+id: 881834a4-6659-4773-821e-1c151789d873
 description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
 references:
-    - 'https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation'
-    - 'https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195'
+    - https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
+    - https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
 tags:
    - attack.command_and_control
    - attack.g0020
@@ -1,4 +1,5 @@
 title: Equation Group DLL_U Load
+id: d465d1d8-27a2-4cca-9621-a800f37cf72e
 author: Florian Roth
 description: Detects a specific tool and export used by EquationGroup
 references:
@@ -1,4 +1,5 @@
 title: Equation Group Indicators
+id: 41e5c73d-9983-4b69-bd03-e13b67e9623c
 description: Detects suspicious shell commands used in various Equation Group scripts and tools
 references:
    - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
@@ -1,8 +1,9 @@
 title: Hurricane Panda Activity
+id: 0eb2107b-a596-422e-b123-b389d5594ed7
 author: Florian Roth
 status: experimental
-description: Detects Hurricane Panda Activity 
-references: 
+description: Detects Hurricane Panda Activity
+references:
    - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
 tags:
    - attack.privilege_escalation
@@ -1,4 +1,5 @@
 title: Judgement Panda Exfil Activity
+id: 03e2746e-2b31-42f1-ab7a-eb39365b2422
 description: Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike
 references:
    - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
@@ -1,4 +1,5 @@
 title: OceanLotus Registry Activity
+id: 4ac5fc44-a601-4c06-955b-309df8c4e9d4
 status: experimental
 description: Detects registry keys created in OceanLotus (also known as APT32) attacks
 references:
@@ -1,6 +1,6 @@
---
 action: global
 title: Pandemic Registry Key
+id: 47e0852a-cf81-4494-a8e6-31864f8c86ed
 status: experimental
 description: Detects Pandemic Windows Implant
 references:
@@ -1,6 +1,6 @@
---
 action: global
 title: Defrag Deactivation
+id: 958d81aa-8566-4cea-a565-59ccd4df27b0
 author: Florian Roth
 description: Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group
 references:
@@ -1,8 +1,9 @@
 title: Sofacy Trojan Loader Activity
+id: ba778144-5e3d-40cf-8af9-e28fb1df1e20
 author: Florian Roth
 status: experimental
-description: Detects Trojan loader acitivty as used by APT28 
-references: 
+description: Detects Trojan loader acitivty as used by APT28
+references:
    - https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
    - https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100
    - https://twitter.com/ClearskySec/status/960924755355369472
@@ -1,4 +1,5 @@
 title: Sofacy Zebrocy
+id: 8545cb01-102e-41ee-babd-46bd24e8cb97
 author: Florian Roth
 description: Detects Sofacy's Zebrocy malware execution
 references:
@@ -1,5 +1,6 @@
 title: StoneDrill Service Install
-description: 'This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky'   
+id: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6
+description: This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky
 author: Florian Roth
 references:
    - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
@@ -1,4 +1,5 @@
 title: Ps.exe Renamed SysInternals Tool
+id: 18da1007-3f26-470f-875d-f77faf1cab31
 description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
 references:
    - https://www.us-cert.gov/ncas/alerts/TA17-293A
@@ -1,5 +1,6 @@
 title: TropicTrooper Campaign November 2018
-author: "@41thexplorer, Windows Defender ATP"
+id: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79
+author: '@41thexplorer, Windows Defender ATP'
 status: stable
 description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
 references:
@@ -1,8 +1,8 @@
---
 action: global
-title: Turla Group Lateral Movement 
+title: Turla Group Lateral Movement
+id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f
 status: experimental
-description: Detects automated lateral movement by Turla group 
+description: Detects automated lateral movement by Turla group
 references:
    - https://securelist.com/the-epic-turla-operation/65545/
 tags:
@@ -1,4 +1,5 @@
-title: Turla Group Named Pipes 
+title: Turla Group Named Pipes
+id: 739915e4-1e70-4778-8b8a-17db02f66db1
 status: experimental
 description: Detects a named pipe used by Turla group samples
 references:
@@ -1,5 +1,6 @@
 title: Turla PNG Dropper Service
-description: 'This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018' 
+id: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1
+description: This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018
 references:
    - https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
 author: Florian Roth
@@ -1,11 +1,12 @@
---
 action: global
 title: Unidentified Attacker November 2018
+id: 7453575c-a747-40b9-839b-125a0aae324b
 status: stable
-description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.
+description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with
+    YYTRIUM/APT29 campaign in 2016.
 references:
    - https://twitter.com/DrunkBinary/status/1063075530180886529
-author: "@41thexplorer, Windows Defender ATP"
+author: '@41thexplorer, Windows Defender ATP'
 date: 2018/11/20
 modified: 2018/12/11
 tags:
@@ -1,5 +1,6 @@
 title: ZxShell Malware
-description: Detects a ZxShell start by the called and well-known function name   
+id: f0b70adb-0075-43b0-9745-e82a1c608fcc
+description: Detects a ZxShell start by the called and well-known function name
 author: Florian Roth
 references:
    - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
@@ -1,4 +1,5 @@
 title: Fireball Archer Install
+id: 3d4aebe0-6d29-45b2-a8a4-3dfde586a26d
 status: experimental
 description: Detects Archer malware invocation via rundll32
 author: Florian Roth
@@ -1,109 +1,111 @@
 action: global
 title: Cleartext Protocol Usage
-description: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used  for all administrative account access.
