From 23a9f98eae7ed0c3ceb77485202f65da03321ccb Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 5 Apr 2023 02:34:37 +0200
Subject: [PATCH] chore: move more rules

---
 .../proc_creation_win_apt_lazarus_binary_masquerading.yml | 0
 .../2019/EmpireMonkey}/proc_creation_win_apt_empiremonkey.yml | 0
 .../proc_creation_win_apt_equationgroup_dll_u_load.yml | 0
 .../2020/Evilnum}/proc_creation_win_apt_evilnum_jul20.yml | 0
 .../2020/Greenbug}/proc_creation_win_apt_greenbug_may20.yml | 0
 rules-unsupported/{ => cloud}/aws_ec2_download_userdata.yml | 0
 rules-unsupported/{ => cloud}/aws_enum_backup.yml | 0
 rules-unsupported/{ => cloud}/aws_enum_listing.yml | 0
 rules-unsupported/{ => cloud}/aws_enum_network.yml | 0
 rules-unsupported/{ => cloud}/aws_enum_storage.yml | 0
 .../{ => cloud}/aws_lambda_function_created_or_invoked.yml | 0
 rules-unsupported/{ => cloud}/aws_macic_evasion.yml | 0
 rules-unsupported/{ => cloud}/aws_ses_messaging_enabled.yml | 0
 .../azure_aad_secops_signin_failure_bad_password_threshold.yml | 0
 .../{ => linux}/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml | 0
 .../lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml | 0
 rules-unsupported/{ => linux}/lnx_auditd_cve_2021_4034.yml | 0
 rules-unsupported/{ => linux}/lnx_auditd_debugfs_usage.yml | 0
 .../lnx_auditd_omigod_scx_runasprovider_executescript.yml | 0
 .../{ => linux}/lnx_auth_susp_failed_logons_single_source.yml | 0
 rules-unsupported/{ => linux}/lnx_shell_priv_esc_prep.yml | 0
 rules-unsupported/{ => network}/net_dns_c2_detection.yml | 0
 rules-unsupported/{ => network}/net_dns_high_bytes_out.yml | 0
 .../{ => network}/net_dns_high_null_records_requests_rate.yml | 0
 rules-unsupported/{ => network}/net_dns_high_requests_rate.yml | 0
 rules-unsupported/{ => network}/net_dns_high_subdomain_rate.yml | 0
 .../{ => network}/net_dns_high_txt_records_requests_rate.yml | 0
 rules-unsupported/{ => network}/net_dns_large_domain_name.yml | 0
 .../{ => network}/net_firewall_high_dns_bytes_out.yml | 0
 .../{ => network}/net_firewall_high_dns_requests_rate.yml | 0
 .../{ => network}/net_firewall_susp_network_scan_by_ip.yml | 0
 .../{ => network}/net_firewall_susp_network_scan_by_port.yml | 0
 rules-unsupported/{ => network}/net_possible_dns_rebinding.yml | 0
 rules-unsupported/{ => other}/modsec_mulitple_blocks.yml | 0
 .../{ => web}/web_multiple_susp_resp_codes_single_source.yml | 0
 .../{ => windows}/dns_query_win_possible_dns_rebinding.yml | 0
 .../driver_load_invoke_obfuscation_clip+_services.yml | 0
 .../driver_load_invoke_obfuscation_obfuscated_iex_services.yml | 0
 .../driver_load_invoke_obfuscation_stdin+_services.yml | 0
 .../driver_load_invoke_obfuscation_var+_services.yml | 0
 .../driver_load_invoke_obfuscation_via_compress_services.yml | 0
 .../driver_load_invoke_obfuscation_via_rundll_services.yml | 0
 .../driver_load_invoke_obfuscation_via_stdin_services.yml | 0
 .../driver_load_invoke_obfuscation_via_use_clip_services.yml | 0
 .../driver_load_invoke_obfuscation_via_use_mshta_services.yml | 0
 .../driver_load_invoke_obfuscation_via_use_rundll32_services.yml | 0
 .../driver_load_invoke_obfuscation_via_var++_services.yml | 0
 ...meterpreter_or_cobaltstrike_getsystem_service_installation.yml | 0
 .../{ => windows}/driver_load_tap_driver_installation.yml | 0
 ...nt_executable_and_script_creation_by_office_using_file_ext.yml | 0
 .../{ => windows}/image_load_mimikatz_inmemory_detection.yml | 0
 .../{ => windows}/posh_ps_cl_invocation_lolscript_count.yml | 0
 .../{ => windows}/posh_ps_cl_mutexverifiers_lolscript_count.yml | 0
 .../proc_creation_win_correlation_apt_silence_downloader_v3.yml | 0
 .../proc_creation_win_correlation_apt_turla_commands_medium.yml | 0
 ...creation_win_correlation_dnscat2_powershell_implementation.yml | 0
 .../proc_creation_win_correlation_multiple_susp_cli.yml | 0
 .../proc_creation_win_correlation_susp_builtin_commands_recon.yml | 0
 ..._elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml | 0
 .../sysmon_always_install_elevated_parent_child_correlated.yml | 0
 .../{ => windows}/sysmon_non_priv_program_files_move.yml | 0
 rules-unsupported/{ => windows}/sysmon_process_reimaging.yml | 0
 .../win_access_fake_files_with_stored_credentials.yml | 0
 rules-unsupported/{ => windows}/win_apt_apt29_tor.yml | 0
 .../{ => windows}/win_dumping_ntdsdit_via_dcsync.yml | 0
 .../{ => windows}/win_dumping_ntdsdit_via_netsync.yml | 0
 .../win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml | 0
 rules-unsupported/{ => windows}/win_mal_service_installs.yml | 0
 .../win_metasploit_or_impacket_smb_psexec_service_install.yml | 0
 .../win_possible_privilege_escalation_using_rotten_potato.yml | 0
 rules-unsupported/{ => windows}/win_remote_schtask.yml | 0
 rules-unsupported/{ => windows}/win_remote_service.yml | 0
 .../{ => windows}/win_security_global_catalog_enumeration.yml | 0
 .../{ => windows}/win_security_rare_schtasks_creations.yml | 0
 .../win_security_susp_failed_logons_explicit_credentials.yml | 0
 .../win_security_susp_failed_logons_single_process.yml | 0
 .../win_security_susp_failed_logons_single_source.yml | 0
 .../win_security_susp_failed_logons_single_source2.yml | 0
 .../win_security_susp_failed_logons_single_source_kerberos.yml | 0
 .../win_security_susp_failed_logons_single_source_kerberos2.yml | 0
 .../win_security_susp_failed_logons_single_source_kerberos3.yml | 0
 .../win_security_susp_failed_logons_single_source_ntlm.yml | 0
 .../win_security_susp_failed_logons_single_source_ntlm2.yml | 0
