Merge branch 'SigmaHQ:master' into nasbench-rule-devel

2022-12-30 11:49:08 +01:00
parent d4b9df608b aee5ca7afc
commit 261bb8758a
35 changed files with 267 additions and 75 deletions
@@ -46,3 +46,6 @@ fdbf0b9d-0182-4c43-893b-a1eaab92d085;Newly Registered Protocol Handler;.*
 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8;Image Load of VSS Dll by Uncommon Executable;SetupFrontEnd\.exe
 1a31b18a-f00c-4061-9900-f735b96c99fc;Remote Access Tool Services Have Been Installed - System;ServiceName: TeamViewer
 c8b00925-926c-47e3-beea-298fd563728e;Remote Access Tool Services Have Been Installed - Security;ServiceName: TeamViewer
+b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;msedge\.exe 
+b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;firefox\.exe 
+b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;7z\.exe
@@ -6,7 +6,7 @@ references:
    - https://twitter.com/0xrawsec/status/1002478725605273600?s=21
 author: Florian Roth, @0xrawsec
 date: 2018/06/03
-modified: 2022/08/24
+modified: 2022/12/30
 tags:
    - attack.defense_evasion
    - attack.s0139
@@ -17,9 +17,9 @@ logsource:
    definition: 'Requirements: Sysmon config with Imphash logging activated'
 detection:
    selection:
-        Hashes|contains: 'IMPHASH='
+        Hash|contains: 'IMPHASH='
    filter:
-        Hashes|contains: 'IMPHASH=00000000000000000000000000000000'
+        Hash|contains: 'IMPHASH=00000000000000000000000000000000'
    condition: selection and not filter
 fields:
    - TargetFilename
@@ -6,7 +6,7 @@ references:
    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
 author: Florian Roth
 date: 2022/08/24
-modified: 2022/11/12
+modified: 2022/12/30
 tags:
    - attack.defense_evasion
    - attack.s0139
@@ -108,7 +108,7 @@ detection:
            - 885c99ccfbe77d1cbfcb9c4e7c1a3313 # Forkatz
            - 22a22bc9e4e0d2f189f1ea01748816ac # PPLKiller
            - 7fa30e6bb7e8e8a69155636e50bf1b28 # PPLKiller
-        - Hashes|contains: # Sysmon field hashes contains all types
+        - Hash|contains: # Sysmon field hashes contains all types
            - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
            - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
            - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
@@ -6,6 +6,7 @@ references:
    - https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware
 author: Nasreddine Bencherchali
 date: 2022/12/16
+modified: 2022/12/30
 tags:
    - attack.privilege_escalation
    - attack.t1543
@@ -42,21 +43,21 @@ detection:
            - 'MD5=ee6b1a79cb6641aa44c762ee90786fe0'
            - 'MD5=909f3fc221acbe999483c87d9ead024a'
    selection_hash:
-        - SHA256:
+        - sha256:
            - '0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc'
            - '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c'
            - '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104'
            - 'd7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c'
            - '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4'
            - 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497'
-        - SHA1:
+        - sha1:
            - '31cc8718894d6e6ce8c132f68b8caaba39b5ba7a'
            - 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d'
            - '6debce728bcff73d9d1d334df0c6b1c3735e295c'
            - 'cc65bf60600b64feece5575f21ab89e03a728332'
            - '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e'
            - 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98'
-        - MD5:
+        - md5:
            - '10f3679384a03cb487bda9621ceb5f90'
            - '04a88f5974caa621cee18f34300fc08a'
            - '6fcf56f6ca3210ec397e55f727353c4a'
@@ -8,6 +8,7 @@ references:
    - https://github.com/winsiderss/systeminformer
 author: Florian Roth
 date: 2022/11/16
+modified: 2022/12/30
 tags:
    - attack.privilege_escalation
    - cve.2021.21551
@@ -48,7 +49,7 @@ detection:
            - 'SHA256=E2606F272F7BA054DF16BE464FDA57211EF0D14A0D959F9C8DCB0575DF1186E4'
            - 'SHA256=3A9E1D17BEEB514F1B9B3BACAEE7420285DE5CBDCE89C5319A992C6CBD1DE138'
    selection_systeminformer_hashes:
-        SHA256:
+        sha256:
            - '8b9ad98944ac9886ea4cb07700e71b78be4a2740934bb7e46ca3b56a7c59ad24'
            - 'a41348bec147ca4d9ea2869817527eb5cea2e20202af599d2b30625433bcf454'
            - '38ee0a88af8535a11efe8d8da9c6812aa07067b75a64d99705a742589bdd846d'
@@ -6,7 +6,7 @@ references:
    - https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
 author: Nasreddine Bencherchali
 date: 2022/07/28
-modified: 2022/08/24
+modified: 2022/12/30
 tags:
    - attack.privilege_escalation
    - attack.t1543.003
@@ -20,9 +20,9 @@ detection:
            - 'SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4'
            - 'SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1'
    selection_other:
-        - MD5: 'a179c4093d05a3e1ee73f6ff07f994aa'
-        - SHA1: '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4'
-        - SHA256: '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1'
+        - md5: 'a179c4093d05a3e1ee73f6ff07f994aa'
+        - sha1: '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4'
+        - sha256: '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1'
    driver_img:
        ImageLoaded|endswith: '\aswArPot.sys'
    driver_status:
@@ -6,7 +6,7 @@ references:
    - https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
 author: Florian Roth
 date: 2021/05/05
-modified: 2022/11/10
+modified: 2022/12/30
 tags:
    - attack.privilege_escalation
    - cve.2021.21551
@@ -27,13 +27,13 @@ detection:
            - 'MD5=C996D7971C49252C582171D9380360F2'
            - 'MD5=D2FD132AB7BBC6BBB87A84F026FA0244'
    selection_hash:
-        - SHA256:
+        - sha256:
            - '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5'
            - 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1'
-        - SHA1:
+        - sha1:
            - 'c948ae14761095e4d76b55d9de86412258be7afd'
            - '10b30bdee43b3a2ec4aa63375577ade650269d25'
-        - MD5:
+        - md5:
            - 'c996d7971c49252c582171d9380360f2'
            - 'd2fd132ab7bbc6bbb87a84f026fa0244'
    condition: 1 of selection*
@@ -21,7 +21,7 @@ references:
    - https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part
 author: Nasreddine Bencherchali
 date: 2022/08/18
-modified: 2022/11/29
+modified: 2022/12/30
 tags:
    - attack.privilege_escalation
    - attack.t1543.003
@@ -556,7 +556,7 @@ detection:
            - 'SHA256=09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184'
            - 'SHA256=2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d'
    selection_other:
-        - SHA1:
+        - sha1:
            # The list below is from https://github.com/namazso/physmem_drivers and the SHA1 are from VT
            - '2261198385d62d2117f50f631652eded0ecc71db'
            - '8db869c0674221a2d3280143cbb0807fac08e0cc'
@@ -820,7 +820,7 @@ detection:
            - '3ccf1f3ac636a5e21b39ede48ff49fa23e05413f'
            - '755349d56cdd668ca22eebc4fc89f0cccef47327'
            - '56af49e030eb85528e82849d7d1b6147f3c4973e'
-        - SHA256:
+        - sha256:
            # The list below is from https://github.com/namazso/physmem_drivers
            - '04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162'
            - '05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748'
@@ -10,7 +10,7 @@ references:
    - https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details
 author: Florian Roth
 date: 2022/07/25
-modified: 2022/07/26
+modified: 2022/12/30
 tags:
    - attack.privilege_escalation
    - attack.t1543.003
@@ -27,13 +27,13 @@ detection:
            - 'SHA256=31F4CFB4C71DA44120752721103A16512444C13C2AC2D857A7E6F13CB679B427'
            - 'SHA256=CFC5C585DD4E592DD1A08887DED28B92D9A5820587B6F4F8FA4F56D60289259B'
    selection_other:
-        - MD5:
+        - md5:
            - '9ab9f3b75a2eb87fafb1b7361be9dfb3'
            - 'c832a4313ff082258240b61b88efa025'
-        - SHA1:
+        - sha1:
            - 'fe10018af723986db50701c8532df5ed98b17c39'
            - '1f1ce28c10453acbc9d3844b4604c59c0ab0ad46'
-        - SHA256:
+        - sha256:
            - '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427'