+id: 7e4bfe58-4a47-4709-828d-d86c78b7cc1f
+description: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption
+    is used for all sensitive information in transit. Ensure that an encrypted channels is used  for all administrative account access.
 references:
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
+    - https://www.cisecurity.org/controls/cis-controls-list/
+    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 author: Alexandr Yampolskyi, SOC Prime
 status: stable
 date: 2019/03/26
 falsepositives:
- unknown
+    - unknown
 level: low
 tags:
- CSC4
- CSC4.5
- CSC14
- CSC14.4
- CSC16
- CSC16.5
- NIST CSF 1.1 PR.AT-2
- NIST CSF 1.1 PR.MA-2
- NIST CSF 1.1 PR.PT-3
- NIST CSF 1.1 PR.AC-1
- NIST CSF 1.1 PR.AC-4
- NIST CSF 1.1 PR.AC-5
- NIST CSF 1.1 PR.AC-6
- NIST CSF 1.1 PR.AC-7
- NIST CSF 1.1 PR.DS-1
- NIST CSF 1.1 PR.DS-2
- NIST CSF 1.1 PR.PT-3
- NIST CSF 1.1 PR.PT-3
- ISO 27002-2013 A.9.2.1
- ISO 27002-2013 A.9.2.2
- ISO 27002-2013 A.9.2.3
- ISO 27002-2013 A.9.2.4
- ISO 27002-2013 A.9.2.5
- ISO 27002-2013 A.9.2.6
- ISO 27002-2013 A.9.3.1
- ISO 27002-2013 A.9.4.1
- ISO 27002-2013 A.9.4.2
- ISO 27002-2013 A.9.4.3
- ISO 27002-2013 A.9.4.4
- ISO 27002-2013 A.8.3.1
- ISO 27002-2013 A.9.1.1
- ISO 27002-2013 A.10.1.1
- PCI DSS 3.2 2.1
- PCI DSS 3.2 8.1
- PCI DSS 3.2 8.2
- PCI DSS 3.2 8.3
- PCI DSS 3.2 8.7
- PCI DSS 3.2 8.8
- PCI DSS 3.2 1.3
- PCI DSS 3.2 1.4
- PCI DSS 3.2 4.3
- PCI DSS 3.2 7.1
- PCI DSS 3.2 7.2
- PCI DSS 3.2 7.3
+    - CSC4
+    - CSC4.5
+    - CSC14
+    - CSC14.4
+    - CSC16
+    - CSC16.5
+    - NIST CSF 1.1 PR.AT-2
+    - NIST CSF 1.1 PR.MA-2
+    - NIST CSF 1.1 PR.PT-3
+    - NIST CSF 1.1 PR.AC-1
+    - NIST CSF 1.1 PR.AC-4
+    - NIST CSF 1.1 PR.AC-5
+    - NIST CSF 1.1 PR.AC-6
+    - NIST CSF 1.1 PR.AC-7
+    - NIST CSF 1.1 PR.DS-1
+    - NIST CSF 1.1 PR.DS-2
+    - NIST CSF 1.1 PR.PT-3
+    - NIST CSF 1.1 PR.PT-3
+    - ISO 27002-2013 A.9.2.1
+    - ISO 27002-2013 A.9.2.2
+    - ISO 27002-2013 A.9.2.3
+    - ISO 27002-2013 A.9.2.4
+    - ISO 27002-2013 A.9.2.5
+    - ISO 27002-2013 A.9.2.6
+    - ISO 27002-2013 A.9.3.1
+    - ISO 27002-2013 A.9.4.1
+    - ISO 27002-2013 A.9.4.2
+    - ISO 27002-2013 A.9.4.3
+    - ISO 27002-2013 A.9.4.4
+    - ISO 27002-2013 A.8.3.1
+    - ISO 27002-2013 A.9.1.1
+    - ISO 27002-2013 A.10.1.1
+    - PCI DSS 3.2 2.1
+    - PCI DSS 3.2 8.1
+    - PCI DSS 3.2 8.2
+    - PCI DSS 3.2 8.3
+    - PCI DSS 3.2 8.7
+    - PCI DSS 3.2 8.8
+    - PCI DSS 3.2 1.3
+    - PCI DSS 3.2 1.4
+    - PCI DSS 3.2 4.3
+    - PCI DSS 3.2 7.1
+    - PCI DSS 3.2 7.2
+    - PCI DSS 3.2 7.3
 ---
 logsource:
-  product: netflow
+    product: netflow
 detection:
-  selection:
-    destination.port:
-    - 8080
-    - 21
-    - 80
-    - 23
-    - 50000
-    - 1521
-    - 27017
-    - 1433
-    - 11211
-    - 3306
-    - 15672
-    - 5900
-    - 5901
-    - 5902
-    - 5903
-    - 5904
-  condition: selection
+    selection:
+        destination.port:
+            - 8080
+            - 21
+            - 80
+            - 23
+            - 50000
+            - 1521
+            - 27017
+            - 1433
+            - 11211
+            - 3306
+            - 15672
+            - 5900
+            - 5901
+            - 5902
+            - 5903
+            - 5904
+    condition: selection
 ---
 logsource:
-  product: firewall
+    product: firewall
 detection:
-  selection1:
-    destination.port:
-    - 8080
-    - 21
-    - 80
-    - 23
-    - 50000
-    - 1521
-    - 27017
-    - 3306
-    - 1433
-    - 11211
-    - 15672
-    - 5900
-    - 5901
-    - 5902
-    - 5903
-    - 5904
-  selection2:
-    action:
-    - forward
-    - accept
-    - 2
-  condition: selection1 AND selection2
+    selection1:
+        destination.port:
+            - 8080
+            - 21
+            - 80
+            - 23
+            - 50000
+            - 1521
+            - 27017
+            - 3306
+            - 1433
+            - 11211
+            - 15672
+            - 5900
+            - 5901
+            - 5902
+            - 5903
+            - 5904
+    selection2:
+        action:
+            - forward
+            - accept
+            - 2
+    condition: selection1 AND selection2
@@ -1,107 +1,109 @@
 title: Default Credentials Usage
-description: Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. Sigma detects default credentials usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
+id: 1a395cbc-a84a-463a-9086-ed8a70e573c7
