Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing

2021-12-03 19:03:14 +01:00
parent bcc5010e7e 6852e56ff5
commit 29cbdf80c2
59 changed files with 387 additions and 150 deletions
@@ -0,0 +1,29 @@
+title: Linux Capabilities Discovery
+id: fe10751f-1995-40a5-aaa2-c97ccb4123fe
+description: Detects attempts to discover the files with setuid/setgid capabilitiy on them. That would allow adversary to escalate their privileges.
+author: 'Pawel Mazur'
+status: experimental
+date: 2021/11/28
+references:
+   - https://man7.org/linux/man-pages/man8/getcap.8.html
+   - https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/
+   - https://mn3m.info/posts/suid-vs-capabilities/
+   - https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099
+logsource:
+   product: linux
+   service: auditd
+detection:
+   getcap:
+       type: EXECVE
+       a0: getcap
+       a1: '-r'
+       a2: '/'
+   condition: getcap
+tags:
+   - attack.collection
+   - attack.privilege_escalation
+   - attack.t1123
+   - attack.t1548
+falsepositives:
+   - None
+level: low
@@ -6,7 +6,7 @@ author: Florian Roth, Markus Neis
 references:
  - Internal Research
 date: 2019/11/12
-modified: 2021/11/27
+modified: 2021/11/30
 logsource:
  category: proxy
 detection:
@@ -51,6 +51,7 @@ detection:
      - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;'    # Mustang Panda https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/
      - 'Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0'    # BackdoorDiplomacy https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/
      - 'Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36'    # SideWalk malware used by Sparkling Goblin
+      - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_06) Gecko/22.36.35.06 Firefox/2.0'  # LitePower stager used by WRITE https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044/
  condition: selection
 fields:
  - ClientIP
@@ -6,12 +6,13 @@ author: Florian Roth
 references:
  - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
 date: 2017/03/31
-modified: 2021/11/27
+modified: 2021/11/30
 logsource:
  product: windows
  service: system
 detection:
  selection:
+    Provider_Name: 'Service Control Manager'
    EventID: 7045
    ServiceName:
      - 'srservice'
@@ -18,13 +18,14 @@ tags:
    - attack.t1071 # an old one
    - attack.t1071.004
 date: 2018/03/23
-modified: 2021/09/19
+modified: 2021/11/30
 author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
 logsource:
    product: windows
    service: system
 detection:
    selection_service:
+        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ServiceName:
            - 'SC Scheduled Scan'
@@ -6,12 +6,13 @@ author: Florian Roth
 references:
  - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
 date: 2017/03/07
-modified: 2021/11/27
+modified: 2021/11/30
 logsource:
  product: windows
  service: system
 detection:
  selection:
+    Provider_Name: 'Service Control Manager'
    EventID: 7045
    ServiceName: NtsSrv
    ServiceFileName|endswith: ' LocalService'
@@ -6,12 +6,13 @@ author: Florian Roth
 references:
  - https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
 date: 2018/11/23
-modified: 2021/11/27
+modified: 2021/11/30
 logsource:
  product: windows
  service: system
 detection:
  selection:
+    Provider_Name: 'Service Control Manager'
    EventID: 7045
    ServiceName: 'WerFaultSvc'
  condition: selection
@@ -8,7 +8,7 @@ references:
    - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
 date: 2021/05/26
-modified: 2021/09/21
+modified: 2021/09/30
 tags:
    - attack.execution
    - attack.privilege_escalation
@@ -21,6 +21,7 @@ logsource:
    service: system
 detection:
    selection_id:
+        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection1:
        ImagePath|contains|all: 
@@ -6,12 +6,13 @@ author: Omer Faruk Celik
 references:
  - https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/
 date: 2018/03/20
-modified: 2021/11/27
+modified: 2021/11/30
 logsource:
  product: windows
  service: system
 detection:
  service_installation:
+    Provider_Name: 'Service Control Manager'
    EventID: 7045
    ServiceName: 'BTOBTO'
    ServiceFileName|endswith: '\execute.bat'
@@ -4,7 +4,7 @@ description: Detects Obfuscated use of Clip.exe to execute PowerShell
 status: experimental
 author: Jonathan Cheong, oscd.community
 date: 2020/10/13
-modified: 2021/09/16
+modified: 2021/11/30
 references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
 tags:
@@ -16,11 +16,11 @@ logsource:
    product: windows
    service: system
 detection:
-    selection_eventid:
-        EventID: 7045
    selection:
+        Provider_Name: 'Service Control Manager'
+        EventID: 7045
        ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
-    condition: selection and selection_eventid
+    condition: selection
 falsepositives:
    - Unknown
 level: high
@@ -7,7 +7,7 @@ description: Detects Obfuscated use of Clip.exe to execute PowerShell
 status: experimental
 author: Jonathan Cheong, oscd.community
 date: 2020/10/13
-modified: 2021/09/16
+modified: 2021/11/30
 references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
 tags:
@@ -20,11 +20,11 @@ logsource:
    product: windows
    service: security
 detection:
-    selection_eventid:
-        EventID: 4697
    selection:
+        Provider_Name: 'Service Control Manager'
+        EventID: 4697
        ServiceFileName|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
-    condition: selection and selection_eventid
+    condition: selection 
 falsepositives:
    - Unknown
 level: high
@@ -4,7 +4,7 @@ description: Detects Obfuscated use of stdin to execute PowerShell
 status: experimental
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
-modified: 2021/09/17
+modified: 2021/11/30
 references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
 tags:
@@ -16,11 +16,11 @@ logsource:
    product: windows
    service: system
 detection:
-    selection_eventid:
-        EventID: 7045
    selection:
+        Provider_Name: 'Service Control Manager'
+        EventID: 7045
        ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
-    condition: selection and selection_eventid
+    condition: selection 
 falsepositives:
    - Unknown
 level: high