            - 'cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b'
    condition: 1 of selection*
@@ -7,6 +7,7 @@ references:
    - https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5/details
 author: Florian Roth
 date: 2022/07/26
+modified: 2022/12/30
 tags:
    - attack.privilege_escalation
    - attack.t1543.003
@@ -28,15 +29,15 @@ detection:
            - 'MD5=376B1E8957227A3639EC1482900D9B97'
            - 'MD5=45C2D133D41D2732F3653ED615A745C8'
    selection_other:
-        - SHA256:
+        - sha256:
            - '4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8'
            - '55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa'
            - '6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5'
-        - SHA1:
+        - sha1:
            - '74e4e3006b644392f5fcea4a9bae1d9d84714b57'
            - '18f34a0005e82a9a1556ba40b997b0eae554d5fd'
            - '4e56e0b1d12664c05615c69697a2f5c5d893058a'
-        - MD5:
+        - md5:
            - '3247014ba35d406475311a2eab0c4657'
            - '376b1e8957227a3639ec1482900d9b97'
            - '45c2d133d41d2732f3653ed615a745c8'
@@ -7,6 +7,7 @@ references:
    - https://github.com/alfarom256/CVE-2022-3699/
 author: Florian Roth
 date: 2022/11/10
+modified: 2022/12/30
 tags:
    - attack.privilege_escalation
    - cve.2021.21551
@@ -21,9 +22,9 @@ detection:
            - 'SHA1=B89A8EEF5AEAE806AF5BA212A8068845CAFDAB6F'
            - 'MD5=B941C8364308990EE4CC6EADF7214E0F'
    selection_hash:
-        - SHA256: 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe'
-        - SHA1: 'b89a8eef5aeae806af5ba212a8068845cafdab6f'
-        - MD5: 'b941c8364308990ee4cc6eadf7214e0f'
+        - sha256: 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe'
+        - sha1: 'b89a8eef5aeae806af5ba212a8068845cafdab6f'
+        - md5: 'b941c8364308990ee4cc6eadf7214e0f'
    condition: 1 of selection*
 falsepositives:
    - Legitimate driver loads (old driver that didn't receive an update)
@@ -6,6 +6,7 @@ references:
    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
 author: Nasreddine Bencherchali
 date: 2022/10/26
+modified: 2022/12/30
 tags:
    - attack.defense_evasion
    - attack.t1070
@@ -14,8 +15,8 @@ logsource:
    product: windows
 detection:
    selection:
-        FileName|startswith: '\Logging\CmdletInfra\LocalPowerShell\Cmdlet\'
-        FileName|contains: '_Cmdlet_'
+        TargetFilename|startswith: '\Logging\CmdletInfra\LocalPowerShell\Cmdlet\'
+        TargetFilename|contains: '_Cmdlet_'
    condition: selection
 falsepositives:
    - Possible FP during log rotation
@@ -6,6 +6,7 @@ references:
    - https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html
 author: Tim Rauch
 date: 2022/09/16
+modified: 2022/12/30
 tags:
    - attack.defense_evasion
    - attack.t1070
@@ -14,8 +15,8 @@ logsource:
    product: windows
 detection:
    selection:
-        FileName|startswith: 'C:\inetpub\logs\LogFiles\'
-        FileName|endswith: '.log'
+        TargetFilename|startswith: 'C:\inetpub\logs\LogFiles\'
+        TargetFilename|endswith: '.log'
    condition: selection
 falsepositives:
    - During uninstallation of the IIS service
@@ -6,7 +6,7 @@ references:
    - https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
 author: Florian Roth
 date: 2017/11/04
-modified: 2022/10/04
+modified: 2022/12/30
 tags:
    - attack.defense_evasion
    - attack.t1218.011
@@ -46,7 +46,7 @@ detection:
        - CommandLine|contains: 'PcaSvc.dll,PcaPatchSdbTask'
    filter_update_processes:
        ParentImage: 'C:\Windows\System32\svchost.exe'
-        RemoteAddress|endswith: ':443'
+        DestinationPort: 443
    condition: selection and not 1 of filter*
 falsepositives:
    - Communication to other corporate systems that use IP addresses from public address spaces
@@ -8,7 +8,7 @@ references:
    - https://adsecurity.org/?p=2604
 author: frack113
 date: 2021/10/20
-modified: 2022/12/02
+modified: 2022/12/30
 tags:
    - attack.execution
    - attack.t1059.001
@@ -25,8 +25,8 @@ detection:
            - 'bypass'
            - 'RemoteSigned'
    filter:
-        - ParentImage: 'C:\ProgramData\chocolatey\choco.exe'
