Merge branch 'master' into nasbench-rule-devel

rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml

@@ -0,0 +1,27 @@
+title: OpenSSH Server Listening On Socket
+id: 3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781
+status: experimental
+description: Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.
+references:
+    - https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH
+    - https://winaero.com/enable-openssh-server-windows-10/
+    - https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
+    - https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx
+    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: mdecrevoisier
+date: 2022/10/25
+tags:
+    - attack.lateral_movement
+    - attack.t1021.004
+logsource:
+    product: windows
+    service: openssh
+detection:
+    selection:
+        EventID: 4
+        process: sshd
+        payload|startswith: 'Server listening on '
+    condition: selection
+falsepositives:
+    - Legitimate administrator activity
+level: medium

rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml

@@ -14,6 +14,7 @@ tags:
 logsource:
     category: file_access
     product: windows
+    definition: file_access rules are using the Microsoft-Windows-Kernel-File ETW provider
 detection:
     selection:
         - FileName|contains:

rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml

@@ -1,7 +1,9 @@
 title: Credential Manager Access
 id: 407aecb1-e762-4acf-8c7b-d087bcff3bb6
 status: experimental
-description: Detects suspicious processes based on name and location that access the windows credential manager and vault. Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function
+description: |
+  Detects suspicious processes based on name and location that access the windows credential manager and vault.
+  Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function
 references:
     - https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz
     - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
@@ -13,6 +15,7 @@ tags:
 logsource:
     category: file_access
     product: windows
+    definition: file_access rules are using the Microsoft-Windows-Kernel-File ETW provider
 detection:
     selection:
         FileName|contains:

rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml

@@ -1,7 +1,9 @@
 title: Suspicious Access To Windows DPAPI Master Keys
 id: 46612ae6-86be-4802-bc07-39b59feb1309
 status: experimental
-description: Detects suspicious processes based on name and location that access the Windows Data Protection API Master keys. Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function
+description: |
+  Detects suspicious processes based on name and location that access the Windows Data Protection API Master keys.
+  Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function
 references:
     - https://web.archive.org/web/20181130065817/http://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/
     - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords
@@ -13,6 +15,7 @@ tags:
 logsource:
     category: file_access
     product: windows
+    definition: file_access rules are using the Microsoft-Windows-Kernel-File ETW provider
 detection:
     selection:
         FileName|contains:

rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml

@@ -1,7 +1,9 @@
 title: Suspicious Access To Windows Credential History File
 id: 7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2
 status: experimental
-description: Detects suspicious processes based on name and location that access the Windows Credential History File. Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function
+description: |
+  Detects suspicious processes based on name and location that access the Windows Credential History File.
+  Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function
 references:
     - https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist
     - https://www.passcape.com/windows_password_recovery_dpapi_credhist
@@ -13,6 +15,7 @@ tags:
 logsource:
     category: file_access
     product: windows
+    definition: file_access rules are using the Microsoft-Windows-Kernel-File ETW provider
 detection:
     selection:
         FileName|endswith: '\Microsoft\Protect\CREDHIST'

rules/windows/file/file_change/file_change_win_2022_timestomping.yml

@@ -2,13 +2,13 @@ title: File Creation Date Changed to Another Year
 id: 558eebe5-f2ba-4104-b339-36f7902bcc1a
 status: experimental
 description: |
-  Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.
-  Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.
+    Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.
+    Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.
 references:
     - https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
 author: frack113, Florian Roth
 date: 2022/08/12
-modified: 2022/09/09
+modified: 2022/10/25
 tags:
     - attack.t1070.006
     - attack.defense_evasion
@@ -33,6 +33,10 @@ detection:
         - TargetFilename|endswith:
             - '.tmp'
             - '.temp'
+    gen_filter_tiworker:
+        Image|startswith: 'C:\WINDOWS\'
+        Image|endswith: '\TiWorker.exe'
+        TargetFilename|endswith: '.cab'
     condition: (( selection1 and not filter1 ) or ( selection2 and not filter2 )) and not 1 of gen_filter*
 falsepositives:
     - Changes made to or by the local NTP service

rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml

@@ -1,11 +1,11 @@
 title: Unusual File Modification by dns.exe
 id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3
 status: experimental
-author: Tim Rauch
-date: 2022/09/27
 description: Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
 references:
     - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html
+author: Tim Rauch
+date: 2022/09/27
 tags:
     - attack.initial_access
     - attack.t1133

rules/windows/file/file_delete/file_delete_win_delete_appli_log.yml

@@ -2,10 +2,13 @@ title: Delete Log from Application
 id: b1decb61-ed83-4339-8e95-53ea51901720
 status: experimental
 description: Deletion of log files is a known anti-forensic technique
-author: frack113
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
+author: frack113
 date: 2022/01/16
+tags:
+    - attack.defense_evasion
+    - attack.t1070.004
 logsource:
     product: windows
     category: file_delete
@@ -19,6 +22,3 @@ detection:
 falsepositives:
     - Unknown
 level: low
-tags:
-    - attack.defense_evasion
-    - attack.t1070.004

rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml

@@ -2,11 +2,14 @@ title: Deletes Backup Files
 id: 06125661-3814-4e03-bfa2-1e4411c60ac3
 status: experimental
 description: Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.
-author: frack113
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files
+author: frack113
 date: 2022/01/02
 modified: 2022/06/02
+tags:
+    - attack.impact
+    - attack.t1490
 logsource:
     product: windows
     category: file_delete
@@ -26,6 +29,3 @@ detection:
 falsepositives:
     - Legitime usage
 level: medium
-tags:
-    - attack.impact
-    - attack.t1490

rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml

@@ -2,7 +2,6 @@ title: Prefetch File Deletion
 id: 0a1f9d29-6465-4776-b091-7f43b26e4c89
 status: experimental
 description: Detects the deletion of a prefetch file (AntiForensic)
-level: high
 author: Cedric MAURUGEON
 date: 2021/09/29
 modified: 2022/05/27
@@ -24,3 +23,4 @@ detection:
     condition: selection and not exception
 falsepositives:
     - Unknown
+level: high

rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml

@@ -2,12 +2,15 @@ title: Sysinternals SDelete File Deletion
 id: 6ddab845-b1b8-49c2-bbf7-1a11967f64bc
 status: test
 description: A General detection to trigger for the deletion of files by Sysinternals SDelete. It looks for the common name pattern used to rename files.
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 references:
     - https://github.com/OTRF/detection-hackathon-apt29/issues/9
     - https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020/05/02
 modified: 2022/09/21
+tags:
+    - attack.defense_evasion
+    - attack.t1070.004
 logsource:
     product: windows
     category: file_delete
@@ -22,6 +25,3 @@ detection:
 falsepositives:
     - Legitime usage of SDelete
 level: medium
-tags:
-    - attack.defense_evasion
-    - attack.t1070.004

rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml

@@ -1,11 +1,11 @@
 title: Unusual File Deletion by dns.exe
 id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0
 status: experimental
-author: Tim Rauch
-date: 2022/09/27
 description: Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
 references:
     - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html
+author: Tim Rauch
+date: 2022/09/27
 tags:
     - attack.initial_access
     - attack.t1133

rules/windows/file/file_delete/file_delete_win_webserver_access_logs_deleted.yml

@@ -6,12 +6,12 @@ references:
     - https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html
 author: Tim Rauch
 date: 2022/09/16
-logsource:
-    category: file_delete
-    product: windows
 tags:
     - attack.defense_evasion
     - attack.t1070
+logsource:
+    category: file_delete
+    product: windows
 detection:
     selection:
         FileName|startswith: 'C:\inetpub\logs\LogFiles\'
@@ -20,4 +20,4 @@ detection:
 falsepositives:
     - During uninstallation of the IIS service
     - During log rotation
-level: medium
+level: medium

rules/windows/file/file_event/file_event_win_access_susp_teams.yml

@@ -2,25 +2,25 @@ title: Suspicious File Event With Teams Objects
 id: 6902955a-01b7-432c-b32a-6f5f81d8f624
 status: experimental
 description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
-author: '@SerkinValery'
 references:
-  - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
-  - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
+    - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
+    - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
+author: '@SerkinValery'
 date: 2022/09/16
-logsource:
-  product: windows
-  category: file_event
-detection:
-  selection:
-    TargetFilename|contains:
-      - '\Microsoft\Teams\Cookies'
-      - '\Microsoft\Teams\Local Storage\leveldb'
-  filter:
-    Image|contains: '\Microsoft\Teams\current\Teams.exe'
-  condition: selection and not filter
-falsepositives:
-  - Unknown
-level: high
 tags:
-  - attack.credential_access
-  - attack.t1528
+    - attack.credential_access
+    - attack.t1528
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        TargetFilename|contains:
+            - '\Microsoft\Teams\Cookies'
+            - '\Microsoft\Teams\Local Storage\leveldb'
+    filter:
+        Image|contains: '\Microsoft\Teams\current\Teams.exe'
+    condition: selection and not filter
+falsepositives:
+    - Unknown
+level: high

rules/windows/file/file_event/file_event_win_access_susp_unattend_xml.yml

@@ -2,12 +2,15 @@ title: Suspicious Unattend.xml File Access
 id: 1a3d42dd-3763-46b9-8025-b5f17f340dfb
 status: experimental
 description: |
-  Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.
-  If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process
-author: frack113
+    Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.
+    If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
+author: frack113
 date: 2021/12/19
+tags:
+    - attack.credential_access
+    - attack.t1552.001
 logsource:
     product: windows
     category: file_event
@@ -18,6 +21,3 @@ detection:
 falsepositives:
     - Unknown
 level: medium
-tags:
-    - attack.credential_access
-    - attack.t1552.001