@@ -4,7 +4,7 @@ description: Detects Obfuscated use of Environment Variables to execute PowerShe
 status: experimental
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
-modified: 2021/09/17
+modified: 2021/11/30
 references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
 tags:
@@ -16,11 +16,11 @@ logsource:
    product: windows
    service: system
 detection:
-    selection_eventid:
-        EventID: 7045
    selection:
+        Provider_Name: 'Service Control Manager'
+        EventID: 7045
        ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
-    condition: all of them
+    condition: selection
 falsepositives:
    - Unknown
 level: high
@@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
-modified: 2021/08/09
+modified: 2021/11/30
 references:
    - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
 tags:
@@ -19,8 +19,8 @@ logsource:
    product: windows
    service: system
 detection:
-    selection_eventid:
-        EventID: 7045
    selection:
+        Provider_Name: 'Service Control Manager'
+        EventID: 7045
        ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
-    condition: selection and selection_eventid
+    condition: selection
@@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
-modified: 2021/09/18
+modified: 2021/11/30
 references:
    - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
 tags:
@@ -16,11 +16,11 @@ logsource:
    product: windows
    service: system
 detection:
-    selection_eventid:
-        EventID: 7045
    selection:
+        Provider_Name: 'Service Control Manager'
+        EventID: 7045
        ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
-    condition: selection and selection_eventid
+    condition: selection
 falsepositives:
    - Unknown
 level: medium
@@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via Stdin in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/12
-modified: 2021/09/18
+modified: 2021/11/30
 references:
    - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
 tags:
@@ -16,11 +16,11 @@ logsource:
    product: windows
    service: system
 detection:
-    selection_eventid:
-        EventID: 7045
    selection:
+        Provider_Name: 'Service Control Manager'
+        EventID: 7045
        ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
-    condition: selection and selection_eventid
+    condition: selection
 falsepositives:
    - Unknown
 level: high
@@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via use Clip.exe in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
-modified: 2021/09/18
+modified: 2021/11/30
 references:
    - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
 tags:
@@ -16,11 +16,11 @@ logsource:
    product: windows
    service: system
 detection:
-    selection_eventid:
-        EventID: 7045
    selection:
+        Provider_Name: 'Service Control Manager'
+        EventID: 7045
        ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
-    condition: selection and selection_eventid
+    condition: selection 
 falsepositives:
    - Unknown
 level: high
@@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
-modified: 2021/09/18
+modified: 2021/11/30
 references:
    - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
 tags:
@@ -16,11 +16,11 @@ logsource:
    product: windows
    service: system
 detection:
-    selection_eventid:
-        EventID: 7045
    selection:
+        Provider_Name: 'Service Control Manager'
+        EventID: 7045
        ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
-    condition: selection and selection_eventid
+    condition: selection
 falsepositives:
    - Unknown
 level: high
@@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
-modified: 2021/09/18
+modified: 2021/11/30
 references:
    - https://github.com/Neo23x0/sigma/issues/1009 #(Task30)
 tags:
@@ -16,11 +16,11 @@ logsource:
    product: windows
    service: system
 detection:
-    selection_eventid:
-        EventID: 7045
    selection:
+        Provider_Name: 'Service Control Manager'
+        EventID: 7045
        ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
-    condition: selection and selection_eventid
+    condition: selection
 falsepositives:
    - Unknown
 level: high
@@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/13
-modified: 2021/09/18
+modified: 2021/11/30
 references:
    - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
 tags:
@@ -16,11 +16,11 @@ logsource:
    product: windows
    service: system
 detection:
-    selection_eventid:
-        EventID: 7045
    selection:
+        Provider_Name: 'Service Control Manager'
+        EventID: 7045
        ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
-    condition: selection and selection_eventid
+    condition: selection
 falsepositives:
    - Unknown
 level: high
@@ -6,7 +6,7 @@ author: Samir Bousseaden
 references:
  - https://twitter.com/menasec1/status/1104489274387451904
 date: 2019/04/03
-modified: 2021/11/27
+modified: 2021/12/01
 logsource:
  product: windows
  service: security
@@ -15,13 +15,12 @@ detection:
  selection1:
    EventID: 5145
    ShareName: \\\*\IPC$
-  selection2:
-    EventID: 5145
-    ShareName: \\\*\IPC$
+  false_positives:
    RelativeTargetName:
      - 'atsvc'
      - 'samr'
      - 'lsarpc'
+      - 'lsass'
      - 'winreg'
      - 'netlogon'
      - 'srvsvc'
@@ -36,7 +35,7 @@ detection:
      - 'HydraLsPipe'
      - 'TermSrv_API_service'
      - 'MsFteWds'
-  condition: selection1 and not selection2
+  condition: selection1 and not false_positives
 falsepositives:
  - update the excluded named pipe to filter out any newly observed legit named pipe
 level: high
@@ -4,7 +4,7 @@ description: Detects well-known credential dumping tools execution via service e
 status: experimental
 author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
 date: 2017/03/05
-modified: 2021/09/21
+modified: 2021/11/30
 references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 tags:
@@ -24,6 +24,7 @@ logsource:
    service: system
 detection:
    selection:
+        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains:
            - 'fgexec'
@@ -4,7 +4,7 @@ description: Detects the use of getsystem Meterpreter/Cobalt Strike command by d
 status: experimental
 author: Teymur Kheirkhabarov, Ecco, Florian Roth
 date: 2019/10/26