+description: Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. Sigma detects default credentials
+    usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
 author: Alexandr Yampolskyi, SOC Prime
 status: stable
 references:
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists
+    - https://www.cisecurity.org/controls/cis-controls-list/
+    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
+    - https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists
 date: 2019/03/26
 logsource:
-  product: qualys
+    product: qualys
 detection:
-  selection:
-    host.scan.vuln:
-    - 10693
-    - 11507
-    - 11633
-    - 11804
-    - 11821
-    - 11847
-    - 11867
-    - 11931
-    - 11935
-    - 11950
-    - 12541
-    - 12558
-    - 12559
-    - 12560
-    - 12562
-    - 12563
-    - 12565
-    - 12587
-    - 12590
-    - 12599
-    - 12702
-    - 12705
-    - 12706
-    - 12907
-    - 12928
-    - 12929
-    - 13053
-    - 13178
-    - 13200
-    - 13218
-    - 13241
-    - 13253
-    - 13274
-    - 13296
-    - 13301
-    - 13327
-    - 13373
-    - 13374
-    - 13409
-    - 13530
-    - 13532
-    - 20065
-    - 20073
-    - 20081
-    - 27202
-    - 27358
-    - 38702
-    - 38719
-    - 42045
-    - 42417
-    - 43029
-    - 43220
-    - 43221
-    - 43222
-    - 43223
-    - 43225
-    - 43246
-    - 43431
-    - 43484
-    - 86857
-    - 87098
-    - 87106
-  condition: selection
+    selection:
+        host.scan.vuln:
+            - 10693
+            - 11507
+            - 11633
+            - 11804
+            - 11821
+            - 11847
+            - 11867
+            - 11931
+            - 11935
+            - 11950
+            - 12541
+            - 12558
+            - 12559
+            - 12560
+            - 12562
+            - 12563
+            - 12565
+            - 12587
+            - 12590
+            - 12599
+            - 12702
+            - 12705
+            - 12706
+            - 12907
+            - 12928
+            - 12929
+            - 13053
+            - 13178
+            - 13200
+            - 13218
+            - 13241
+            - 13253
+            - 13274
+            - 13296
+            - 13301
+            - 13327
+            - 13373
+            - 13374
+            - 13409
+            - 13530
+            - 13532
+            - 20065
+            - 20073
+            - 20081
+            - 27202
+            - 27358
+            - 38702
+            - 38719
+            - 42045
+            - 42417
+            - 43029
+            - 43220
+            - 43221
+            - 43222
+            - 43223
+            - 43225
+            - 43246
+            - 43431
+            - 43484
+            - 86857
+            - 87098
+            - 87106
+    condition: selection
 falsepositives:
- unknown
+    - unknown
 level: medium
 tags:
- CSC4
- CSC4.2
- NIST CSF 1.1 PR.AC-4
- NIST CSF 1.1 PR.AT-2
- NIST CSF 1.1 PR.MA-2
- NIST CSF 1.1 PR.PT-3
- ISO 27002-2013 A.9.1.1
- ISO 27002-2013 A.9.2.2
- ISO 27002-2013 A.9.2.3
- ISO 27002-2013 A.9.2.4
- ISO 27002-2013 A.9.2.5
- ISO 27002-2013 A.9.2.6
- ISO 27002-2013 A.9.3.1
- ISO 27002-2013 A.9.4.1
- ISO 27002-2013 A.9.4.2
- ISO 27002-2013 A.9.4.3
- ISO 27002-2013 A.9.4.4
- PCI DSS 3.2 2.1
- PCI DSS 3.2 7.1
- PCI DSS 3.2 7.2
- PCI DSS 3.2 7.3
- PCI DSS 3.2 8.1
- PCI DSS 3.2 8.2
- PCI DSS 3.2 8.3
- PCI DSS 3.2 8.7
+    - CSC4
+    - CSC4.2
+    - NIST CSF 1.1 PR.AC-4
+    - NIST CSF 1.1 PR.AT-2
+    - NIST CSF 1.1 PR.MA-2
+    - NIST CSF 1.1 PR.PT-3
+    - ISO 27002-2013 A.9.1.1
+    - ISO 27002-2013 A.9.2.2
+    - ISO 27002-2013 A.9.2.3
+    - ISO 27002-2013 A.9.2.4
+    - ISO 27002-2013 A.9.2.5
+    - ISO 27002-2013 A.9.2.6
+    - ISO 27002-2013 A.9.3.1
+    - ISO 27002-2013 A.9.4.1
+    - ISO 27002-2013 A.9.4.2
+    - ISO 27002-2013 A.9.4.3
+    - ISO 27002-2013 A.9.4.4
+    - PCI DSS 3.2 2.1
+    - PCI DSS 3.2 7.1
+    - PCI DSS 3.2 7.2
+    - PCI DSS 3.2 7.3
+    - PCI DSS 3.2 8.1
+    - PCI DSS 3.2 8.2
+    - PCI DSS 3.2 8.3
+    - PCI DSS 3.2 8.7
@@ -1,57 +1,61 @@
 title: Group Modification Logging
-description: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. Sigma detects Event ID 4728 indicates a ‘Member is added to a Security Group’. Event ID 4729 indicates a ‘Member is removed from a Security enabled-group’. Event ID 4730 indicates a‘Security Group is deleted’. The case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.