rules/windows/file/file_event/file_event_win_anydesk_artefact.yml

@@ -2,16 +2,19 @@ title: Anydesk Temporary Artefact
 id: 0b9ad457-2554-44c1-82c2-d56a99c42377
 status: experimental
 description: |
-  An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
-  These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-  Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
 author: frack113
 date: 2022/02/11
+tags:
+    - attack.command_and_control
+    - attack.t1219
 logsource:
-     category: file_event
-     product: windows
+    category: file_event
+    product: windows
 detection:
     selection:
         TargetFilename|contains:
@@ -22,6 +25,3 @@ detection:
 falsepositives:
     - Legitimate use
 level: medium
-tags:
-    - attack.command_and_control
-    - attack.t1219

rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml

@@ -1,11 +1,17 @@
 title: Suspicious Binary Writes Via AnyDesk
 id: 2d367498-5112-4ae5-a06a-96e7bc33a211
 status: experimental
-description: Detects anydesk writing binaries files to disk other than "gcapi.dll". According to RedCanary research it's highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that's part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
-author: Nasreddine Bencherchali
+description: |
+  Detects anydesk writing binaries files to disk other than "gcapi.dll".
+  According to RedCanary research it's highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,
+  which is a legitimate DLL that's part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
 references:
     - https://redcanary.com/blog/misbehaving-rats/
+author: Nasreddine Bencherchali
 date: 2022/09/28
+tags:
+    - attack.command_and_control
+    - attack.t1219
 logsource:
     product: windows
     category: file_event
@@ -21,6 +27,3 @@ detection:
 falsepositives:
     - Unknown
 level: high
-tags:
-    - attack.command_and_control
-    - attack.t1219

rules/windows/file/file_event/file_event_win_apt_unidentified_nov_18.yml

@@ -4,8 +4,7 @@ related:
     - id: 7453575c-a747-40b9-839b-125a0aae324b
       type: derived
 status: stable
-description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with
-    YYTRIUM/APT29 campaign in 2016.
+description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.
 references:
     - https://twitter.com/DrunkBinary/status/1063075530180886529
 author: '@41thexplorer, Microsoft Defender ATP'
@@ -19,6 +18,6 @@ logsource:
     category: file_event
 detection:
     selection:
-        TargetFilename|contains: 'ds7002.lnk' 
+        TargetFilename|contains: 'ds7002.lnk'
     condition: selection
-level: high
+level: high

rules/windows/file/file_event/file_event_win_bloodhound_collection.yml

@@ -1,10 +1,10 @@
 title: BloodHound Collection Files
 id: 02773bed-83bf-469f-b7ff-e676e7d78bab
-description: Detects default file names outputted by the BloodHound collection tool SharpHound
 status: experimental
-author: C.J. May
+description: Detects default file names outputted by the BloodHound collection tool SharpHound
 references:
     - https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection
+author: C.J. May
 date: 2022/08/09
 modified: 2022/08/09
 tags:

rules/windows/file/file_event/file_event_win_crackmapexec_patterns.yml

@@ -1,10 +1,10 @@
 title: CrackMapExec File Creation Patterns
 id: 9433ff9c-5d3f-4269-99f8-95fc826ea489
-description: Detects suspicious file creation patterns found in logs when CrackMapExec is used
 status: experimental
-author: Florian Roth
+description: Detects suspicious file creation patterns found in logs when CrackMapExec is used
 references:
     - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass
+author: Florian Roth
 date: 2022/03/12
 modified: 2022/05/27
 tags:
@@ -55,4 +55,4 @@ detection:
     condition: 1 of selection*
 falsepositives:
     - Unknown
-level: high
+level: high

rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml

@@ -2,12 +2,15 @@ title: New Shim Database Created in the Default Directory
 id: ee63c85c-6d51-4d12-ad09-04e25877a947
 status: experimental
 description: |
-  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
-  The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
-author: frack113
+    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
+    The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory
+author: frack113
 date: 2021/12/29
+tags:
+    - attack.persistence
+    - attack.t1547.009
 logsource:
     product: windows
     category: file_event
@@ -19,6 +22,3 @@ detection:
 falsepositives:
     - Unknown
 level: medium
-tags:
-    - attack.persistence
-    - attack.t1547.009

rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml

@@ -2,13 +2,16 @@ title: Suspicious Screensaver Binary File Creation
 id: 97aa2e88-555c-450d-85a6-229bcd87efb8
 status: experimental
 description: |
-  Adversaries may establish persistence by executing malicious content triggered by user inactivity.
-  Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
-author: frack113
+    Adversaries may establish persistence by executing malicious content triggered by user inactivity.
+    Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
+author: frack113
 date: 2021/12/29
 modified: 2022/01/10
+tags:
+    - attack.persistence
+    - attack.t1546.002
 logsource:
     product: windows
     category: file_event
@@ -23,6 +26,3 @@ detection:
 falsepositives:
     - Unknown
 level: medium
-tags:
-    - attack.persistence
-    - attack.t1546.002

rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml

@@ -2,12 +2,15 @@ title: Creation Exe for Service with Unquoted Path
 id: 8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9
 status: experimental
 description: |
-  Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
-  Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
-author: frack113
+    Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
+    Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md
+author: frack113
 date: 2021/12/30
+tags:
+    - attack.persistence
+    - attack.t1547.009
 logsource:
     product: windows
     category: file_event
@@ -19,6 +22,3 @@ detection:
 falsepositives:
     - Unknown
 level: high
-tags:
-    - attack.persistence
-    - attack.t1547.009

rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml

@@ -2,51 +2,51 @@ title: Cred Dump Tools Dropped Files
 id: 8fbf3271-1ef6-4e94-8210-03c2317947f6
 status: test
 description: Files with well-known filenames (parts of credential dump software or files produced by them) creation
-author: Teymur Kheirkhabarov, oscd.community
 references:
-  - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+author: Teymur Kheirkhabarov, oscd.community
 date: 2019/11/01
 modified: 2022/09/21
-logsource:
-  category: file_event
-  product: windows
-detection:
-  selection:
-    - TargetFilename|contains:
-      - '\pwdump'
-      - '\kirbi'
-      - '\pwhashes'
-      - '\wce_ccache'
-      - '\wce_krbtkts'
-      - '\fgdump-log'
-    - TargetFilename|endswith:
-      - '\test.pwd'
-      - '\lsremora64.dll'
-      - '\lsremora.dll'
-      - '\fgexec.exe'
-      - '\wceaux.dll'
-      - '\SAM.out'
-      - '\SECURITY.out'
-      - '\SYSTEM.out'
-      - '\NTDS.out'
-      - '\DumpExt.dll'
-      - '\DumpSvc.exe'
-      - '\cachedump64.exe'
-      - '\cachedump.exe'
-      - '\pstgdump.exe'
-      - '\servpw.exe'
-      - '\servpw64.exe'
-      - '\pwdump.exe'
-      - '\procdump64.exe'
-      - '\Dumpy.exe'
-  condition: selection
-falsepositives:
-  - Legitimate Administrator using tool for password recovery
-level: high
 tags:
-  - attack.credential_access
-  - attack.t1003.001
-  - attack.t1003.002
-  - attack.t1003.003
-  - attack.t1003.004
-  - attack.t1003.005
+    - attack.credential_access
+    - attack.t1003.001
+    - attack.t1003.002
+    - attack.t1003.003
+    - attack.t1003.004
+    - attack.t1003.005
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        - TargetFilename|contains:
+            - '\pwdump'
+            - '\kirbi'
+            - '\pwhashes'
+            - '\wce_ccache'
+            - '\wce_krbtkts'
+            - '\fgdump-log'
+        - TargetFilename|endswith:
+            - '\test.pwd'
+            - '\lsremora64.dll'
+            - '\lsremora.dll'
+            - '\fgexec.exe'
+            - '\wceaux.dll'
+            - '\SAM.out'
+            - '\SECURITY.out'
+            - '\SYSTEM.out'
+            - '\NTDS.out'
+            - '\DumpExt.dll'
+            - '\DumpSvc.exe'
+            - '\cachedump64.exe'
+            - '\cachedump.exe'
+            - '\pstgdump.exe'
+            - '\servpw.exe'
+            - '\servpw64.exe'
+            - '\pwdump.exe'
+            - '\procdump64.exe'
+            - '\Dumpy.exe'
+    condition: selection
+falsepositives:
+    - Legitimate Administrator using tool for password recovery
+level: high

rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml

@@ -2,13 +2,16 @@ title: Dynamic C Sharp Compile Artefact
 id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
 status: experimental
 description: |
-  When C# is compiled dynamically, a .cmdline file will be created as a part of the process.
-  Certain processes are not typically observed compiling C# code, but can do so without touching disk.
-  This can be used to unpack a payload for execution
-author: frack113
+    When C# is compiled dynamically, a .cmdline file will be created as a part of the process.
+    Certain processes are not typically observed compiling C# code, but can do so without touching disk.
+    This can be used to unpack a payload for execution
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile
+author: frack113
 date: 2022/01/09
+tags:
+    - attack.defense_evasion
+    - attack.t1027.004
 logsource:
     product: windows
     category: file_event
@@ -19,6 +22,3 @@ detection:
 falsepositives:
     - Unknown
 level: low
-tags:
-    - attack.defense_evasion
-    - attack.t1027.004

rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml

@@ -1,13 +1,12 @@
 title: CVE-2021-1675 Print Spooler Exploitation Filename Pattern
 id: 2131cfb3-8c12-45e8-8fa0-31f5924e9f07
-description: Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
-author: Florian Roth
 status: experimental
-level: critical
+description: Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
 references:
     - https://github.com/hhlxf/PrintNightmare
     - https://github.com/afwu/PrintNightmare
     - https://github.com/cube0x0/CVE-2021-1675
+author: Florian Roth
 date: 2021/06/29
 modified: 2021/12/01
 tags:
@@ -28,3 +27,4 @@ fields:
     - TargetFilename
 falsepositives:
     - Unknown
+level: critical