 .../win_security_susp_failed_remote_logons_single_source.yml | 0
 .../win_security_susp_multiple_files_renamed_or_deleted.yml | 0
 rules-unsupported/{ => windows}/win_security_susp_samr_pwset.yml | 0
 .../{ => windows}/win_susp_failed_hidden_share_mount.yml | 0
 .../{ => windows}/win_suspicious_werfault_connection_outbound.yml | 0
 .../{ => windows}/win_system_rare_service_installs.yml | 0
 .../{ => windows}/win_taskscheduler_rare_schtask_creation.yml | 0
 .../{ => zeek}/zeek_dce_rpc_domain_user_enumeration.yml | 0
 .../{ => zeek}/zeek_http_exfiltration_compressed_files.yml | 0
 92 files changed, 0 insertions(+), 0 deletions(-)
 rename {rules/windows/process_creation => rules-emerging-threats/2017/Lazarus}/proc_creation_win_apt_lazarus_binary_masquerading.yml (100%)
 rename {rules/windows/process_creation => rules-emerging-threats/2019/EmpireMonkey}/proc_creation_win_apt_empiremonkey.yml (100%)
 rename {rules/windows/process_creation => rules-emerging-threats/2019/EquationGroup}/proc_creation_win_apt_equationgroup_dll_u_load.yml (100%)
 mode change 100755 => 100644
 rename {rules/windows/process_creation => rules-emerging-threats/2020/Evilnum}/proc_creation_win_apt_evilnum_jul20.yml (100%)
 rename {rules/windows/process_creation => rules-emerging-threats/2020/Greenbug}/proc_creation_win_apt_greenbug_may20.yml (100%)
 rename rules-unsupported/{ => cloud}/aws_ec2_download_userdata.yml (100%)
 rename rules-unsupported/{ => cloud}/aws_enum_backup.yml (100%)
 rename rules-unsupported/{ => cloud}/aws_enum_listing.yml (100%)
 rename rules-unsupported/{ => cloud}/aws_enum_network.yml (100%)
 rename rules-unsupported/{ => cloud}/aws_enum_storage.yml (100%)
 rename rules-unsupported/{ => cloud}/aws_lambda_function_created_or_invoked.yml (100%)
 rename rules-unsupported/{ => cloud}/aws_macic_evasion.yml (100%)
 rename rules-unsupported/{ => cloud}/aws_ses_messaging_enabled.yml (100%)
 rename rules-unsupported/{ => cloud}/azure_aad_secops_signin_failure_bad_password_threshold.yml (100%)
 rename rules-unsupported/{ => linux}/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml (100%)
 rename rules-unsupported/{ => linux}/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml (100%)
 rename rules-unsupported/{ => linux}/lnx_auditd_cve_2021_4034.yml (100%)
 rename rules-unsupported/{ => linux}/lnx_auditd_debugfs_usage.yml (100%)
 rename rules-unsupported/{ => linux}/lnx_auditd_omigod_scx_runasprovider_executescript.yml (100%)
 rename rules-unsupported/{ => linux}/lnx_auth_susp_failed_logons_single_source.yml (100%)
 rename rules-unsupported/{ => linux}/lnx_shell_priv_esc_prep.yml (100%)
 rename rules-unsupported/{ => network}/net_dns_c2_detection.yml (100%)
 rename rules-unsupported/{ => network}/net_dns_high_bytes_out.yml (100%)
 rename rules-unsupported/{ => network}/net_dns_high_null_records_requests_rate.yml (100%)
 rename rules-unsupported/{ => network}/net_dns_high_requests_rate.yml (100%)
 rename rules-unsupported/{ => network}/net_dns_high_subdomain_rate.yml (100%)
 rename rules-unsupported/{ => network}/net_dns_high_txt_records_requests_rate.yml (100%)
 rename rules-unsupported/{ => network}/net_dns_large_domain_name.yml (100%)
 rename rules-unsupported/{ => network}/net_firewall_high_dns_bytes_out.yml (100%)
 rename rules-unsupported/{ => network}/net_firewall_high_dns_requests_rate.yml (100%)
 rename rules-unsupported/{ => network}/net_firewall_susp_network_scan_by_ip.yml (100%)
 rename rules-unsupported/{ => network}/net_firewall_susp_network_scan_by_port.yml (100%)
 rename rules-unsupported/{ => network}/net_possible_dns_rebinding.yml (100%)
 rename rules-unsupported/{ => other}/modsec_mulitple_blocks.yml (100%)
 rename rules-unsupported/{ => web}/web_multiple_susp_resp_codes_single_source.yml (100%)
 rename rules-unsupported/{ => windows}/dns_query_win_possible_dns_rebinding.yml (100%)
 rename rules-unsupported/{ => windows}/driver_load_invoke_obfuscation_clip+_services.yml (100%)
 rename rules-unsupported/{ => windows}/driver_load_invoke_obfuscation_obfuscated_iex_services.yml (100%)
 rename rules-unsupported/{ => windows}/driver_load_invoke_obfuscation_stdin+_services.yml (100%)
 rename rules-unsupported/{ => windows}/driver_load_invoke_obfuscation_var+_services.yml (100%)
 rename rules-unsupported/{ => windows}/driver_load_invoke_obfuscation_via_compress_services.yml (100%)
 rename rules-unsupported/{ => windows}/driver_load_invoke_obfuscation_via_rundll_services.yml (100%)
 rename rules-unsupported/{ => windows}/driver_load_invoke_obfuscation_via_stdin_services.yml (100%)
 rename rules-unsupported/{ => windows}/driver_load_invoke_obfuscation_via_use_clip_services.yml (100%)
 rename rules-unsupported/{ => windows}/driver_load_invoke_obfuscation_via_use_mshta_services.yml (100%)
 rename rules-unsupported/{ => windows}/driver_load_invoke_obfuscation_via_use_rundll32_services.yml (100%)
 rename rules-unsupported/{ => windows}/driver_load_invoke_obfuscation_via_var++_services.yml (100%)
 rename rules-unsupported/{ => windows}/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml (100%)
 rename rules-unsupported/{ => windows}/driver_load_tap_driver_installation.yml (100%)
 rename rules-unsupported/{ => windows}/file_event_executable_and_script_creation_by_office_using_file_ext.yml (100%)
 rename rules-unsupported/{ => windows}/image_load_mimikatz_inmemory_detection.yml (100%)
 rename rules-unsupported/{ => windows}/posh_ps_cl_invocation_lolscript_count.yml (100%)
 rename rules-unsupported/{ => windows}/posh_ps_cl_mutexverifiers_lolscript_count.yml (100%)