-modified: 2021/09/21
+modified: 2021/11/30
 references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
@@ -18,6 +18,7 @@ logsource:
    service: system
 detection:
    selection_id:
+        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection:
        # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
@@ -4,7 +4,7 @@ description: Detects the use of Moriya rootkit as described in the securelist's
 status: experimental
 author: Bhabesh Raj
 date: 2021/05/06
-modified: 2021/09/21
+modified: 2021/11/30
 references:
    - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
 tags:
@@ -16,6 +16,7 @@ logsource:
    service: system
 detection:
    selection:
+        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ServiceName: ZzNetSvc
    condition: selection
@@ -4,7 +4,7 @@ description: Detects powershell script installed as a Service
 status: experimental
 author: oscd.community, Natalia Shornikova
 date: 2020/10/06
-modified: 2021/09/21
+modified: 2021/11/30
 references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 tags:
@@ -15,12 +15,12 @@ logsource:
    service: system
 detection:
    service_creation:
+        Provider_Name: 'Service Control Manager'
        EventID: 7045
-    powershell_as_service:
        ImagePath|contains: 
          - 'powershell'
          - 'pwsh'
-    condition: service_creation and powershell_as_service
+    condition: service_creation
 falsepositives:
    - Unknown
 level: high
@@ -4,15 +4,16 @@ status: test
 description: Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services
 author: Florian Roth
 date: 2017/03/08
-modified: 2021/11/27
+modified: 2021/11/30
 logsource:
  product: windows
  service: system
 detection:
  selection:
+    Provider_Name: 'Service Control Manager'
    EventID: 7045
  timeframe: 7d
-  condition: selection | count() by ServiceFileName < 5
+  condition: selection | count() by ServiceName < 5
 falsepositives:
  - Software installation
  - Software updates
@@ -8,8 +8,9 @@ references:
  - https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356
  - https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
  - https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997
+  - https://twitter.com/mattifestation/status/1326228491302563846
 date: 2019/02/22
-modified: 2021/11/27
+modified: 2021/12/01
 logsource:
  category: process_creation
  product: windows
@@ -25,6 +26,8 @@ detection:
      - '.xls'
      - '.doc'
      - '.zip'
+      - '.dll'
+      - '.exe'
  condition: selection1
 falsepositives:
  - False positives depend on scripts and administrative tools used in the monitored environment
@@ -33,3 +36,6 @@ tags:
  - attack.defense_evasion
  - attack.t1140
  - attack.t1218.005
+  - attack.execution
+  - attack.t1059.007
+  - cve.2020.1599
@@ -6,6 +6,7 @@ references:
    - https://twitter.com/1kwpeter/status/1397816101455765504
 author: Florian Roth
 date: 2021/05/27
+modified: 2021/11/30
 tags:
    - attack.execution
    - attack.privilege_escalation
@@ -16,6 +17,7 @@ logsource:
    service: system
 detection:
    selection:
+        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ServiceName|startswith: 'ProcessHacker'
        AccountName: 'LocalSystem'
@@ -4,7 +4,7 @@ description: Well-known TAP software installation. Possible preparation for data
 status: experimental
 author: Daniil Yugoslavskiy, Ian Davis, oscd.community
 date: 2019/10/24
-modified: 2021/09/21
+modified: 2021/11/30
 tags:
    - attack.exfiltration
    - attack.t1048
@@ -13,6 +13,7 @@ logsource:
    service: system
 detection:
    selection:
+        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains: 'tap0901'
    condition: selection
@@ -6,12 +6,13 @@ author: Teymur Kheirkhabarov, oscd.community
 references:
  - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 date: 2019/10/22
-modified: 2021/11/27
+modified: 2021/11/30
 logsource:
  product: windows
  service: security
 detection:
  selection:
+    Provider_Name: Microsoft-Windows-Security-Auditing
    EventID: 5145
    RelativeTargetName|contains:
      - '\mimidrv'
@@ -7,10 +7,11 @@ references:
  - https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/
  - https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/
 date: 2017/11/09
-modified: 2021/11/27
+modified: 2021/11/30
 logsource:
  product: windows
  service: driver-framework
+  definition: mapping Provider_Name 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
 detection:
  selection:
    EventID:
@@ -5,7 +5,7 @@ description: This rule triggers on user accounts that are added to the local Adm
 status: stable
 author: Florian Roth
 date: 2017/03/14
-modified: 2021/07/07
+modified: 2021/11/30
 tags:
    - attack.privilege_escalation
    - attack.t1078
@@ -16,6 +16,7 @@ logsource:
    service: security
 detection:
    selection:
+        provider_Name: Microsoft-Windows-Security-Auditing
        EventID: 4732
    selection_group1:
        TargetUserName|startswith: 'Administr'
@@ -11,12 +11,13 @@ tags:
    - attack.t1558.003
 author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
 date: 2019/10/24
-modified: 2021/08/14
+modified: 2021/11/30
 logsource:
    product: windows
    service: security
 detection:
    selection:
+        Provider_Name: Microsoft-Windows-Security-Auditing
        EventID: 4673
        Service: 'LsaRegisterLogonProcess()'
        Keywords: '0x8010000000000000'     #failure
@@ -6,12 +6,13 @@ author: Patrick Bareiss
 references:
  - https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
 date: 2019/04/18
-modified: 2021/11/27
+modified: 2021/11/30
 logsource:
  product: windows
  service: security
 detection:
  selection:
+    provider_Name: Microsoft-Windows-Security-Auditing
    EventID: 4720
  condition: selection
 fields:
@@ -7,12 +7,13 @@ references:
  - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
  - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
 date: 2019/04/08
-modified: 2021/11/27
+modified: 2021/11/30
 logsource:
  product: windows
  service: security
 detection:
  selection_1:
+    Provider_Name: Microsoft-Windows-Security-Auditing
    EventID: 4673
    PrivilegeList: 'SeLoadDriverPrivilege'
    Service: '-'
@@ -3,7 +3,7 @@ id: e9faba72-4974-4ab2-a4c5-46e25ad59e9b
 description: Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.