-        - ScriptBlockText|contains:
+        # - ParentImage: 'C:\ProgramData\chocolatey\choco.exe' Powershell event id 4104 do not have ParentImage
+        ScriptBlockText|contains:
            - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')"
            - "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')"
            - '\AppData\Roaming\Code\'
@@ -13,7 +13,7 @@ references:
    - https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html
 author: Austin Songer @austinsonger
 date: 2021/10/12
-modified: 2022/10/11
+modified: 2022/12/30
 tags:
    - attack.defense_evasion
    - attack.t1562.004
@@ -23,12 +23,12 @@ logsource:
    definition: Script block logging must be enabled
 detection:
    selection_args:
-        CommandLine|contains|all:
+        ScriptBlockText|contains|all:
            - 'Set-NetFirewallProfile '
            - ' -Enabled '
            - ' False'
    selection_opt:
-        CommandLine|contains:
+        ScriptBlockText|contains:
            - ' -All '
            - 'Public'
            - 'Domain'
@@ -9,6 +9,7 @@ references:
    - https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html
 author: Tim Rauch
 date: 2022/09/14
+modified: 2022/12/30
 tags:
    - attack.defense_evasion
    - attack.t1562
@@ -21,7 +22,7 @@ detection:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\powershell_ise.exe'
-        - OriginalFilename: 'PowerShell.EXE'
+        - OriginalFileName: 'PowerShell.EXE'
    selection_args:
        CommandLine|contains|all:
            - 'Set-NetFirewallProfile '
@@ -6,6 +6,7 @@ references:
    - http://www.gmer.net/
 author: Nasreddine Bencherchali
 date: 2022/10/05
+modified: 2022/10/30
 tags:
    - attack.defense_evasion
 logsource:
@@ -20,9 +21,9 @@ detection:
            - 'SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57'
            - 'SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173'
    selection_other:
-        - MD5: 'e9dc058440d321aa17d0600b3ca0ab04'
-        - SHA1: '539c228b6b332f5aa523e5ce358c16647d8bbe57'
-        - SHA256: 'e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173'
+        - md5: 'e9dc058440d321aa17d0600b3ca0ab04'
+        - sha1: '539c228b6b332f5aa523e5ce358c16647d8bbe57'
+        - sha256: 'e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173'
    condition: 1 of selection_*
 falsepositives:
    - Unlikely
@@ -6,6 +6,7 @@ references:
    - https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html
 author: Tim Rauch
 date: 2022/09/28
+modified: 2022/12/30
 tags:
    - attack.credential_access
    - attack.t1003
@@ -15,7 +16,7 @@ logsource:
 detection:
    selection_name:
        - Image|endswith: '\aspnet_regiis.exe'
-        - OriginalFilename: 'aspnet_regiis.exe'
+        - OriginalFileName: 'aspnet_regiis.exe'
    selection_args:
        CommandLine|contains|all:
            - 'connectionStrings'
@@ -8,7 +8,7 @@ references:
    - https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/
 author: Tim Rauch, Janantha Marasinghe
 date: 2022/11/08
-modified: 2022/12/17
+modified: 2022/12/30
 tags:
    - attack.credential_access
    - attack.t1003
@@ -18,7 +18,7 @@ logsource:
 detection:
    selection_base_name:
        - Image|endswith: '\appcmd.exe'
-        - OriginalFilename: 'appcmd.exe'
+        - OriginalFileName: 'appcmd.exe'
    selection_base_list:
        CommandLine|contains: 'list '
    selection_standalone:
@@ -7,6 +7,7 @@ references:
    - https://github.com/sensepost/impersonate
 author: Sai Prashanth Pulisetti @pulisettis
 date: 2022/12/21
+modified: 2022/12/30
 tags:
    - attack.privilege_escalation
    - attack.defense_evasion
@@ -29,9 +30,9 @@ detection:
            - 'SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A'
            - 'IMPHASH=0A358FFC1697B7A07D0E817AC740DF62'
    selection_hash_ext:
-        - MD5: '9520714AB576B0ED01D1513691377D01'
-        - SHA256: 'E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A'
-        - IMPHASH: '0A358FFC1697B7A07D0E817AC740DF62'
+        - md5: '9520714AB576B0ED01D1513691377D01'
+        - sha256: 'E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A'
+        - Imphash: '0A358FFC1697B7A07D0E817AC740DF62'