 rename rules-unsupported/{ => windows}/proc_creation_win_correlation_apt_silence_downloader_v3.yml (100%)
 rename rules-unsupported/{ => windows}/proc_creation_win_correlation_apt_turla_commands_medium.yml (100%)
 rename rules-unsupported/{ => windows}/proc_creation_win_correlation_dnscat2_powershell_implementation.yml (100%)
 rename rules-unsupported/{ => windows}/proc_creation_win_correlation_multiple_susp_cli.yml (100%)
 rename rules-unsupported/{ => windows}/proc_creation_win_correlation_susp_builtin_commands_recon.yml (100%)
 rename rules-unsupported/{ => windows}/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml (100%)
 rename rules-unsupported/{ => windows}/sysmon_always_install_elevated_parent_child_correlated.yml (100%)
 rename rules-unsupported/{ => windows}/sysmon_non_priv_program_files_move.yml (100%)
 rename rules-unsupported/{ => windows}/sysmon_process_reimaging.yml (100%)
 rename rules-unsupported/{ => windows}/win_access_fake_files_with_stored_credentials.yml (100%)
 rename rules-unsupported/{ => windows}/win_apt_apt29_tor.yml (100%)
 rename rules-unsupported/{ => windows}/win_dumping_ntdsdit_via_dcsync.yml (100%)
 rename rules-unsupported/{ => windows}/win_dumping_ntdsdit_via_netsync.yml (100%)
 rename rules-unsupported/{ => windows}/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml (100%)
 rename rules-unsupported/{ => windows}/win_mal_service_installs.yml (100%)
 rename rules-unsupported/{ => windows}/win_metasploit_or_impacket_smb_psexec_service_install.yml (100%)
 rename rules-unsupported/{ => windows}/win_possible_privilege_escalation_using_rotten_potato.yml (100%)
 rename rules-unsupported/{ => windows}/win_remote_schtask.yml (100%)
 rename rules-unsupported/{ => windows}/win_remote_service.yml (100%)
 rename rules-unsupported/{ => windows}/win_security_global_catalog_enumeration.yml (100%)
 rename rules-unsupported/{ => windows}/win_security_rare_schtasks_creations.yml (100%)
 rename rules-unsupported/{ => windows}/win_security_susp_failed_logons_explicit_credentials.yml (100%)
 rename rules-unsupported/{ => windows}/win_security_susp_failed_logons_single_process.yml (100%)
 rename rules-unsupported/{ => windows}/win_security_susp_failed_logons_single_source.yml (100%)
 rename rules-unsupported/{ => windows}/win_security_susp_failed_logons_single_source2.yml (100%)
 rename rules-unsupported/{ => windows}/win_security_susp_failed_logons_single_source_kerberos.yml (100%)
 rename rules-unsupported/{ => windows}/win_security_susp_failed_logons_single_source_kerberos2.yml (100%)
 rename rules-unsupported/{ => windows}/win_security_susp_failed_logons_single_source_kerberos3.yml (100%)
 rename rules-unsupported/{ => windows}/win_security_susp_failed_logons_single_source_ntlm.yml (100%)
 rename rules-unsupported/{ => windows}/win_security_susp_failed_logons_single_source_ntlm2.yml (100%)
 rename rules-unsupported/{ => windows}/win_security_susp_failed_remote_logons_single_source.yml (100%)
 rename rules-unsupported/{ => windows}/win_security_susp_multiple_files_renamed_or_deleted.yml (100%)
 rename rules-unsupported/{ => windows}/win_security_susp_samr_pwset.yml (100%)
 rename rules-unsupported/{ => windows}/win_susp_failed_hidden_share_mount.yml (100%)
 rename rules-unsupported/{ => windows}/win_suspicious_werfault_connection_outbound.yml (100%)
 rename rules-unsupported/{ => windows}/win_system_rare_service_installs.yml (100%)
 rename rules-unsupported/{ => windows}/win_taskscheduler_rare_schtask_creation.yml (100%)
 rename rules-unsupported/{ => zeek}/zeek_dce_rpc_domain_user_enumeration.yml (100%)
 rename rules-unsupported/{ => zeek}/zeek_http_exfiltration_compressed_files.yml (100%)

diff --git a/rules/windows/process_creation/proc_creation_win_apt_lazarus_binary_masquerading.yml b/rules-emerging-threats/2017/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_apt_lazarus_binary_masquerading.yml
rename to rules-emerging-threats/2017/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml
diff --git a/rules/windows/process_creation/proc_creation_win_apt_empiremonkey.yml b/rules-emerging-threats/2019/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_apt_empiremonkey.yml
rename to rules-emerging-threats/2019/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml
diff --git a/rules/windows/process_creation/proc_creation_win_apt_equationgroup_dll_u_load.yml b/rules-emerging-threats/2019/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml
old mode 100755
new mode 100644
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_apt_equationgroup_dll_u_load.yml
rename to rules-emerging-threats/2019/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml
diff --git a/rules/windows/process_creation/proc_creation_win_apt_evilnum_jul20.yml b/rules-emerging-threats/2020/Evilnum/proc_creation_win_apt_evilnum_jul20.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_apt_evilnum_jul20.yml
rename to rules-emerging-threats/2020/Evilnum/proc_creation_win_apt_evilnum_jul20.yml
diff --git a/rules/windows/process_creation/proc_creation_win_apt_greenbug_may20.yml b/rules-emerging-threats/2020/Greenbug/proc_creation_win_apt_greenbug_may20.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_apt_greenbug_may20.yml
rename to rules-emerging-threats/2020/Greenbug/proc_creation_win_apt_greenbug_may20.yml
diff --git a/rules-unsupported/aws_ec2_download_userdata.yml b/rules-unsupported/cloud/aws_ec2_download_userdata.yml
similarity index 100%
rename from rules-unsupported/aws_ec2_download_userdata.yml