+id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e
+description: "Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. Sigma detects\
+    \ Event ID 4728 indicates a \u2018Member is added to a Security Group\u2019. Event ID 4729 indicates a \u2018Member is removed from a Security enabled-group\u2019\
+    . Event ID 4730 indicates a\u2018Security Group is deleted\u2019. The case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2\
+    \ and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP."
 author: Alexandr Yampolskyi, SOC Prime
 status: stable
 references:
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634
+    - https://www.cisecurity.org/controls/cis-controls-list/
+    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634
 date: 2019/03/26
 logsource:
-  product: windows
-  service: security
+    product: windows
+    service: security
 detection:
-  selection:
-    EventID:
-    - 4728
-    - 4729
-    - 4730
-    - 633
-    - 632
-    - 634
-  condition: selection
+    selection:
+        EventID:
+            - 4728
+            - 4729
+            - 4730
+            - 633
+            - 632
+            - 634
+    condition: selection
 falsepositives:
- unknown
+    - unknown
 level: low
 tags:
- CSC4
- CSC4.8
- NIST CSF 1.1 PR.AC-4
- NIST CSF 1.1 PR.AT-2
- NIST CSF 1.1 PR.MA-2
- NIST CSF 1.1 PR.PT-3
- ISO 27002-2013 A.9.1.1
- ISO 27002-2013 A.9.2.2
- ISO 27002-2013 A.9.2.3
- ISO 27002-2013 A.9.2.4
- ISO 27002-2013 A.9.2.5
- ISO 27002-2013 A.9.2.6
- ISO 27002-2013 A.9.3.1
- ISO 27002-2013 A.9.4.1
- ISO 27002-2013 A.9.4.2
- ISO 27002-2013 A.9.4.3
- ISO 27002-2013 A.9.4.4
- PCI DSS 3.2 2.1
- PCI DSS 3.2 7.1
- PCI DSS 3.2 7.2
- PCI DSS 3.2 7.3
- PCI DSS 3.2 8.1
- PCI DSS 3.2 8.2
- PCI DSS 3.2 8.3
- PCI DSS 3.2 8.7
+    - CSC4
+    - CSC4.8
+    - NIST CSF 1.1 PR.AC-4
+    - NIST CSF 1.1 PR.AT-2
+    - NIST CSF 1.1 PR.MA-2
+    - NIST CSF 1.1 PR.PT-3
+    - ISO 27002-2013 A.9.1.1
+    - ISO 27002-2013 A.9.2.2
+    - ISO 27002-2013 A.9.2.3
+    - ISO 27002-2013 A.9.2.4
+    - ISO 27002-2013 A.9.2.5
+    - ISO 27002-2013 A.9.2.6
+    - ISO 27002-2013 A.9.3.1
+    - ISO 27002-2013 A.9.4.1
+    - ISO 27002-2013 A.9.4.2
+    - ISO 27002-2013 A.9.4.3
+    - ISO 27002-2013 A.9.4.4
+    - PCI DSS 3.2 2.1
+    - PCI DSS 3.2 7.1
+    - PCI DSS 3.2 7.2
+    - PCI DSS 3.2 7.3
+    - PCI DSS 3.2 8.1
+    - PCI DSS 3.2 8.2
+    - PCI DSS 3.2 8.3
+    - PCI DSS 3.2 8.7
@@ -1,29 +1,30 @@
 title: Host Without Firewall
+id: 6b2066c8-3dc7-4db7-9db0-6cc1d7b0dde9
 description: Host Without Firewall. Alert means not complied. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
 author: Alexandr Yampolskyi, SOC Prime
 references:
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
+    - https://www.cisecurity.org/controls/cis-controls-list/
+    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 date: 2019/03/19
 status: stable
 level: low
 logsource:
-  product: Qualys
+    product: Qualys
 detection:
-  selection:
-    event.category: Security Policy
-    host.scan.vuln_name: Firewall Product Not Detected*
-  condition: selection
+    selection:
+        event.category: Security Policy
+        host.scan.vuln_name: Firewall Product Not Detected*
+    condition: selection
 tags:
- CSC9
- CSC9.4
- NIST CSF 1.1 PR.AC-5
- NIST CSF 1.1 PR.AC-6
- NIST CSF 1.1 PR.AC-7
- NIST CSF 1.1 DE.AE-1
- ISO 27002-2013 A.9.1.2
- ISO 27002-2013 A.13.2.1
- ISO 27002-2013 A.13.2.2
- ISO 27002-2013 A.14.1.2
- PCI DSS 3.2 1.4
+    - CSC9
+    - CSC9.4
+    - NIST CSF 1.1 PR.AC-5
+    - NIST CSF 1.1 PR.AC-6
+    - NIST CSF 1.1 PR.AC-7
+    - NIST CSF 1.1 DE.AE-1
+    - ISO 27002-2013 A.9.1.2
+    - ISO 27002-2013 A.13.2.1
+    - ISO 27002-2013 A.13.2.2
+    - ISO 27002-2013 A.14.1.2
+    - PCI DSS 3.2 1.4
@@ -1,45 +1,47 @@
 title: Locked Workstation
-description: Automatically lock workstation sessions after a standard period of inactivity. The case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019.
