Merge PR #5708 from @nasbench - Multiple updates and issue fixes

fix: Turla Group Commands May 2020 - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Potential Dtrack RAT Activity - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Potential Data Exfiltration Activity Via CommandLine Tools - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Suspicious Network Command - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Suspicious SYSTEM User Process Creation - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Potential Snatch Ransomware Activity - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Potential Devil Bait Malware Reconnaissance - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Mint Sandstorm - AsperaFaspex Suspicious Process Execution - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
fix: Mint Sandstorm - ManageEngine Suspicious Process Execution - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog.
update: Powershell Token Obfuscation - Powershell - Move to the TH folder in order to set the right FP expectations.
fix: Kerberoasting Activity - Initial Query - Fix issue with filter names and logic
chore: add sorting to the rule archiver script


---------

Thanks: KingKDot
Thanks: zambomarcell
Thanks: Koifman
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>

rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml

@@ -6,7 +6,7 @@ references:
     - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
 author: Florian Roth (Nextron Systems)
 date: 2020-05-26
-modified: 2021-11-27
+modified: 2025-10-19
 tags:
     - attack.privilege-escalation
     - attack.persistence
@@ -27,9 +27,8 @@ detection:
             - '.WSqmCons))|iex;'
             - 'Fr`omBa`se6`4Str`ing'
     selection_cli_2:
-        CommandLine|contains|all:
-            - 'net use https://docs.live.net'
-            - '@aol.co.uk'
+        CommandLine|re: 'net\s+use\s+https://docs.live.net'
+        CommandLine|contains: '@aol.co.uk'
     condition: 1 of selection_*
 falsepositives:
     - Unknown

rules-emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml

@@ -10,7 +10,7 @@ references:
     - https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2019-10-30
-modified: 2023-02-03
+modified: 2025-10-19
 tags:
     - attack.impact
     - attack.t1490
@@ -20,21 +20,17 @@ logsource:
     product: windows
 detection:
     selection_ping:
-        CommandLine|contains|all:
-            - 'ping -n '
-            - ' echo EEEE > '
+        CommandLine|re:
+            - 'ping\s+-n '
+            - ' echo EEEE\s?>\s?'
     selection_ipconfig:
-        CommandLine|contains|all:
-            - 'ipconfig /all'
-            - '\temp\res.ip'
+        CommandLine|re: 'ipconfig\s+/all'
+        CommandLine|contains: '\temp\res.ip'
     selection_netsh:
         CommandLine|contains|all:
             - 'interface ip show config'
             - '\temp\netsh.res'
     condition: 1 of selection_*
-fields:
-    - CommandLine
-    - ParentCommandLine
 falsepositives:
     - Unlikely
 level: critical

rules-emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yml

@@ -6,7 +6,7 @@ references:
     - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
 author: Florian Roth (Nextron Systems)
 date: 2020-08-26
-modified: 2023-02-13
+modified: 2025-10-19
 tags:
     - attack.execution
     - attack.t1204
@@ -16,14 +16,9 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine|contains:
-            - 'shutdown /r /f /t 00' # Shutdown in safe mode immediately
-            - 'net stop SuperBackupMan'
+        - CommandLine|re: 'shutdown\s+/r /f /t 00' # Shutdown in safe mode immediately
+        - CommandLine|re: 'net\s+stop SuperBackupMan'
     condition: selection
-fields:
-    - ComputerName
-    - User
-    - Image
 falsepositives:
     - Scripts that shutdown the system immediately and reboot them in safe mode are unlikely
 level: high

rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml

@@ -10,6 +10,7 @@ references:
     - https://www.virustotal.com/gui/file/fa71eee906a7849ba3f4bab74edb577bd1f1f8397ca428591b4a9872ce1f1e9b/behavior
 author: Nasreddine Bencherchali (Nextron Systems), NCSC (Idea)
 date: 2023-05-15
+modified: 2025-10-19
 tags:
     - attack.defense-evasion
     - attack.t1218
@@ -26,13 +27,13 @@ detection:
             - '.xml'
             - '.txt'
     selection_recon_cmd:
-        CommandLine|contains:
-            # Taken from a6f9043627f8be2452153b5dbf6278e9b91763c3b5c2aea537a859e0c8c6b504
-            # If you find samples using other commands please add them
-            - 'dir'
-            - 'ipconfig /all'
-            - 'systeminfo'
-            - 'tasklist'
+        - CommandLine|re: 'ipconfig\s+/all'
+        - CommandLine|contains:
+              # Taken from a6f9043627f8be2452153b5dbf6278e9b91763c3b5c2aea537a859e0c8c6b504
+              # If you find samples using other commands please add them
+              - 'dir'
+              - 'systeminfo'
+              - 'tasklist'
     condition: all of selection_*
 falsepositives:
     - Unlikely

rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml

@@ -6,7 +6,7 @@ references:
     - https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
 author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
 date: 2023-04-20
-modified: 2023-04-25
+modified: 2025-10-19
 tags:
     - attack.execution
     - detection.emerging-threats
@@ -43,10 +43,7 @@ detection:
               - 'Invoke-Expression'
               - 'Invoke-WebRequest'
               - 'localgroup administrators'
-              - 'net group'
-              - 'net user'
               - 'o365accountconfiguration'
-              - 'query session'
               - 'samaccountname='
               - 'set-MpPreference'
               - 'svhost.exe'
@@ -55,7 +52,11 @@ detection:
               - 'usoprivate'
               - 'usoshared'
               - 'whoami'
-        - CommandLine|re: '[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}'
+        - CommandLine|re:
+              - '[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}'
+              - 'net\s+user'
+              - 'net\s+group'
+              - 'query\s+session'
     selection_special_child_lsass_1:
         CommandLine|contains: 'lsass'
     selection_special_child_lsass_2:

rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml

@@ -6,7 +6,7 @@ references:
     - https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
 author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
 date: 2023-04-20
-modified: 2023-04-25
+modified: 2025-10-19
 tags:
     - attack.execution
     - detection.emerging-threats
@@ -45,10 +45,7 @@ detection:
               - 'Invoke-Expression'
               - 'Invoke-WebRequest'
               - 'localgroup administrators'
-              - 'net group'
-              - 'net user'
               - 'o365accountconfiguration'
-              - 'query session'
               - 'samaccountname='
               - 'set-MpPreference'
               - 'svhost.exe'
@@ -58,6 +55,9 @@ detection:
               - 'usoshared'
               - 'whoami'
         - CommandLine|re: '[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}'
+        - CommandLine|re: 'net\s+user'
+        - CommandLine|re: 'net\s+group'
+        - CommandLine|re: 'query\ssession'
     selection_special_child_lsass_1:
         CommandLine|contains: 'lsass'
     selection_special_child_lsass_2:

rules-threat-hunting/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml

@@ -4,15 +4,19 @@ related:
     - id: deb9b646-a508-44ee-b7c9-d8965921c6b6
       type: similar
 status: test
-description: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
+description: |
+    Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation in Powershell scripts.
+    Use this rule as a threat-hunting baseline to find obfuscated scripts in your environment.
+    Once tested and tuned, consider deploying a production detection rule based on this hunting rule.
 references:
     - https://github.com/danielbohannon/Invoke-Obfuscation
 author: frack113
 date: 2022-12-27
-modified: 2023-03-24
+modified: 2025-10-19
 tags:
     - attack.defense-evasion
     - attack.t1027.009
+    - detection.threat-hunting
 logsource:
     product: windows
     category: ps_script
@@ -40,5 +44,5 @@ detection:
         ScriptBlockText|contains: '`r`n'
     condition: selection and not 1 of filter_*
 falsepositives:
-    - Unknown
-level: high
+    - Edge case might be possible with heavy use of string formatting or obfuscation in legitimate scripts.
+level: medium

rules/windows/builtin/security/win_security_kerberoasting_activity.yml

@@ -10,6 +10,7 @@ references:
     - https://adsecurity.org/?p=3513
 author: '@kostastsale'
 date: 2022-01-21
+modified: 2025-10-19
 tags:
     - attack.credential-access
     - attack.t1558.003
@@ -21,10 +22,11 @@ detection:
         EventID: 4769
         Status: '0x0' # Translated as status from failure code field. Query only for successes
         TicketEncryptionType: '0x17' # RC4 ticket encryption type
-    filter_main_:
+    filter_main_krbtgt:
         ServiceName|endswith:
             - 'krbtgt' # Ignore requests for the krbtgt service
             - '$' # Ignore requests from service names that end with $ which are associated with genuine kerberos traffic
+    filter_main_machine_accounts:
         TargetUserName|contains: '$@' # Ignore requests from machines
     condition: selection and not 1 of filter_main_*
 falsepositives:

rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml

@@ -6,7 +6,7 @@ references:
     - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-02
-modified: 2025-07-18
+modified: 2025-10-19
 tags:
     - attack.execution
     - attack.t1059.001
@@ -45,17 +45,18 @@ detection:
             - '--post-data'
             - '--post-file'
     payloads:
+        - CommandLine|re:
+              - 'net\s+view'
+              - 'sc\s+query'
         - CommandLine|contains:
               - 'Get-Content'
               - 'GetBytes'
               - 'hostname'
               - 'ifconfig'
               - 'ipconfig'
-              - 'net view'
               - 'netstat'
               - 'nltest'
               - 'qprocess'
-              - 'sc query'
               - 'systeminfo'
               - 'tasklist'
               - 'ToBase64String'

rules/windows/process_creation/proc_creation_win_susp_network_command.yml

@@ -6,7 +6,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-1---system-network-configuration-discovery-on-windows
 author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
 date: 2021-12-07
-modified: 2022-04-11
+modified: 2025-10-19
 tags:
     - attack.discovery
     - attack.t1016
@@ -15,13 +15,13 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine|contains:
-            - 'ipconfig /all'
-            - 'netsh interface show interface'
-            - 'arp -a'
-            - 'nbtstat -n'
-            - 'net config'
-            - 'route print'
+        CommandLine|re:
+            - 'ipconfig\s+/all'
+            - 'netsh\s+interface show interface'
+            - 'arp\s+-a'
+            - 'nbtstat\s+-n'
+            - 'net\s+config'
+            - 'route\s+print'
     condition: selection
 falsepositives:
     - Administrator, hotline ask to user

rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml

@@ -7,7 +7,7 @@ references:
     - https://tools.thehacker.recipes/mimikatz/modules
 author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
 date: 2021-12-20
-modified: 2024-12-01
+modified: 2025-10-19
 tags:
     - attack.credential-access
     - attack.defense-evasion
@@ -35,6 +35,7 @@ detection:
               - '\mshta.exe'
               - '\ping.exe'
               - '\wscript.exe'
+        - CommandLine|re: 'net\s+user\s+'
         - CommandLine|contains:
               # - 'sc stop ' # stops a system service # causes FPs
               - ' -NoP '  # Often used in malicious PowerShell commands
@@ -74,7 +75,6 @@ detection:
               - ' p::d '  # Mimikatz
               - ';iex('  # PowerShell IEX
               - 'MiniDump'  # Process dumping method apart from procdump
-              - 'net user '
     filter_main_ping:
         CommandLine|contains|all:
             - 'ping'

tests/reference-archiver.py

@@ -9,6 +9,7 @@ import requests
 import yaml
 import os
 from datetime import datetime
+from typing import Generator
 
 
 WEB_ARCHIVE_SAVE_URL = "https://web.archive.org/save/"
@@ -27,7 +28,7 @@ path_to_rules = [
 
 
 # Helper functions
-def yield_next_rule_file_path(path_to_rules: list) -> str:
+def yield_next_rule_file_path(path_to_rules: list) -> Generator[str, None, None]:
     for path_ in path_to_rules:
         for root, _, files in os.walk(path_):
             for file in files:
@@ -103,6 +104,26 @@ def archive_references(ref_list):
     return already_archived, newly_archived_references, error_archiving
 
 
+def sort_references(file_path: str):
+    """Sort the references in the rule-references.txt file alphabetically."""
+    try:
+        with open(file_path, "r") as f:
+            references = [line.strip() for line in f.readlines() if line.strip()]
+        
+        # Sort references alphabetically (case-insensitive)
+        references.sort(key=str.lower)
+        
+        # Write the sorted references back to the file
+        with open(file_path, "w") as f:
+            for ref in references:
+                f.write(ref + "\n")
+        
+        print("References sorted successfully.")
+        
+    except Exception as e:
+        print(f"Error sorting references: {e}")
+
+
 if __name__ == "__main__":
     print("Archiving references ...\n")
 
@@ -124,6 +145,10 @@ if __name__ == "__main__":
             f.write(ref)
             f.write("\n")
 
+    # Sort the references alphabetically at the end
+    print("Sorting references...")
+    sort_references("tests/rule-references.txt")
+
     # Write markdown output to open the issue
     with open(".github/latest_archiver_output.md", "w") as f:
         f.write(f"# Reference Archiver Results\n\n")