    condition: all of selection_commandline_* or 1 of selection_hash_*
 falsepositives:
    - Unknown
@@ -6,6 +6,7 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
 author: frack113
 date: 2022/08/28
+modified: 2022/12/30
 tags:
    - attack.command_and_control
    - attack.t1105
@@ -23,7 +24,7 @@ detection:
    selection_hash:
        - md5: 2DD44C3C29D667F5C0EF5F9D7C7FFB8B
        - sha256: F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559
-        - imphash: C07FDDD21D123EA9B3A08EEF44AAAC45
+        - Imphash: C07FDDD21D123EA9B3A08EEF44AAAC45
    condition: 1 of selection_*
 falsepositives:
    - Legitimate use of Nim on developer systems
@@ -9,6 +9,7 @@ references:
    - https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html
 author: Tim Rauch
 date: 2022/09/27
+modified: 2022/12/30
 tags:
    - attack.lateral_movement
    - attack.t1021
@@ -20,7 +21,7 @@ detection:
        - Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
-        - OriginalFilename:
+        - OriginalFileName:
            - 'Cmd.Exe'
            - 'PowerShell.EXE'
    selection_args:
@@ -7,6 +7,7 @@ references:
    - https://twitter.com/mrd0x/status/1511489821247684615
 author: Florian Roth
 date: 2022/04/06
+modified: 2022/12/30
 tags:
    - attack.defense_evasion
    - attack.t1036
@@ -17,7 +18,7 @@ logsource:
 detection:
    selection:
        - Image|endswith: '\DumpMinitool.exe'
-        - OriginalName: 'DumpMinitool.exe'
+        - OriginalFileName: 'DumpMinitool.exe'
    filter_folder:
        Image|contains:
            - '\Microsoft Visual Studio\'
@@ -12,6 +12,7 @@ references:
    - https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html
 author: Tim Rauch
 date: 2022/09/20
+modified: 2022/12/30
 tags:
    - attack.impact
    - attack.t1490
@@ -20,15 +21,15 @@ logsource:
    product: windows
 detection:
    selection_get:
-        ScriptBlockText|contains:
+        CommandLine|contains:
            - 'Get-WmiObject'
            - 'gwmi'
            - 'Get-CimInstance'
            - 'gcim'
    selection_shadowcopy:
-        ScriptBlockText|contains: 'Win32_Shadowcopy'
+        CommandLine|contains: 'Win32_Shadowcopy'
    selection_delete:
-        ScriptBlockText|contains:
+        CommandLine|contains:
            - '.Delete()'
            - 'Remove-WmiObject'
            - 'rwmi'
@@ -6,6 +6,7 @@ references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18
 author: Tim Rauch (rule), Elastic (idea)
 date: 2022/10/21
+modified: 2022/12/30
 tags:
    - attack.t1566
    - attack.t1566.001
@@ -17,7 +18,7 @@ detection:
    selection_parent:
        ParentImage|endswith: '\onenote.exe'
    selection_opt_name:
-        - OriginalFilename:
+        - OriginalFileName:
            - 'RUNDLL32.exe'
            - 'REGSVR32.exe'
            - 'bitsadmin.exe'
@@ -9,7 +9,7 @@ references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca
 author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community
 date: 2019/10/25
-modified: 2022/10/21
+modified: 2022/12/30
 tags:
    - attack.defense_evasion
    - attack.t1218.008
@@ -19,7 +19,7 @@ logsource:
 detection:
    selection_1_name:
        - Image|endswith: '\odbcconf.exe'
-        - OriginalFilename: 'odbcconf.exe'
+        - OriginalFileName: 'odbcconf.exe'
    selection_1_cli:
        CommandLine|contains:
            - '-a'
@@ -8,6 +8,7 @@ references:
    - https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
 author: Florian Roth, Nasreddine Bencherchali
 date: 2022/10/10
+modified: 2022/12/30
 logsource:
    category: process_creation
    product: windows
@@ -39,7 +40,7 @@ detection:
        - sha256:
            - '2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32'
            - '55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c'
-        - imphash:
+        - Imphash:
            - '444d210cea1ff8112f256a4997eed7ff'
            - '0479f44df47cfa2ef1ccc4416a538663'
    condition: 1 of selection*
@@ -8,7 +8,7 @@ references:
    - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
 author: Florian Roth
 date: 2022/10/10
-modified: 2022/11/16
+modified: 2022/12/30
 logsource:
    category: process_creation
    product: windows
@@ -47,7 +47,7 @@ detection:
        - sha256:
            - 'd4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f'
            - 'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4'
-        - imphash:
+        - Imphash:
            - '04de0ad9c37eb7bd52043d2ecac958df'
            - '3695333c60dedecdcaff1590409aa462'
    condition: 1 of selection*
@@ -7,6 +7,7 @@ references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit
 author: Janantha Marasinghe
 date: 2022/11/18
+modified: 2022/12/30
 tags:
    - attack.discovery
    - attack.persistence
@@ -42,9 +43,9 @@ detection:
        CommandLine|contains|all:
            - '/configure'
            - '/db'
-    filter:
-        SubjectUserName|endswith: '$'
-    condition: selection_img and (1 of selection_flags_*) and not filter
+    #filter:
+    #    SubjectUserName|endswith: '$'  SubjectUserName is from event ID 4719 in the Windows Security log
+    condition: selection_img and (1 of selection_flags_*)
 falsepositives:
    - Legitimate administrative use
 level: medium
@@ -6,9 +6,9 @@ references:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120
    - https://twitter.com/filip_dragovic/status/1590052248260055041
    - https://twitter.com/filip_dragovic/status/1590104354727436290
-author: Florian Roth
+author: Florian Roth, Tim Shelton (fp werfault)
 date: 2022/11/10
-modified: 2022/12/15
+modified: 2022/12/30
 tag:
    - attack.privilege_escalation
    - attack.t1068
@@ -23,10 +23,12 @@ detection:
            - '\Sysmon64.exe'
    filter:
        - Image:
+            - 'C:\Windows\Sysmon.exe'
            - 'C:\Windows\Sysmon64.exe'
            - 'C:\Windows\System32\conhost.exe'
            - 'wevtutil.exe'
            - 'C:\WINDOWS\system32\wevtutil.exe'
+            - 'C:\Windows\System32\WerFault.exe' # When Sysmon crashes
        - Image|endswith: '\AppData\Local\Temp\Sysmon.exe' # When launching Sysmon 32bit version.
    condition: selection and not filter
 falsepositives:
@@ -7,6 +7,7 @@ references:
    - https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf
 author: frack113
 date: 2022/07/17
+modified: 2022/12/30
 tags:
    - attack.defense_evasion
    - attack.t1112
@@ -17,7 +18,7 @@ detection:
    selection:
        TargetObject: HKLM\System\CurrentControlSet\Services\Fax\ObjectName
    filter:
-        details|contains: NetworkService
+        Details|contains: NetworkService
    condition: selection and not filter
 falsepositives:
    - Unknown
@@ -7,6 +7,7 @@ references:
    - https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf
 author: frack113
 date: 2022/07/17
+modified: 2022/12/30
 tags:
    - attack.defense_evasion
    - attack.t1112
@@ -19,7 +20,7 @@ detection:
            - '\Software\Microsoft\Fax\Device Providers\'
            - '\ImageName'
    filter:
-        details: '%systemroot%\system32\fxst30.dll' #Windows 10
+        Details: '%systemroot%\system32\fxst30.dll' #Windows 10
    condition: selection and not filter
 falsepositives:
    - Unknown
@@ -0,0 +1,170 @@
+#!/usr/bin/env python3
+"""
+Checks for logsource or fieldname errors on all rules
+
+WIP version
+
+Run using the command
+# python test_rules.py
+"""
+
+import os
+import unittest
+import yaml
+import re
+from attackcti import attack_client
+from colorama import init
+from colorama import Fore
+import collections
+
+
+class TestRules(unittest.TestCase):
+
+    path_to_rules = "rules"
+    
+    windows_category={
+        "process_creation": ["CommandLine","Company","CurrentDirectory","Description","FileVersion","Hashes","Image","IntegrityLevel","LogonGuid","LogonId","OriginalFileName","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","ParentUser","ProcessGuid","ProcessId","Product","TerminalSessionId","User"],
+        "file_change": ["CreationUtcTime","Image","PreviousCreationUtcTime","ProcessGuid","ProcessId","TargetFilename","User"],
+        "network_connection": ["DestinationHostname","DestinationIp","DestinationIsIpv6","DestinationPort","DestinationPortName","Image","Initiated","ProcessGuid","ProcessId","Protocol","SourceHostname","SourceIp","SourceIsIpv6","SourcePort","SourcePortName","User"],