rename to rules-unsupported/cloud/aws_ec2_download_userdata.yml
diff --git a/rules-unsupported/aws_enum_backup.yml b/rules-unsupported/cloud/aws_enum_backup.yml
similarity index 100%
rename from rules-unsupported/aws_enum_backup.yml
rename to rules-unsupported/cloud/aws_enum_backup.yml
diff --git a/rules-unsupported/aws_enum_listing.yml b/rules-unsupported/cloud/aws_enum_listing.yml
similarity index 100%
rename from rules-unsupported/aws_enum_listing.yml
rename to rules-unsupported/cloud/aws_enum_listing.yml
diff --git a/rules-unsupported/aws_enum_network.yml b/rules-unsupported/cloud/aws_enum_network.yml
similarity index 100%
rename from rules-unsupported/aws_enum_network.yml
rename to rules-unsupported/cloud/aws_enum_network.yml
diff --git a/rules-unsupported/aws_enum_storage.yml b/rules-unsupported/cloud/aws_enum_storage.yml
similarity index 100%
rename from rules-unsupported/aws_enum_storage.yml
rename to rules-unsupported/cloud/aws_enum_storage.yml
diff --git a/rules-unsupported/aws_lambda_function_created_or_invoked.yml b/rules-unsupported/cloud/aws_lambda_function_created_or_invoked.yml
similarity index 100%
rename from rules-unsupported/aws_lambda_function_created_or_invoked.yml
rename to rules-unsupported/cloud/aws_lambda_function_created_or_invoked.yml
diff --git a/rules-unsupported/aws_macic_evasion.yml b/rules-unsupported/cloud/aws_macic_evasion.yml
similarity index 100%
rename from rules-unsupported/aws_macic_evasion.yml
rename to rules-unsupported/cloud/aws_macic_evasion.yml
diff --git a/rules-unsupported/aws_ses_messaging_enabled.yml b/rules-unsupported/cloud/aws_ses_messaging_enabled.yml
similarity index 100%
rename from rules-unsupported/aws_ses_messaging_enabled.yml
rename to rules-unsupported/cloud/aws_ses_messaging_enabled.yml
diff --git a/rules-unsupported/azure_aad_secops_signin_failure_bad_password_threshold.yml b/rules-unsupported/cloud/azure_aad_secops_signin_failure_bad_password_threshold.yml
similarity index 100%
rename from rules-unsupported/azure_aad_secops_signin_failure_bad_password_threshold.yml
rename to rules-unsupported/cloud/azure_aad_secops_signin_failure_bad_password_threshold.yml
diff --git a/rules-unsupported/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml b/rules-unsupported/linux/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml
similarity index 100%
rename from rules-unsupported/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml
rename to rules-unsupported/linux/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml
diff --git a/rules-unsupported/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml b/rules-unsupported/linux/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml
similarity index 100%
rename from rules-unsupported/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml
rename to rules-unsupported/linux/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml
diff --git a/rules-unsupported/lnx_auditd_cve_2021_4034.yml b/rules-unsupported/linux/lnx_auditd_cve_2021_4034.yml
similarity index 100%
rename from rules-unsupported/lnx_auditd_cve_2021_4034.yml
rename to rules-unsupported/linux/lnx_auditd_cve_2021_4034.yml
diff --git a/rules-unsupported/lnx_auditd_debugfs_usage.yml b/rules-unsupported/linux/lnx_auditd_debugfs_usage.yml
similarity index 100%
rename from rules-unsupported/lnx_auditd_debugfs_usage.yml
rename to rules-unsupported/linux/lnx_auditd_debugfs_usage.yml
diff --git a/rules-unsupported/lnx_auditd_omigod_scx_runasprovider_executescript.yml b/rules-unsupported/linux/lnx_auditd_omigod_scx_runasprovider_executescript.yml
similarity index 100%
rename from rules-unsupported/lnx_auditd_omigod_scx_runasprovider_executescript.yml
rename to rules-unsupported/linux/lnx_auditd_omigod_scx_runasprovider_executescript.yml
diff --git a/rules-unsupported/lnx_auth_susp_failed_logons_single_source.yml b/rules-unsupported/linux/lnx_auth_susp_failed_logons_single_source.yml
similarity index 100%
rename from rules-unsupported/lnx_auth_susp_failed_logons_single_source.yml
rename to rules-unsupported/linux/lnx_auth_susp_failed_logons_single_source.yml
diff --git a/rules-unsupported/lnx_shell_priv_esc_prep.yml b/rules-unsupported/linux/lnx_shell_priv_esc_prep.yml
similarity index 100%
rename from rules-unsupported/lnx_shell_priv_esc_prep.yml
rename to rules-unsupported/linux/lnx_shell_priv_esc_prep.yml
diff --git a/rules-unsupported/net_dns_c2_detection.yml b/rules-unsupported/network/net_dns_c2_detection.yml
similarity index 100%
rename from rules-unsupported/net_dns_c2_detection.yml
rename to rules-unsupported/network/net_dns_c2_detection.yml
diff --git a/rules-unsupported/net_dns_high_bytes_out.yml b/rules-unsupported/network/net_dns_high_bytes_out.yml
similarity index 100%
rename from rules-unsupported/net_dns_high_bytes_out.yml
rename to rules-unsupported/network/net_dns_high_bytes_out.yml
diff --git a/rules-unsupported/net_dns_high_null_records_requests_rate.yml b/rules-unsupported/network/net_dns_high_null_records_requests_rate.yml
similarity index 100%
rename from rules-unsupported/net_dns_high_null_records_requests_rate.yml
rename to rules-unsupported/network/net_dns_high_null_records_requests_rate.yml
diff --git a/rules-unsupported/net_dns_high_requests_rate.yml b/rules-unsupported/network/net_dns_high_requests_rate.yml
similarity index 100%
rename from rules-unsupported/net_dns_high_requests_rate.yml
rename to rules-unsupported/network/net_dns_high_requests_rate.yml
diff --git a/rules-unsupported/net_dns_high_subdomain_rate.yml b/rules-unsupported/network/net_dns_high_subdomain_rate.yml
