From 790755e753c188750761d3ef603aa7c1f4425c56 Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Tue, 30 Nov 2021 16:33:54 +0000 Subject: [PATCH 01/15] adding webserver as filter for sigma config --- tools/config/hawk.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml index 6635c076c..384d57b21 100644 --- a/tools/config/hawk.yml +++ b/tools/config/hawk.yml @@ -13,6 +13,10 @@ logsources: product_name: - 'apache*' - 'httpd*' + webserver: + category: webserver + conditions: + vendor_type: 'Webserver' cisco: product: cisco conditions: From caf47a9e3d4dc8341da597056c1ab1d39d7ea220 Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Wed, 1 Dec 2021 14:33:28 +0000 Subject: [PATCH 02/15] reducing score minus 5 for lows... will need a multitude --- tools/sigma/backends/hawk.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py index e0d846645..a9f0aa0cc 100644 --- a/tools/sigma/backends/hawk.py +++ b/tools/sigma/backends/hawk.py @@ -613,7 +613,6 @@ class HAWKBackend(SingleTextQueryBackend): except Exception as e: print("Failed to parse json: %s" % analytic_txt) raise Exception("Failed to parse json: %s" % analytic_txt) - # "rules","filter_name","actions_category_name","correlation_action","date_added","scores/53c9a74abfc386415a8b463e","enabled","public","group_name","score_id" cmt = "Sigma Rule: %s\n" % sigmaparser.parsedyaml['id'] cmt += "Author: %s\n" % sigmaparser.parsedyaml['author'] @@ -667,6 +666,6 @@ class HAWKBackend(SingleTextQueryBackend): elif self.sigmaparser.parsedyaml['level'].lower() == 'medium': record['correlation_action'] += 5.0; elif self.sigmaparser.parsedyaml['level'].lower() == 'low': - record['correlation_action'] += 2.0; + record['correlation_action'] -= 5.0; return json.dumps(record) From df315f5e08026de074c0a732adccfee004e14fa9 Mon Sep 17 00:00:00 2001 
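Review bot: The `low` branch now subtracts from `record['correlation_action']`, and nothing between this `elif` chain and the `return json.dumps(record)` that follows clamps the result, so a small base score can reach zero or go negative unless the base assigned earlier (outside the hunk) guarantees headroom; the `informational` branch added in PATCH 06 (`-= 15.0`) has the same exposure and a floor should be applied once before the return. Each branch also re-reads and re-lowers `self.sigmaparser.parsedyaml['level']` and ends in a stray `;`; hoisting `level = self.sigmaparser.parsedyaml['level'].lower()` above the chain and comparing the local would make every branch a clean one-liner. The enclosing method starts outside the hunk.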
From: Tim Shelton Date: Wed, 1 Dec 2021 15:51:22 +0000 Subject: [PATCH 03/15] enforcing snake case per hawk-analyticsd specs --- tools/sigma/backends/hawk.py | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py index a9f0aa0cc..403737c8a 100644 --- a/tools/sigma/backends/hawk.py +++ b/tools/sigma/backends/hawk.py @@ -52,7 +52,7 @@ class HAWKBackend(SingleTextQueryBackend): def cleanKey(self, key): if key == None: return "" - return self.sigmaparser.config.get_fieldmapping(key).resolve_fieldname(key, self.sigmaparser) + return self.snake_case( self.sigmaparser.config.get_fieldmapping(key).resolve_fieldname(key, self.sigmaparser) ) def cleanValue(self, value): """Remove quotes in text""" @@ -669,3 +669,14 @@ class HAWKBackend(SingleTextQueryBackend): record['correlation_action'] -= 5.0; return json.dumps(record) + + def snake_case(self, str): + res = [str[0].lower()] + for c in str[1:]: + if c in ('ABCDEFGHIJKLMNOPQRSTUVWXYZ'): + res.append('_') + res.append(c.lower()) + else: + res.append(c) + + return ''.join(res) From 621f629390a0fa04817ef28890b6dc7ee3672980 Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Wed, 1 Dec 2021 16:10:13 +0000 Subject: [PATCH 04/15] adds support for begins and ends with --- tools/sigma/backends/hawk.py | 51 +++++++++++++++++++++++++++++++++--- 1 file changed, 47 insertions(+), 4 deletions(-) diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py index 403737c8a..3f368230a 100644 --- a/tools/sigma/backends/hawk.py +++ b/tools/sigma/backends/hawk.py 
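Review bot: `snake_case` indexes `str[0]` unguarded, so an empty resolved field name raises IndexError out of `cleanKey`, which only short-circuits on `None`; add `if not str: return ""` before building `res`. The parameter name `str` shadows the builtin, and `c in ('ABCDEFGHIJKLMNOPQRSTUVWXYZ')` is a plain substring test (the parentheses do not make a tuple) — `c.isupper()` says the same thing more directly; note that a run of capitals such as `EventID` becomes `event_i_d`, which may or may not be what hawk-analyticsd expects, so confirm against its field list. Because `cleanKey` now rewrites every mapped name, a mapping target that legitimately contains capitals would be silently turned into a field that does not exist and the analytic would never match; one unit test with a mixed-case key would catch that.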
@@ -100,12 +100,21 @@ class HAWKBackend(SingleTextQueryBackend): value = value[:-2] value = re.escape(value) value = value.replace("EEEESTAREEE", ".*") + endsWith = False + startsWith = False if value[0:2] == ".*": value = value[2:] + endsWith = True if value[-2:] == ".*": value = value[:-2] - nodeRet['args']['str']['value'] = value - # return json.dumps(nodeRet) + startsWith = True + + if endsWith: + nodeRet['args']['str']['value'] = value + "$" + elif startsWith: + nodeRet['args']['str']['value'] = "^" + value + else: + nodeRet['args']['str']['value'] = value return nodeRet elif type(node) == list: return self.generateListNode(node, notNode) @@ -183,17 +192,28 @@ class HAWKBackend(SingleTextQueryBackend): value = value.replace("*", "EEEESTAREEE") value = re.escape(value) value = value.replace("EEEESTAREEE", ".*") + endsWith = False + startsWith = False if value[0:2] == ".*": value = value[2:] + endsWith = True if value[-2:] == ".*": value = value[:-2] + startsWith = True if notNode: nodeRet["args"]["comparison"]["value"] = "!=" else: nodeRet['args']['comparison']['value'] = "=" if value[-2:] == "\\\\": value = value[:-2] - nodeRet['args']['str']['value'] = value + + if endsWith: + nodeRet['args']['str']['value'] = value + "$" + elif startsWith: + nodeRet['args']['str']['value'] = "^" + value + else: + nodeRet['args']['str']['value'] = value + nodeRet['args']['str']['regex'] = "true" # return "%s regex %s" % (self.cleanKey(key), self.generateValueNode(value, True)) #return json.dumps(nodeRet) 
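Review bot: The first hunk (`@@ -100`) writes `value + "$"` / `"^" + value` into `nodeRet['args']['str']['value']` but, unlike the second hunk, does not set `nodeRet['args']['str']['regex'] = "true"` anywhere in view; if that code path does not mark the value as a regex above the hunk, the anchors are matched as literal characters and a begins/ends-with rule silently stops matching. Either add the same `regex` flag there or confirm it is already set earlier in the method, which starts outside the hunk. In both hunks, when a leading and a trailing `.*` are both stripped the `if endsWith:` branch wins, so a contains pattern is emitted as an ends-with match; the two flags need to be combined rather than tested in order.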
@@ -268,14 +288,25 @@ class HAWKBackend(SingleTextQueryBackend): item = item.replace("*", "EEEESTAREEE") item = re.escape(item) item = item.replace("EEEESTAREEE", ".*") + endsWith = False + startsWith = False if item[:2] == ".*": item = item[2:] + endsWith = True if item[-2:] == ".*": item = item[:-2] + startsWith = True if item[-2:] == "\\\\": item = item[:-2] - nodeRet['args']['str']['value'] = item + + if endsWith: + nodeRet['args']['str']['value'] = item + "$" + elif startsWith: + nodeRet['args']['str']['value'] = "^" + item + else: + nodeRet['args']['str']['value'] = item nodeRet['args']['str']['regex'] = "true" + if notNode: nodeRet["args"]["comparison"]["value"] = "!=" else: @@ -299,13 +330,25 @@ class HAWKBackend(SingleTextQueryBackend): value = value.replace("*", "EEEESTAREEE") value = re.escape(self.generateValueNode(value, True)) value = value.replace("EEEESTAREEE", ".*") + endsWith = False + startsWith = False if value[:2] == ".*": value = value[2:] + endsWith = True if value[-2:] == ".*": value = value[:-2] + startsWith = True # print(value) if value[-2:] == "\\\\": value = value[:-2] + + if endsWith: + nodeRet['args']['str']['value'] = value + "$" + elif startsWith: + nodeRet['args']['str']['value'] = "^" + value + else: + nodeRet['args']['str']['value'] = value + nodeRet['args']['str']['value'] = value nodeRet['args']['str']['regex'] = "true" if notNode: From e0e3e42c77a2ba3380e927749060a27d85951246 Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Wed, 1 Dec 2021 16:39:25 +0000 Subject: [PATCH 05/15] adding fix to begins/ends with feature --- tools/sigma/backends/hawk.py | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py index 3f368230a..0ec7c6782 100644 --- a/tools/sigma/backends/hawk.py +++ b/tools/sigma/backends/hawk.py 
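Review bot: In the `@@ -299` hunk the surviving line `nodeRet['args']['str']['value'] = value` immediately after the new `if endsWith / elif startsWith / else` block overwrites the anchored value, so in this method the `^`/`$` anchors are never emitted; delete that line, since the three-way assignment already covers the plain case. The `@@ -268` hunk does not carry this dead overwrite and is the shape this one should match. Both enclosing methods start outside their hunks.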
@@ -109,9 +109,9 @@ class HAWKBackend(SingleTextQueryBackend): value = value[:-2] startsWith = True - if endsWith: + if endsWith and not startsWith: nodeRet['args']['str']['value'] = value + "$" - elif startsWith: + elif startsWith and not endsWith: nodeRet['args']['str']['value'] = "^" + value else: nodeRet['args']['str']['value'] = value @@ -207,9 +207,9 @@ class HAWKBackend(SingleTextQueryBackend): if value[-2:] == "\\\\": value = value[:-2] - if endsWith: + if endsWith and not startsWith: nodeRet['args']['str']['value'] = value + "$" - elif startsWith: + elif startsWith and not endsWith: nodeRet['args']['str']['value'] = "^" + value else: nodeRet['args']['str']['value'] = value @@ -299,9 +299,9 @@ class HAWKBackend(SingleTextQueryBackend): if item[-2:] == "\\\\": item = item[:-2] - if endsWith: + if endsWith and not startsWith: nodeRet['args']['str']['value'] = item + "$" - elif startsWith: + elif startsWith and not endsWith: nodeRet['args']['str']['value'] = "^" + item else: nodeRet['args']['str']['value'] = item @@ -342,9 +342,9 @@ class HAWKBackend(SingleTextQueryBackend): if value[-2:] == "\\\\": value = value[:-2] - if endsWith: + if endsWith and not startsWith: nodeRet['args']['str']['value'] = value + "$" - elif startsWith: + elif startsWith and not endsWith: nodeRet['args']['str']['value'] = "^" + value else: nodeRet['args']['str']['value'] = value From 48f592fc41217ad64324791667220cfbd0c89486 Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Wed, 1 Dec 2021 17:25:23 +0000 Subject: [PATCH 06/15] reducing scores for informational levels and adding field translation for user --- tools/config/hawk.yml | 1 + tools/sigma/backends/hawk.py | 2 ++ 2 files changed, 3 insertions(+) diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml index 384d57b21..e07fdd009 100644 --- a/tools/config/hawk.yml +++ b/tools/config/hawk.yml @@ -448,3 +448,4 @@ fieldmappings: event_type_id: vendor_id eventtype: vendor_type destination.port: ip_dport + user: correlation_username 
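Review bot: After this fix the four hunks carry the same stripping-and-anchoring sequence differing only in the local name (`value` vs `item`), and the one-line bug fixed here had to be applied four times, which is the usual symptom. Extracting it into a helper and calling `nodeRet['args']['str']['value'] = self.anchorWildcard(value)` at each site keeps the paths in step; the helper below keeps the `\\\\` trim between the `.*` strip and the anchoring as the `@@ -207`, `@@ -299` and `@@ -342` paths do, while the `@@ -109` path trims before `re.escape`, so check its ordering before switching it over. The enclosing methods start outside the hunks.
```python
def anchorWildcard(self, value):
    """Strip a leading/trailing '.*' from an escaped pattern and anchor it.

    Leading '.*' only -> 'value$' (ends-with); trailing '.*' only -> '^value'
    (begins-with); both or neither -> value unchanged (contains / exact).
    """
    endsWith = value[:2] == ".*"
    if endsWith:
        value = value[2:]
    startsWith = value[-2:] == ".*"
    if startsWith:
        value = value[:-2]
    if value[-2:] == "\\\\":
        value = value[:-2]
    if endsWith and not startsWith:
        return value + "$"
    if startsWith and not endsWith:
        return "^" + value
    return value
```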
diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py index 0ec7c6782..0afa8fae3 100644 --- a/tools/sigma/backends/hawk.py +++ b/tools/sigma/backends/hawk.py @@ -710,6 +710,8 @@ class HAWKBackend(SingleTextQueryBackend): record['correlation_action'] += 5.0; elif self.sigmaparser.parsedyaml['level'].lower() == 'low': record['correlation_action'] -= 5.0; + elif self.sigmaparser.parsedyaml['level'].lower() == 'informational': + record['correlation_action'] -= 15.0; return json.dumps(record) From 07a0a372736118b2c6b5928d6483a21d11907df3 Mon Sep 17 00:00:00 2001 
From: phantinuss Date: Thu, 2 Dec 2021 14:30:09 +0100 Subject: [PATCH 07/15] feat: discourage the usage of 'all of them' and migrate existing rules to use the preferred method 'all of selection*' --- rules-unsupported/sysmon_process_reimaging.yml | 3 ++- rules/cloud/gworkspace/gworkspace_mfa_disabled.yml | 8 ++++---- .../process_creation/macos_gui_input_capture.yml | 4 ++-- .../win_alert_active_directory_user_control.yml | 8 ++++---- ...win_invoke_obfuscation_var_services_security.yml | 6 +++--- .../powershell_suspicious_invocation_generic.yml | 9 +++++---- ...suspicious_invocation_generic_in_contextinfo.yml | 10 +++++----- .../powershell_automated_collection.yml | 4 ++-- .../powershell_script/powershell_detect_vm_env.yml | 4 ++-- .../powershell_ntfs_ads_access.yml | 8 ++++---- ...icious_invocation_generic_in_scriptblocktext.yml | 10 +++++----- .../powershell_suspicious_recon.yml | 4 ++-- .../process_creation_coti_sqlcmd.yml | 3 ++- .../process_creation/process_creation_susp_7z.yml | 3 ++- .../process_creation_susp_winzip.yml | 3 ++- .../sysmon_long_powershell_commandline.yml | 8 ++++---- .../sysmon_susp_service_modification.yml | 3 ++- .../win_malware_conti_shadowcopy.yml | 3 ++- .../process_creation/win_susp_disable_eventlog.yml | 4 ++-- .../win_susp_powershell_parent_process.yml | 4 ++-- .../win_susp_powershell_sam_access.yml | 3 ++- tests/test_rules.py | 13 +++++++++++++ 22 files changed, 73 insertions(+), 52 deletions(-) diff --git a/rules-unsupported/sysmon_process_reimaging.yml b/rules-unsupported/sysmon_process_reimaging.yml index 3caa875e8..89530befa 100644 --- a/rules-unsupported/sysmon_process_reimaging.yml +++ b/rules-unsupported/sysmon_process_reimaging.yml @@ -18,8 +18,9 @@ references: tags: - attack.defense_evasion date: 2019/10/25 +modified: 2021/12/02 detection: - condition: all of them + condition: all of selection* falsepositives: - unknown level: high 
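Review bot: This hunk switches the condition to `all of selection*` but the detection's search identifiers are not in view, and for a rule under rules-unsupported written for `all of them` there is no guarantee they carry the `selection` prefix; if none do, the wildcard selects nothing and, depending on the backend, the rule becomes a no-op rather than an error. Confirm the identifiers above the hunk are `selection_*`, as the other files in this commit were renamed to be. The same check applies to every file here where only the `condition` line changed, e.g. macos_gui_input_capture.yml, powershell_automated_collection.yml and process_creation_susp_7z.yml.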
diff --git a/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml b/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml index 1221d88e2..26b636d99 100644 --- a/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml +++ b/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml @@ -4,7 +4,7 @@ description: Detects when multi-factor authentication (MFA) is disabled. author: Austin Songer status: experimental date: 2021/08/26 -modified: 2021/08/29 +modified: 2021/12/02 references: - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION @@ -13,14 +13,14 @@ logsource: product: google_workspace service: google_workspace.admin detection: - selection: + selection_base: eventService: admin.googleapis.com eventName: - ENFORCE_STRONG_AUTHENTICATION - ALLOW_STRONG_AUTHENTICATION - eventValue: + selection_eventValue: new_value: 'false' - condition: all of them + condition: all of selection* level: medium tags: - attack.impact diff --git a/rules/linux/macos/process_creation/macos_gui_input_capture.yml b/rules/linux/macos/process_creation/macos_gui_input_capture.yml index 99a94a524..bb18b8a3a 100644 --- a/rules/linux/macos/process_creation/macos_gui_input_capture.yml +++ b/rules/linux/macos/process_creation/macos_gui_input_capture.yml @@ -4,7 +4,7 @@ status: experimental description: Detects attempts to use system dialog prompts to capture user credentials author: remotephone, oscd.community date: 2020/10/13 -modified: 2021/11/11 +modified: 2021/12/02 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md - https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/ @@ -31,7 +31,7 @@ detection: - 'pass' - 'password' - 'unlock' - condition: all of them + condition: all of selection* falsepositives: - Legitimate administration tools and activities level: low 
diff --git a/rules/windows/builtin/win_alert_active_directory_user_control.yml b/rules/windows/builtin/win_alert_active_directory_user_control.yml index a00a6162b..aa61b3585 100644 --- a/rules/windows/builtin/win_alert_active_directory_user_control.yml +++ b/rules/windows/builtin/win_alert_active_directory_user_control.yml @@ -6,18 +6,18 @@ author: '@neu5ron' references: - https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/ date: 2017/07/30 -modified: 2021/11/27 +modified: 2021/12/02 logsource: product: windows service: security definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change' detection: - selection: + selection_base: EventID: 4704 - keywords: + selection_keywords: PrivilegeList|contains: - 'SeEnableDelegationPrivilege' - condition: all of them + condition: all of selection* falsepositives: - Unknown level: high diff --git a/rules/windows/builtin/win_invoke_obfuscation_var_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_var_services_security.yml index 8b6aec83e..45ff52bd1 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_var_services_security.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_var_services_security.yml @@ -7,7 +7,7 @@ description: Detects Obfuscated use of Environment Variables to execute PowerShe status: experimental author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2021/09/17 +modified: 2021/12/02 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24) tags: 
@@ -21,9 +21,9 @@ logsource: detection: selection_eventid: EventID: 4697 - selection: + selection_value: ServiceFileName|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' - condition: all of them + condition: all of selection* falsepositives: - Unknown level: high diff --git a/rules/windows/deprecated/powershell_suspicious_invocation_generic.yml b/rules/windows/deprecated/powershell_suspicious_invocation_generic.yml index d40dacc50..90cf7c75d 100644 --- a/rules/windows/deprecated/powershell_suspicious_invocation_generic.yml +++ b/rules/windows/deprecated/powershell_suspicious_invocation_generic.yml @@ -8,21 +8,22 @@ tags: - attack.t1086 #an old one author: Florian Roth (rule) date: 2017/03/12 +modified: 2021/12/02 logsource: product: windows service: powershell detection: - encoded: + selection_encoded: - ' -enc ' - ' -EncodedCommand ' - hidden: + selection_hidden: - ' -w hidden ' - ' -window hidden ' - ' -windowstyle hidden ' - noninteractive: + selection_noninteractive: - ' -noni ' - ' -noninteractive ' - condition: all of them + condition: all of selection* falsepositives: - Penetration tests - Very special / sneaky PowerShell scripts diff --git a/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml b/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml index 93e5ecb54..3281bd461 100644 --- a/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml +++ b/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_generic_in_contextinfo.yml 
@@ -11,25 +11,25 @@ tags: - attack.t1086 #an old one author: Florian Roth (rule) date: 2017/03/12 -modified: 2021/10/18 +modified: 2021/12/02 logsource: product: windows category: ps_module detection: - encoded: + selection_encoded: ContextInfo|contains: - ' -enc ' - ' -EncodedCommand ' - hidden: + selection_hidden: ContextInfo|contains: - ' -w hidden ' - ' -window hidden ' - ' -windowstyle hidden ' - noninteractive: + selection_noninteractive: ContextInfo|contains: - ' -noni ' - ' -noninteractive ' - condition: all of them + condition: all of selection* falsepositives: - Penetration tests - Very special / sneaky PowerShell scripts diff --git a/rules/windows/powershell/powershell_script/powershell_automated_collection.yml b/rules/windows/powershell/powershell_script/powershell_automated_collection.yml index a56e163cb..e0a718d54 100644 --- a/rules/windows/powershell/powershell_script/powershell_automated_collection.yml +++ b/rules/windows/powershell/powershell_script/powershell_automated_collection.yml @@ -3,7 +3,7 @@ id: c1dda054-d638-4c16-afc8-53e007f3fbc5 status: experimental author: frack113 date: 2021/07/28 -modified: 2021/10/16 +modified: 2021/12/02 description: Once established within a system or network, an adversary may use automated techniques for collecting internal data. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md @@ -31,7 +31,7 @@ detection: - 'Get-ChildItem' - ' -Recurse ' - ' -Include ' - condition: all of them + condition: all of selection* falsepositives: - Unknown level: medium diff --git a/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml b/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml index 42e307279..331b1d12e 100644 --- a/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml +++ b/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml 
@@ -3,7 +3,7 @@ id: d93129cd-1ee0-479f-bc03-ca6f129882e3 status: experimental author: frack113 date: 2021/08/03 -modified: 2021/10/16 +modified: 2021/12/02 description: Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md @@ -22,7 +22,7 @@ detection: ScriptBlockText|contains: - MSAcpi_ThermalZoneTemperature - Win32_ComputerSystem - condition: all of them + condition: all of selection* falsepositives: - Unknown level: medium diff --git a/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml b/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml index f298d3d4d..7ba724b77 100644 --- a/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml +++ b/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml @@ -14,20 +14,20 @@ tags: - attack.t1086 # an old one author: Sami Ruohonen date: 2018/07/24 -modified: 2021/10/16 +modified: 2021/12/02 logsource: product: windows category: ps_script definition: Script block logging must be enabled detection: - content: + selection_content: ScriptBlockText|contains: - "set-content" - "add-content" - stream: + selection_stream: ScriptBlockText|contains: - "-stream" - condition: all of them + condition: all of selection* falsepositives: - unknown level: high diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml index 94529b393..2c106649e 100644 --- a/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml 
+++ b/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_generic_in_scriptblocktext.yml @@ -11,25 +11,25 @@ tags: - attack.t1086 #an old one author: Florian Roth (rule) date: 2017/03/12 -modified: 2021/10/18 +modified: 2021/12/02 logsource: product: windows category: ps_script detection: - encoded: + selection_encoded: ScriptBlockText|contains: - ' -enc ' - ' -EncodedCommand ' - hidden: + selection_hidden: ScriptBlockText|contains: - ' -w hidden ' - ' -window hidden ' - ' -windowstyle hidden ' - noninteractive: + selection_noninteractive: ScriptBlockText|contains: - ' -noni ' - ' -noninteractive ' - condition: all of them + condition: all of selection* falsepositives: - Penetration tests - Very special / sneaky PowerShell scripts diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_recon.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_recon.yml index d7468b444..f22cc23ac 100644 --- a/rules/windows/powershell/powershell_script/powershell_suspicious_recon.yml +++ b/rules/windows/powershell/powershell_script/powershell_suspicious_recon.yml @@ -3,7 +3,7 @@ id: a9723fcc-881c-424c-8709-fd61442ab3c3 status: experimental author: frack113 date: 2021/07/30 -modified: 2021/10/16 +modified: 2021/12/02 description: Once established within a system or network, an adversary may use automated techniques for collecting internal data references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md @@ -22,7 +22,7 @@ detection: - 'Get-Process ' selection_redirect: ScriptBlockText|contains: '> $env:TEMP\' - condition: all of them + condition: all of selection* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/process_creation_coti_sqlcmd.yml b/rules/windows/process_creation/process_creation_coti_sqlcmd.yml index 2e18a0f15..51f19e6c2 100644 --- a/rules/windows/process_creation/process_creation_coti_sqlcmd.yml 
+++ b/rules/windows/process_creation/process_creation_coti_sqlcmd.yml @@ -3,6 +3,7 @@ id: 2f47f1fd-0901-466e-a770-3b7092834a1b status: experimental author: frack113 date: 2021/08/16 +modified: 2021/12/02 description: Detects a command used by conti to dump database references: - https://twitter.com/vxunderground/status/1423336151860002816?s=20 #the leak info not the files itself @@ -26,7 +27,7 @@ detection: - 'sys.sysprocesses' - 'master.dbo.sysdatabases' - 'BACKUP DATABASE' - condition: all of them + condition: all of selection* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/process_creation_susp_7z.yml b/rules/windows/process_creation/process_creation_susp_7z.yml index 8a852dc02..db3093432 100644 --- a/rules/windows/process_creation/process_creation_susp_7z.yml +++ b/rules/windows/process_creation/process_creation_susp_7z.yml @@ -3,6 +3,7 @@ id: 9fbf5927-5261-4284-a71d-f681029ea574 status: experimental author: frack113 date: 2021/07/27 +modified: 2021/12/02 description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md @@ -23,7 +24,7 @@ detection: CommandLine|contains: - ' a ' - ' u ' - condition: all of them + condition: all of selection* falsepositives: - Command line parameter combinations that contain all included strings level: medium diff --git a/rules/windows/process_creation/process_creation_susp_winzip.yml b/rules/windows/process_creation/process_creation_susp_winzip.yml index 2e668c63e..28b69faf7 100644 --- a/rules/windows/process_creation/process_creation_susp_winzip.yml +++ b/rules/windows/process_creation/process_creation_susp_winzip.yml 
@@ -3,6 +3,7 @@ id: e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d status: experimental author: frack113 date: 2021/07/27 +modified: 2021/12/02 description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md @@ -24,7 +25,7 @@ detection: CommandLine|contains: - ' -min ' - ' -a ' - condition: all of them + condition: all of selection* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/sysmon_long_powershell_commandline.yml b/rules/windows/process_creation/sysmon_long_powershell_commandline.yml index 52ffcbc05..6879195ee 100644 --- a/rules/windows/process_creation/sysmon_long_powershell_commandline.yml +++ b/rules/windows/process_creation/sysmon_long_powershell_commandline.yml @@ -9,20 +9,20 @@ tags: status: experimental author: oscd.community, Natalia Shornikova date: 2020/10/06 -modified: 2021/05/21 +modified: 2021/12/02 logsource: category: process_creation product: windows detection: - Powershell_selection: + selection_powershell: - CommandLine|contains: - 'powershell' - 'pwsh' - Description: 'Windows Powershell' - Product: 'PowerShell Core 6' - Length_selection: + selection_length: CommandLine|re: '.{1000,}' - condition: all of them + condition: all of selection* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/sysmon_susp_service_modification.yml b/rules/windows/process_creation/sysmon_susp_service_modification.yml index 7d54f7690..dbc592b76 100644 --- a/rules/windows/process_creation/sysmon_susp_service_modification.yml +++ b/rules/windows/process_creation/sysmon_susp_service_modification.yml 
@@ -3,6 +3,7 @@ id: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b status: experimental author: frack113 date: 2021/07/07 +modified: 2021/12/02 description: Adversaries may disable security tools to avoid possible detection of their tools and activities by stopping antivirus service references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md @@ -23,7 +24,7 @@ detection: - ' Trend Micro Deep Security Manager' - ' TMBMServer' # Feel free to add more service name - condition: all of them + condition: all of selection* fields: - ComputerName - User diff --git a/rules/windows/process_creation/win_malware_conti_shadowcopy.yml b/rules/windows/process_creation/win_malware_conti_shadowcopy.yml index 9c07e2c02..4d3de67a2 100644 --- a/rules/windows/process_creation/win_malware_conti_shadowcopy.yml +++ b/rules/windows/process_creation/win_malware_conti_shadowcopy.yml @@ -3,6 +3,7 @@ id: f57f8d16-1f39-4dcb-a604-6c73d9b54b3d description: Detects a command used by conti to access volume shadow backups author: Max Altgelt, Tobias Michalski date: 2021/08/09 +modified: 2021/12/02 status: experimental references: - https://twitter.com/vxunderground/status/1423336151860002816?s=20 @@ -19,7 +20,7 @@ detection: - '\\SYSTEM' - '\\SECURITY' - 'C:\\tmp\\log' - condition: all of them + condition: all of selection* falsepositives: - Some rare backup scenarios level: medium diff --git a/rules/windows/process_creation/win_susp_disable_eventlog.yml b/rules/windows/process_creation/win_susp_disable_eventlog.yml index edbdd25fb..664d3d691 100644 --- a/rules/windows/process_creation/win_susp_disable_eventlog.yml +++ b/rules/windows/process_creation/win_susp_disable_eventlog.yml @@ -11,7 +11,7 @@ tags: - attack.t1070.001 author: Florian Roth date: 2021/02/11 -modified: 2021/06/21 +modified: 2021/12/02 logsource: category: process_creation product: windows 
@@ -26,7 +26,7 @@ detection: selection_service: CommandLine|contains: - EventLog-System - condition: all of them + condition: all of selection* falsepositives: - Legitimate deactivation by administrative staff - Installer tools that disable services, e.g. before log collection agent installation diff --git a/rules/windows/process_creation/win_susp_powershell_parent_process.yml b/rules/windows/process_creation/win_susp_powershell_parent_process.yml index 020307ac0..f42ec99fc 100644 --- a/rules/windows/process_creation/win_susp_powershell_parent_process.yml +++ b/rules/windows/process_creation/win_susp_powershell_parent_process.yml @@ -6,7 +6,7 @@ author: Teymur Kheirkhabarov, Harish Segar (rule) references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26 date: 2020/03/20 -modified: 2021/11/27 +modified: 2021/12/02 logsource: category: process_creation product: windows @@ -50,7 +50,7 @@ detection: - "pwsh" - Description: "Windows PowerShell" - Product: "PowerShell Core 6" - condition: all of them + condition: all of selection* falsepositives: - Other scripts level: high diff --git a/rules/windows/process_creation/win_susp_powershell_sam_access.yml b/rules/windows/process_creation/win_susp_powershell_sam_access.yml index 2b0b1ccd7..830281b0b 100644 --- a/rules/windows/process_creation/win_susp_powershell_sam_access.yml +++ b/rules/windows/process_creation/win_susp_powershell_sam_access.yml @@ -6,6 +6,7 @@ references: - https://twitter.com/splinter_code/status/1420546784250769408 author: Florian Roth date: 2021/07/29 +modified: 2021/12/02 tags: - attack.credential_access - attack.t1003.002 @@ -24,7 +25,7 @@ detection: - 'cpi $_.' - 'copy $_.' - '.File]::Copy(' - condition: all of them + condition: all of selection* falsepositives: - Some rare backup scenarios - PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs diff --git a/tests/test_rules.py b/tests/test_rules.py index bae8bd869..be340f84d 100755 --- a/tests/test_rules.py 
+++ b/tests/test_rules.py @@ -184,6 +184,19 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_detections, [], Fore.RED + "There are rules using '1/all of them' style conditions but only have one condition") + def test_all_of_them_condition(self): + faulty_detections = [] + + for file in self.yield_next_rule_file_path(self.path_to_rules): + yaml = self.get_rule_yaml(file_path = file) + detection = self.get_rule_part(file_path = file, part_name = "detection") + + if "all of them" in detection["condition"]: + faulty_detections.append(file) + + self.assertEqual(faulty_detections, [], Fore.RED + + "There are rules using 'all of them'. Better use e.g. 'all of selection*' instead (and use the 'selection_' prefix as search-identifier).") + def test_duplicate_detections(self): def compare_detections(detection1:dict, detection2:dict) -> bool: From a38f98a3beeebd7805624b10ccae46e0665e2a5d Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Thu, 2 Dec 2021 20:35:25 +0000 Subject: [PATCH 08/15] adding translation of provider_name to channel --- tools/config/hawk.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml index e07fdd009..583e4421c 100644 --- a/tools/config/hawk.yml +++ b/tools/config/hawk.yml @@ -449,3 +449,4 @@ fieldmappings: eventtype: vendor_type destination.port: ip_dport user: correlation_username + Provider_Name: channel From 4dbf10017d19bdc5f49a30e16ddf4607d5b48cdc Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 3 Dec 2021 17:31:59 +0100 Subject: [PATCH 09/15] Add FP on new windows 10 VM --- rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml | 5 +++-- .../windows/process_access/sysmon_cred_dump_lsass_access.yml | 5 ++++- rules/windows/process_access/win_susp_proc_access_lsass.yml | 3 ++- rules/windows/process_creation/win_susp_svchost.yml | 3 ++- 4 files changed, 11 insertions(+), 5 deletions(-) 
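Review bot: `test_all_of_them_condition` assumes `detection["condition"]` is a string; Sigma also allows a list of condition strings, in which case `"all of them" in detection["condition"]` becomes an element test and silently passes, and a rule with no `condition` key raises KeyError instead of being reported. The local `yaml = self.get_rule_yaml(file_path = file)` is never used and can be dropped. The test also only bans the phrase — it does not check that a rule using `all of selection*` actually has an identifier beginning with `selection`, which is the failure mode the migrations in this commit can introduce; a follow-up assertion over the detection keys would close that gap.
```python
for file in self.yield_next_rule_file_path(self.path_to_rules):
    detection = self.get_rule_part(file_path = file, part_name = "detection")
    condition = detection.get("condition", "")
    if isinstance(condition, list):
        condition = " ".join(condition)
    if "all of them" in condition:
        faulty_detections.append(file)
# … unchanged: assertEqual with the Fore.RED message …
```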
diff --git a/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml b/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml index ff948cfcf..af89c15f0 100644 --- a/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml +++ b/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml @@ -3,7 +3,7 @@ id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784 description: Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it. status: experimental date: 2020/10/20 -modified: 2021/11/25 +modified: 2021/12/03 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.credential_access @@ -32,7 +32,8 @@ detection: - 'C:\Users\\*\AppData\Local\Microsoft\OneDrive\\*\Microsoft.SharePoint.exe' - 'C:\Program Files (x86)\' - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe' - - Image|endswith: '\opera_autoupdate.exe' + - 'C:\Users\\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe' + - Image|endswith: '\opera_autoupdate.exe' condition: selection and not filter falsepositives: - other legitimate processes loading those DLLs in your environment. diff --git a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml index c4936c79b..08fd0add2 100755 --- a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml +++ b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml 
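Review bot: The new `C:\Users\\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe` exclusion sits under a per-user writable directory, so the filter exempts any image at that path rather than the vendor's binary; that is consistent with the existing `Microsoft.SharePoint.exe` entry but widens the blind spot further. If the image-load events in your pipeline carry Sysmon's `Signed`/`Signature` fields, pairing the AppData entries with a signer condition keeps the false-positive fix without trusting the path alone. The field the plain list items apply to is above the hunk; this assumes they are an `Image` prefix list alongside the `Image|endswith` item that follows.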
@@ -5,7 +5,7 @@ description: Detects process access LSASS memory which is typical for credential author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update) date: 2017/02/16 -modified: 2021/12/02 +modified: 2021/12/03 references: - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html @@ -82,6 +82,9 @@ detection: GrantedAccess: - '0x1410' - '0x410' + filter_edge: # version in path 96.0.1054.43 + SourceImage|startswith: C:\Program Files (x86)\Microsoft\Edge\Application\ + SourceImage|endswith: \Installer\setup.exe # Old - too broad filter # SourceImage|endswith: # easy to bypass. need to implement supportive rule to detect bypass attempts # - '\wmiprvse.exe' diff --git a/rules/windows/process_access/win_susp_proc_access_lsass.yml b/rules/windows/process_access/win_susp_proc_access_lsass.yml index a6cbf5ca6..ffcf71b56 100644 --- a/rules/windows/process_access/win_susp_proc_access_lsass.yml +++ b/rules/windows/process_access/win_susp_proc_access_lsass.yml @@ -7,7 +7,7 @@ status: experimental description: Detects process access to LSASS memory with suspicious access flags author: Florian Roth date: 2021/11/22 -modified: 2021/11/30 +modified: 2021/12/03 references: - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow 
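Review bot: `filter_edge` is appended to `detection`, but the `condition` line that must reference it lies outside this hunk, so it cannot be confirmed from here that the new selection is applied; if the condition names filters explicitly (as `sysmon_alternate_powershell_hosts_pipe.yml` in this same series does with `not filter1 and not filter2`) instead of using a `1 of filter*` glob, the exclusion is dead and the FP remains. The two new values are unquoted plain scalars while the sibling entries in this rule are quoted (`'0x1410'`); writing them as `SourceImage|startswith: 'C:\Program Files (x86)\Microsoft\Edge\Application\'` and `SourceImage|endswith: '\Installer\setup.exe'` keeps the file's style uniform. The inline `# version in path 96.0.1054.43` is useful; it would read better as the stated reason the version directory is skipped, e.g. `# versioned directory between the two anchors, e.g. 96.0.1054.43`.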
@@ -59,6 +59,7 @@ detection: - 'C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe' - 'C:\WINDOWS\system32\taskhostw.exe' - 'C:\Users\\*\AppData\Local\Programs\Microsoft VS Code\Code.exe' + - 'C:\Program Files\Windows Defender\MsMpEng.exe' # Windows Defender filter2: SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\' diff --git a/rules/windows/process_creation/win_susp_svchost.yml b/rules/windows/process_creation/win_susp_svchost.yml index 12f3a7989..af0cdb025 100644 --- a/rules/windows/process_creation/win_susp_svchost.yml +++ b/rules/windows/process_creation/win_susp_svchost.yml @@ -8,7 +8,7 @@ tags: - attack.t1036 # an old one author: Florian Roth date: 2017/08/15 -modified: 2021/11/26 +modified: 2021/12/03 logsource: category: process_creation product: windows @@ -23,6 +23,7 @@ detection: - '\rpcnet.exe' - '\svchost.exe' - '\ngen.exe' + - '\TiWorker.exe' filter_null: ParentImage: null condition: selection and not filter and not filter_null From 0dea125a827be687acb7d33c6096e7962c0bffce Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Fri, 3 Dec 2021 16:53:20 +0000 Subject: [PATCH 10/15] Adding filter for calls using \WINDOWS\System32\sdiagnhost.exe, used rule 867613fb-fa60-4497-a017-a82df74a172c as filter reference --- .../pipe_created/sysmon_alternate_powershell_hosts_pipe.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml index aff2804f7..7bfba45ee 100644 --- a/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml +++ b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml @@ -6,7 +6,7 @@ author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html date: 2019/09/12 -modified: 2021/11/27 +modified: 2021/12/03 logsource: product: windows category: pipe_created 
@@ -17,6 +17,7 @@ detection: Image|endswith: - '\powershell.exe' - '\powershell_ise.exe' + - '\WINDOWS\System32\sdiagnhost.exe' filter2: Image: condition: selection and not filter1 and not filter2 From 2707122de8057c9120bb045b6a4a9c17e87176ba Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 3 Dec 2021 18:24:33 +0100 Subject: [PATCH 11/15] fix FP mscorsvw.exe --- .../image_load_wsman_provider_image_load.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/rules/windows/image_load/image_load_wsman_provider_image_load.yml b/rules/windows/image_load/image_load_wsman_provider_image_load.yml index 30ac5364c..c337292d7 100644 --- a/rules/windows/image_load/image_load_wsman_provider_image_load.yml +++ b/rules/windows/image_load/image_load_wsman_provider_image_load.yml @@ -28,7 +28,10 @@ detection: - WsmSvc.dll - WSMANAUTOMATION.DLL - Microsoft.WSMan.Management.dll - filter: + respond_server: + Image|endswith: '\svchost.exe' + OriginalFileName: 'WsmWmiPl.dll' + filter_general: Image|endswith: - '\powershell.exe' - 'C:\Windows\System32\sdiagnhost.exe' @@ -36,10 +39,10 @@ detection: CommandLine|contains: - 'svchost.exe -k netsvcs -p -s BITS' - 'svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc' - respond_server: - Image|endswith: '\svchost.exe' - OriginalFileName: 'WsmWmiPl.dll' - condition: ( request_client or respond_server ) and not filter and not filter_svchost + filter_mscorsvw: #Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe + Image|startswith: C:\Windows\Microsoft.NET\Framework64\ + Image|endswith: \mscorsvw.exe + condition: ( request_client or respond_server ) and not all of filter_* falsepositives: - Unknown level: medium From 47653faa71b4959d7a9d0a2a737080180a982628 Mon Sep 17 00:00:00 2001 
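Review bot: The new `'\WINDOWS\System32\sdiagnhost.exe'` entry carries a directory prefix while the neighbouring `Image|endswith` values are bare file names, so the list now mixes two conventions; because `endswith` is a suffix match the longer form is the stricter one, which is fine, but the provenance given in the commit subject should live in the rule. Add a trailing comment such as `# legitimate PowerShell host, filter taken from rule 867613fb-fa60-4497-a017-a82df74a172c` so the exclusion can be traced later. The enclosing filter key is outside the hunk; its name is only inferred from the unchanged `condition` line.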
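Review bot: In the second hunk of image_load_wsman_provider_image_load.yml the new `condition: ( request_client or respond_server ) and not all of filter_*` only excludes an event that matches every `filter_` selection at once; `filter_general` and the new `filter_mscorsvw` pin `Image` to different values, so no single event can satisfy both and the false-positive filters stop taking effect entirely. The intended semantics is `and not 1 of filter_*`. Separately, `Image|startswith: C:\Windows\Microsoft.NET\Framework64\` covers only the 64-bit CLR; if the 32-bit `Framework\` copy of mscorsvw.exe produces the same image loads, either a second filter or a looser anchor such as `Image|contains: '\Microsoft.NET\Framework'` would be needed — not verifiable from this hunk. `filter_svchost` is only partly visible here.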
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 3 Dec 2021 18:25:55 +0100 Subject: [PATCH 12/15] update modified --- .../windows/image_load/image_load_wsman_provider_image_load.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/image_load/image_load_wsman_provider_image_load.yml b/rules/windows/image_load/image_load_wsman_provider_image_load.yml index c337292d7..ccf2a3e89 100644 --- a/rules/windows/image_load/image_load_wsman_provider_image_load.yml +++ b/rules/windows/image_load/image_load_wsman_provider_image_load.yml @@ -3,7 +3,7 @@ id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94 description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution. status: experimental date: 2020/06/24 -modified: 2021/11/27 +modified: 2021/12/03 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.execution From 18d35e6477927f331b44a5e290173fe227e06833 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 4 Dec 2021 08:12:23 +0100 Subject: [PATCH 13/15] Use 1 of filter --- .../windows/image_load/image_load_wsman_provider_image_load.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/image_load/image_load_wsman_provider_image_load.yml b/rules/windows/image_load/image_load_wsman_provider_image_load.yml index ccf2a3e89..68b638a4c 100644 --- a/rules/windows/image_load/image_load_wsman_provider_image_load.yml +++ b/rules/windows/image_load/image_load_wsman_provider_image_load.yml @@ -42,7 +42,7 @@ detection: filter_mscorsvw: #Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe Image|startswith: C:\Windows\Microsoft.NET\Framework64\ Image|endswith: \mscorsvw.exe - condition: ( request_client or respond_server ) and not all of filter_* + condition: ( request_client or respond_server ) and not 1 of filter* falsepositives: - Unknown level: medium 
From e215f4606b72c2dff332475d1034fa506ed83804 Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 4 Dec 2021 10:07:07 +0100 Subject: [PATCH 14/15] Order rules --- rules/windows/builtin/{ => application}/win_audit_cve.yml | 0 .../builtin/{ => application}/win_av_relevant_match.yml | 0 .../win_software_atera_rmm_agent_install.yml | 0 .../builtin/{ => application}/win_susp_backup_delete.yml | 0 .../builtin/{ => application}/win_susp_msmpeng_crash.yml | 0 .../builtin/{ => application}/win_vul_cve_2020_0688.yml | 0 .../builtin/{ => application}/win_vul_cve_2021_41379.yml | 0 .../win_aadhealth_mon_agent_regkey_access.yml | 0 .../win_aadhealth_svc_agent_regkey_access.yml | 0 .../{ => security}/win_account_backdoor_dcsync_rights.yml | 0 .../builtin/{ => security}/win_account_discovery.yml | 0 .../{ => security}/win_ad_object_writedac_access.yml | 0 .../win_ad_replication_non_machine_account.yml | 0 .../builtin/{ => security}/win_ad_user_enumeration.yml | 0 ...cs_certificate_template_configuration_vulnerability.yml | 0 ...ertificate_template_configuration_vulnerability_eku.yml | 0 .../windows/builtin/{ => security}/win_admin_rdp_login.yml | 0 .../builtin/{ => security}/win_admin_share_access.yml | 0 .../win_alert_active_directory_user_control.yml | 0 .../builtin/{ => security}/win_alert_ad_user_backdoors.yml | 0 .../{ => security}/win_alert_enable_weak_encryption.yml | 0 rules/windows/builtin/{ => security}/win_alert_ruler.yml | 0 .../{ => security}/win_apt_chafer_mar18_security.yml | 0 rules/windows/builtin/{ => security}/win_apt_slingshot.yml | 0 rules/windows/builtin/{ => security}/win_apt_wocao.yml | 0 .../win_arbitrary_shell_execution_via_settingcontent.yml | 0 .../{ => security}/win_asr_bypass_via_appvlp_re.yml | 0 rules/windows/builtin/{ => security}/win_atsvc_task.yml | 0 .../{ => security}/win_camera_microphone_access.yml | 0 .../{ => security}/win_dce_rpc_smb_spoolss_named_pipe.yml | 0 .../{ => security}/win_dcom_iertutil_dll_hijack.yml | 0 rules/windows/builtin/{ => 
security}/win_dcsync.yml | 0 .../{other => builtin/security}/win_defender_bypass.yml | 0 .../builtin/{ => security}/win_disable_event_logging.yml | 0 .../win_dpapi_domain_backupkey_extraction.yml | 0 .../win_dpapi_domain_masterkey_backup_attempt.yml | 0 .../builtin/{ => security}/win_etw_modification.yml | 0 .../builtin/{ => security}/win_event_log_cleared.yml | 0 .../win_exploit_cve_2021_1675_printspooler_security.yml | 0 .../windows/builtin/{ => security}/win_external_device.yml | 0 .../{ => security}/win_global_catalog_enumeration.yml | 0 .../builtin/{ => security}/win_gpo_scheduledtasks.yml | 0 .../builtin/{ => security}/win_hidden_user_creation.yml | 0 .../win_hybridconnectionmgr_svc_installation.yml | 0 .../windows/builtin/{ => security}/win_impacket_psexec.yml | 0 .../builtin/{ => security}/win_impacket_secretdump.yml | 0 .../win_invoke_obfuscation_clip_services_security.yml | 0 ...invoke_obfuscation_obfuscated_iex_services_security.yml | 0 .../win_invoke_obfuscation_stdin_services_security.yml | 0 .../win_invoke_obfuscation_var_services_security.yml | 0 ...n_invoke_obfuscation_via_compress_services_security.yml | 0 ...win_invoke_obfuscation_via_rundll_services_security.yml | 0 .../win_invoke_obfuscation_via_stdin_services_security.yml | 0 ...n_invoke_obfuscation_via_use_clip_services_security.yml | 0 ..._invoke_obfuscation_via_use_mshta_services_security.yml | 0 ...voke_obfuscation_via_use_rundll32_services_security.yml | 0 .../win_invoke_obfuscation_via_var_services_security.yml | 0 rules/windows/builtin/{ => security}/win_iso_mount.yml | 0 .../security}/win_lateral_movement_condrv.yml | 0 rules/windows/builtin/{ => security}/win_lm_namedpipe.yml | 0 .../{ => security}/win_lolbas_execution_of_nltest.yml | 0 .../{ => security}/win_lsass_access_non_system_account.yml | 0 .../windows/builtin/{ => security}/win_mal_wceaux_dll.yml | 0 .../{ => security}/win_metasploit_authentication.yml | 0 .../builtin/{ => security}/win_net_ntlm_downgrade.yml | 0 
.../win_new_or_renamed_user_account_with_dollar_sign.yml | 0 .../builtin/{ => security}/win_not_allowed_rdp_access.yml | 0 .../builtin/{ => security}/win_overpass_the_hash.yml | 0 rules/windows/builtin/{ => security}/win_pass_the_hash.yml | 0 .../windows/builtin/{ => security}/win_pass_the_hash_2.yml | 0 .../{ => security}/win_petitpotam_network_share.yml | 0 .../{ => security}/win_petitpotam_susp_tgt_request.yml | 0 .../builtin/{ => security}/win_possible_dc_shadow.yml | 0 .../builtin/{ => security}/win_privesc_cve_2020_1472.yml | 0 .../win_protected_storage_service_access.yml | 0 .../builtin/{ => security}/win_rare_schtasks_creations.yml | 0 .../{ => security}/win_rdp_bluekeep_poc_scanner.yml | 0 .../builtin/{ => security}/win_rdp_localhost_login.yml | 0 .../builtin/{ => security}/win_rdp_reverse_tunnel.yml | 0 .../win_register_new_logon_process_by_rubeus.yml | 0 .../{ => security}/win_remote_powershell_session.yml | 0 .../win_remote_registry_management_using_reg_utility.yml | 0 .../win_sam_registry_hive_handle_request.yml | 0 .../builtin/{ => security}/win_scheduled_task_deletion.yml | 0 .../{ => security}/win_scm_database_handle_failure.yml | 0 .../win_scm_database_privileged_operation.yml | 0 .../win_scrcons_remote_wmi_scripteventconsumer.yml | 0 .../win_security_cobaltstrike_service_installs.yml | 0 .../builtin/{ => security}/win_security_mal_creddumper.yml | 0 .../{ => security}/win_security_mal_service_installs.yml | 0 ...y_metasploit_or_impacket_smb_psexec_service_install.yml | 0 ...terpreter_or_cobaltstrike_getsystem_service_install.yml | 0 ...win_security_powershell_script_installed_as_service.yml | 0 .../win_security_tap_driver_installation.yml | 0 .../security}/win_security_wmi_persistence.yml | 0 .../{ => security}/win_smb_file_creation_admin_shares.yml | 0 .../builtin/{ => security}/win_susp_add_domain_trust.yml | 0 .../builtin/{ => security}/win_susp_add_sid_history.yml | 0 .../win_susp_codeintegrity_check_failure.yml | 0 .../{ => 
security}/win_susp_dsrm_password_change.yml | 0 .../builtin/{ => security}/win_susp_eventlog_cleared.yml | 0 .../{ => security}/win_susp_failed_logon_reasons.yml | 0 .../{ => security}/win_susp_failed_logon_source.yml | 0 .../win_susp_failed_logons_explicit_credentials.yml | 0 .../win_susp_failed_logons_single_process.yml | 0 .../win_susp_failed_logons_single_source.yml | 0 .../win_susp_failed_logons_single_source2.yml | 0 .../win_susp_failed_logons_single_source_kerberos.yml | 0 .../win_susp_failed_logons_single_source_kerberos2.yml | 0 .../win_susp_failed_logons_single_source_kerberos3.yml | 0 .../win_susp_failed_logons_single_source_ntlm.yml | 0 .../win_susp_failed_logons_single_source_ntlm2.yml | 0 .../win_susp_failed_remote_logons_single_source.yml | 0 .../builtin/{ => security}/win_susp_interactive_logons.yml | 0 .../{ => security}/win_susp_kerberos_manipulation.yml | 0 .../builtin/{ => security}/win_susp_ldap_dataexchange.yml | 0 .../{ => security}/win_susp_local_anon_logon_created.yml | 0 .../{ => security}/win_susp_logon_explicit_credentials.yml | 0 .../windows/builtin/{ => security}/win_susp_lsass_dump.yml | 0 .../builtin/{ => security}/win_susp_lsass_dump_generic.yml | 0 .../win_susp_multiple_files_renamed_or_deleted.yml | 0 .../builtin/{ => security}/win_susp_net_recon_activity.yml | 0 rules/windows/builtin/{ => security}/win_susp_psexec.yml | 0 .../{ => security}/win_susp_raccess_sensitive_fext.yml | 0 .../builtin/{ => security}/win_susp_rc4_kerberos.yml | 0 .../builtin/{ => security}/win_susp_rottenpotato.yml | 0 .../windows/builtin/{ => security}/win_susp_samr_pwset.yml | 0 rules/windows/builtin/{ => security}/win_susp_sdelete.yml | 0 .../builtin/{ => security}/win_susp_time_modification.yml | 0 .../windows/builtin/{ => security}/win_susp_wmi_login.yml | 0 .../win_suspicious_outbound_kerberos_connection.yml | 0 .../builtin/{ => security}/win_svcctl_remote_service.yml | 0 .../builtin/{ => security}/win_syskey_registry_access.yml | 0 
.../win_sysmon_channel_reference_deletion.yml | 0 ...rring_files_with_credential_data_via_network_shares.yml | 0 .../win_user_added_to_local_administrators.yml | 0 ...dnt_call_privileged_service_lsaregisterlogonprocess.yml | 0 rules/windows/builtin/{ => security}/win_user_creation.yml | 0 .../builtin/{ => security}/win_user_driver_loaded.yml | 0 .../win_vssaudit_secevent_source_registration.yml | 0 .../{ => security}/win_wmiprvse_wbemcomn_dll_hijack.yml | 0 .../builtin/{ => system}/win_apt_carbonpaper_turla.yml | 0 .../builtin/{ => system}/win_apt_chafer_mar18_system.yml | 0 rules/windows/builtin/{ => system}/win_apt_stonedrill.yml | 0 .../builtin/{ => system}/win_apt_turla_service_png.yml | 0 .../{ => system}/win_cobaltstrike_service_installs.yml | 0 rules/windows/builtin/{ => system}/win_hack_smbexec.yml | 0 .../{ => system}/win_invoke_obfuscation_clip_services.yml | 0 .../win_invoke_obfuscation_obfuscated_iex_services.yml | 0 .../{ => system}/win_invoke_obfuscation_stdin_services.yml | 0 .../{ => system}/win_invoke_obfuscation_var_services.yml | 0 .../win_invoke_obfuscation_via_compress_services.yml | 0 .../win_invoke_obfuscation_via_rundll_services.yml | 0 .../win_invoke_obfuscation_via_stdin_services.yml | 0 .../win_invoke_obfuscation_via_use_clip_services.yml | 0 .../win_invoke_obfuscation_via_use_mshta_services.yml | 0 .../win_invoke_obfuscation_via_use_rundll32_services.yml | 0 .../win_invoke_obfuscation_via_var_services.yml | 0 rules/windows/builtin/{ => system}/win_mal_creddumper.yml | 0 ...eter_or_cobaltstrike_getsystem_service_installation.yml | 0 rules/windows/builtin/{ => system}/win_moriya_rootkit.yml | 0 .../windows/builtin/{ => system}/win_ntfs_vuln_exploit.yml | 0 .../windows/{other => builtin/system}/win_pcap_drivers.yml | 0 ...ssible_zerologon_exploitation_using_wellknown_tools.yml | 0 .../win_powershell_script_installed_as_service.yml | 0 .../win_quarkspwdump_clearing_hive_access_history.yml | 0 .../builtin/{ => 
system}/win_rare_service_installs.yml | 0 .../{ => system}/win_rdp_potential_cve_2019_0708.yml | 0 .../windows/builtin/{ => system}/win_susp_dhcp_config.yml | 0 .../builtin/{ => system}/win_susp_dhcp_config_failed.yml | 0 .../windows/builtin/{ => system}/win_susp_proceshacker.yml | 0 rules/windows/builtin/{ => system}/win_susp_sam_dump.yml | 0 .../system}/win_system_defender_disabled.yml | 0 .../{ => system}/win_system_susp_eventlog_cleared.yml | 0 .../builtin/{ => system}/win_tap_driver_installation.yml | 0 .../windows/{other => builtin/system}/win_tool_psexec.yml | 0 .../builtin/{ => system}/win_volume_shadow_copy_mount.yml | 0 .../windows/builtin/{ => system}/win_vul_cve_2020_1472.yml | 0 .../win_applocker_file_was_not_allowed_to_run.yml | 0 .../{builtin => other/dns_server}/win_apt_gallium.yml | 0 .../{builtin => other/dns_server}/win_susp_dns_config.yml | 0 .../driverframeworks}/win_usb_device_plugged.yml | 0 rules/windows/other/{ => ldap}/win_ldap_recon.yml | 0 .../other/{ => msexchange}/win_exchange_cve_2021_42321.yml | 0 .../win_exchange_proxylogon_oabvirtualdir.yml | 0 .../win_exchange_proxyshell_certificate_generation.yml | 0 .../win_exchange_proxyshell_mailbox_export.yml | 0 .../win_exchange_proxyshell_remove_mailbox_export.yml | 0 .../msexchange}/win_exchange_transportagent.yml | 0 .../win_exchange_transportagent_failed.yml | 0 .../win_set_oabvirtualdirectory_externalurl.yml | 0 .../windows/{builtin => other/ntlm}/win_susp_ntlm_auth.yml | 0 .../windows/{builtin => other/ntlm}/win_susp_ntlm_rdp.yml | 0 .../win_exploit_cve_2021_1675_printspooler.yml | 0 .../win_exploit_cve_2021_1675_printspooler_operational.yml | 0 .../servicebus}/win_hybridconnectionmgr_svc_running.yml | 0 .../smbclient}/win_susp_failed_guest_logon.yml | 0 .../{ => taskscheduler}/win_rare_schtask_creation.yml | 0 .../windefend}/win_alert_lsass_access.yml | 0 .../other/{ => windefend}/win_defender_amsi_trigger.yml | 0 .../other/{ => windefend}/win_defender_disabled.yml | 0 .../other/{ => 
windefend}/win_defender_exclusions.yml | 0 .../other/{ => windefend}/win_defender_history_delete.yml | 0 .../other/{ => windefend}/win_defender_psexec_wmi_asr.yml | 0 .../win_defender_tamper_protection_trigger.yml | 0 .../windows/other/{ => windefend}/win_defender_threat.yml | 0 rules/windows/other/{ => wmi}/win_wmi_persistence.yml | 0 .../powershell_script}/win_root_certificate_installed.yml | 7 +++---- .../win_mmc20_lateral_movement.yml | 0 .../win_net_use_admin_share.yml | 0 .../win_susp_mshta_execution.yml | 0 211 files changed, 3 insertions(+), 4 deletions(-) rename rules/windows/builtin/{ => application}/win_audit_cve.yml (100%) rename rules/windows/builtin/{ => application}/win_av_relevant_match.yml (100%) rename rules/windows/builtin/{ => application}/win_software_atera_rmm_agent_install.yml (100%) rename rules/windows/builtin/{ => application}/win_susp_backup_delete.yml (100%) rename rules/windows/builtin/{ => application}/win_susp_msmpeng_crash.yml (100%) rename rules/windows/builtin/{ => application}/win_vul_cve_2020_0688.yml (100%) rename rules/windows/builtin/{ => application}/win_vul_cve_2021_41379.yml (100%) rename rules/windows/builtin/{ => security}/win_aadhealth_mon_agent_regkey_access.yml (100%) rename rules/windows/builtin/{ => security}/win_aadhealth_svc_agent_regkey_access.yml (100%) rename rules/windows/builtin/{ => security}/win_account_backdoor_dcsync_rights.yml (100%) rename rules/windows/builtin/{ => security}/win_account_discovery.yml (100%) rename rules/windows/builtin/{ => security}/win_ad_object_writedac_access.yml (100%) rename rules/windows/builtin/{ => security}/win_ad_replication_non_machine_account.yml (100%) rename rules/windows/builtin/{ => security}/win_ad_user_enumeration.yml (100%) rename rules/windows/builtin/{ => security}/win_adcs_certificate_template_configuration_vulnerability.yml (100%) rename rules/windows/builtin/{ => security}/win_adcs_certificate_template_configuration_vulnerability_eku.yml (100%) rename 
rules/windows/builtin/{ => security}/win_admin_rdp_login.yml (100%) rename rules/windows/builtin/{ => security}/win_admin_share_access.yml (100%) rename rules/windows/builtin/{ => security}/win_alert_active_directory_user_control.yml (100%) rename rules/windows/builtin/{ => security}/win_alert_ad_user_backdoors.yml (100%) rename rules/windows/builtin/{ => security}/win_alert_enable_weak_encryption.yml (100%) rename rules/windows/builtin/{ => security}/win_alert_ruler.yml (100%) rename rules/windows/builtin/{ => security}/win_apt_chafer_mar18_security.yml (100%) rename rules/windows/builtin/{ => security}/win_apt_slingshot.yml (100%) rename rules/windows/builtin/{ => security}/win_apt_wocao.yml (100%) rename rules/windows/builtin/{ => security}/win_arbitrary_shell_execution_via_settingcontent.yml (100%) rename rules/windows/builtin/{ => security}/win_asr_bypass_via_appvlp_re.yml (100%) rename rules/windows/builtin/{ => security}/win_atsvc_task.yml (100%) rename rules/windows/builtin/{ => security}/win_camera_microphone_access.yml (100%) rename rules/windows/builtin/{ => security}/win_dce_rpc_smb_spoolss_named_pipe.yml (100%) rename rules/windows/builtin/{ => security}/win_dcom_iertutil_dll_hijack.yml (100%) rename rules/windows/builtin/{ => security}/win_dcsync.yml (100%) rename rules/windows/{other => builtin/security}/win_defender_bypass.yml (100%) rename rules/windows/builtin/{ => security}/win_disable_event_logging.yml (100%) rename rules/windows/builtin/{ => security}/win_dpapi_domain_backupkey_extraction.yml (100%) rename rules/windows/builtin/{ => security}/win_dpapi_domain_masterkey_backup_attempt.yml (100%) rename rules/windows/builtin/{ => security}/win_etw_modification.yml (100%) rename rules/windows/builtin/{ => security}/win_event_log_cleared.yml (100%) rename rules/windows/builtin/{ => security}/win_exploit_cve_2021_1675_printspooler_security.yml (100%) rename rules/windows/builtin/{ => security}/win_external_device.yml (100%) rename 
rules/windows/builtin/{ => security}/win_global_catalog_enumeration.yml (100%) rename rules/windows/builtin/{ => security}/win_gpo_scheduledtasks.yml (100%) rename rules/windows/builtin/{ => security}/win_hidden_user_creation.yml (100%) rename rules/windows/builtin/{ => security}/win_hybridconnectionmgr_svc_installation.yml (100%) rename rules/windows/builtin/{ => security}/win_impacket_psexec.yml (100%) rename rules/windows/builtin/{ => security}/win_impacket_secretdump.yml (100%) rename rules/windows/builtin/{ => security}/win_invoke_obfuscation_clip_services_security.yml (100%) rename rules/windows/builtin/{ => security}/win_invoke_obfuscation_obfuscated_iex_services_security.yml (100%) rename rules/windows/builtin/{ => security}/win_invoke_obfuscation_stdin_services_security.yml (100%) rename rules/windows/builtin/{ => security}/win_invoke_obfuscation_var_services_security.yml (100%) rename rules/windows/builtin/{ => security}/win_invoke_obfuscation_via_compress_services_security.yml (100%) rename rules/windows/builtin/{ => security}/win_invoke_obfuscation_via_rundll_services_security.yml (100%) rename rules/windows/builtin/{ => security}/win_invoke_obfuscation_via_stdin_services_security.yml (100%) rename rules/windows/builtin/{ => security}/win_invoke_obfuscation_via_use_clip_services_security.yml (100%) rename rules/windows/builtin/{ => security}/win_invoke_obfuscation_via_use_mshta_services_security.yml (100%) rename rules/windows/builtin/{ => security}/win_invoke_obfuscation_via_use_rundll32_services_security.yml (100%) rename rules/windows/builtin/{ => security}/win_invoke_obfuscation_via_var_services_security.yml (100%) rename rules/windows/builtin/{ => security}/win_iso_mount.yml (100%) rename rules/windows/{other => builtin/security}/win_lateral_movement_condrv.yml (100%) rename rules/windows/builtin/{ => security}/win_lm_namedpipe.yml (100%) rename rules/windows/builtin/{ => security}/win_lolbas_execution_of_nltest.yml (100%) rename 
rules/windows/builtin/{ => security}/win_lsass_access_non_system_account.yml (100%) rename rules/windows/builtin/{ => security}/win_mal_wceaux_dll.yml (100%) rename rules/windows/builtin/{ => security}/win_metasploit_authentication.yml (100%) rename rules/windows/builtin/{ => security}/win_net_ntlm_downgrade.yml (100%) rename rules/windows/builtin/{ => security}/win_new_or_renamed_user_account_with_dollar_sign.yml (100%) rename rules/windows/builtin/{ => security}/win_not_allowed_rdp_access.yml (100%) rename rules/windows/builtin/{ => security}/win_overpass_the_hash.yml (100%) rename rules/windows/builtin/{ => security}/win_pass_the_hash.yml (100%) rename rules/windows/builtin/{ => security}/win_pass_the_hash_2.yml (100%) rename rules/windows/builtin/{ => security}/win_petitpotam_network_share.yml (100%) rename rules/windows/builtin/{ => security}/win_petitpotam_susp_tgt_request.yml (100%) rename rules/windows/builtin/{ => security}/win_possible_dc_shadow.yml (100%) rename rules/windows/builtin/{ => security}/win_privesc_cve_2020_1472.yml (100%) rename rules/windows/builtin/{ => security}/win_protected_storage_service_access.yml (100%) rename rules/windows/builtin/{ => security}/win_rare_schtasks_creations.yml (100%) rename rules/windows/builtin/{ => security}/win_rdp_bluekeep_poc_scanner.yml (100%) rename rules/windows/builtin/{ => security}/win_rdp_localhost_login.yml (100%) rename rules/windows/builtin/{ => security}/win_rdp_reverse_tunnel.yml (100%) rename rules/windows/builtin/{ => security}/win_register_new_logon_process_by_rubeus.yml (100%) rename rules/windows/builtin/{ => security}/win_remote_powershell_session.yml (100%) rename rules/windows/builtin/{ => security}/win_remote_registry_management_using_reg_utility.yml (100%) rename rules/windows/builtin/{ => security}/win_sam_registry_hive_handle_request.yml (100%) rename rules/windows/builtin/{ => security}/win_scheduled_task_deletion.yml (100%) rename rules/windows/builtin/{ => 
security}/win_scm_database_handle_failure.yml (100%) rename rules/windows/builtin/{ => security}/win_scm_database_privileged_operation.yml (100%) rename rules/windows/builtin/{ => security}/win_scrcons_remote_wmi_scripteventconsumer.yml (100%) rename rules/windows/builtin/{ => security}/win_security_cobaltstrike_service_installs.yml (100%) rename rules/windows/builtin/{ => security}/win_security_mal_creddumper.yml (100%) rename rules/windows/builtin/{ => security}/win_security_mal_service_installs.yml (100%) rename rules/windows/builtin/{ => security}/win_security_metasploit_or_impacket_smb_psexec_service_install.yml (100%) rename rules/windows/builtin/{ => security}/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml (100%) rename rules/windows/builtin/{ => security}/win_security_powershell_script_installed_as_service.yml (100%) rename rules/windows/builtin/{ => security}/win_security_tap_driver_installation.yml (100%) rename rules/windows/{other => builtin/security}/win_security_wmi_persistence.yml (100%) rename rules/windows/builtin/{ => security}/win_smb_file_creation_admin_shares.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_add_domain_trust.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_add_sid_history.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_codeintegrity_check_failure.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_dsrm_password_change.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_eventlog_cleared.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_failed_logon_reasons.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_failed_logon_source.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_failed_logons_explicit_credentials.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_failed_logons_single_process.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_failed_logons_single_source.yml 
(100%) rename rules/windows/builtin/{ => security}/win_susp_failed_logons_single_source2.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_failed_logons_single_source_kerberos.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_failed_logons_single_source_kerberos2.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_failed_logons_single_source_kerberos3.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_failed_logons_single_source_ntlm.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_failed_logons_single_source_ntlm2.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_failed_remote_logons_single_source.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_interactive_logons.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_kerberos_manipulation.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_ldap_dataexchange.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_local_anon_logon_created.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_logon_explicit_credentials.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_lsass_dump.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_lsass_dump_generic.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_multiple_files_renamed_or_deleted.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_net_recon_activity.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_psexec.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_raccess_sensitive_fext.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_rc4_kerberos.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_rottenpotato.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_samr_pwset.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_sdelete.yml (100%) rename rules/windows/builtin/{ => 
security}/win_susp_time_modification.yml (100%) rename rules/windows/builtin/{ => security}/win_susp_wmi_login.yml (100%) rename rules/windows/builtin/{ => security}/win_suspicious_outbound_kerberos_connection.yml (100%) rename rules/windows/builtin/{ => security}/win_svcctl_remote_service.yml (100%) rename rules/windows/builtin/{ => security}/win_syskey_registry_access.yml (100%) rename rules/windows/builtin/{ => security}/win_sysmon_channel_reference_deletion.yml (100%) rename rules/windows/builtin/{ => security}/win_transferring_files_with_credential_data_via_network_shares.yml (100%) rename rules/windows/builtin/{ => security}/win_user_added_to_local_administrators.yml (100%) rename rules/windows/builtin/{ => security}/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml (100%) rename rules/windows/builtin/{ => security}/win_user_creation.yml (100%) rename rules/windows/builtin/{ => security}/win_user_driver_loaded.yml (100%) rename rules/windows/builtin/{ => security}/win_vssaudit_secevent_source_registration.yml (100%) rename rules/windows/builtin/{ => security}/win_wmiprvse_wbemcomn_dll_hijack.yml (100%) rename rules/windows/builtin/{ => system}/win_apt_carbonpaper_turla.yml (100%) rename rules/windows/builtin/{ => system}/win_apt_chafer_mar18_system.yml (100%) rename rules/windows/builtin/{ => system}/win_apt_stonedrill.yml (100%) rename rules/windows/builtin/{ => system}/win_apt_turla_service_png.yml (100%) rename rules/windows/builtin/{ => system}/win_cobaltstrike_service_installs.yml (100%) rename rules/windows/builtin/{ => system}/win_hack_smbexec.yml (100%) rename rules/windows/builtin/{ => system}/win_invoke_obfuscation_clip_services.yml (100%) rename rules/windows/builtin/{ => system}/win_invoke_obfuscation_obfuscated_iex_services.yml (100%) rename rules/windows/builtin/{ => system}/win_invoke_obfuscation_stdin_services.yml (100%) rename rules/windows/builtin/{ => system}/win_invoke_obfuscation_var_services.yml (100%) rename 
rules/windows/builtin/{ => system}/win_invoke_obfuscation_via_compress_services.yml (100%) rename rules/windows/builtin/{ => system}/win_invoke_obfuscation_via_rundll_services.yml (100%) rename rules/windows/builtin/{ => system}/win_invoke_obfuscation_via_stdin_services.yml (100%) rename rules/windows/builtin/{ => system}/win_invoke_obfuscation_via_use_clip_services.yml (100%) rename rules/windows/builtin/{ => system}/win_invoke_obfuscation_via_use_mshta_services.yml (100%) rename rules/windows/builtin/{ => system}/win_invoke_obfuscation_via_use_rundll32_services.yml (100%) rename rules/windows/builtin/{ => system}/win_invoke_obfuscation_via_var_services.yml (100%) rename rules/windows/builtin/{ => system}/win_mal_creddumper.yml (100%) rename rules/windows/builtin/{ => system}/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml (100%) rename rules/windows/builtin/{ => system}/win_moriya_rootkit.yml (100%) rename rules/windows/builtin/{ => system}/win_ntfs_vuln_exploit.yml (100%) rename rules/windows/{other => builtin/system}/win_pcap_drivers.yml (100%) rename rules/windows/{other => builtin/system}/win_possible_zerologon_exploitation_using_wellknown_tools.yml (100%) rename rules/windows/builtin/{ => system}/win_powershell_script_installed_as_service.yml (100%) rename rules/windows/builtin/{ => system}/win_quarkspwdump_clearing_hive_access_history.yml (100%) rename rules/windows/builtin/{ => system}/win_rare_service_installs.yml (100%) rename rules/windows/builtin/{ => system}/win_rdp_potential_cve_2019_0708.yml (100%) rename rules/windows/builtin/{ => system}/win_susp_dhcp_config.yml (100%) rename rules/windows/builtin/{ => system}/win_susp_dhcp_config_failed.yml (100%) rename rules/windows/builtin/{ => system}/win_susp_proceshacker.yml (100%) rename rules/windows/builtin/{ => system}/win_susp_sam_dump.yml (100%) rename rules/windows/{other => builtin/system}/win_system_defender_disabled.yml (100%) rename rules/windows/builtin/{ => 
system}/win_system_susp_eventlog_cleared.yml (100%) rename rules/windows/builtin/{ => system}/win_tap_driver_installation.yml (100%) rename rules/windows/{other => builtin/system}/win_tool_psexec.yml (100%) rename rules/windows/builtin/{ => system}/win_volume_shadow_copy_mount.yml (100%) rename rules/windows/builtin/{ => system}/win_vul_cve_2020_1472.yml (100%) rename rules/windows/{builtin => other/applocker}/win_applocker_file_was_not_allowed_to_run.yml (100%) rename rules/windows/{builtin => other/dns_server}/win_apt_gallium.yml (100%) rename rules/windows/{builtin => other/dns_server}/win_susp_dns_config.yml (100%) rename rules/windows/{builtin => other/driverframeworks}/win_usb_device_plugged.yml (100%) rename rules/windows/other/{ => ldap}/win_ldap_recon.yml (100%) rename rules/windows/other/{ => msexchange}/win_exchange_cve_2021_42321.yml (100%) rename rules/windows/other/{ => msexchange}/win_exchange_proxylogon_oabvirtualdir.yml (100%) rename rules/windows/other/{ => msexchange}/win_exchange_proxyshell_certificate_generation.yml (100%) rename rules/windows/other/{ => msexchange}/win_exchange_proxyshell_mailbox_export.yml (100%) rename rules/windows/other/{ => msexchange}/win_exchange_proxyshell_remove_mailbox_export.yml (100%) rename rules/windows/{builtin => other/msexchange}/win_exchange_transportagent.yml (100%) rename rules/windows/other/{ => msexchange}/win_exchange_transportagent_failed.yml (100%) rename rules/windows/{builtin => other/msexchange}/win_set_oabvirtualdirectory_externalurl.yml (100%) rename rules/windows/{builtin => other/ntlm}/win_susp_ntlm_auth.yml (100%) rename rules/windows/{builtin => other/ntlm}/win_susp_ntlm_rdp.yml (100%) rename rules/windows/{builtin => other/printservice}/win_exploit_cve_2021_1675_printspooler.yml (100%) rename rules/windows/{builtin => other/printservice}/win_exploit_cve_2021_1675_printspooler_operational.yml (100%) rename rules/windows/{builtin => other/servicebus}/win_hybridconnectionmgr_svc_running.yml 
(100%) rename rules/windows/{builtin => other/smbclient}/win_susp_failed_guest_logon.yml (100%) rename rules/windows/other/{ => taskscheduler}/win_rare_schtask_creation.yml (100%) rename rules/windows/{builtin => other/windefend}/win_alert_lsass_access.yml (100%) rename rules/windows/other/{ => windefend}/win_defender_amsi_trigger.yml (100%) rename rules/windows/other/{ => windefend}/win_defender_disabled.yml (100%) rename rules/windows/other/{ => windefend}/win_defender_exclusions.yml (100%) rename rules/windows/other/{ => windefend}/win_defender_history_delete.yml (100%) rename rules/windows/other/{ => windefend}/win_defender_psexec_wmi_asr.yml (100%) rename rules/windows/other/{ => windefend}/win_defender_tamper_protection_trigger.yml (100%) rename rules/windows/other/{ => windefend}/win_defender_threat.yml (100%) rename rules/windows/other/{ => wmi}/win_wmi_persistence.yml (100%) rename rules/windows/{builtin => powershell/powershell_script}/win_root_certificate_installed.yml (85%) rename rules/windows/{builtin => process_creation}/win_mmc20_lateral_movement.yml (100%) rename rules/windows/{builtin => process_creation}/win_net_use_admin_share.yml (100%) rename rules/windows/{builtin => process_creation}/win_susp_mshta_execution.yml (100%) diff --git a/rules/windows/builtin/win_audit_cve.yml b/rules/windows/builtin/application/win_audit_cve.yml similarity index 100% rename from rules/windows/builtin/win_audit_cve.yml rename to rules/windows/builtin/application/win_audit_cve.yml diff --git a/rules/windows/builtin/win_av_relevant_match.yml b/rules/windows/builtin/application/win_av_relevant_match.yml similarity index 100% rename from rules/windows/builtin/win_av_relevant_match.yml rename to rules/windows/builtin/application/win_av_relevant_match.yml 
diff --git a/rules/windows/builtin/win_software_atera_rmm_agent_install.yml b/rules/windows/builtin/application/win_software_atera_rmm_agent_install.yml similarity index 100% rename from rules/windows/builtin/win_software_atera_rmm_agent_install.yml rename to rules/windows/builtin/application/win_software_atera_rmm_agent_install.yml diff --git a/rules/windows/builtin/win_susp_backup_delete.yml b/rules/windows/builtin/application/win_susp_backup_delete.yml similarity index 100% rename from rules/windows/builtin/win_susp_backup_delete.yml rename to rules/windows/builtin/application/win_susp_backup_delete.yml diff --git a/rules/windows/builtin/win_susp_msmpeng_crash.yml b/rules/windows/builtin/application/win_susp_msmpeng_crash.yml similarity index 100% rename from rules/windows/builtin/win_susp_msmpeng_crash.yml rename to rules/windows/builtin/application/win_susp_msmpeng_crash.yml diff --git a/rules/windows/builtin/win_vul_cve_2020_0688.yml b/rules/windows/builtin/application/win_vul_cve_2020_0688.yml similarity index 100% rename from rules/windows/builtin/win_vul_cve_2020_0688.yml rename to rules/windows/builtin/application/win_vul_cve_2020_0688.yml diff --git a/rules/windows/builtin/win_vul_cve_2021_41379.yml b/rules/windows/builtin/application/win_vul_cve_2021_41379.yml similarity index 100% rename from rules/windows/builtin/win_vul_cve_2021_41379.yml rename to rules/windows/builtin/application/win_vul_cve_2021_41379.yml diff --git a/rules/windows/builtin/win_aadhealth_mon_agent_regkey_access.yml b/rules/windows/builtin/security/win_aadhealth_mon_agent_regkey_access.yml similarity index 100% rename from rules/windows/builtin/win_aadhealth_mon_agent_regkey_access.yml rename to rules/windows/builtin/security/win_aadhealth_mon_agent_regkey_access.yml 
diff --git a/rules/windows/builtin/win_aadhealth_svc_agent_regkey_access.yml b/rules/windows/builtin/security/win_aadhealth_svc_agent_regkey_access.yml similarity index 100% rename from rules/windows/builtin/win_aadhealth_svc_agent_regkey_access.yml rename to rules/windows/builtin/security/win_aadhealth_svc_agent_regkey_access.yml diff --git a/rules/windows/builtin/win_account_backdoor_dcsync_rights.yml b/rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml similarity index 100% rename from rules/windows/builtin/win_account_backdoor_dcsync_rights.yml rename to rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml diff --git a/rules/windows/builtin/win_account_discovery.yml b/rules/windows/builtin/security/win_account_discovery.yml similarity index 100% rename from rules/windows/builtin/win_account_discovery.yml rename to rules/windows/builtin/security/win_account_discovery.yml diff --git a/rules/windows/builtin/win_ad_object_writedac_access.yml b/rules/windows/builtin/security/win_ad_object_writedac_access.yml similarity index 100% rename from rules/windows/builtin/win_ad_object_writedac_access.yml rename to rules/windows/builtin/security/win_ad_object_writedac_access.yml diff --git a/rules/windows/builtin/win_ad_replication_non_machine_account.yml b/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml similarity index 100% rename from rules/windows/builtin/win_ad_replication_non_machine_account.yml rename to rules/windows/builtin/security/win_ad_replication_non_machine_account.yml diff --git a/rules/windows/builtin/win_ad_user_enumeration.yml b/rules/windows/builtin/security/win_ad_user_enumeration.yml similarity index 100% rename from rules/windows/builtin/win_ad_user_enumeration.yml rename to rules/windows/builtin/security/win_ad_user_enumeration.yml 
diff --git a/rules/windows/builtin/win_adcs_certificate_template_configuration_vulnerability.yml b/rules/windows/builtin/security/win_adcs_certificate_template_configuration_vulnerability.yml similarity index 100% rename from rules/windows/builtin/win_adcs_certificate_template_configuration_vulnerability.yml rename to rules/windows/builtin/security/win_adcs_certificate_template_configuration_vulnerability.yml diff --git a/rules/windows/builtin/win_adcs_certificate_template_configuration_vulnerability_eku.yml b/rules/windows/builtin/security/win_adcs_certificate_template_configuration_vulnerability_eku.yml similarity index 100% rename from rules/windows/builtin/win_adcs_certificate_template_configuration_vulnerability_eku.yml rename to rules/windows/builtin/security/win_adcs_certificate_template_configuration_vulnerability_eku.yml diff --git a/rules/windows/builtin/win_admin_rdp_login.yml b/rules/windows/builtin/security/win_admin_rdp_login.yml similarity index 100% rename from rules/windows/builtin/win_admin_rdp_login.yml rename to rules/windows/builtin/security/win_admin_rdp_login.yml diff --git a/rules/windows/builtin/win_admin_share_access.yml b/rules/windows/builtin/security/win_admin_share_access.yml similarity index 100% rename from rules/windows/builtin/win_admin_share_access.yml rename to rules/windows/builtin/security/win_admin_share_access.yml diff --git a/rules/windows/builtin/win_alert_active_directory_user_control.yml b/rules/windows/builtin/security/win_alert_active_directory_user_control.yml similarity index 100% rename from rules/windows/builtin/win_alert_active_directory_user_control.yml rename to rules/windows/builtin/security/win_alert_active_directory_user_control.yml 
diff --git a/rules/windows/builtin/win_alert_ad_user_backdoors.yml b/rules/windows/builtin/security/win_alert_ad_user_backdoors.yml similarity index 100% rename from rules/windows/builtin/win_alert_ad_user_backdoors.yml rename to rules/windows/builtin/security/win_alert_ad_user_backdoors.yml diff --git a/rules/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/security/win_alert_enable_weak_encryption.yml similarity index 100% rename from rules/windows/builtin/win_alert_enable_weak_encryption.yml rename to rules/windows/builtin/security/win_alert_enable_weak_encryption.yml diff --git a/rules/windows/builtin/win_alert_ruler.yml b/rules/windows/builtin/security/win_alert_ruler.yml similarity index 100% rename from rules/windows/builtin/win_alert_ruler.yml rename to rules/windows/builtin/security/win_alert_ruler.yml diff --git a/rules/windows/builtin/win_apt_chafer_mar18_security.yml b/rules/windows/builtin/security/win_apt_chafer_mar18_security.yml similarity index 100% rename from rules/windows/builtin/win_apt_chafer_mar18_security.yml rename to rules/windows/builtin/security/win_apt_chafer_mar18_security.yml diff --git a/rules/windows/builtin/win_apt_slingshot.yml b/rules/windows/builtin/security/win_apt_slingshot.yml similarity index 100% rename from rules/windows/builtin/win_apt_slingshot.yml rename to rules/windows/builtin/security/win_apt_slingshot.yml diff --git a/rules/windows/builtin/win_apt_wocao.yml b/rules/windows/builtin/security/win_apt_wocao.yml similarity index 100% rename from rules/windows/builtin/win_apt_wocao.yml rename to rules/windows/builtin/security/win_apt_wocao.yml 
diff --git a/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml b/rules/windows/builtin/security/win_arbitrary_shell_execution_via_settingcontent.yml similarity index 100% rename from rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml rename to rules/windows/builtin/security/win_arbitrary_shell_execution_via_settingcontent.yml diff --git a/rules/windows/builtin/win_asr_bypass_via_appvlp_re.yml b/rules/windows/builtin/security/win_asr_bypass_via_appvlp_re.yml similarity index 100% rename from rules/windows/builtin/win_asr_bypass_via_appvlp_re.yml rename to rules/windows/builtin/security/win_asr_bypass_via_appvlp_re.yml diff --git a/rules/windows/builtin/win_atsvc_task.yml b/rules/windows/builtin/security/win_atsvc_task.yml similarity index 100% rename from rules/windows/builtin/win_atsvc_task.yml rename to rules/windows/builtin/security/win_atsvc_task.yml diff --git a/rules/windows/builtin/win_camera_microphone_access.yml b/rules/windows/builtin/security/win_camera_microphone_access.yml similarity index 100% rename from rules/windows/builtin/win_camera_microphone_access.yml rename to rules/windows/builtin/security/win_camera_microphone_access.yml diff --git a/rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml b/rules/windows/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml similarity index 100% rename from rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml rename to rules/windows/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml diff --git a/rules/windows/builtin/win_dcom_iertutil_dll_hijack.yml b/rules/windows/builtin/security/win_dcom_iertutil_dll_hijack.yml similarity index 100% rename from rules/windows/builtin/win_dcom_iertutil_dll_hijack.yml rename to rules/windows/builtin/security/win_dcom_iertutil_dll_hijack.yml 
diff --git a/rules/windows/builtin/win_dcsync.yml b/rules/windows/builtin/security/win_dcsync.yml similarity index 100% rename from rules/windows/builtin/win_dcsync.yml rename to rules/windows/builtin/security/win_dcsync.yml diff --git a/rules/windows/other/win_defender_bypass.yml b/rules/windows/builtin/security/win_defender_bypass.yml similarity index 100% rename from rules/windows/other/win_defender_bypass.yml rename to rules/windows/builtin/security/win_defender_bypass.yml diff --git a/rules/windows/builtin/win_disable_event_logging.yml b/rules/windows/builtin/security/win_disable_event_logging.yml similarity index 100% rename from rules/windows/builtin/win_disable_event_logging.yml rename to rules/windows/builtin/security/win_disable_event_logging.yml diff --git a/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml b/rules/windows/builtin/security/win_dpapi_domain_backupkey_extraction.yml similarity index 100% rename from rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml rename to rules/windows/builtin/security/win_dpapi_domain_backupkey_extraction.yml diff --git a/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml b/rules/windows/builtin/security/win_dpapi_domain_masterkey_backup_attempt.yml similarity index 100% rename from rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml rename to rules/windows/builtin/security/win_dpapi_domain_masterkey_backup_attempt.yml diff --git a/rules/windows/builtin/win_etw_modification.yml b/rules/windows/builtin/security/win_etw_modification.yml similarity index 100% rename from rules/windows/builtin/win_etw_modification.yml rename to rules/windows/builtin/security/win_etw_modification.yml diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/security/win_event_log_cleared.yml similarity index 100% rename from rules/windows/builtin/win_event_log_cleared.yml rename to rules/windows/builtin/security/win_event_log_cleared.yml 
diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml b/rules/windows/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml similarity index 100% rename from rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_security.yml rename to rules/windows/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml diff --git a/rules/windows/builtin/win_external_device.yml b/rules/windows/builtin/security/win_external_device.yml similarity index 100% rename from rules/windows/builtin/win_external_device.yml rename to rules/windows/builtin/security/win_external_device.yml diff --git a/rules/windows/builtin/win_global_catalog_enumeration.yml b/rules/windows/builtin/security/win_global_catalog_enumeration.yml similarity index 100% rename from rules/windows/builtin/win_global_catalog_enumeration.yml rename to rules/windows/builtin/security/win_global_catalog_enumeration.yml diff --git a/rules/windows/builtin/win_gpo_scheduledtasks.yml b/rules/windows/builtin/security/win_gpo_scheduledtasks.yml similarity index 100% rename from rules/windows/builtin/win_gpo_scheduledtasks.yml rename to rules/windows/builtin/security/win_gpo_scheduledtasks.yml diff --git a/rules/windows/builtin/win_hidden_user_creation.yml b/rules/windows/builtin/security/win_hidden_user_creation.yml similarity index 100% rename from rules/windows/builtin/win_hidden_user_creation.yml rename to rules/windows/builtin/security/win_hidden_user_creation.yml diff --git a/rules/windows/builtin/win_hybridconnectionmgr_svc_installation.yml b/rules/windows/builtin/security/win_hybridconnectionmgr_svc_installation.yml similarity index 100% rename from rules/windows/builtin/win_hybridconnectionmgr_svc_installation.yml rename to rules/windows/builtin/security/win_hybridconnectionmgr_svc_installation.yml 
diff --git a/rules/windows/builtin/win_impacket_psexec.yml b/rules/windows/builtin/security/win_impacket_psexec.yml similarity index 100% rename from rules/windows/builtin/win_impacket_psexec.yml rename to rules/windows/builtin/security/win_impacket_psexec.yml diff --git a/rules/windows/builtin/win_impacket_secretdump.yml b/rules/windows/builtin/security/win_impacket_secretdump.yml similarity index 100% rename from rules/windows/builtin/win_impacket_secretdump.yml rename to rules/windows/builtin/security/win_impacket_secretdump.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_clip_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_clip_services_security.yml similarity index 100% rename from rules/windows/builtin/win_invoke_obfuscation_clip_services_security.yml rename to rules/windows/builtin/security/win_invoke_obfuscation_clip_services_security.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml similarity index 100% rename from rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml rename to rules/windows/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_stdin_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_stdin_services_security.yml similarity index 100% rename from rules/windows/builtin/win_invoke_obfuscation_stdin_services_security.yml rename to rules/windows/builtin/security/win_invoke_obfuscation_stdin_services_security.yml 
diff --git a/rules/windows/builtin/win_invoke_obfuscation_var_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_var_services_security.yml similarity index 100% rename from rules/windows/builtin/win_invoke_obfuscation_var_services_security.yml rename to rules/windows/builtin/security/win_invoke_obfuscation_var_services_security.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml similarity index 100% rename from rules/windows/builtin/win_invoke_obfuscation_via_compress_services_security.yml rename to rules/windows/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml similarity index 100% rename from rules/windows/builtin/win_invoke_obfuscation_via_rundll_services_security.yml rename to rules/windows/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_stdin_services_security.yml similarity index 100% rename from rules/windows/builtin/win_invoke_obfuscation_via_stdin_services_security.yml rename to rules/windows/builtin/security/win_invoke_obfuscation_via_stdin_services_security.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_use_clip_services_security.yml similarity index 100% rename from rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml rename to rules/windows/builtin/security/win_invoke_obfuscation_via_use_clip_services_security.yml 
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_use_mshta_services_security.yml similarity index 100% rename from rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml rename to rules/windows/builtin/security/win_invoke_obfuscation_via_use_mshta_services_security.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_use_rundll32_services_security.yml similarity index 100% rename from rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml rename to rules/windows/builtin/security/win_invoke_obfuscation_via_use_rundll32_services_security.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_var_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_var_services_security.yml similarity index 100% rename from rules/windows/builtin/win_invoke_obfuscation_via_var_services_security.yml rename to rules/windows/builtin/security/win_invoke_obfuscation_via_var_services_security.yml diff --git a/rules/windows/builtin/win_iso_mount.yml b/rules/windows/builtin/security/win_iso_mount.yml similarity index 100% rename from rules/windows/builtin/win_iso_mount.yml rename to rules/windows/builtin/security/win_iso_mount.yml diff --git a/rules/windows/other/win_lateral_movement_condrv.yml b/rules/windows/builtin/security/win_lateral_movement_condrv.yml similarity index 100% rename from rules/windows/other/win_lateral_movement_condrv.yml rename to rules/windows/builtin/security/win_lateral_movement_condrv.yml diff --git a/rules/windows/builtin/win_lm_namedpipe.yml b/rules/windows/builtin/security/win_lm_namedpipe.yml similarity index 100% rename from rules/windows/builtin/win_lm_namedpipe.yml rename to rules/windows/builtin/security/win_lm_namedpipe.yml 
diff --git a/rules/windows/builtin/win_lolbas_execution_of_nltest.yml b/rules/windows/builtin/security/win_lolbas_execution_of_nltest.yml similarity index 100% rename from rules/windows/builtin/win_lolbas_execution_of_nltest.yml rename to rules/windows/builtin/security/win_lolbas_execution_of_nltest.yml diff --git a/rules/windows/builtin/win_lsass_access_non_system_account.yml b/rules/windows/builtin/security/win_lsass_access_non_system_account.yml similarity index 100% rename from rules/windows/builtin/win_lsass_access_non_system_account.yml rename to rules/windows/builtin/security/win_lsass_access_non_system_account.yml diff --git a/rules/windows/builtin/win_mal_wceaux_dll.yml b/rules/windows/builtin/security/win_mal_wceaux_dll.yml similarity index 100% rename from rules/windows/builtin/win_mal_wceaux_dll.yml rename to rules/windows/builtin/security/win_mal_wceaux_dll.yml diff --git a/rules/windows/builtin/win_metasploit_authentication.yml b/rules/windows/builtin/security/win_metasploit_authentication.yml similarity index 100% rename from rules/windows/builtin/win_metasploit_authentication.yml rename to rules/windows/builtin/security/win_metasploit_authentication.yml diff --git a/rules/windows/builtin/win_net_ntlm_downgrade.yml b/rules/windows/builtin/security/win_net_ntlm_downgrade.yml similarity index 100% rename from rules/windows/builtin/win_net_ntlm_downgrade.yml rename to rules/windows/builtin/security/win_net_ntlm_downgrade.yml diff --git a/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml b/rules/windows/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml similarity index 100% rename from rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml rename to rules/windows/builtin/security/win_new_or_renamed_user_account_with_dollar_sign.yml 
diff --git a/rules/windows/builtin/win_not_allowed_rdp_access.yml b/rules/windows/builtin/security/win_not_allowed_rdp_access.yml similarity index 100% rename from rules/windows/builtin/win_not_allowed_rdp_access.yml rename to rules/windows/builtin/security/win_not_allowed_rdp_access.yml diff --git a/rules/windows/builtin/win_overpass_the_hash.yml b/rules/windows/builtin/security/win_overpass_the_hash.yml similarity index 100% rename from rules/windows/builtin/win_overpass_the_hash.yml rename to rules/windows/builtin/security/win_overpass_the_hash.yml diff --git a/rules/windows/builtin/win_pass_the_hash.yml b/rules/windows/builtin/security/win_pass_the_hash.yml similarity index 100% rename from rules/windows/builtin/win_pass_the_hash.yml rename to rules/windows/builtin/security/win_pass_the_hash.yml diff --git a/rules/windows/builtin/win_pass_the_hash_2.yml b/rules/windows/builtin/security/win_pass_the_hash_2.yml similarity index 100% rename from rules/windows/builtin/win_pass_the_hash_2.yml rename to rules/windows/builtin/security/win_pass_the_hash_2.yml diff --git a/rules/windows/builtin/win_petitpotam_network_share.yml b/rules/windows/builtin/security/win_petitpotam_network_share.yml similarity index 100% rename from rules/windows/builtin/win_petitpotam_network_share.yml rename to rules/windows/builtin/security/win_petitpotam_network_share.yml diff --git a/rules/windows/builtin/win_petitpotam_susp_tgt_request.yml b/rules/windows/builtin/security/win_petitpotam_susp_tgt_request.yml similarity index 100% rename from rules/windows/builtin/win_petitpotam_susp_tgt_request.yml rename to rules/windows/builtin/security/win_petitpotam_susp_tgt_request.yml diff --git a/rules/windows/builtin/win_possible_dc_shadow.yml b/rules/windows/builtin/security/win_possible_dc_shadow.yml similarity index 100% rename from rules/windows/builtin/win_possible_dc_shadow.yml rename to rules/windows/builtin/security/win_possible_dc_shadow.yml 
diff --git a/rules/windows/builtin/win_privesc_cve_2020_1472.yml b/rules/windows/builtin/security/win_privesc_cve_2020_1472.yml similarity index 100% rename from rules/windows/builtin/win_privesc_cve_2020_1472.yml rename to rules/windows/builtin/security/win_privesc_cve_2020_1472.yml diff --git a/rules/windows/builtin/win_protected_storage_service_access.yml b/rules/windows/builtin/security/win_protected_storage_service_access.yml similarity index 100% rename from rules/windows/builtin/win_protected_storage_service_access.yml rename to rules/windows/builtin/security/win_protected_storage_service_access.yml diff --git a/rules/windows/builtin/win_rare_schtasks_creations.yml b/rules/windows/builtin/security/win_rare_schtasks_creations.yml similarity index 100% rename from rules/windows/builtin/win_rare_schtasks_creations.yml rename to rules/windows/builtin/security/win_rare_schtasks_creations.yml diff --git a/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml b/rules/windows/builtin/security/win_rdp_bluekeep_poc_scanner.yml similarity index 100% rename from rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml rename to rules/windows/builtin/security/win_rdp_bluekeep_poc_scanner.yml diff --git a/rules/windows/builtin/win_rdp_localhost_login.yml b/rules/windows/builtin/security/win_rdp_localhost_login.yml similarity index 100% rename from rules/windows/builtin/win_rdp_localhost_login.yml rename to rules/windows/builtin/security/win_rdp_localhost_login.yml diff --git a/rules/windows/builtin/win_rdp_reverse_tunnel.yml b/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml similarity index 100% rename from rules/windows/builtin/win_rdp_reverse_tunnel.yml rename to rules/windows/builtin/security/win_rdp_reverse_tunnel.yml 
diff --git a/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml b/rules/windows/builtin/security/win_register_new_logon_process_by_rubeus.yml similarity index 100% rename from rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml rename to rules/windows/builtin/security/win_register_new_logon_process_by_rubeus.yml diff --git a/rules/windows/builtin/win_remote_powershell_session.yml b/rules/windows/builtin/security/win_remote_powershell_session.yml similarity index 100% rename from rules/windows/builtin/win_remote_powershell_session.yml rename to rules/windows/builtin/security/win_remote_powershell_session.yml diff --git a/rules/windows/builtin/win_remote_registry_management_using_reg_utility.yml b/rules/windows/builtin/security/win_remote_registry_management_using_reg_utility.yml similarity index 100% rename from rules/windows/builtin/win_remote_registry_management_using_reg_utility.yml rename to rules/windows/builtin/security/win_remote_registry_management_using_reg_utility.yml diff --git a/rules/windows/builtin/win_sam_registry_hive_handle_request.yml b/rules/windows/builtin/security/win_sam_registry_hive_handle_request.yml similarity index 100% rename from rules/windows/builtin/win_sam_registry_hive_handle_request.yml rename to rules/windows/builtin/security/win_sam_registry_hive_handle_request.yml diff --git a/rules/windows/builtin/win_scheduled_task_deletion.yml b/rules/windows/builtin/security/win_scheduled_task_deletion.yml similarity index 100% rename from rules/windows/builtin/win_scheduled_task_deletion.yml rename to rules/windows/builtin/security/win_scheduled_task_deletion.yml diff --git a/rules/windows/builtin/win_scm_database_handle_failure.yml b/rules/windows/builtin/security/win_scm_database_handle_failure.yml similarity index 100% rename from rules/windows/builtin/win_scm_database_handle_failure.yml rename to rules/windows/builtin/security/win_scm_database_handle_failure.yml 
diff --git a/rules/windows/builtin/win_scm_database_privileged_operation.yml b/rules/windows/builtin/security/win_scm_database_privileged_operation.yml similarity index 100% rename from rules/windows/builtin/win_scm_database_privileged_operation.yml rename to rules/windows/builtin/security/win_scm_database_privileged_operation.yml diff --git a/rules/windows/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml b/rules/windows/builtin/security/win_scrcons_remote_wmi_scripteventconsumer.yml similarity index 100% rename from rules/windows/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml rename to rules/windows/builtin/security/win_scrcons_remote_wmi_scripteventconsumer.yml diff --git a/rules/windows/builtin/win_security_cobaltstrike_service_installs.yml b/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml similarity index 100% rename from rules/windows/builtin/win_security_cobaltstrike_service_installs.yml rename to rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml diff --git a/rules/windows/builtin/win_security_mal_creddumper.yml b/rules/windows/builtin/security/win_security_mal_creddumper.yml similarity index 100% rename from rules/windows/builtin/win_security_mal_creddumper.yml rename to rules/windows/builtin/security/win_security_mal_creddumper.yml diff --git a/rules/windows/builtin/win_security_mal_service_installs.yml b/rules/windows/builtin/security/win_security_mal_service_installs.yml similarity index 100% rename from rules/windows/builtin/win_security_mal_service_installs.yml rename to rules/windows/builtin/security/win_security_mal_service_installs.yml 
diff --git a/rules/windows/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml b/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml similarity index 100% rename from rules/windows/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml rename to rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml diff --git a/rules/windows/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml b/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml similarity index 100% rename from rules/windows/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml rename to rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml diff --git a/rules/windows/builtin/win_security_powershell_script_installed_as_service.yml b/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml similarity index 100% rename from rules/windows/builtin/win_security_powershell_script_installed_as_service.yml rename to rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml diff --git a/rules/windows/builtin/win_security_tap_driver_installation.yml b/rules/windows/builtin/security/win_security_tap_driver_installation.yml similarity index 100% rename from rules/windows/builtin/win_security_tap_driver_installation.yml rename to rules/windows/builtin/security/win_security_tap_driver_installation.yml diff --git a/rules/windows/other/win_security_wmi_persistence.yml b/rules/windows/builtin/security/win_security_wmi_persistence.yml similarity index 100% rename from rules/windows/other/win_security_wmi_persistence.yml rename to rules/windows/builtin/security/win_security_wmi_persistence.yml 
diff --git a/rules/windows/builtin/win_smb_file_creation_admin_shares.yml b/rules/windows/builtin/security/win_smb_file_creation_admin_shares.yml similarity index 100% rename from rules/windows/builtin/win_smb_file_creation_admin_shares.yml rename to rules/windows/builtin/security/win_smb_file_creation_admin_shares.yml diff --git a/rules/windows/builtin/win_susp_add_domain_trust.yml b/rules/windows/builtin/security/win_susp_add_domain_trust.yml similarity index 100% rename from rules/windows/builtin/win_susp_add_domain_trust.yml rename to rules/windows/builtin/security/win_susp_add_domain_trust.yml diff --git a/rules/windows/builtin/win_susp_add_sid_history.yml b/rules/windows/builtin/security/win_susp_add_sid_history.yml similarity index 100% rename from rules/windows/builtin/win_susp_add_sid_history.yml rename to rules/windows/builtin/security/win_susp_add_sid_history.yml diff --git a/rules/windows/builtin/win_susp_codeintegrity_check_failure.yml b/rules/windows/builtin/security/win_susp_codeintegrity_check_failure.yml similarity index 100% rename from rules/windows/builtin/win_susp_codeintegrity_check_failure.yml rename to rules/windows/builtin/security/win_susp_codeintegrity_check_failure.yml diff --git a/rules/windows/builtin/win_susp_dsrm_password_change.yml b/rules/windows/builtin/security/win_susp_dsrm_password_change.yml similarity index 100% rename from rules/windows/builtin/win_susp_dsrm_password_change.yml rename to rules/windows/builtin/security/win_susp_dsrm_password_change.yml diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/security/win_susp_eventlog_cleared.yml similarity index 100% rename from rules/windows/builtin/win_susp_eventlog_cleared.yml rename to rules/windows/builtin/security/win_susp_eventlog_cleared.yml 
diff --git a/rules/windows/builtin/win_susp_failed_logon_reasons.yml b/rules/windows/builtin/security/win_susp_failed_logon_reasons.yml similarity index 100% rename from rules/windows/builtin/win_susp_failed_logon_reasons.yml rename to rules/windows/builtin/security/win_susp_failed_logon_reasons.yml diff --git a/rules/windows/builtin/win_susp_failed_logon_source.yml b/rules/windows/builtin/security/win_susp_failed_logon_source.yml similarity index 100% rename from rules/windows/builtin/win_susp_failed_logon_source.yml rename to rules/windows/builtin/security/win_susp_failed_logon_source.yml diff --git a/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml b/rules/windows/builtin/security/win_susp_failed_logons_explicit_credentials.yml similarity index 100% rename from rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml rename to rules/windows/builtin/security/win_susp_failed_logons_explicit_credentials.yml diff --git a/rules/windows/builtin/win_susp_failed_logons_single_process.yml b/rules/windows/builtin/security/win_susp_failed_logons_single_process.yml similarity index 100% rename from rules/windows/builtin/win_susp_failed_logons_single_process.yml rename to rules/windows/builtin/security/win_susp_failed_logons_single_process.yml diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source.yml b/rules/windows/builtin/security/win_susp_failed_logons_single_source.yml similarity index 100% rename from rules/windows/builtin/win_susp_failed_logons_single_source.yml rename to rules/windows/builtin/security/win_susp_failed_logons_single_source.yml diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source2.yml b/rules/windows/builtin/security/win_susp_failed_logons_single_source2.yml similarity index 100% rename from rules/windows/builtin/win_susp_failed_logons_single_source2.yml rename to rules/windows/builtin/security/win_susp_failed_logons_single_source2.yml 
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml b/rules/windows/builtin/security/win_susp_failed_logons_single_source_kerberos.yml similarity index 100% rename from rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml rename to rules/windows/builtin/security/win_susp_failed_logons_single_source_kerberos.yml diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml b/rules/windows/builtin/security/win_susp_failed_logons_single_source_kerberos2.yml similarity index 100% rename from rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml rename to rules/windows/builtin/security/win_susp_failed_logons_single_source_kerberos2.yml diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml b/rules/windows/builtin/security/win_susp_failed_logons_single_source_kerberos3.yml similarity index 100% rename from rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml rename to rules/windows/builtin/security/win_susp_failed_logons_single_source_kerberos3.yml diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml b/rules/windows/builtin/security/win_susp_failed_logons_single_source_ntlm.yml similarity index 100% rename from rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml rename to rules/windows/builtin/security/win_susp_failed_logons_single_source_ntlm.yml diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml b/rules/windows/builtin/security/win_susp_failed_logons_single_source_ntlm2.yml similarity index 100% rename from rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml rename to rules/windows/builtin/security/win_susp_failed_logons_single_source_ntlm2.yml 
diff --git a/rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml b/rules/windows/builtin/security/win_susp_failed_remote_logons_single_source.yml similarity index 100% rename from rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml rename to rules/windows/builtin/security/win_susp_failed_remote_logons_single_source.yml diff --git a/rules/windows/builtin/win_susp_interactive_logons.yml b/rules/windows/builtin/security/win_susp_interactive_logons.yml similarity index 100% rename from rules/windows/builtin/win_susp_interactive_logons.yml rename to rules/windows/builtin/security/win_susp_interactive_logons.yml diff --git a/rules/windows/builtin/win_susp_kerberos_manipulation.yml b/rules/windows/builtin/security/win_susp_kerberos_manipulation.yml similarity index 100% rename from rules/windows/builtin/win_susp_kerberos_manipulation.yml rename to rules/windows/builtin/security/win_susp_kerberos_manipulation.yml diff --git a/rules/windows/builtin/win_susp_ldap_dataexchange.yml b/rules/windows/builtin/security/win_susp_ldap_dataexchange.yml similarity index 100% rename from rules/windows/builtin/win_susp_ldap_dataexchange.yml rename to rules/windows/builtin/security/win_susp_ldap_dataexchange.yml diff --git a/rules/windows/builtin/win_susp_local_anon_logon_created.yml b/rules/windows/builtin/security/win_susp_local_anon_logon_created.yml similarity index 100% rename from rules/windows/builtin/win_susp_local_anon_logon_created.yml rename to rules/windows/builtin/security/win_susp_local_anon_logon_created.yml diff --git a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml b/rules/windows/builtin/security/win_susp_logon_explicit_credentials.yml similarity index 100% rename from rules/windows/builtin/win_susp_logon_explicit_credentials.yml rename to rules/windows/builtin/security/win_susp_logon_explicit_credentials.yml 
diff --git a/rules/windows/builtin/win_susp_lsass_dump.yml b/rules/windows/builtin/security/win_susp_lsass_dump.yml similarity index 100% rename from rules/windows/builtin/win_susp_lsass_dump.yml rename to rules/windows/builtin/security/win_susp_lsass_dump.yml diff --git a/rules/windows/builtin/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml similarity index 100% rename from rules/windows/builtin/win_susp_lsass_dump_generic.yml rename to rules/windows/builtin/security/win_susp_lsass_dump_generic.yml diff --git a/rules/windows/builtin/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/builtin/security/win_susp_multiple_files_renamed_or_deleted.yml similarity index 100% rename from rules/windows/builtin/win_susp_multiple_files_renamed_or_deleted.yml rename to rules/windows/builtin/security/win_susp_multiple_files_renamed_or_deleted.yml diff --git a/rules/windows/builtin/win_susp_net_recon_activity.yml b/rules/windows/builtin/security/win_susp_net_recon_activity.yml similarity index 100% rename from rules/windows/builtin/win_susp_net_recon_activity.yml rename to rules/windows/builtin/security/win_susp_net_recon_activity.yml diff --git a/rules/windows/builtin/win_susp_psexec.yml b/rules/windows/builtin/security/win_susp_psexec.yml similarity index 100% rename from rules/windows/builtin/win_susp_psexec.yml rename to rules/windows/builtin/security/win_susp_psexec.yml diff --git a/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml b/rules/windows/builtin/security/win_susp_raccess_sensitive_fext.yml similarity index 100% rename from rules/windows/builtin/win_susp_raccess_sensitive_fext.yml rename to rules/windows/builtin/security/win_susp_raccess_sensitive_fext.yml 
diff --git a/rules/windows/builtin/win_susp_rc4_kerberos.yml b/rules/windows/builtin/security/win_susp_rc4_kerberos.yml similarity index 100% rename from rules/windows/builtin/win_susp_rc4_kerberos.yml rename to rules/windows/builtin/security/win_susp_rc4_kerberos.yml diff --git a/rules/windows/builtin/win_susp_rottenpotato.yml b/rules/windows/builtin/security/win_susp_rottenpotato.yml similarity index 100% rename from rules/windows/builtin/win_susp_rottenpotato.yml rename to rules/windows/builtin/security/win_susp_rottenpotato.yml diff --git a/rules/windows/builtin/win_susp_samr_pwset.yml b/rules/windows/builtin/security/win_susp_samr_pwset.yml similarity index 100% rename from rules/windows/builtin/win_susp_samr_pwset.yml rename to rules/windows/builtin/security/win_susp_samr_pwset.yml diff --git a/rules/windows/builtin/win_susp_sdelete.yml b/rules/windows/builtin/security/win_susp_sdelete.yml similarity index 100% rename from rules/windows/builtin/win_susp_sdelete.yml rename to rules/windows/builtin/security/win_susp_sdelete.yml diff --git a/rules/windows/builtin/win_susp_time_modification.yml b/rules/windows/builtin/security/win_susp_time_modification.yml similarity index 100% rename from rules/windows/builtin/win_susp_time_modification.yml rename to rules/windows/builtin/security/win_susp_time_modification.yml diff --git a/rules/windows/builtin/win_susp_wmi_login.yml b/rules/windows/builtin/security/win_susp_wmi_login.yml similarity index 100% rename from rules/windows/builtin/win_susp_wmi_login.yml rename to rules/windows/builtin/security/win_susp_wmi_login.yml diff --git a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml b/rules/windows/builtin/security/win_suspicious_outbound_kerberos_connection.yml similarity index 100% rename from rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml rename to rules/windows/builtin/security/win_suspicious_outbound_kerberos_connection.yml 
diff --git a/rules/windows/builtin/win_svcctl_remote_service.yml b/rules/windows/builtin/security/win_svcctl_remote_service.yml similarity index 100% rename from rules/windows/builtin/win_svcctl_remote_service.yml rename to rules/windows/builtin/security/win_svcctl_remote_service.yml diff --git a/rules/windows/builtin/win_syskey_registry_access.yml b/rules/windows/builtin/security/win_syskey_registry_access.yml similarity index 100% rename from rules/windows/builtin/win_syskey_registry_access.yml rename to rules/windows/builtin/security/win_syskey_registry_access.yml diff --git a/rules/windows/builtin/win_sysmon_channel_reference_deletion.yml b/rules/windows/builtin/security/win_sysmon_channel_reference_deletion.yml similarity index 100% rename from rules/windows/builtin/win_sysmon_channel_reference_deletion.yml rename to rules/windows/builtin/security/win_sysmon_channel_reference_deletion.yml diff --git a/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml b/rules/windows/builtin/security/win_transferring_files_with_credential_data_via_network_shares.yml similarity index 100% rename from rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml rename to rules/windows/builtin/security/win_transferring_files_with_credential_data_via_network_shares.yml diff --git a/rules/windows/builtin/win_user_added_to_local_administrators.yml b/rules/windows/builtin/security/win_user_added_to_local_administrators.yml similarity index 100% rename from rules/windows/builtin/win_user_added_to_local_administrators.yml rename to rules/windows/builtin/security/win_user_added_to_local_administrators.yml 
diff --git a/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml b/rules/windows/builtin/security/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml similarity index 100% rename from rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml rename to rules/windows/builtin/security/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml diff --git a/rules/windows/builtin/win_user_creation.yml b/rules/windows/builtin/security/win_user_creation.yml similarity index 100% rename from rules/windows/builtin/win_user_creation.yml rename to rules/windows/builtin/security/win_user_creation.yml diff --git a/rules/windows/builtin/win_user_driver_loaded.yml b/rules/windows/builtin/security/win_user_driver_loaded.yml similarity index 100% rename from rules/windows/builtin/win_user_driver_loaded.yml rename to rules/windows/builtin/security/win_user_driver_loaded.yml diff --git a/rules/windows/builtin/win_vssaudit_secevent_source_registration.yml b/rules/windows/builtin/security/win_vssaudit_secevent_source_registration.yml similarity index 100% rename from rules/windows/builtin/win_vssaudit_secevent_source_registration.yml rename to rules/windows/builtin/security/win_vssaudit_secevent_source_registration.yml diff --git a/rules/windows/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml b/rules/windows/builtin/security/win_wmiprvse_wbemcomn_dll_hijack.yml similarity index 100% rename from rules/windows/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml rename to rules/windows/builtin/security/win_wmiprvse_wbemcomn_dll_hijack.yml diff --git a/rules/windows/builtin/win_apt_carbonpaper_turla.yml b/rules/windows/builtin/system/win_apt_carbonpaper_turla.yml similarity index 100% rename from rules/windows/builtin/win_apt_carbonpaper_turla.yml rename to rules/windows/builtin/system/win_apt_carbonpaper_turla.yml 
diff --git a/rules/windows/builtin/win_apt_chafer_mar18_system.yml b/rules/windows/builtin/system/win_apt_chafer_mar18_system.yml similarity index 100% rename from rules/windows/builtin/win_apt_chafer_mar18_system.yml rename to rules/windows/builtin/system/win_apt_chafer_mar18_system.yml diff --git a/rules/windows/builtin/win_apt_stonedrill.yml b/rules/windows/builtin/system/win_apt_stonedrill.yml similarity index 100% rename from rules/windows/builtin/win_apt_stonedrill.yml rename to rules/windows/builtin/system/win_apt_stonedrill.yml diff --git a/rules/windows/builtin/win_apt_turla_service_png.yml b/rules/windows/builtin/system/win_apt_turla_service_png.yml similarity index 100% rename from rules/windows/builtin/win_apt_turla_service_png.yml rename to rules/windows/builtin/system/win_apt_turla_service_png.yml diff --git a/rules/windows/builtin/win_cobaltstrike_service_installs.yml b/rules/windows/builtin/system/win_cobaltstrike_service_installs.yml similarity index 100% rename from rules/windows/builtin/win_cobaltstrike_service_installs.yml rename to rules/windows/builtin/system/win_cobaltstrike_service_installs.yml diff --git a/rules/windows/builtin/win_hack_smbexec.yml b/rules/windows/builtin/system/win_hack_smbexec.yml similarity index 100% rename from rules/windows/builtin/win_hack_smbexec.yml rename to rules/windows/builtin/system/win_hack_smbexec.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_clip_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_clip_services.yml similarity index 100% rename from rules/windows/builtin/win_invoke_obfuscation_clip_services.yml rename to rules/windows/builtin/system/win_invoke_obfuscation_clip_services.yml 
diff --git a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_obfuscated_iex_services.yml similarity index 100% rename from rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml rename to rules/windows/builtin/system/win_invoke_obfuscation_obfuscated_iex_services.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_stdin_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_stdin_services.yml similarity index 100% rename from rules/windows/builtin/win_invoke_obfuscation_stdin_services.yml rename to rules/windows/builtin/system/win_invoke_obfuscation_stdin_services.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_var_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_var_services.yml similarity index 100% rename from rules/windows/builtin/win_invoke_obfuscation_var_services.yml rename to rules/windows/builtin/system/win_invoke_obfuscation_var_services.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml similarity index 100% rename from rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml rename to rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_via_rundll_services.yml similarity index 100% rename from rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml rename to rules/windows/builtin/system/win_invoke_obfuscation_via_rundll_services.yml 
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_via_stdin_services.yml similarity index 100% rename from rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml rename to rules/windows/builtin/system/win_invoke_obfuscation_via_stdin_services.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_via_use_clip_services.yml similarity index 100% rename from rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml rename to rules/windows/builtin/system/win_invoke_obfuscation_via_use_clip_services.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_via_use_mshta_services.yml similarity index 100% rename from rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml rename to rules/windows/builtin/system/win_invoke_obfuscation_via_use_mshta_services.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_via_use_rundll32_services.yml similarity index 100% rename from rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml rename to rules/windows/builtin/system/win_invoke_obfuscation_via_use_rundll32_services.yml diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_var_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_via_var_services.yml similarity index 100% rename from rules/windows/builtin/win_invoke_obfuscation_via_var_services.yml rename to rules/windows/builtin/system/win_invoke_obfuscation_via_var_services.yml 
diff --git a/rules/windows/builtin/win_mal_creddumper.yml b/rules/windows/builtin/system/win_mal_creddumper.yml similarity index 100% rename from rules/windows/builtin/win_mal_creddumper.yml rename to rules/windows/builtin/system/win_mal_creddumper.yml diff --git a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml similarity index 100% rename from rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml rename to rules/windows/builtin/system/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml diff --git a/rules/windows/builtin/win_moriya_rootkit.yml b/rules/windows/builtin/system/win_moriya_rootkit.yml similarity index 100% rename from rules/windows/builtin/win_moriya_rootkit.yml rename to rules/windows/builtin/system/win_moriya_rootkit.yml diff --git a/rules/windows/builtin/win_ntfs_vuln_exploit.yml b/rules/windows/builtin/system/win_ntfs_vuln_exploit.yml similarity index 100% rename from rules/windows/builtin/win_ntfs_vuln_exploit.yml rename to rules/windows/builtin/system/win_ntfs_vuln_exploit.yml diff --git a/rules/windows/other/win_pcap_drivers.yml b/rules/windows/builtin/system/win_pcap_drivers.yml similarity index 100% rename from rules/windows/other/win_pcap_drivers.yml rename to rules/windows/builtin/system/win_pcap_drivers.yml diff --git a/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml b/rules/windows/builtin/system/win_possible_zerologon_exploitation_using_wellknown_tools.yml similarity index 100% rename from rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml rename to rules/windows/builtin/system/win_possible_zerologon_exploitation_using_wellknown_tools.yml 
diff --git a/rules/windows/builtin/win_powershell_script_installed_as_service.yml b/rules/windows/builtin/system/win_powershell_script_installed_as_service.yml similarity index 100% rename from rules/windows/builtin/win_powershell_script_installed_as_service.yml rename to rules/windows/builtin/system/win_powershell_script_installed_as_service.yml diff --git a/rules/windows/builtin/win_quarkspwdump_clearing_hive_access_history.yml b/rules/windows/builtin/system/win_quarkspwdump_clearing_hive_access_history.yml similarity index 100% rename from rules/windows/builtin/win_quarkspwdump_clearing_hive_access_history.yml rename to rules/windows/builtin/system/win_quarkspwdump_clearing_hive_access_history.yml diff --git a/rules/windows/builtin/win_rare_service_installs.yml b/rules/windows/builtin/system/win_rare_service_installs.yml similarity index 100% rename from rules/windows/builtin/win_rare_service_installs.yml rename to rules/windows/builtin/system/win_rare_service_installs.yml diff --git a/rules/windows/builtin/win_rdp_potential_cve_2019_0708.yml b/rules/windows/builtin/system/win_rdp_potential_cve_2019_0708.yml similarity index 100% rename from rules/windows/builtin/win_rdp_potential_cve_2019_0708.yml rename to rules/windows/builtin/system/win_rdp_potential_cve_2019_0708.yml diff --git a/rules/windows/builtin/win_susp_dhcp_config.yml b/rules/windows/builtin/system/win_susp_dhcp_config.yml similarity index 100% rename from rules/windows/builtin/win_susp_dhcp_config.yml rename to rules/windows/builtin/system/win_susp_dhcp_config.yml diff --git a/rules/windows/builtin/win_susp_dhcp_config_failed.yml b/rules/windows/builtin/system/win_susp_dhcp_config_failed.yml similarity index 100% rename from rules/windows/builtin/win_susp_dhcp_config_failed.yml rename to rules/windows/builtin/system/win_susp_dhcp_config_failed.yml 
diff --git a/rules/windows/builtin/win_susp_proceshacker.yml b/rules/windows/builtin/system/win_susp_proceshacker.yml similarity index 100% rename from rules/windows/builtin/win_susp_proceshacker.yml rename to rules/windows/builtin/system/win_susp_proceshacker.yml diff --git a/rules/windows/builtin/win_susp_sam_dump.yml b/rules/windows/builtin/system/win_susp_sam_dump.yml similarity index 100% rename from rules/windows/builtin/win_susp_sam_dump.yml rename to rules/windows/builtin/system/win_susp_sam_dump.yml diff --git a/rules/windows/other/win_system_defender_disabled.yml b/rules/windows/builtin/system/win_system_defender_disabled.yml similarity index 100% rename from rules/windows/other/win_system_defender_disabled.yml rename to rules/windows/builtin/system/win_system_defender_disabled.yml diff --git a/rules/windows/builtin/win_system_susp_eventlog_cleared.yml b/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml similarity index 100% rename from rules/windows/builtin/win_system_susp_eventlog_cleared.yml rename to rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml diff --git a/rules/windows/builtin/win_tap_driver_installation.yml b/rules/windows/builtin/system/win_tap_driver_installation.yml similarity index 100% rename from rules/windows/builtin/win_tap_driver_installation.yml rename to rules/windows/builtin/system/win_tap_driver_installation.yml diff --git a/rules/windows/other/win_tool_psexec.yml b/rules/windows/builtin/system/win_tool_psexec.yml similarity index 100% rename from rules/windows/other/win_tool_psexec.yml rename to rules/windows/builtin/system/win_tool_psexec.yml diff --git a/rules/windows/builtin/win_volume_shadow_copy_mount.yml b/rules/windows/builtin/system/win_volume_shadow_copy_mount.yml similarity index 100% rename from rules/windows/builtin/win_volume_shadow_copy_mount.yml rename to rules/windows/builtin/system/win_volume_shadow_copy_mount.yml 
diff --git a/rules/windows/builtin/win_vul_cve_2020_1472.yml b/rules/windows/builtin/system/win_vul_cve_2020_1472.yml similarity index 100% rename from rules/windows/builtin/win_vul_cve_2020_1472.yml rename to rules/windows/builtin/system/win_vul_cve_2020_1472.yml diff --git a/rules/windows/builtin/win_applocker_file_was_not_allowed_to_run.yml b/rules/windows/other/applocker/win_applocker_file_was_not_allowed_to_run.yml similarity index 100% rename from rules/windows/builtin/win_applocker_file_was_not_allowed_to_run.yml rename to rules/windows/other/applocker/win_applocker_file_was_not_allowed_to_run.yml diff --git a/rules/windows/builtin/win_apt_gallium.yml b/rules/windows/other/dns_server/win_apt_gallium.yml similarity index 100% rename from rules/windows/builtin/win_apt_gallium.yml rename to rules/windows/other/dns_server/win_apt_gallium.yml diff --git a/rules/windows/builtin/win_susp_dns_config.yml b/rules/windows/other/dns_server/win_susp_dns_config.yml similarity index 100% rename from rules/windows/builtin/win_susp_dns_config.yml rename to rules/windows/other/dns_server/win_susp_dns_config.yml diff --git a/rules/windows/builtin/win_usb_device_plugged.yml b/rules/windows/other/driverframeworks/win_usb_device_plugged.yml similarity index 100% rename from rules/windows/builtin/win_usb_device_plugged.yml rename to rules/windows/other/driverframeworks/win_usb_device_plugged.yml diff --git a/rules/windows/other/win_ldap_recon.yml b/rules/windows/other/ldap/win_ldap_recon.yml similarity index 100% rename from rules/windows/other/win_ldap_recon.yml rename to rules/windows/other/ldap/win_ldap_recon.yml diff --git a/rules/windows/other/win_exchange_cve_2021_42321.yml b/rules/windows/other/msexchange/win_exchange_cve_2021_42321.yml similarity index 100% rename from rules/windows/other/win_exchange_cve_2021_42321.yml rename to rules/windows/other/msexchange/win_exchange_cve_2021_42321.yml 
diff --git a/rules/windows/other/win_exchange_proxylogon_oabvirtualdir.yml b/rules/windows/other/msexchange/win_exchange_proxylogon_oabvirtualdir.yml similarity index 100% rename from rules/windows/other/win_exchange_proxylogon_oabvirtualdir.yml rename to rules/windows/other/msexchange/win_exchange_proxylogon_oabvirtualdir.yml diff --git a/rules/windows/other/win_exchange_proxyshell_certificate_generation.yml b/rules/windows/other/msexchange/win_exchange_proxyshell_certificate_generation.yml similarity index 100% rename from rules/windows/other/win_exchange_proxyshell_certificate_generation.yml rename to rules/windows/other/msexchange/win_exchange_proxyshell_certificate_generation.yml diff --git a/rules/windows/other/win_exchange_proxyshell_mailbox_export.yml b/rules/windows/other/msexchange/win_exchange_proxyshell_mailbox_export.yml similarity index 100% rename from rules/windows/other/win_exchange_proxyshell_mailbox_export.yml rename to rules/windows/other/msexchange/win_exchange_proxyshell_mailbox_export.yml diff --git a/rules/windows/other/win_exchange_proxyshell_remove_mailbox_export.yml b/rules/windows/other/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml similarity index 100% rename from rules/windows/other/win_exchange_proxyshell_remove_mailbox_export.yml rename to rules/windows/other/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml diff --git a/rules/windows/builtin/win_exchange_transportagent.yml b/rules/windows/other/msexchange/win_exchange_transportagent.yml similarity index 100% rename from rules/windows/builtin/win_exchange_transportagent.yml rename to rules/windows/other/msexchange/win_exchange_transportagent.yml diff --git a/rules/windows/other/win_exchange_transportagent_failed.yml b/rules/windows/other/msexchange/win_exchange_transportagent_failed.yml similarity index 100% rename from rules/windows/other/win_exchange_transportagent_failed.yml rename to rules/windows/other/msexchange/win_exchange_transportagent_failed.yml 
diff --git a/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml b/rules/windows/other/msexchange/win_set_oabvirtualdirectory_externalurl.yml similarity index 100% rename from rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml rename to rules/windows/other/msexchange/win_set_oabvirtualdirectory_externalurl.yml diff --git a/rules/windows/builtin/win_susp_ntlm_auth.yml b/rules/windows/other/ntlm/win_susp_ntlm_auth.yml similarity index 100% rename from rules/windows/builtin/win_susp_ntlm_auth.yml rename to rules/windows/other/ntlm/win_susp_ntlm_auth.yml diff --git a/rules/windows/builtin/win_susp_ntlm_rdp.yml b/rules/windows/other/ntlm/win_susp_ntlm_rdp.yml similarity index 100% rename from rules/windows/builtin/win_susp_ntlm_rdp.yml rename to rules/windows/other/ntlm/win_susp_ntlm_rdp.yml diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml b/rules/windows/other/printservice/win_exploit_cve_2021_1675_printspooler.yml similarity index 100% rename from rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml rename to rules/windows/other/printservice/win_exploit_cve_2021_1675_printspooler.yml diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml b/rules/windows/other/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml similarity index 100% rename from rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_operational.yml rename to rules/windows/other/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml diff --git a/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml b/rules/windows/other/servicebus/win_hybridconnectionmgr_svc_running.yml similarity index 100% rename from rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml rename to rules/windows/other/servicebus/win_hybridconnectionmgr_svc_running.yml 
diff --git a/rules/windows/builtin/win_susp_failed_guest_logon.yml b/rules/windows/other/smbclient/win_susp_failed_guest_logon.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_failed_guest_logon.yml
rename to rules/windows/other/smbclient/win_susp_failed_guest_logon.yml
diff --git a/rules/windows/other/win_rare_schtask_creation.yml b/rules/windows/other/taskscheduler/win_rare_schtask_creation.yml
similarity index 100%
rename from rules/windows/other/win_rare_schtask_creation.yml
rename to rules/windows/other/taskscheduler/win_rare_schtask_creation.yml
diff --git a/rules/windows/builtin/win_alert_lsass_access.yml b/rules/windows/other/windefend/win_alert_lsass_access.yml
similarity index 100%
rename from rules/windows/builtin/win_alert_lsass_access.yml
rename to rules/windows/other/windefend/win_alert_lsass_access.yml
diff --git a/rules/windows/other/win_defender_amsi_trigger.yml b/rules/windows/other/windefend/win_defender_amsi_trigger.yml
similarity index 100%
rename from rules/windows/other/win_defender_amsi_trigger.yml
rename to rules/windows/other/windefend/win_defender_amsi_trigger.yml
diff --git a/rules/windows/other/win_defender_disabled.yml b/rules/windows/other/windefend/win_defender_disabled.yml
similarity index 100%
rename from rules/windows/other/win_defender_disabled.yml
rename to rules/windows/other/windefend/win_defender_disabled.yml
diff --git a/rules/windows/other/win_defender_exclusions.yml b/rules/windows/other/windefend/win_defender_exclusions.yml
similarity index 100%
rename from rules/windows/other/win_defender_exclusions.yml
rename to rules/windows/other/windefend/win_defender_exclusions.yml
diff --git a/rules/windows/other/win_defender_history_delete.yml b/rules/windows/other/windefend/win_defender_history_delete.yml
similarity index 100%
rename from rules/windows/other/win_defender_history_delete.yml
rename to rules/windows/other/windefend/win_defender_history_delete.yml
diff --git a/rules/windows/other/win_defender_psexec_wmi_asr.yml b/rules/windows/other/windefend/win_defender_psexec_wmi_asr.yml
similarity index 100%
rename from rules/windows/other/win_defender_psexec_wmi_asr.yml
rename to rules/windows/other/windefend/win_defender_psexec_wmi_asr.yml
diff --git a/rules/windows/other/win_defender_tamper_protection_trigger.yml b/rules/windows/other/windefend/win_defender_tamper_protection_trigger.yml
similarity index 100%
rename from rules/windows/other/win_defender_tamper_protection_trigger.yml
rename to rules/windows/other/windefend/win_defender_tamper_protection_trigger.yml
diff --git a/rules/windows/other/win_defender_threat.yml b/rules/windows/other/windefend/win_defender_threat.yml
similarity index 100%
rename from rules/windows/other/win_defender_threat.yml
rename to rules/windows/other/windefend/win_defender_threat.yml
diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/wmi/win_wmi_persistence.yml
similarity index 100%
rename from rules/windows/other/win_wmi_persistence.yml
rename to rules/windows/other/wmi/win_wmi_persistence.yml
diff --git a/rules/windows/builtin/win_root_certificate_installed.yml b/rules/windows/powershell/powershell_script/win_root_certificate_installed.yml
similarity index 85%
rename from rules/windows/builtin/win_root_certificate_installed.yml
rename to rules/windows/powershell/powershell_script/win_root_certificate_installed.yml
index 5c2557e04..1dfe52048 100644
--- a/rules/windows/builtin/win_root_certificate_installed.yml
+++ b/rules/windows/powershell/powershell_script/win_root_certificate_installed.yml
@@ -6,21 +6,20 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
 author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
 date: 2020/10/10
-modified: 2021/09/21
+modified: 2021/12/04
 tags:
 - attack.defense_evasion
 - attack.t1553.004
 logsource:
 product: windows
- service: powershell
+ category: ps_script
+ definition: Script block logging must be enabled
 detection:
 selection1:
- EventID: 4104
 ScriptBlockText|contains|all:
 - 'Move-Item'
 - 'Cert:\LocalMachine\Root'
 selection2:
- EventID: 4104
 ScriptBlockText|contains|all:
 - 'Import-Certificate'
 - 'Cert:\LocalMachine\Root'
diff --git a/rules/windows/builtin/win_mmc20_lateral_movement.yml b/rules/windows/process_creation/win_mmc20_lateral_movement.yml
similarity index 100%
rename from rules/windows/builtin/win_mmc20_lateral_movement.yml
rename to rules/windows/process_creation/win_mmc20_lateral_movement.yml
diff --git a/rules/windows/builtin/win_net_use_admin_share.yml b/rules/windows/process_creation/win_net_use_admin_share.yml
similarity index 100%
rename from rules/windows/builtin/win_net_use_admin_share.yml
rename to rules/windows/process_creation/win_net_use_admin_share.yml
diff --git a/rules/windows/builtin/win_susp_mshta_execution.yml b/rules/windows/process_creation/win_susp_mshta_execution.yml
similarity index 100%
rename from rules/windows/builtin/win_susp_mshta_execution.yml
rename to rules/windows/process_creation/win_susp_mshta_execution.yml
From c8aa02c1214f8170f6e78b2a55b5f271f532a63b Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 4 Dec 2021 10:59:24 +0100
Subject: [PATCH 15/15] fix rule directory
---
 Makefile | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/Makefile b/Makefile
index 7c42ef03a..ca904ac4d 100644
--- a/Makefile
+++ b/Makefile
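Review bot: Removing `EventID: 4104` from selection1 and selection2 moves the script-block event filter out of the rule and into whatever each backend configuration maps `category: ps_script` to, so a configuration without a `ps_script` logsource entry would compile this rule with no event-type constraint at all and match `ScriptBlockText` wherever that field exists (inferred; the configurations are not in this hunk). Before merging, confirm that every shipped configuration that previously matched `service: powershell`, including `tools/config/hawk.yml` touched earlier in this series, now defines `ps_script`, otherwise the rule silently broadens on those backends. The added `definition: Script block logging must be enabled` is the right place to record the prerequisite; consider extending it to say that the category is expected to resolve to the 4104 script-block events, e.g. `definition: Script block logging must be enabled (EventID 4104 is supplied by the ps_script logsource mapping)`. The rule's header and `condition` lie outside this hunk.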
@@ -103,11 +103,11 @@ test-sigmac:
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/hawk.yml -t hawk rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t grep rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t fieldlist rules/ > /dev/null
- $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=plain -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=plain -O es=es -O foobar rules/windows/builtin/security/win_susp_failed_logons_single_source.yml > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t kibana -c tests/config-multiple_mapping.yml -c tests/config-multiple_mapping-2.yml tests/mapping-conditional-multi.yml > /dev/null
- $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=json -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=json -O es=es -O foobar rules/windows/builtin/security/win_susp_failed_logons_single_source.yml > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml -o $(TMPOUT) - < tests/collection_repeat.yml > /dev/null
- ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=foobar -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=foobar -O es=es -O foobar rules/windows/builtin/security/win_susp_failed_logons_single_source.yml > /dev/null
 ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/not_existing.yml > /dev/null
 ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_yaml.badyml > /dev/null
 ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-no_identifiers.yml > /dev/null
@@ -115,11 +115,11 @@ test-sigmac:
 ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-invalid_identifier_reference.yml > /dev/null
 ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-invalid_aggregation.yml > /dev/null
 ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-wrong_identifier_definition.yml > /dev/null
- ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml rules/windows/builtin/win_susp_failed_logons_single_source.yml
- ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml -o /not_possible rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
- ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c not_existing rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
- ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_yaml.badyml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
- ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_config.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml rules/windows/builtin/security/win_susp_failed_logons_single_source.yml
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml -o /not_possible rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c not_existing rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_yaml.badyml rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml
+ ! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_config.yml rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml
 test-merge:
 tests/test-merge.sh
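Review bot: The four rewritten negative tests that use `-o /not_possible`, `-c not_existing`, `-c tests/invalid_yaml.badyml` and `-c tests/invalid_config.yml` cannot distinguish the intended failure from a missing rule file, because `!` is satisfied by any non-zero exit, and every line in this hunk is a negative test, so nothing here proves that `rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml` still exists. Pointing these cases at a `deprecated/` rule makes that worse: when the directory is cleaned up the lines keep passing while exercising none of the config-validation paths they were written for. Prefer a fixture that lives under `tests/` and is already compiled successfully elsewhere in the target, or add one positive `$(COVERAGE) run ... -t es-qs -c tools/config/winlogbeat.yml rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml > /dev/null` line ahead of them so a wrong path fails loudly. The `test-sigmac` recipe begins before this hunk.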