+        "sysmon_status": ["Configuration","ConfigurationFileHash","SchemaVersion","State","Version"],
+        "process_termination":["Image","ProcessGuid","ProcessId","User"],
+        "driver_load":["Hashes","ImageLoaded","Signature","SignatureStatus","Signed"],
+        "image_load":["Company","Description","FileVersion","Hashes","Image","ImageLoaded","OriginalFileName","ProcessGuid","ProcessId","Product","Signature","SignatureStatus","Signed","User"],
+        "create_remote_thread":["NewThreadId","SourceImage","SourceProcessGuid","SourceProcessId","SourceUser","StartAddress","StartFunction","StartModule","TargetImage","TargetProcessGuid","TargetProcessId","TargetUser"],
+        "raw_access_thread":["Device","Image","ProcessGuid","ProcessId","User"],
+        "process_access":["CallTrace","GrantedAccess","SourceImage","SourceProcessGUID","SourceProcessId","SourceThreadId","SourceUser","TargetImage","TargetProcessGUID","TargetProcessId","TargetUser"],
+        "raw_access_read":["CreationUtcTime","Image","ProcessGuid","ProcessId","TargetFilename","User"],
+        "file_event":["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","User"],
+        "registry_add":["EventType","ProcessGuid","ProcessId","Image","TargetObject","User"],
+        "registry_delete":["Details","EventType","Image","ProcessGuid","ProcessId","TargetObject",],
+        "registry_set":["Details","EventType","Image","ProcessGuid","ProcessId","TargetObject","User"],
+        "registry_rename":["EventType","Image","NewName","ProcessGuid","ProcessId","TargetObject","User"],
+        "registry_event":["Details","EventType","Image","NewName","ProcessGuid","ProcessId","TargetObject","User"],
+        "create_stream_hash":["Contents","CreationUtcTime","Hash","Image","ProcessGuid","ProcessId","TargetFilename","User"],
+        "pipe_created":["EventType","Image","PipeName","ProcessGuid","ProcessId","User"],
+        "wmi_event":["Consumer","Destination","EventNamespace","EventType","Filter","Name","Operation","Query","Type","User"],
+        "dns_query":["Image","ProcessGuid","ProcessId","QueryName","QueryResults","QueryStatus","User"],
+        "file_delete":["Archived","Hashes","Image","IsExecutable","ProcessGuid","ProcessId","TargetFilename","User"],
+        "clipboard_capture":["Archived","ClientInfo","Hashes","Image","ProcessGuid","ProcessId","Session","User"],
+        "process_tampering":["Image","ProcessGuid","ProcessId","Type","User"],
+        "file_block":["Hashes","Image","ProcessGuid","ProcessId","TargetFilename","User"], #SYSMONEVENT_FILE_BLOCK_SHREDDING add IsExecutable
+        "ps_module":["ContextInfo","UserData","Payload"],
+        "ps_script":["MessageNumber","MessageTotal","ScriptBlockText","ScriptBlockId","Path"],
+    }
+    
+    # Calculate once use many times
+    windows_category_keys = windows_category.keys()
+    
+    # Aurora FP
+    windows_category["process_creation"] += ["GrandparentCommandLine"]
+    windows_category["network_connection"] += ["CommandLine","ParentImage"]
+    windows_category["create_remote_thread"] += ["User","SourceCommandLine","SourceParentProcessId","SourceParentImage","SourceParentCommandLine","TargetCommandLine","TargetParentProcessId","TargetParentImage","TargetParentCommandLine","IsInitialThread","RemoteCreation"]
+    windows_category["file_delete"] += ["CommandLine","ParentImage","ParentCommandLine"]
+    windows_category["file_event"] += ["CommandLine","ParentImage","ParentCommandLine","MagicHeader"]
+    windows_category["image_load"] += ["CommandLine"]
+    windows_category["process_access"] += ["SourceCommandLine","CallTraceExtended"]
+
+
+    windows_commun = ["EventID","Provider_Name"]
+    
+    # Helper functions
+    def yield_next_rule_file_path(self, path_to_rules: str) -> str:
+        for root, _, files in os.walk(path_to_rules):
+            for file in files:
+                yield os.path.join(root, file)
+
+    def get_rule_yaml(self, file_path: str) -> dict:
+        data = []
+
+        with open(file_path, encoding='utf-8') as f:
+            yaml_parts = yaml.safe_load_all(f)