 status: experimental
 date: 2020/10/20
-modified: 2021/11/26
+modified: 2021/11/30
 author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
 tags:
    - attack.credential_access
@@ -14,13 +14,13 @@ logsource:
    product: windows
    service: security
 detection:
-    selection_one: 
-        EventID: 4904
+    selection:
+        Provider_Name: Microsoft-Windows-Security-Auditing
        AuditSourceName: VSSAudit
-    selection_two: 
-        EventID: 4905
-        AuditSourceName: VSSAudit
-    condition: selection_one or selection_two
+        EventID: 
+            - 4904
+            - 4905
+    condition: selection
 falsepositives:
    - Legitimate use of VSSVC. Maybe backup operations. It would usually be done by C:\Windows\System32\VSSVC.exe.
 level: low
@@ -6,7 +6,7 @@ references:
    - https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
 author: NVISO
 date: 2020/09/15
-modified: 2021/08/09
+modified: 2021/11/30
 tags:
    - attack.privilege_escalation
    - attack.t1548
@@ -15,6 +15,7 @@ logsource:
    service: system
 detection:
    selection:
+        Provider_Name: NetLogon  # Active Directory: NetLogon ETW GUID {F33959B4-DBEC-11D2-895B-00C04F79AB69}
        EventID: 5829
    condition: selection
 fields:
@@ -6,12 +6,13 @@ author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
 references:
  - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html
 date: 2020/10/12
-modified: 2021/11/27
+modified: 2021/11/30
 logsource:
  product: windows
  service: security
 detection:
  selection:
+    Provider_Name: Microsoft-Windows-Eventlog
    EventID: 5145
    RelativeTargetName|endswith: '\wbem\wbemcomn.dll'
  filter:
@@ -0,0 +1,23 @@
+title: NPPSpy Hacktool Usage
+id: cad1fe90-2406-44dc-bd03-59d0b58fe722
+status: experimental
+description: Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file
+author: Florian Roth
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy
+    - https://twitter.com/0gtweet/status/1465282548494487554
+date: 2021/11/29
+tags:
+    - attack.credential_access
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        TargetFilename|endswith: 
+            - '\NPPSpy.txt'
+            - '\NPPSpy.dll'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -2,25 +2,26 @@ title: Suspicious desktop.ini Action
 id: 81315b50-6b60-4d8f-9928-3466e1022515
 status: test
 description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
-author: Maxime Thiebaut (@0xThiebaut)
+author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
 references:
  - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
 date: 2020/03/19
-modified: 2021/11/27
+modified: 2021/12/03
 logsource:
  product: windows
  category: file_event
 detection:
-  filter:
-    Image:
-      - 'C:\Windows\explorer.exe'
-      - 'C:\Windows\System32\msiexec.exe'
-      - 'C:\Windows\System32\mmc.exe'
  selection:
    TargetFilename|endswith: '\desktop.ini'
+  filter:
+    Image|startswith:
+      - 'C:\Windows\'
+      - 'C:\Program Files\'
+      - 'C:\Program Files (x86)\'
  condition: selection and not filter
 falsepositives:
  - Operations performed through Windows SCCM or equivalent
+  - read only access list authority
 level: medium
 tags:
  - attack.persistence
@@ -3,7 +3,7 @@ id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c
 description: A General detection for processes loading System.Drawing.ni.dll. This could be an indicator of potential Screen Capture.
 status: experimental
 date: 2020/05/02
-modified: 2021/11/27
+modified: 2021/12/03
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
    - attack.collection
@@ -31,10 +31,12 @@ detection:
            - 'C:\Windows\System32\'
            - 'C:\Windows\Microsoft.NET\'
            - 'C:\Windows\ImmersiveControlPanel\'
-            - 'C:\Windows\System32\NhNotifSys.exe'
+    filter2:
+        Image:
            - 'C:\Users\\*\AppData\Local\NhNotifSys\nahimic\nahimicNotifSys.exe'
            - 'C:\Users\\*\GitHubDesktop\Update.exe'
-    condition: selection and not filter
+            - 'C:\Windows\System32\NhNotifSys.exe'
+    condition: selection and not 1 of filter*
 falsepositives:
    - unknown
 level: medium
@@ -5,7 +5,7 @@ description: Detects a Powershell process that opens network connections - check
    extend filters with company's ip range')
 author: Florian Roth
 date: 2017/03/13
-modified: 2021/06/14
+modified: 2021/12/01
 references:
    - https://www.youtube.com/watch?v=DLtJTxMWZ2o
 tags:
@@ -41,7 +41,6 @@ detection:
            - '172.30.'