similarity index 100%
rename from rules-unsupported/net_dns_high_subdomain_rate.yml
rename to rules-unsupported/network/net_dns_high_subdomain_rate.yml
diff --git a/rules-unsupported/net_dns_high_txt_records_requests_rate.yml b/rules-unsupported/network/net_dns_high_txt_records_requests_rate.yml
similarity index 100%
rename from rules-unsupported/net_dns_high_txt_records_requests_rate.yml
rename to rules-unsupported/network/net_dns_high_txt_records_requests_rate.yml
diff --git a/rules-unsupported/net_dns_large_domain_name.yml b/rules-unsupported/network/net_dns_large_domain_name.yml
similarity index 100%
rename from rules-unsupported/net_dns_large_domain_name.yml
rename to rules-unsupported/network/net_dns_large_domain_name.yml
diff --git a/rules-unsupported/net_firewall_high_dns_bytes_out.yml b/rules-unsupported/network/net_firewall_high_dns_bytes_out.yml
similarity index 100%
rename from rules-unsupported/net_firewall_high_dns_bytes_out.yml
rename to rules-unsupported/network/net_firewall_high_dns_bytes_out.yml
diff --git a/rules-unsupported/net_firewall_high_dns_requests_rate.yml b/rules-unsupported/network/net_firewall_high_dns_requests_rate.yml
similarity index 100%
rename from rules-unsupported/net_firewall_high_dns_requests_rate.yml
rename to rules-unsupported/network/net_firewall_high_dns_requests_rate.yml
diff --git a/rules-unsupported/net_firewall_susp_network_scan_by_ip.yml b/rules-unsupported/network/net_firewall_susp_network_scan_by_ip.yml
similarity index 100%
rename from rules-unsupported/net_firewall_susp_network_scan_by_ip.yml
rename to rules-unsupported/network/net_firewall_susp_network_scan_by_ip.yml
diff --git a/rules-unsupported/net_firewall_susp_network_scan_by_port.yml b/rules-unsupported/network/net_firewall_susp_network_scan_by_port.yml
similarity index 100%
rename from rules-unsupported/net_firewall_susp_network_scan_by_port.yml
rename to rules-unsupported/network/net_firewall_susp_network_scan_by_port.yml
diff --git a/rules-unsupported/net_possible_dns_rebinding.yml b/rules-unsupported/network/net_possible_dns_rebinding.yml
similarity index 100%
rename from rules-unsupported/net_possible_dns_rebinding.yml
rename to rules-unsupported/network/net_possible_dns_rebinding.yml
diff --git a/rules-unsupported/modsec_mulitple_blocks.yml b/rules-unsupported/other/modsec_mulitple_blocks.yml
similarity index 100%
rename from rules-unsupported/modsec_mulitple_blocks.yml
rename to rules-unsupported/other/modsec_mulitple_blocks.yml
diff --git a/rules-unsupported/web_multiple_susp_resp_codes_single_source.yml b/rules-unsupported/web/web_multiple_susp_resp_codes_single_source.yml
similarity index 100%
rename from rules-unsupported/web_multiple_susp_resp_codes_single_source.yml
rename to rules-unsupported/web/web_multiple_susp_resp_codes_single_source.yml
diff --git a/rules-unsupported/dns_query_win_possible_dns_rebinding.yml b/rules-unsupported/windows/dns_query_win_possible_dns_rebinding.yml
similarity index 100%
rename from rules-unsupported/dns_query_win_possible_dns_rebinding.yml
rename to rules-unsupported/windows/dns_query_win_possible_dns_rebinding.yml
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_clip+_services.yml b/rules-unsupported/windows/driver_load_invoke_obfuscation_clip+_services.yml
similarity index 100%
rename from rules-unsupported/driver_load_invoke_obfuscation_clip+_services.yml
rename to rules-unsupported/windows/driver_load_invoke_obfuscation_clip+_services.yml
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_obfuscated_iex_services.yml b/rules-unsupported/windows/driver_load_invoke_obfuscation_obfuscated_iex_services.yml
similarity index 100%
rename from rules-unsupported/driver_load_invoke_obfuscation_obfuscated_iex_services.yml
rename to rules-unsupported/windows/driver_load_invoke_obfuscation_obfuscated_iex_services.yml
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_stdin+_services.yml b/rules-unsupported/windows/driver_load_invoke_obfuscation_stdin+_services.yml
similarity index 100%
rename from rules-unsupported/driver_load_invoke_obfuscation_stdin+_services.yml
rename to rules-unsupported/windows/driver_load_invoke_obfuscation_stdin+_services.yml
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_var+_services.yml b/rules-unsupported/windows/driver_load_invoke_obfuscation_var+_services.yml
similarity index 100%
rename from rules-unsupported/driver_load_invoke_obfuscation_var+_services.yml
rename to rules-unsupported/windows/driver_load_invoke_obfuscation_var+_services.yml
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml b/rules-unsupported/windows/driver_load_invoke_obfuscation_via_compress_services.yml
similarity index 100%
rename from rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml
rename to rules-unsupported/windows/driver_load_invoke_obfuscation_via_compress_services.yml
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml b/rules-unsupported/windows/driver_load_invoke_obfuscation_via_rundll_services.yml
similarity index 100%
rename from rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml
rename to rules-unsupported/windows/driver_load_invoke_obfuscation_via_rundll_services.yml
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_stdin_services.yml b/rules-unsupported/windows/driver_load_invoke_obfuscation_via_stdin_services.yml
similarity index 100%
rename from rules-unsupported/driver_load_invoke_obfuscation_via_stdin_services.yml