rules/windows/file/file_event/file_event_win_cve_2021_26858_msexchange.yml

@@ -1,7 +1,10 @@
 title: CVE-2021-26858 Exchange Exploitation
 id: b06335b3-55ac-4b41-937e-16b7f5d57dfd
 status: test
-description: Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for | creation of non-standard files on disk by Exchange Server’s Unified Messaging service | which could indicate dropping web shells or other malicious content
+description: |
+  Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for 
+  creation of non-standard files on disk by Exchange Server’s Unified Messaging service
+  which could indicate dropping web shells or other malicious content
 references:
     - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
 author: Bhabesh Raj
@@ -25,9 +28,9 @@ detection:
             - '.cfg'
             - 'cleanup.bin'
     condition: selection and not filter
-falsepositives:
-    - Unknown
-level: high
 fields:
     - ComputerName
     - TargetFilename
+falsepositives:
+    - Unknown
+level: high

rules/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yml

@@ -2,11 +2,11 @@ title: InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
 id: 3be82d5d-09fe-4d6a-a275-0d40d234d324
 status: experimental
 description: Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file
-author: Florian Roth
-date: 2021/11/22
 references:
     - https://github.com/klinix5/InstallerFileTakeOver
     - https://www.zerodayinitiative.com/advisories/ZDI-21-1308/
+author: Florian Roth
+date: 2021/11/22
 tags:
     - attack.privilege_escalation
     - attack.t1068

rules/windows/file/file_event/file_event_win_cve_2021_44077_poc_default_files.yml

@@ -2,11 +2,14 @@ title: CVE-2021-44077 POC Default Dropped File
 id: 7b501acf-fa98-4272-aa39-194f82edc8a3
 status: experimental
 description: Detects the creation of "msiexec.exe" in the "bin" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)
-author: Nasreddine Bencherchali
 references:
     - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
     - https://github.com/horizon3ai/CVE-2021-44077/blob/b7a48e25824e8ead95e028475c7fd0e107e6e6bf/exploit.py
+author: Nasreddine Bencherchali
 date: 2022/06/06
+tags:
+    - attack.execution
+    - cve.2021.44077
 logsource:
     category: file_event
     product: windows
@@ -17,6 +20,3 @@ detection:
 falsepositives:
     - Unlikely
 level: high
-tags:
-    - attack.execution
-    - cve.2021.44077

rules/windows/file/file_event/file_event_win_cve_2022_24527_lpe.yml

@@ -1,27 +1,26 @@
 title: CVE-2022-24527 Microsoft Connected Cache LPE
 id: e0a41412-c69a-446f-8e6e-0e6d7483dad7
-description: Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache
-author: Florian Roth
 status: experimental
+description: Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache
 references:
-   - https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/
+    - https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/
+author: Florian Roth
 date: 2022/04/13
 tags:
-   - attack.privilege_escalation
-   - attack.t1059.001
-   - cve.2022.24527
+    - attack.privilege_escalation
+    - attack.t1059.001
+    - cve.2022.24527
 logsource:
-   category: file_event
-   product: windows
+    category: file_event
+    product: windows
 detection:
-   selection:
-      TargetFilename|endswith: 'WindowsPowerShell\Modules\webAdministration\webAdministration.psm1'
-   filter:
-      User|contains: # covers many language settings
-         - 'AUTHORI'
-         - 'AUTORI'
-   condition: selection and not filter
+    selection:
+        TargetFilename|endswith: 'WindowsPowerShell\Modules\webAdministration\webAdministration.psm1'
+    filter:
+        User|contains: # covers many language settings
+            - 'AUTHORI'
+            - 'AUTORI'
+    condition: selection and not filter
 falsepositives:
     - Unknown
 level: high
-

rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml

@@ -2,16 +2,21 @@ title: DLL Search Order Hijackig Via Additional Space in Path
 id: b6f91281-20aa-446a-b986-38a92813a18f
 status: experimental
 description: |
-  Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)
-  but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
+    Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)
+    but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
 references:
     - https://twitter.com/cyb3rops/status/1552932770464292864
     - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
 author: frack113, Nasreddine Bencherchali
 date: 2022/07/30
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.defense_evasion
+    - attack.t1574.002
 logsource:
-     category: file_event
-     product: windows
+    category: file_event
+    product: windows
 detection:
     selection:
         TargetFilename|startswith:
@@ -23,8 +28,3 @@ detection:
 falsepositives:
     - Unknown
 level: high
-tags:
-    - attack.persistence
-    - attack.privilege_escalation
-    - attack.defense_evasion
-    - attack.t1574.002 

rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml

@@ -4,11 +4,13 @@ status: experimental
 description: |
     Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory which could be used as a method of persistence
     The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.
-author: Nasreddine Bencherchali
 references:
     - https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
     - https://github.com/last-byte/PersistenceSniper
+author: Nasreddine Bencherchali
 date: 2022/08/09
+tags:
+    - attack.persistence
 logsource:
     category: file_event
     product: windows
@@ -19,5 +21,3 @@ detection:
 falsepositives:
     - Unknown
 level: medium
-tags:
-    - attack.persistence

rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml

@@ -1,35 +1,35 @@
 title: Suspicious ASPX File Drop by Exchange
 id: bd1212e5-78da-431e-95fa-c58e3237a8e6
 related:
-   - id: 6b269392-9eba-40b5-acb6-55c882b20ba6
-     type: similar
-description: Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
-author: Florian Roth (rule), MSTI (query, idea)
+    - id: 6b269392-9eba-40b5-acb6-55c882b20ba6
+      type: similar
 status: experimental
+description: Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
 references:
-   - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
-   - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
-   - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
+    - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
+    - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
+    - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
+author: Florian Roth (rule), MSTI (query, idea)
 date: 2022/10/01
 tags:
-   - attack.persistence
-   - attack.t1505.003
+    - attack.persistence
+    - attack.t1505.003
 logsource:
-   product: windows
-   category: file_event
+    product: windows
+    category: file_event
 detection:
-   selection:
-      Image|endswith: '\w3wp.exe'
-      CommandLine|contains: 'MSExchange'
-      TargetFilename|contains:
-         - 'FrontEnd\HttpProxy\'              # from GTSC and MSTI reports
-         - '\inetpub\wwwroot\aspnet_client\'  # from GTSC report
-   selection_types:
-      TargetFilename|endswith:
-         - '.aspx'
-         - '.asp'
-         - '.ashx'
-   condition: all of selection*
+    selection:
+        Image|endswith: '\w3wp.exe'
+        CommandLine|contains: 'MSExchange'
+        TargetFilename|contains:
+            - 'FrontEnd\HttpProxy\'           # from GTSC and MSTI reports
+            - '\inetpub\wwwroot\aspnet_client\' # from GTSC report
+    selection_types:
+        TargetFilename|endswith:
+            - '.aspx'
+            - '.asp'
+            - '.ashx'
+    condition: all of selection*
 falsepositives:
-   - Unknown
+    - Unknown
 level: high

rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml

@@ -1,39 +1,39 @@
 title: Suspicious File Drop by Exchange
 id: 6b269392-9eba-40b5-acb6-55c882b20ba6
 related:
-   - id: bd1212e5-78da-431e-95fa-c58e3237a8e6
-     type: similar
-description: Detects suspicious file type dropped by an Exchange component in IIS
-author: Florian Roth
+    - id: bd1212e5-78da-431e-95fa-c58e3237a8e6
+      type: similar
 status: experimental
+description: Detects suspicious file type dropped by an Exchange component in IIS
 references:
-   - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
-   - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
-   - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
+    - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
+    - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
+    - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
+author: Florian Roth
 date: 2022/10/04
 tags:
-   - attack.persistence
-   - attack.t1190
-   - attack.initial_access
-   - attack.t1505.003
+    - attack.persistence
+    - attack.t1190
+    - attack.initial_access
+    - attack.t1505.003
 logsource:
-   product: windows
-   category: file_event
+    product: windows
+    category: file_event
 detection:
-   selection:
-      Image|endswith: '\w3wp.exe'
-      CommandLine|contains: 'MSExchange'
-   selection_types:
-      TargetFilename|endswith:
-         - '.aspx'
-         - '.asp'
-         - '.ashx'
-         - '.ps1'
-         - '.bat'
-         - '.exe'
-         - '.dll'
-         - '.vbs'
-   condition: all of selection*
+    selection:
+        Image|endswith: '\w3wp.exe'
+        CommandLine|contains: 'MSExchange'
+    selection_types:
+        TargetFilename|endswith:
+            - '.aspx'
+            - '.asp'
+            - '.ashx'
+            - '.ps1'
+            - '.bat'
+            - '.exe'
+            - '.dll'
+            - '.vbs'
+    condition: all of selection*
 falsepositives:
-   - Unknown
+    - Unknown
 level: medium

rules/windows/file/file_event/file_event_win_ghostpack_safetykatz.yml

@@ -2,10 +2,10 @@ title: SafetyKatz Default Dump Filename
 id: e074832a-eada-4fd7-94a1-10642b130e16
 status: test
 description: Detects default lsass dump filename from SafetyKatz
-author: Markus Neis
 references:
     - https://github.com/GhostPack/SafetyKatz
     - https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63
+author: Markus Neis
 date: 2018/07/24
 modified: 2021/11/27
 tags:

rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml

@@ -2,13 +2,16 @@ title: GoToAssist Temporary Installation Artefact
 id: 5d756aee-ad3e-4306-ad95-cb1abec48de2
 status: experimental
 description: |
-  An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
-  These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-  Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
 author: frack113
 date: 2022/02/13
+tags:
+    - attack.command_and_control
+    - attack.t1219
 logsource:
     category: file_event
     product: windows
@@ -19,6 +22,3 @@ detection:
 falsepositives:
     - Legitimate use
 level: medium
-tags:
-    - attack.command_and_control
-    - attack.t1219

rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml

@@ -29,9 +29,9 @@ detection:
         - TargetFilename:
             - 'C:\windows\temp\sam'  # C# version of HiveNightmare
     condition: selection
-falsepositives:
-    - Files that accidentally contain these strings
-level: high
 fields:
     - CommandLine
     - ParentCommandLine
+falsepositives:
+    - Files that accidentally contain these strings
+level: high