            - '172.31.'
            - '127.0.0.1'
-        DestinationIsIpv6: 'false'
        User: 'NT AUTHORITY\SYSTEM'
        User|contains|all:  # other languages
            - 'AUT'
@@ -6,7 +6,7 @@ author: Ilyas Ochkov, oscd.community
 references:
  - https://github.com/GhostPack/Rubeus
 date: 2019/10/24
-modified: 2021/11/27
+modified: 2021/12/02
 logsource:
  category: network_connection
  product: windows
@@ -20,6 +20,7 @@ detection:
      - '\opera.exe'
      - '\chrome.exe'
      - '\firefox.exe'
+      - '\tomcat\bin\tomcat8.exe'
  condition: selection and not filter
 falsepositives:
  - Other browsers
@@ -10,7 +10,7 @@ tags:
    - attack.t1086  #an old one
 author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update)
 date: 2017/03/05
-modified: 2021/10/16
+modified: 2021/11/29
 logsource:
    product: windows
    category: ps_script
@@ -114,7 +114,9 @@ detection:
            - "Invoke-Mimikittenz"
            - "Invoke-AllChecks"
    false_positives:
-        ScriptBlockText|contains: Get-SystemDriveInfo  # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
+        ScriptBlockText|contains:
+            - Get-SystemDriveInfo  # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
+            - C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\Set-Wallpaper.ps1  # false positive form Amazon EC2
    condition: select_Malicious and not false_positives
 falsepositives:
    - Penetration testing
@@ -5,7 +5,7 @@ description: Detects process access LSASS memory which is typical for credential
 author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov,
    oscd.community (update)
 date: 2017/02/16
-modified: 2021/11/30
+modified: 2021/12/02
 references:
    - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
    - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
@@ -68,6 +68,13 @@ detection:
        GrantedAccess: 
            - '0x1410'
            - '0x410'
+    filter8:
+        SourceImage|endswith:
+            - '\thor.exe'
+            - '\thor64.exe'
+        GrantedAccess: 
+            - '0x40'
+            - '0x1010'
    filter_generic:
        SourceImage|startswith: 
            - 'C:\Program Files\'
@@ -3,7 +3,7 @@ id: 204b17ae-4007-471b-917b-b917b315c5db
 status: experimental
 description: suspicious command line to remove exe or dll
 author: frack113
-date: 2021/10/26
+date: 2021/12/02
 references:
    - https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D
 tags:
@@ -15,17 +15,15 @@ logsource:
 detection:
    susp_del_exe:
        CommandLine|contains|all:
-            - 'del '
+            - 'del *.exe'
            - '/f '
            - '/q '
-            - '.exe'
    susp_del_dll:
        CommandLine|contains|all:
-            - 'del '
+            - 'del *.dll'
            - 'C:\ProgramData\'
-            - '.dll'
    condition: susp_del_exe or susp_del_dll
 #cmd.exe (PID: 1044 cmdline: 'C:\Windows\System32\cmd.exe' /c taskkill /im A8D4.exe /f & timeout /t 6 & del /f /q 'C:\Users\user~1\AppData\Local\Temp\A8D4.exe' & del C:\ProgramData\*.dll & exit 
 falsepositives:
    - unknown
-level: medium
+level: medium
@@ -6,7 +6,7 @@ author: Tom Ueltschi (@c_APT_ure)
 references:
  - https://attack.mitre.org/techniques/T1037/
 date: 2019/01/12
-modified: 2021/11/27
+modified: 2021/11/29
 logsource:
  category: process_creation
  product: windows
@@ -17,7 +17,7 @@ detection:
    Image|endswith: '\explorer.exe'
  exec_exclusion2:
    CommandLine|contains:
-      - 'netlogon.bat'
+      - 'netlogon*.bat'
      - 'UsrLogon.cmd'
  create_keywords_cli:
    CommandLine|contains: 'UserInitMprLogonScript'
@@ -1,4 +1,4 @@
-title: Command Line Path Traversial Evasion
+title: Command Line Path Traversal Evasion
 status: experimental
 id: 1327381e-6ab0-4f38-b583-4c1b8346a56b
 author: Christian Burkard
@@ -0,0 +1,22 @@
+title: Suspicious Regsvr32 Execution With Image Extension
+id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e
+status: experimental
+description: utilizes REGSVR32.exe to execute this DLL masquerading as a Image file
+references:
+    - https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
+tags:
+    - attack.defense_evasion
+    - attack.t1218.010 
+author: frack113
+date: 2021/11/29
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\regsvr32.exe'
+        CommandLine|endswith: '.jpg' # can add other 
+    condition: selection
+falsepositives:
+    - unknown
+level: high
@@ -7,7 +7,7 @@ references:
  - https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md
 date: 2018/10/30
-modified: 2021/11/27
+modified: 2021/12/03
 logsource:
  category: process_creation
  product: windows
@@ -22,7 +22,7 @@ fields:
  - CommandLine
 falsepositives:
  - Unknown
-level: medium
+level: high
 tags:
  - attack.defense_evasion
  - attack.persistence
@@ -17,7 +17,10 @@ detection:
      - "bxor"
      - "join"
      - "char"
-  condition: selection and filter
+  false_positives:
+    ParentImage: 
+      - C:\Program Files\Amazon\SSM\ssm-document-worker.exe
+  condition: selection and filter and not false_positives
 falsepositives:
  - unknown
 level: medium
@@ -8,7 +8,7 @@ references:
  - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
  - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
 date: 2019/06/15
-modified: 2021/11/27
+modified: 2021/12/01
 logsource:
  category: process_creation
  product: windows
@@ -16,6 +16,7 @@ detection:
  selection:
    OriginalFileName:
      - 'cmd.exe'
+      - 'CONHOST.EXE'
      - 'powershell.exe'
      - 'powershell_ise.exe'
      - 'psexec.exe'
@@ -38,6 +39,7 @@ detection:
  filter:
    Image|endswith:
      - '\cmd.exe'
+      - '\conhost.exe'
      - '\powershell.exe'
      - '\powershell_ise.exe'
      - '\psexec.exe'
@@ -4,7 +4,7 @@ description: Detects a windows service to be stopped
 status: experimental
 author: Jakob Weinzettl, oscd.community
 date: 2019/10/23
-modified: 2021/08/14
+modified: 2021/11/30
 tags:
    - attack.impact
    - attack.t1489
@@ -18,7 +18,12 @@ detection:
            - '\net.exe'
            - '\net1.exe'
        CommandLine|contains: 'stop'
-    condition: selection
+    filter:
+        CommandLine: 'sc  stop KSCWebConsoleMessageQueue' # kaspersky Security Center Web Console double space between sc and stop
+        User|startswith: 
+            - 'NT AUTHORITY\SYSTEM'
+            - 'AUTORITE NT\Sys' # French language settings
+    condition: selection and not filter
 fields:
    - ComputerName
    - User
@@ -2,21 +2,19 @@ title: Suspicious Copy From or To System32
 id: fff9d2b7-e11c-4a69-93d3-40ef66189767
 status: test
 description: Detects a suspicious copy command that copies a system program from System32 to another directory on disk - sometimes used to use LOLBINs like certutil or desktopimgdownldr to a different location with a different name
-author: Florian Roth, Markus Neis
+author: Florian Roth, Markus Neis, Tim Shelton (HAWK.IO)
 references:
  - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120
 date: 2020/07/03
-modified: 2021/11/27
+modified: 2021/12/30
 logsource:
  category: process_creation
  product: windows
 detection:
  selection:
    CommandLine|contains:
-      - ' /c copy'
-      - 'xcopy'
-    CommandLine|contains|all:
-      - '\System32\'
+      - 'xcopy*\System32\'
+      - 'cmd.exe*/c*copy*\System32\'
  condition: selection
 fields:
  - CommandLine
@@ -24,6 +22,7 @@ fields:
 falsepositives:
  - False positives depend on scripts and administrative tools used in the monitored environment
  - Admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/
+  - False positive when cmd.exe and xcopy.exe are called directly #  C:\Windows\System32\cmd.exe /c copy file1 file2
 level: medium
 tags:
  - attack.defense_evasion
@@ -1,13 +1,14 @@
-title: Suspicious TSCON Start
+title: Suspicious TSCON Start as SYSTEM
 id: 9847f263-4a81-424f-970c-875dab15b79b
 status: experimental
 description: Detects a tscon.exe start as LOCAL SYSTEM
 references:
    - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
    - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
+    - https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement
 author: Florian Roth
 date: 2018/03/17
-modified: 2021/08/26
+modified: 2021/11/29
 tags:
    - attack.command_and_control
    - attack.t1219
@@ -6,7 +6,7 @@ author: Timur Zinniatullin, oscd.community
 references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md
 date: 2019/10/21
-modified: 2021/11/27
+modified: 2021/11/29
 logsource:
  category: process_creation
  product: windows
@@ -15,10 +15,22 @@ detection:
    - Image|endswith: '\wmic.exe'
      CommandLine|contains: '/format'     # wmic process list /FORMAT /?
    - Image|endswith: '\msxsl.exe'
-  condition: selection
+  false_positives:
+    CommandLine|contains:
+      - '/Format:List'
+      - '/Format:htable'
+      - '/Format:hform'
+      - '/Format:table'
+      - '/Format:mof'
+      - '/Format:value'
+      - '/Format:rawxml'
+      - '/Format:xml'
+      - '/Format:csv'
+  condition: selection and not false_positives
 falsepositives:
  - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.
  - msxsl.exe is not installed by default, so unlikely.