+id: 411742ad-89b0-49cb-a7b0-3971b5c1e0a4
+description: Automatically lock workstation sessions after a standard period of inactivity. The case is not applicable for Unix OS. Supported OS - Windows 2008 R2
+    and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019.
 author: Alexandr Yampolskyi, SOC Prime
 status: stable
 references:
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800
+    - https://www.cisecurity.org/controls/cis-controls-list/
+    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800
 date: 2019/03/26
 logsource:
-  product: windows
-  service: security
+    product: windows
+    service: security
 detection:
-  selection:
-    EventID:
-    - 4800
-  condition: selection
+    selection:
+        EventID:
+            - 4800
+    condition: selection
 falsepositives:
- unknown
+    - unknown
 level: low
 tags:
- CSC16
- CSC16.11
- ISO27002-2013 A.9.1.1
- ISO27002-2013 A.9.2.1
- ISO27002-2013 A.9.2.2
- ISO27002-2013 A.9.2.3
- ISO27002-2013 A.9.2.4
- ISO27002-2013 A.9.2.5
- ISO27002-2013 A.9.2.6
- ISO27002-2013 A.9.3.1
- ISO27002-2013 A.9.4.1
- ISO27002-2013 A.9.4.3
- ISO27002-2013 A.11.2.8
- PCI DSS 3.1 7.1
- PCI DSS 3.1 7.2
- PCI DSS 3.1 7.3
- PCI DSS 3.1 8.7
- PCI DSS 3.1 8.8
- NIST CSF 1.1 PR.AC-1
- NIST CSF 1.1 PR.AC-4
- NIST CSF 1.1 PR.AC-6
- NIST CSF 1.1 PR.AC-7
- NIST CSF 1.1 PR.PT-3
+    - CSC16
+    - CSC16.11
+    - ISO27002-2013 A.9.1.1
+    - ISO27002-2013 A.9.2.1
+    - ISO27002-2013 A.9.2.2
+    - ISO27002-2013 A.9.2.3
+    - ISO27002-2013 A.9.2.4
+    - ISO27002-2013 A.9.2.5
+    - ISO27002-2013 A.9.2.6
+    - ISO27002-2013 A.9.3.1
+    - ISO27002-2013 A.9.4.1
+    - ISO27002-2013 A.9.4.3
+    - ISO27002-2013 A.11.2.8
+    - PCI DSS 3.1 7.1
+    - PCI DSS 3.1 7.2
+    - PCI DSS 3.1 7.3
+    - PCI DSS 3.1 8.7
+    - PCI DSS 3.1 8.8
+    - NIST CSF 1.1 PR.AC-1
+    - NIST CSF 1.1 PR.AC-4
+    - NIST CSF 1.1 PR.AC-6
+    - NIST CSF 1.1 PR.AC-7
+    - NIST CSF 1.1 PR.PT-3
@@ -1,4 +1,5 @@
 title: Detects Suspicious edit of .bash_profile and .bashrc on Linux systems
+id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9
 status: experimental
 description: Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.
 references:
@@ -1,6 +1,8 @@
 title: Masquerading as Linux crond process
+id: 9d4548fa-bba0-4e88-bd66-5d5bf516cda0
 status: experimental
-description: Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.
+description: Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and
+    observation. Several different variations of this technique have been observed.
 author: Timur Zinniatullin, oscd.community
 date: 2019/10/21
 references:
@@ -1,8 +1,9 @@
 title: Detects Suspicious Commands on Linux systems
+id: 1543ae20-cbdf-4ec1-8d12-7664d667a825
 status: experimental
 description: Detects relevant commands often related to malware or hacking activity
 references:
-    - 'Internal Research - mostly derived from exploit code including code in MSF'
+    - Internal Research - mostly derived from exploit code including code in MSF
 date: 2017/12/12
 author: Florian Roth
 logsource:
@@ -1,8 +1,9 @@
 title: Program Executions in Suspicious Folders
+id: a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc
 status: experimental
 description: Detects program executions in suspicious non-program folders related to malware or hacking activity
 references:
-    - 'Internal Research'
+    - Internal Research
 date: 2018/01/23
 author: Florian Roth
 logsource:
@@ -1,6 +1,8 @@
 title: System Owner or User Discovery
+id: 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3
 status: experimental
-description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not
+    the adversary fully infects the target and/or attempts specific actions.