+            for part in yaml_parts:
+                data.append(part)
+
+        return data
+        
+    def get_rule_part(self, file_path: str, part_name: str):
+        yaml_dicts = self.get_rule_yaml(file_path)
+        for yaml_part in yaml_dicts:
+            if part_name in yaml_part.keys():
+                return yaml_part[part_name]
+
+        return None
+
+    def get_detection_field(self,detection: dict):
+        data = []
+        
+        def get_field_name(selection: dict):
+            name = []
+            for field in selection:
+                if "|" in field:
+                    name.append(field.split('|')[0])
+                else:
+                    name.append(field)
+            return name
+
+        for search_identifier in detection:
+            if isinstance(detection[search_identifier], dict):
+                data += get_field_name(detection[search_identifier])
+            if isinstance(detection[search_identifier], list):
+               for list_value in detection[search_identifier]:
+                    if isinstance(list_value, dict):
+                        data += get_field_name(list_value)
+
+        return data        
+
+    def fill_logsource(self,logsource: dict) -> dict:
+        data = {"product":"","category":"","service":""}
+        
+        data["product"] = logsource["product"] if "product" in logsource.keys() else ""
+        data["category"] = logsource["category"] if "category" in logsource.keys() else ""
+        data["service"] = logsource["service"] if "service" in logsource.keys() else ""
+        
+        return data
+
+    def add_hash(self):
+        for key in self.windows_category_keys:
+            if "Hashes" in self.windows_category[key]:
+                self.windows_category[key].append("md5")
+                self.windows_category[key].append("sha1")
+                self.windows_category[key].append("sha256")
+                self.windows_category[key].append("Imphash")
+            if "Hash" in self.windows_category[key]: # Sysmon 15 create_stream_hash
+                self.windows_category[key].append("md5")
+                self.windows_category[key].append("sha1")
+                self.windows_category[key].append("sha256")
+                self.windows_category[key].append("Imphash")
+
+    #
+    # test functions
+    #
+    def test_fieldname_case(self):
+        files_with_fieldname_issues = []
+        
+        self.add_hash()
+        
+        for file in self.yield_next_rule_file_path(self.path_to_rules):
+            logsource = self.get_rule_part(file_path=file, part_name="logsource")
+            detection = self.get_rule_part(file_path=file, part_name="detection")
+            
+            if logsource and detection :
+                full_logsource = self.fill_logsource(logsource)
+
+                if full_logsource['product'] == "windows":
+                    if full_logsource['category'] in self.windows_category_keys:
+                        for field in self.get_detection_field(detection):
+                            list_field = self.windows_category[full_logsource['category']] + self.windows_commun
+                            
+                            if not field in list_field:
+                                print(
+                                    Fore.RED + "Rule {} has the invalid field <{}>".format(file, field))
+                                files_with_fieldname_issues.append(file)
+                    
+        self.assertEqual(files_with_fieldname_issues, [], Fore.RED +
+                         "There are rule files which contains unkown field or with case error")        
+
+
+if __name__ == "__main__":
+    init(autoreset=True)
+    # Run the tests
+    unittest.main()
@@ -805,11 +805,9 @@ fieldmappings:
  CommandLine: command
  ProcessCommandLine: command
  ParentCommandLine: parent_command
-  IMPHASH: file_hash_imphash
  Imphash: file_hash_imphash
-  SHA256: file_hash_sha256
-  MD5: file_hash_md5
-  SHA1: file_hash_sha1
+  sha256: file_hash_sha256
+  md5: file_hash_md5
  sha1: file_hash_sha1
  SubjectUserSid: correlation_session_id
  SubjectSid: correlation_session_id