+  - Static format arguments - https://petri.com/command-line-wmi-part-3
 level: medium
 tags:
  - attack.defense_evasion
@@ -7,7 +7,7 @@ references:
    - https://attack.mitre.org/techniques/T1546/015/
 author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
 date: 2020/04/14
-modified: 2021/09/16
+modified: 2021/11/30
 tags:
    - attack.persistence
    - attack.t1546.015
@@ -39,7 +39,9 @@ detection:
        Details|contains|all:
            - '\AppData\Roaming\Dropbox\'
            - '\DropboxExt64.*.dll'
-    condition: selection and not ( filter1 or ( filterOneDrive and filterOneDrive2 ) or filter2 or filter3 )
+    filter4:
+        Details|endswith: TmopIEPlg.dll #TrendMicro osce
+    condition: selection and not ( filter1 or ( filterOneDrive and filterOneDrive2 ) or filter2 or filter3 or filter4 )
 falsepositives:
    - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level
 level: medium
@@ -4,7 +4,7 @@ description: Someone try to hide from Sysmon
 status: experimental
 author: frack113
 date: 2021/06/04
-modified: 2021/11/12
+modified: 2021/12/02
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
    - https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
@@ -20,8 +20,8 @@ detection:
            - 'Failed to open service configuration with error'
            - 'Failed to connect to the driver to update configuration'
    selection_filter:
-        Description: 'Failed to open service configuration with error 19'
-    condition: selection_error
+        Description: 'Failed to open service configuration with error 19 - Last error: The media is write protected.'
+    condition: selection_error and not selection_filter
 falsepositives:
    - legitimate administrative action
-level: high 
+level: high 
@@ -0,0 +1,94 @@
+title: Zircolite
+order: 20
+backends:
+  - sqlite
+logsources:
+  windows-application:
+    product: windows
+    service: application
+    conditions:
+      Channel: Application
+  windows-security:
+    product: windows
+    service: security
+    conditions:
+      Channel: Security
+  windows-system:
+    product: windows
+    service: system
+    conditions:
+      Channel: System
+  windows-sysmon:
+    product: windows
+    service: sysmon
+    conditions:
+      Channel: 'Microsoft-Windows-Sysmon/Operational'
+  windows-powershell:
+    product: windows
+    service: powershell
+    conditions:
+      Channel: 'Microsoft-Windows-PowerShell/Operational'
+  windows-classicpowershell:
+    product: windows
+    service: powershell-classic
+    conditions:
+      Channel: 'Windows PowerShell'
+  windows-dns-server:
+    product: windows
+    service: dns-server
+    conditions:
+      Channel: 'DNS Server'
+  windows-driver-framework:
+    product: windows
+    service: driver-framework
+    conditions:
+      Provider_Name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+  windows-dhcp:
+    product: windows
+    service: dhcp
+    conditions:
+      Provider_Name: 'Microsoft-Windows-DHCP-Server/Operational'
+  windows-ntlm:
+    product: windows
+    service: ntlm
+    conditions:
+      Provider_Name: 'Microsoft-Windows-NTLM/Operational'
+  windows-defender:
+    product: windows
+    service: windefend
+    conditions:
+      Channel: 'Microsoft-Windows-Windows Defender/Operational'
+  windows-printservice-admin:
+    product: windows
+    service: printservice-admin
+    conditions:
+      Channel: 'Microsoft-Windows-PrintService/Admin'
+  windows-printservice-operational:
+    product: windows
+    service: printservice-operational
+    conditions:
+      Channel: 'Microsoft-Windows-PrintService/Operational'
+  windows-smbclient-security:
+    product: windows
+    service: smbclient-security
+    conditions:
+      Channel: 'Microsoft-Windows-SmbClient/Security'
+  windows-applocker:
+    product: windows
+    service: applocker
+    conditions:
+      Channel:
+        - 'Microsoft-Windows-AppLocker/MSI and Script'
+        - 'Microsoft-Windows-AppLocker/EXE and DLL'
+        - 'Microsoft-Windows-AppLocker/Packaged app-Deployment'
+        - 'Microsoft-Windows-AppLocker/Packaged app-Execution'
+  windows-msexchange-management:
+    product: windows
+    service: msexchange-management
+    conditions:
+      Channel: 'MSExchange Management'
+  microsoft-servicebus-client:
+    product: windows
+    service: microsoft-servicebus-client
+    conditions:
+      Channel: 'Microsoft-ServiceBus-Client'
@@ -61,6 +61,7 @@ class HAWKBackend(SingleTextQueryBackend):
    def generateNode(self, node, notNode=False):
        #print(type(node))
        #print(node)
+        #print("Not: ", notNode)
        if type(node) == sigma.parser.condition.ConditionAND:
            return self.generateANDNode(node, notNode)
        elif type(node) == sigma.parser.condition.ConditionOR:
@@ -95,6 +96,8 @@ class HAWKBackend(SingleTextQueryBackend):
            nodeRet['description'] = key
            nodeRet['rule_id'] = str(uuid.uuid4())
            value = self.generateValueNode(node, False).replace("*", "EEEESTAREEE")
+            if value[-2:] == "\\\\":
+                value = value[:-2]
            value = re.escape(value)
            value = value.replace("EEEESTAREEE", ".*")
            if value[0:2] == ".*":  
@@ -110,16 +113,6 @@ class HAWKBackend(SingleTextQueryBackend):
            raise TypeError("Node type %s was not expected in Sigma parse tree" % (str(type(node))))

    def generateANDNode(self, node, notNode=False):
-        """
-        generated = [ self.generateNode(val) for val in node ]
-        filtered = [ g for g in generated if g is not None ]
-        if filtered:
-            if self.sort_condition_lists:
-                filtered = sorted(filtered)