 author: Timur Zinniatullin, oscd.community
 date: 2019/10/21
 references:
@@ -1,10 +1,7 @@
 title: Webshell Remote Command Execution
+id: c0d3734d-330f-4a03-aae2-65dacc6a8222
 status: experimental
 description: Detects posible command execution by web application/web shell
-# You need to add to the config auditd.conf: 
-# -a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www
-# -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www
-# change 33 to id you webserver user. default: www-data:x:33:33
 tags:
    - attack.persistence
    - attack.t1100
@@ -1,6 +1,8 @@
 title: Data Compressed
+id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee
 status: experimental
-description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
+description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount
+    of data sent over the network
 author: Timur Zinniatullin, oscd.community
 date: 2019/10/21
 modified: 2019/11/04
@@ -1,6 +1,8 @@
 title: Network Sniffing
+id: f4d3748a-65d1-4806-bd23-e25728081d01
 status: experimental
-description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary
+    may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
 author: Timur Zinniatullin, oscd.community
 date: 2019/10/21
 modified: 2019/11/04
@@ -1,4 +1,5 @@
 title: Buffer Overflow Attempts
+id: 18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781
 description: Detects buffer overflow attempts in Unix system log files
 references:
    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
@@ -1,4 +1,5 @@
 title: Relevant ClamAV Message
+id: 36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb
 description: Detects relevant ClamAV messages
 references:
    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml
@@ -1,6 +1,7 @@
 title: Clear Command History
+id: fdc88d25-96fb-4b7c-9633-c0e417fdbd4e
 status: experimental
-description: Clear command history in linux which is used for defense evasion. 
+description: Clear command history in linux which is used for defense evasion.
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1146/T1146.yaml
    - https://attack.mitre.org/techniques/T1146/
@@ -1,4 +1,5 @@
-title: Privilege Escalation Preparation 
+title: Privilege Escalation Preparation
+id: 444ade84-c362-4260-b1f3-e45e20e1a905
 status: experimental
 description: Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation.
 references:
@@ -1,4 +1,5 @@
 title: Suspicious Activity in Shell Commands
+id: 2aa1440c-9ae9-4d92-84a7-a9e5f5e31695
 description: Detects suspicious shell commands used in various exploit codes (see references)
 references:
    - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html
@@ -1,16 +1,15 @@
 title: Suspicious Log Entries
+id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1
 description: Detects suspicious log entries in Linux log files
 author: Florian Roth
 logsource:
    product: linux
 detection:
    keywords:
-        # Generic suspicious log lines
-        - 'entered promiscuous mode'
-        # OSSEC https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml
-        - 'Deactivating service'
-        - 'Oversized packet received from'  
-        - 'imuxsock begins to drop messages'      
+        - entered promiscuous mode
+        - Deactivating service
+        - Oversized packet received from
+        - imuxsock begins to drop messages
    condition: keywords
 falsepositives:
    - Unknown
@@ -1,4 +1,5 @@
 title: Suspicious Reverse Shell Command Line
+id: 738d9bcf-6999-4fdb-b4ac-3033037db8ab
 status: experimental
 description: Detects suspicious shell commands or program code that may be exected or used in command line to establish a reverse shell
 references:
@@ -1,4 +1,5 @@
 title: Shellshock Expression
+id: c67e0c98-4d39-46ee-8f6b-437ebf6b950e
 description: Detects shellshock expressions in log files
 references:
    - http://rubular.com/r/zxBfjWfFYs
@@ -1,4 +1,5 @@
 title: SSHD Error Message CVE-2018-15473
+id: 4c9d903d-4939-4094-ade0-3cb748f4d7da
 description: Detects exploitation attempt using public exploit code for CVE-2018-15473
 references:
    - https://github.com/Rhynorater/CVE-2018-15473-Exploit
@@ -1,6 +1,6 @@
---
 action: global
 title: Sudo Privilege Escalation CVE-2019-14287
+id: f74107df-b6c6-4e80-bf00-4170b658162b
 status: experimental
 description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
 references:
@@ -1,18 +1,18 @@
 title: Multiple Failed Logins with Different Accounts from Single Source System
+id: fc947f8e-ea81-4b14-9a7b-13f888f94e18
 description: Detects suspicious failed logins with different user accounts from a single source system
 logsource:
    product: linux
    service: auth
 detection:
    selection:
-        pam_message: "authentication failure"
+        pam_message: authentication failure
        pam_user: '*'
        pam_rhost: '*'
-    timeframe: 24h 
+    timeframe: 24h
    condition: selection | count(pam_user) by pam_rhost > 3
 falsepositives:
    - Terminal servers
    - Jump servers
-    - Workstations with frequently changing users 
+    - Workstations with frequently changing users
 level: medium
-
@@ -1,4 +1,5 @@
 title: JexBoss Command Sequence
+id: 8ec2c8b4-557a-4121-b87c-5dfb3a602fae
 description: Detects suspicious command sequence that JexBoss
 references:
    - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
@@ -1,6 +1,7 @@
 title: Suspicious Named Error
+id: c8e35e96-19ce-4f16-aeb6-fd5588dc5365
 status: experimental
-description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 
+description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
 references:
    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml
 author: Florian Roth
@@ -1,5 +1,6 @@
 title: Suspicious SSHD Error
-description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 
+id: e76b413a-83d0-4b94-8e4c-85db4a5b8bdc
+description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
 references:
    - https://github.com/openssh/openssh-portable/blob/master/ssherr.c
    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml
@@ -1,5 +1,6 @@
 title: Suspicious VSFTPD Error Messages
-description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 
+id: 377f33a1-4b36-4ee1-acee-1dbe4b43cfbe
+description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
 references:
    - https://github.com/dagwieers/vsftpd/
 author: Florian Roth
@@ -1,5 +1,6 @@
 title: Multiple Modsecurity Blocks
-description: Detects multiple blocks by the mod_security module (Web Application Firewall) 
+id: a06eea10-d932-4aa6-8ba9-186df72c8d23
+description: Detects multiple blocks by the mod_security module (Web Application Firewall)
 logsource:
    product: linux
    service: modsecurity
@@ -1,6 +1,8 @@
 title: Possible DNS Tunneling
+id: 1ec4b281-aa65-46a2-bdae-5fd830ed914e
 status: experimental
-description: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data. 