rename to rules-unsupported/windows/driver_load_invoke_obfuscation_via_stdin_services.yml
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_use_clip_services.yml b/rules-unsupported/windows/driver_load_invoke_obfuscation_via_use_clip_services.yml
similarity index 100%
rename from rules-unsupported/driver_load_invoke_obfuscation_via_use_clip_services.yml
rename to rules-unsupported/windows/driver_load_invoke_obfuscation_via_use_clip_services.yml
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_use_mshta_services.yml b/rules-unsupported/windows/driver_load_invoke_obfuscation_via_use_mshta_services.yml
similarity index 100%
rename from rules-unsupported/driver_load_invoke_obfuscation_via_use_mshta_services.yml
rename to rules-unsupported/windows/driver_load_invoke_obfuscation_via_use_mshta_services.yml
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_use_rundll32_services.yml b/rules-unsupported/windows/driver_load_invoke_obfuscation_via_use_rundll32_services.yml
similarity index 100%
rename from rules-unsupported/driver_load_invoke_obfuscation_via_use_rundll32_services.yml
rename to rules-unsupported/windows/driver_load_invoke_obfuscation_via_use_rundll32_services.yml
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_var++_services.yml b/rules-unsupported/windows/driver_load_invoke_obfuscation_via_var++_services.yml
similarity index 100%
rename from rules-unsupported/driver_load_invoke_obfuscation_via_var++_services.yml
rename to rules-unsupported/windows/driver_load_invoke_obfuscation_via_var++_services.yml
diff --git a/rules-unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules-unsupported/windows/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
similarity index 100%
rename from rules-unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
rename to rules-unsupported/windows/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
diff --git a/rules-unsupported/driver_load_tap_driver_installation.yml b/rules-unsupported/windows/driver_load_tap_driver_installation.yml
similarity index 100%
rename from rules-unsupported/driver_load_tap_driver_installation.yml
rename to rules-unsupported/windows/driver_load_tap_driver_installation.yml
diff --git a/rules-unsupported/file_event_executable_and_script_creation_by_office_using_file_ext.yml b/rules-unsupported/windows/file_event_executable_and_script_creation_by_office_using_file_ext.yml
similarity index 100%
rename from rules-unsupported/file_event_executable_and_script_creation_by_office_using_file_ext.yml
rename to rules-unsupported/windows/file_event_executable_and_script_creation_by_office_using_file_ext.yml
diff --git a/rules-unsupported/image_load_mimikatz_inmemory_detection.yml b/rules-unsupported/windows/image_load_mimikatz_inmemory_detection.yml
similarity index 100%
rename from rules-unsupported/image_load_mimikatz_inmemory_detection.yml
rename to rules-unsupported/windows/image_load_mimikatz_inmemory_detection.yml
diff --git a/rules-unsupported/posh_ps_cl_invocation_lolscript_count.yml b/rules-unsupported/windows/posh_ps_cl_invocation_lolscript_count.yml
similarity index 100%
rename from rules-unsupported/posh_ps_cl_invocation_lolscript_count.yml
rename to rules-unsupported/windows/posh_ps_cl_invocation_lolscript_count.yml
diff --git a/rules-unsupported/posh_ps_cl_mutexverifiers_lolscript_count.yml b/rules-unsupported/windows/posh_ps_cl_mutexverifiers_lolscript_count.yml
similarity index 100%
rename from rules-unsupported/posh_ps_cl_mutexverifiers_lolscript_count.yml
rename to rules-unsupported/windows/posh_ps_cl_mutexverifiers_lolscript_count.yml
diff --git a/rules-unsupported/proc_creation_win_correlation_apt_silence_downloader_v3.yml b/rules-unsupported/windows/proc_creation_win_correlation_apt_silence_downloader_v3.yml
similarity index 100%
rename from rules-unsupported/proc_creation_win_correlation_apt_silence_downloader_v3.yml
rename to rules-unsupported/windows/proc_creation_win_correlation_apt_silence_downloader_v3.yml
diff --git a/rules-unsupported/proc_creation_win_correlation_apt_turla_commands_medium.yml b/rules-unsupported/windows/proc_creation_win_correlation_apt_turla_commands_medium.yml
similarity index 100%
rename from rules-unsupported/proc_creation_win_correlation_apt_turla_commands_medium.yml
rename to rules-unsupported/windows/proc_creation_win_correlation_apt_turla_commands_medium.yml
diff --git a/rules-unsupported/proc_creation_win_correlation_dnscat2_powershell_implementation.yml b/rules-unsupported/windows/proc_creation_win_correlation_dnscat2_powershell_implementation.yml
similarity index 100%
rename from rules-unsupported/proc_creation_win_correlation_dnscat2_powershell_implementation.yml
rename to rules-unsupported/windows/proc_creation_win_correlation_dnscat2_powershell_implementation.yml
diff --git a/rules-unsupported/proc_creation_win_correlation_multiple_susp_cli.yml b/rules-unsupported/windows/proc_creation_win_correlation_multiple_susp_cli.yml
similarity index 100%
rename from rules-unsupported/proc_creation_win_correlation_multiple_susp_cli.yml
rename to rules-unsupported/windows/proc_creation_win_correlation_multiple_susp_cli.yml
diff --git a/rules-unsupported/proc_creation_win_correlation_susp_builtin_commands_recon.yml b/rules-unsupported/windows/proc_creation_win_correlation_susp_builtin_commands_recon.yml
similarity index 100%
rename from rules-unsupported/proc_creation_win_correlation_susp_builtin_commands_recon.yml
rename to rules-unsupported/windows/proc_creation_win_correlation_susp_builtin_commands_recon.yml