-            return self.andToken.join(filtered)
-        else:
-            return None
-        """
        ret = { "id" : "and", "key": "And", "children" : [ ] }
        generated = [ self.generateNode(val, notNode) for val in node ]
        filtered = [ g for g in generated if g is not None ]
@@ -127,7 +120,6 @@ class HAWKBackend(SingleTextQueryBackend):
            if self.sort_condition_lists:
                filtered = sorted(filtered)
            ret['children'] = filtered
-            # return json.dumps(ret)# self.orToken.join(filtered)
            return ret
        else:
            return None
@@ -187,7 +179,7 @@ class HAWKBackend(SingleTextQueryBackend):
            nodeRet['description'] = key
            if key.lower() in ("logname","source"):
                self.logname = value
-            elif type(value) == str and "*" in value:
+            if type(value) == str and "*" in value:
                value = value.replace("*", "EEEESTAREEE")
                value = re.escape(value)
                value = value.replace("EEEESTAREEE", ".*")
@@ -199,32 +191,44 @@ class HAWKBackend(SingleTextQueryBackend):
                    nodeRet["args"]["comparison"]["value"] = "!="
                else:
                    nodeRet['args']['comparison']['value'] = "="
+                if value[-2:] == "\\\\":
+                    value = value[:-2]
                nodeRet['args']['str']['value'] = value
                nodeRet['args']['str']['regex'] = "true"
                # return "%s regex %s" % (self.cleanKey(key), self.generateValueNode(value, True))
                #return json.dumps(nodeRet)
                return nodeRet
            elif type(value) is str:
-                #return self.mapExpression % (self.cleanKey(key), self.generateValueNode(value, True))
+                if notNode:
+                    nodeRet["args"]["comparison"]["value"] = "!="
+                else:
+                    nodeRet['args']['comparison']['value'] = "="
                nodeRet['args']['str']['value'] = value
                # return json.dumps(nodeRet)
                return nodeRet
            elif type(value) is int:
                nodeRet['return'] = "int"
                nodeRet['args']['int'] = { "value" : value }
+                if notNode:
+                    nodeRet["args"]["comparison"]["value"] = "!="
+                else:
+                    nodeRet['args']['comparison']['value'] = "="
                del nodeRet['args']['str'] 
                #return self.mapExpression % (self.cleanKey(key), self.generateValueNode(value, True))
                #return json.dumps(nodeRet)
                return nodeRet
            else:
-                #return self.mapExpression % (self.cleanKey(key), self.generateNode(value))
                nodeRet['args']['str']['value'] = value
+                if notNode:
+                    nodeRet["args"]["comparison"]["value"] = "!="
+                else:
+                    nodeRet['args']['comparison']['value'] = "="
                #return json.dumps(nodeRet)
                return nodeRet
        elif type(value) == list:
            return self.generateMapItemListNode(key, value, notNode)
        elif isinstance(value, SigmaTypeModifier):
-            return self.generateMapItemTypedNode(key, value)
+            return self.generateMapItemTypedNode(key, value, notNode)
        elif value is None:
            #return self.nullExpression % (key, )
            #print("Performing null")
@@ -253,6 +257,10 @@ class HAWKBackend(SingleTextQueryBackend):
            nodeRet['key'] = self.cleanKey(key).lower()
            nodeRet['description'] = key
            nodeRet['rule_id'] = str(uuid.uuid4())
+            if notNode:
+                nodeRet['args']['comparison']['value'] = "!="
+            else:
+                nodeRet['args']['comparison']['value'] = "="
            if item is None:
                nodeRet['args']['str']['value'] = 'null'
                ret['children'].append( nodeRet )
@@ -264,12 +272,15 @@ class HAWKBackend(SingleTextQueryBackend):
                    item = item[2:]
                if item[-2:] == ".*":
                    item = item[:-2]
-                nodeRet['args']['str']['value'] = item # self.generateValueNode(item, True)
+                if item[-2:] == "\\\\":
+                    item = item[:-2]
+                nodeRet['args']['str']['value'] = item 
                nodeRet['args']['str']['regex'] = "true"
                if notNode:
                    nodeRet["args"]["comparison"]["value"] = "!="
                else:
                    nodeRet['args']['comparison']['value'] = "="
+                #print(item)
                ret['children'].append( nodeRet )
            else:
                nodeRet['args']['str']['value'] = self.generateValueNode(item, True)
@@ -292,6 +303,9 @@ class HAWKBackend(SingleTextQueryBackend):
                value = value[2:]
            if value[-2:] == ".*":
                value = value[:-2]
+            # print(value)
+            if value[-2:] == "\\\\":
+                value = value[:-2]
            nodeRet['args']['str']['value'] = value
            nodeRet['args']['str']['regex'] = "true"
            if notNode:
@@ -534,12 +548,6 @@ class HAWKBackend(SingleTextQueryBackend):
    def generateQuery(self, parsed, sigmaparser):
        self.sigmaparser = sigmaparser
        result = self.generateNode(parsed.parsedSearch)
-        """
-        if any("flow" in i for i in self.parsedlogsource):
-            aql_database = "flows"
-        else:
-            aql_database = "events"
-        """
        prefix = ""
        ret = '[ { "id" : "and", "key": "And", "children" : ['
        ret2 = ' ] } ]'