rules/windows/file/file_event/file_event_win_hktl_nppspy.yml

@@ -2,10 +2,10 @@ title: NPPSpy Hacktool Usage
 id: cad1fe90-2406-44dc-bd03-59d0b58fe722
 status: experimental
 description: Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file
-author: Florian Roth
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy
     - https://twitter.com/0gtweet/status/1465282548494487554
+author: Florian Roth
 date: 2021/11/29
 tags:
     - attack.credential_access

rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml

@@ -2,10 +2,13 @@ title: Installation of TeamViewer Desktop
 id: 9711de76-5d4f-4c50-a94f-21e4e8f8384d
 status: experimental
 description: TeamViewer_Desktop.exe is create during install
-author: frack113
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows
+author: frack113
 date: 2022/01/28
+tags:
+    - attack.command_and_control
+    - attack.t1219
 logsource:
     product: windows
     category: file_event
@@ -16,6 +19,3 @@ detection:
 falsepositives:
     - Unknown
 level: medium
-tags:
-    - attack.command_and_control
-    - attack.t1219

rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml

@@ -8,9 +8,14 @@ references:
     - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/
 author: frack113
 date: 2022/08/12
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.defense_evasion
+    - attack.t1574.002
 logsource:
-     category: file_event
-     product: windows
+    category: file_event
+    product: windows
 detection:
     selection:
         TargetFilename|contains|all:
@@ -20,8 +25,3 @@ detection:
 falsepositives:
     - Unknown
 level: high
-tags:
-    - attack.persistence
-    - attack.privilege_escalation
-    - attack.defense_evasion
-    - attack.t1574.002

rules/windows/file/file_event/file_event_win_iso_file_mount.yml

@@ -2,7 +2,7 @@ title: ISO File Created Within Temp Folders
 id: 2f9356ae-bf43-41b8-b858-4496d83b2acb
 status: experimental
 description: Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.
-references: 
+references:
     - https://twitter.com/Sam0x90/status/1552011547974696960
     - https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html
 author: '@sam0x90'

rules/windows/file/file_event/file_event_win_iso_file_recent.yml

@@ -1,13 +1,15 @@
 title: ISO or Image Mount Indicator in Recent Files
 id: 4358e5a5-7542-4dcb-b9f3-87667371839b
-description: Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks. This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.
 status: experimental
-author: Florian Roth
+description: |
+  Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.
+  This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.
 references:
     - https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
     - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
     - https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/
     - https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/
+author: Florian Roth
 date: 2022/02/11
 logsource:
     product: windows

rules/windows/file/file_event/file_event_win_legitimate_app_dropping_archive.yml

@@ -1,11 +1,14 @@
 title: Legitimate Application Dropped Archive
 id: 654fcc6d-840d-4844-9b07-2c3300e54a26
-description: Detects programs on a Windows system that should not write an archive to disk
 status: experimental
-author: frack113, Florian Roth
+description: Detects programs on a Windows system that should not write an archive to disk
 references:
     - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
+author: frack113, Florian Roth
 date: 2022/08/21
+tags:
+    - attack.defense_evasion
+    - attack.t1218
 logsource:
     product: windows
     category: file_event
@@ -47,6 +50,3 @@ detection:
 falsepositives:
     - Unknown
 level: high
-tags:
-    - attack.defense_evasion
-    - attack.t1218

rules/windows/file/file_event/file_event_win_legitimate_app_dropping_exe.yml

@@ -1,11 +1,14 @@
 title: Legitimate Application Dropped Executable
 id: f0540f7e-2db3-4432-b9e0-3965486744bc
-description: Detects programs on a Windows system that should not write executables to disk
 status: experimental
-author: frack113, Florian Roth
+description: Detects programs on a Windows system that should not write executables to disk
 references:
     - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
+author: frack113, Florian Roth
 date: 2022/08/21
+tags:
+    - attack.defense_evasion
+    - attack.t1218
 logsource:
     product: windows
     category: file_event
@@ -45,6 +48,3 @@ detection:
 falsepositives:
     - Unknown
 level: high
-tags:
-    - attack.defense_evasion
-    - attack.t1218

rules/windows/file/file_event/file_event_win_legitimate_app_dropping_script.yml

@@ -1,11 +1,14 @@
 title: Legitimate Application Dropped Script
 id: 7d604714-e071-49ff-8726-edeb95a70679
-description: Detects programs on a Windows system that should not write scripts to disk
 status: experimental
-author: frack113, Florian Roth
+description: Detects programs on a Windows system that should not write scripts to disk
 references:
     - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
+author: frack113, Florian Roth
 date: 2022/08/21
+tags:
+    - attack.defense_evasion
+    - attack.t1218
 logsource:
     product: windows
     category: file_event
@@ -47,6 +50,3 @@ detection:
 falsepositives:
     - Unknown
 level: high
-tags:
-    - attack.defense_evasion
-    - attack.t1218