diff --git a/rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml b/rules-unsupported/windows/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
similarity index 100%
rename from rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
rename to rules-unsupported/windows/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
diff --git a/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml b/rules-unsupported/windows/sysmon_always_install_elevated_parent_child_correlated.yml
similarity index 100%
rename from rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml
rename to rules-unsupported/windows/sysmon_always_install_elevated_parent_child_correlated.yml
diff --git a/rules-unsupported/sysmon_non_priv_program_files_move.yml b/rules-unsupported/windows/sysmon_non_priv_program_files_move.yml
similarity index 100%
rename from rules-unsupported/sysmon_non_priv_program_files_move.yml
rename to rules-unsupported/windows/sysmon_non_priv_program_files_move.yml
diff --git a/rules-unsupported/sysmon_process_reimaging.yml b/rules-unsupported/windows/sysmon_process_reimaging.yml
similarity index 100%
rename from rules-unsupported/sysmon_process_reimaging.yml
rename to rules-unsupported/windows/sysmon_process_reimaging.yml
diff --git a/rules-unsupported/win_access_fake_files_with_stored_credentials.yml b/rules-unsupported/windows/win_access_fake_files_with_stored_credentials.yml
similarity index 100%
rename from rules-unsupported/win_access_fake_files_with_stored_credentials.yml
rename to rules-unsupported/windows/win_access_fake_files_with_stored_credentials.yml
diff --git a/rules-unsupported/win_apt_apt29_tor.yml b/rules-unsupported/windows/win_apt_apt29_tor.yml
similarity index 100%
rename from rules-unsupported/win_apt_apt29_tor.yml
rename to rules-unsupported/windows/win_apt_apt29_tor.yml
diff --git a/rules-unsupported/win_dumping_ntdsdit_via_dcsync.yml b/rules-unsupported/windows/win_dumping_ntdsdit_via_dcsync.yml
similarity index 100%
rename from rules-unsupported/win_dumping_ntdsdit_via_dcsync.yml
rename to rules-unsupported/windows/win_dumping_ntdsdit_via_dcsync.yml
diff --git a/rules-unsupported/win_dumping_ntdsdit_via_netsync.yml b/rules-unsupported/windows/win_dumping_ntdsdit_via_netsync.yml
similarity index 100%
rename from rules-unsupported/win_dumping_ntdsdit_via_netsync.yml
rename to rules-unsupported/windows/win_dumping_ntdsdit_via_netsync.yml
diff --git a/rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml b/rules-unsupported/windows/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
similarity index 100%
rename from rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
rename to rules-unsupported/windows/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
diff --git a/rules-unsupported/win_mal_service_installs.yml b/rules-unsupported/windows/win_mal_service_installs.yml
similarity index 100%
rename from rules-unsupported/win_mal_service_installs.yml
rename to rules-unsupported/windows/win_mal_service_installs.yml
diff --git a/rules-unsupported/win_metasploit_or_impacket_smb_psexec_service_install.yml b/rules-unsupported/windows/win_metasploit_or_impacket_smb_psexec_service_install.yml
similarity index 100%
rename from rules-unsupported/win_metasploit_or_impacket_smb_psexec_service_install.yml
rename to rules-unsupported/windows/win_metasploit_or_impacket_smb_psexec_service_install.yml
diff --git a/rules-unsupported/win_possible_privilege_escalation_using_rotten_potato.yml b/rules-unsupported/windows/win_possible_privilege_escalation_using_rotten_potato.yml
similarity index 100%
rename from rules-unsupported/win_possible_privilege_escalation_using_rotten_potato.yml
rename to rules-unsupported/windows/win_possible_privilege_escalation_using_rotten_potato.yml
diff --git a/rules-unsupported/win_remote_schtask.yml b/rules-unsupported/windows/win_remote_schtask.yml
similarity index 100%
rename from rules-unsupported/win_remote_schtask.yml
rename to rules-unsupported/windows/win_remote_schtask.yml
diff --git a/rules-unsupported/win_remote_service.yml b/rules-unsupported/windows/win_remote_service.yml
similarity index 100%
rename from rules-unsupported/win_remote_service.yml
rename to rules-unsupported/windows/win_remote_service.yml
diff --git a/rules-unsupported/win_security_global_catalog_enumeration.yml b/rules-unsupported/windows/win_security_global_catalog_enumeration.yml
similarity index 100%
rename from rules-unsupported/win_security_global_catalog_enumeration.yml
rename to rules-unsupported/windows/win_security_global_catalog_enumeration.yml
diff --git a/rules-unsupported/win_security_rare_schtasks_creations.yml b/rules-unsupported/windows/win_security_rare_schtasks_creations.yml
similarity index 100%
rename from rules-unsupported/win_security_rare_schtasks_creations.yml
rename to rules-unsupported/windows/win_security_rare_schtasks_creations.yml
diff --git a/rules-unsupported/win_security_susp_failed_logons_explicit_credentials.yml b/rules-unsupported/windows/win_security_susp_failed_logons_explicit_credentials.yml
similarity index 100%
rename from rules-unsupported/win_security_susp_failed_logons_explicit_credentials.yml
rename to rules-unsupported/windows/win_security_susp_failed_logons_explicit_credentials.yml
diff --git a/rules-unsupported/win_security_susp_failed_logons_single_process.yml b/rules-unsupported/windows/win_security_susp_failed_logons_single_process.yml
similarity index 100%
rename from rules-unsupported/win_security_susp_failed_logons_single_process.yml
rename to rules-unsupported/windows/win_security_susp_failed_logons_single_process.yml