+description: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain,
+    which can be an indicator that DNS is used to transfer data.
 references:
    - https://zeltser.com/c2-dns-tunneling/
    - https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/
@@ -1,4 +1,5 @@
 title: Cobalt Strike DNS Beaconing
+id: 2975af79-28c4-4d2f-a951-9095f229df29
 status: experimental
 description: Detects suspicious DNS queries known from Cobalt Strike beacons
 references:
@@ -1,4 +1,5 @@
-title: Suspicious DNS Query with B64 Encoded String   
+title: Suspicious DNS Query with B64 Encoded String
+id: 4153a907-2451-4e4f-a578-c52bb6881432
 status: experimental
 description: Detects suspicious DNS queries using base64 encoding
 references:
@@ -1,6 +1,7 @@
-title: DNS TXT Answer with possible execution strings    
+title: DNS TXT Answer with possible execution strings
+id: 8ae51330-899c-4641-8125-e39f2e07da72
 status: experimental
-description: Detects strings used in command execution in DNS TXT Answer 
+description: Detects strings used in command execution in DNS TXT Answer
 references:
    - https://twitter.com/stvemillertime/status/1024707932447854592
    - https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1
@@ -1,4 +1,5 @@
 title: Network Scans
+id: fab0ddf0-b8a9-4d70-91ce-a20547209afb
 description: Detects many failed connection attempts to different ports or hosts
 author: Thomas Patzke
 logsource:
@@ -1,4 +1,5 @@
 title: Telegram Bot API Request
+id: c64c5175-5189-431b-a55e-6d9882158251
 status: experimental
 description: Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind
 references:
@@ -1,4 +1,5 @@
 title: APT40 Dropbox Tool User Agent
+id: 5ba715b6-71b7-44fd-8245-f66893e81b3d
 status: experimental
 description: Detects suspicious user agent string of APT40 Dropbox tool
 references:
@@ -1,4 +1,5 @@
 title: Chafer Malware URL Pattern
+id: fb502828-2db0-438e-93e6-801c7548686d
 status: experimental
 description: Detects HTTP requests used by Chafer malware
 references:
@@ -1,6 +1,7 @@
 title: CobaltStrike Malleable Amazon browsing traffic profile
+id: 953b895e-5cc9-454b-b183-7f3db555452e
 status: experimental
-description: Detects Malleable Amazon Profile 
+description: Detects Malleable Amazon Profile
 references:
    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/amazon.profile
    - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
@@ -1,4 +1,5 @@
 title: CobaltStrike Malleable (OCSP) Profile
+id: 37325383-740a-403d-b1a2-b2b4ab7992e7
 status: experimental
 description: Detects Malleable (OCSP) Profile with Typo (OSCP) in URL
 references:
@@ -1,8 +1,9 @@
 title: CobaltStrike Malleable OneDrive browsing traffic profile
+id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc
 status: experimental
-description: Detects Malleable OneDrive Profile 
+description: Detects Malleable OneDrive Profile
 references:
-    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile    
+    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile
 author: Markus Neis
 tags:
    - attack.t1102
@@ -1,4 +1,5 @@
 title: Download from Suspicious Dyndns Hosts
+id: 195c1119-ef07-4909-bb12-e66f5e07bf3c
 status: experimental
 description: Detects download of certain file types from hosts with dynamic DNS names (selected list)
 references:
@@ -1,6 +1,7 @@
 title: Download from Suspicious TLD
+id: 00d0b5ab-1f55-4120-8e83-487c0a7baf19
 status: experimental
-description: Detects download of certain file types from hosts in suspicious TLDs 
+description: Detects download of certain file types from hosts in suspicious TLDs
 references:
    - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap
    - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf
@@ -1,4 +1,5 @@
 title: Download EXE from Suspicious TLD
+id: b5de2919-b74a-4805-91a7-5049accbaefe
 status: experimental
 description: Detects executable downloads from suspicious remote systems
 author: Florian Roth
@@ -1,4 +1,5 @@
 title: Windows WebDAV User Agent
+id: e09aed7a-09e0-4c9a-90dd-f0d52507347e
 status: experimental
 description: Detects WebDav DownloadCradle
 references:
@@ -1,4 +1,5 @@
 title: Empty User Agent
+id: 21e44d78-95e7-421b-a464-ffd8395659c4
 status: experimental
 description: Detects suspicious empty user agent strings in proxy logs
 references:
@@ -1,4 +1,5 @@
 title: iOS Implant URL Pattern
+id: e06ac91d-b9e6-443d-8e5b-af749e7aa6b6
 status: experimental
 description: Detects URL pattern used by iOS Implant
 references:
@@ -1,4 +1,5 @@
 title: Windows PowerShell User Agent
+id: c8557060-9221-4448-8794-96320e6f3e74
 status: experimental
 description: Detects Windows PowerShell Web Access
 references:
@@ -1,4 +1,5 @@
 title: Flash Player Update from Suspicious Location
+id: 4922a5dd-6743-4fc2-8e81-144374280997
 status: experimental
 description: Detects a flashplayer update from an unofficial location
 references:
@@ -1,4 +1,5 @@
 title: Telegram API Access
+id: b494b165-6634-483d-8c47-2026a6c52372
 status: experimental
 description: Detects suspicious requests to Telegram API without the usual Telegram User-Agent
 references:
@@ -1,4 +1,5 @@