diff --git a/rules-unsupported/win_security_susp_failed_logons_single_source.yml b/rules-unsupported/windows/win_security_susp_failed_logons_single_source.yml
similarity index 100%
rename from rules-unsupported/win_security_susp_failed_logons_single_source.yml
rename to rules-unsupported/windows/win_security_susp_failed_logons_single_source.yml
diff --git a/rules-unsupported/win_security_susp_failed_logons_single_source2.yml b/rules-unsupported/windows/win_security_susp_failed_logons_single_source2.yml
similarity index 100%
rename from rules-unsupported/win_security_susp_failed_logons_single_source2.yml
rename to rules-unsupported/windows/win_security_susp_failed_logons_single_source2.yml
diff --git a/rules-unsupported/win_security_susp_failed_logons_single_source_kerberos.yml b/rules-unsupported/windows/win_security_susp_failed_logons_single_source_kerberos.yml
similarity index 100%
rename from rules-unsupported/win_security_susp_failed_logons_single_source_kerberos.yml
rename to rules-unsupported/windows/win_security_susp_failed_logons_single_source_kerberos.yml
diff --git a/rules-unsupported/win_security_susp_failed_logons_single_source_kerberos2.yml b/rules-unsupported/windows/win_security_susp_failed_logons_single_source_kerberos2.yml
similarity index 100%
rename from rules-unsupported/win_security_susp_failed_logons_single_source_kerberos2.yml
rename to rules-unsupported/windows/win_security_susp_failed_logons_single_source_kerberos2.yml
diff --git a/rules-unsupported/win_security_susp_failed_logons_single_source_kerberos3.yml b/rules-unsupported/windows/win_security_susp_failed_logons_single_source_kerberos3.yml
similarity index 100%
rename from rules-unsupported/win_security_susp_failed_logons_single_source_kerberos3.yml
rename to rules-unsupported/windows/win_security_susp_failed_logons_single_source_kerberos3.yml
diff --git a/rules-unsupported/win_security_susp_failed_logons_single_source_ntlm.yml b/rules-unsupported/windows/win_security_susp_failed_logons_single_source_ntlm.yml
similarity index 100%
rename from rules-unsupported/win_security_susp_failed_logons_single_source_ntlm.yml
rename to rules-unsupported/windows/win_security_susp_failed_logons_single_source_ntlm.yml
diff --git a/rules-unsupported/win_security_susp_failed_logons_single_source_ntlm2.yml b/rules-unsupported/windows/win_security_susp_failed_logons_single_source_ntlm2.yml
similarity index 100%
rename from rules-unsupported/win_security_susp_failed_logons_single_source_ntlm2.yml
rename to rules-unsupported/windows/win_security_susp_failed_logons_single_source_ntlm2.yml
diff --git a/rules-unsupported/win_security_susp_failed_remote_logons_single_source.yml b/rules-unsupported/windows/win_security_susp_failed_remote_logons_single_source.yml
similarity index 100%
rename from rules-unsupported/win_security_susp_failed_remote_logons_single_source.yml
rename to rules-unsupported/windows/win_security_susp_failed_remote_logons_single_source.yml
diff --git a/rules-unsupported/win_security_susp_multiple_files_renamed_or_deleted.yml b/rules-unsupported/windows/win_security_susp_multiple_files_renamed_or_deleted.yml
similarity index 100%
rename from rules-unsupported/win_security_susp_multiple_files_renamed_or_deleted.yml
rename to rules-unsupported/windows/win_security_susp_multiple_files_renamed_or_deleted.yml
diff --git a/rules-unsupported/win_security_susp_samr_pwset.yml b/rules-unsupported/windows/win_security_susp_samr_pwset.yml
similarity index 100%
rename from rules-unsupported/win_security_susp_samr_pwset.yml
rename to rules-unsupported/windows/win_security_susp_samr_pwset.yml
diff --git a/rules-unsupported/win_susp_failed_hidden_share_mount.yml b/rules-unsupported/windows/win_susp_failed_hidden_share_mount.yml
similarity index 100%
rename from rules-unsupported/win_susp_failed_hidden_share_mount.yml
rename to rules-unsupported/windows/win_susp_failed_hidden_share_mount.yml
diff --git a/rules-unsupported/win_suspicious_werfault_connection_outbound.yml b/rules-unsupported/windows/win_suspicious_werfault_connection_outbound.yml
similarity index 100%
rename from rules-unsupported/win_suspicious_werfault_connection_outbound.yml
rename to rules-unsupported/windows/win_suspicious_werfault_connection_outbound.yml
diff --git a/rules-unsupported/win_system_rare_service_installs.yml b/rules-unsupported/windows/win_system_rare_service_installs.yml
similarity index 100%
rename from rules-unsupported/win_system_rare_service_installs.yml
rename to rules-unsupported/windows/win_system_rare_service_installs.yml
diff --git a/rules-unsupported/win_taskscheduler_rare_schtask_creation.yml b/rules-unsupported/windows/win_taskscheduler_rare_schtask_creation.yml
similarity index 100%
rename from rules-unsupported/win_taskscheduler_rare_schtask_creation.yml
rename to rules-unsupported/windows/win_taskscheduler_rare_schtask_creation.yml
diff --git a/rules-unsupported/zeek_dce_rpc_domain_user_enumeration.yml b/rules-unsupported/zeek/zeek_dce_rpc_domain_user_enumeration.yml
similarity index 100%
rename from rules-unsupported/zeek_dce_rpc_domain_user_enumeration.yml
rename to rules-unsupported/zeek/zeek_dce_rpc_domain_user_enumeration.yml
diff --git a/rules-unsupported/zeek_http_exfiltration_compressed_files.yml b/rules-unsupported/zeek/zeek_http_exfiltration_compressed_files.yml
similarity index 100%
rename from rules-unsupported/zeek_http_exfiltration_compressed_files.yml
rename to rules-unsupported/zeek/zeek_http_exfiltration_compressed_files.yml