 title: APT User Agent
+id: 6ec820f2-e963-4801-9127-d8b2dce4d31b
 status: experimental
 description: Detects suspicious user agent strings used in APT malware in proxy logs
 references:
@@ -1,8 +1,7 @@
 title: Bitsadmin to Uncommon TLD
+id: 9eb68894-7476-4cd6-8752-23b51f5883a7
 status: experimental
-description: Detects Bitsadmin connections to domains with uncommon TLDs 
-    - https://twitter.com/jhencinski/status/1102695118455349248
-    - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
+description: Detects Bitsadmin connections to domains with uncommon TLDs - https://twitter.com/jhencinski/status/1102695118455349248 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
 author: Florian Roth
 date: 2019/03/07
 logsource:
@@ -1,4 +1,5 @@
 title: Crypto Miner User Agent
+id: fa935401-513b-467b-81f4-f9e77aa0dd78
 status: experimental
 description: Detects suspicious user agent strings used by crypto miners in proxy logs
 references:
@@ -1,4 +1,5 @@
 title: Exploit Framework User Agent
+id: fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f
 status: experimental
 description: Detects suspicious user agent strings used by exploit / pentest framworks like Metasploit in proxy logs
 references:
@@ -1,4 +1,5 @@
 title: Hack Tool User Agent
+id: c42a3073-30fb-48ae-8c99-c23ada84b103
 status: experimental
 description: Detects suspicious user agent strings user by hack tools in proxy logs
 references:
@@ -1,4 +1,5 @@
 title: Malware User Agent
+id: 5c84856b-55a5-45f1-826f-13f37250cf4e
 status: experimental
 description: Detects suspicious user agent strings used by malware in proxy logs
 references:
@@ -1,4 +1,5 @@
 title: Suspicious User Agent
+id: 7195a772-4b3f-43a4-a210-6a003d65caa1
 status: experimental
 description: Detects suspicious malformed user agent strings in proxy logs
 references:
@@ -1,5 +1,6 @@
 title: Apache Segmentation Fault
-description: Detects a segmentation fault error message caused by a creashing apacke worker process 
+id: 1da8ce0b-855d-4004-8860-7d64d42063b1
+description: Detects a segmentation fault error message caused by a creashing apacke worker process
 author: Florian Roth
 references:
    - http://www.securityfocus.com/infocus/1633
@@ -1,4 +1,5 @@
 title: Apache Threading Error
+id: e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c
 status: experimental
 description: Detects an issue in apache logs that reports threading related errors
 author: Florian Roth
@@ -1,9 +1,10 @@
 title: Oracle WebLogic Exploit
+id: 37e8369b-43bb-4bf8-83b6-6dd43bda2000
 description: Detects access to a webshell droped into a keytore folder on the WebLogic server
 author: Florian Roth
 date: 2018/07/22
 status: experimental
-references: 
+references:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2894
    - https://twitter.com/pyn3rd/status/1020620932967223296
    - https://github.com/LandGrey/CVE-2018-2894
@@ -1,4 +1,5 @@
 title: Multiple suspicious Response Codes caused by Single Client
+id: 6fdfc796-06b3-46e8-af08-58f3505318af
 description: Detects possible exploitation activity or bugs in a web application
 author: Thomas Patzke
 logsource:
@@ -1,9 +1,10 @@
 title: Source Code Enumeration Detection by Keyword
+id: 953d460b-f810-420a-97a2-cfca4c98e602
 description: Detects source code enumeration that use GET requests by keyword searches in URL strings
 author: James Ahearn
-references: 
-    - 'https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html'
-    - 'https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1'
+references:
+    - https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html
+    - https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1
 logsource:
    category: webserver
 detection:
@@ -1,13 +1,14 @@
 title: Webshell Detection by Keyword
+id: 7ff9db12-1b94-4a79-ba68-a2402c5d6729
 description: Detects webshells that use GET requests by keyword searches in URL strings
 author: Florian Roth
 logsource:
    category: webserver
 detection:
    keywords:
-        - '=whoami'
-        - '=net%20user'
-        - '=cmd%20/c%20'
+        - =whoami
+        - =net%20user
+        - =cmd%20/c%20
    condition: keywords
 fields:
    - client_ip
@@ -1,4 +1,5 @@
 title: Persistence and Execution at scale via GPO scheduled task
+id: a8f29a7b-b137-4446-80a0-b804272f3da2
 description: Detect lateral movement using GPO scheduled task, ususally used to deploy ransomware at scale
 author: Samir Bousseaden
 references:
@@ -1,5 +1,7 @@
 title: Powerview Add-DomainObjectAcl DCSync AD Extend Right
-description: backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
+id: 2c99737c-585d-4431-b61a-c911d86ff32f
+description: backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync
+    Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
 status: experimental
 date: 2019/04/03
 author: Samir Bousseaden
@@ -1,4 +1,5 @@
 title: AD Privileged Users or Groups Reconnaissance
+id: 35ba1d85-724d-42a3-889f-2e2362bcaf23
 description: Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs
 references:
    - https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
--- a/Show More
+++ b/Show More