rules/windows/file/file_event/file_event_win_lsass_dump.yml

@@ -3,15 +3,15 @@ id: a5a2d357-1ab8-4675-a967-ef9990a59391
 related:
     - id: db2110f3-479d-42a6-94fb-d35bc1e46492
       type: obsoletes
-description: Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials
 status: experimental
-author: Florian Roth
+description: Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials
 references:
     - https://www.google.com/search?q=procdump+lsass
     - https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
     - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
     - https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
     - https://github.com/helpsystems/nanodump
+author: Florian Roth
 date: 2021/11/15
 modified: 2022/06/27
 tags:

rules/windows/file/file_event/file_event_win_lsass_memory_dump_file_creation.yml

@@ -18,10 +18,10 @@ detection:
         TargetFilename|contains: 'lsass'
         TargetFilename|endswith: 'dmp'
     condition: selection
+fields:
+    - ComputerName
+    - TargetFilename
 falsepositives:
     - Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator
     - Dumps of another process that contains lsass in its process name (substring)
 level: high
-fields:
-    - ComputerName
-    - TargetFilename

rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml

@@ -1,10 +1,10 @@
 title: WerFault LSASS Process Memory Dump
 id: c3e76af5-4ce0-4a14-9c9a-25ceb8fda182
-description: Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
 status: experimental
-author: Florian Roth
+description: Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
 references:
     - https://github.com/helpsystems/nanodump
+author: Florian Roth
 date: 2022/06/27
 tags:
     - attack.credential_access

rules/windows/file/file_event/file_event_win_macro_file.yml

@@ -2,12 +2,15 @@ title: Dump Office Macro Files from Commandline
 id: b1c50487-1967-4315-a026-6491686d860e
 status: experimental
 description: A office file with macro is created from a commandline or a script
-author: frack113
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
     - https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
+author: frack113
 date: 2022/01/23
 modified: 2022/07/14
+tags:
+    - attack.initial_access
+    - attack.t1566.001
 logsource:
     category: file_event
     product: windows
@@ -34,6 +37,3 @@ detection:
 falsepositives:
     - Unknown
 level: medium
-tags:
-    - attack.initial_access
-    - attack.t1566.001

rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml

@@ -2,23 +2,23 @@ title: Octopus Scanner Malware
 id: 805c55d9-31e6-4846-9878-c34c75054fe9
 status: test
 description: Detects Octopus Scanner Malware.
-author: NVISO
 references:
-  - https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
+    - https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
+author: NVISO
 date: 2020/06/09
 modified: 2021/11/27
-logsource:
-  product: windows
-  category: file_event
-detection:
-  selection:
-    TargetFilename|endswith:
-      - '\AppData\Local\Microsoft\Cache134.dat'
-      - '\AppData\Local\Microsoft\ExplorerSync.db'
-  condition: selection
-falsepositives:
-  - Unknown
-level: high
 tags:
-  - attack.t1195
-  - attack.t1195.001
+    - attack.t1195
+    - attack.t1195.001
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        TargetFilename|endswith:
+            - '\AppData\Local\Microsoft\Cache134.dat'
+            - '\AppData\Local\Microsoft\ExplorerSync.db'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules/windows/file/file_event/file_event_win_mimikatz_kirbi_file_creation.yml

@@ -2,9 +2,9 @@ title: Mimikatz Kirbi File Creation
 id: 9e099d99-44c2-42b6-a6d8-54c3545cab29
 status: test
 description: Detects the creation of files that contain Kerberos tickets based on an extension used by the popular tool Mimikatz
-author: Florian Roth
 references:
     - https://cobalt.io/blog/kerberoast-attack-techniques
+author: Florian Roth
 date: 2021/11/08
 tags:
     - attack.credential_access

rules/windows/file/file_event/file_event_win_mimimaktz_memssp_log_file.yml

@@ -2,20 +2,20 @@ title: Mimikatz MemSSP Default Log File Creation
 id: 034affe8-6170-11ec-844f-0f78aa0c4d66
 status: experimental
 description: Detects Mimikatz MemSSP default log file creation
-author: David ANDRE
 references:
-   - https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
+    - https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
+author: David ANDRE
 date: 2021/12/20
 tags:
-   - attack.credential_access
-   - attack.t1003
+    - attack.credential_access
+    - attack.t1003
 logsource:
     product: windows
     category: file_event
 detection:
-   selection:
-      TargetFilename|endswith: 'mimilsa.log'
-   condition: selection
+    selection:
+        TargetFilename|endswith: 'mimilsa.log'
+    condition: selection
 falsepositives:
-   - Unlikely
+    - Unlikely
 level: critical

rules/windows/file/file_event/file_event_win_msdt_autorun.yml

@@ -1,11 +1,11 @@
-title: MSDT.exe Creates Files in Autorun Directory 
+title: MSDT.exe Creates Files in Autorun Directory
 id: 318557a5-150c-4c8d-b70e-a9910e199857
 status: experimental
 description: Detects msdt.exe creating files in suspicious directories
-author: Vadim Varganov, Florian Roth
 references:
-    - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd 
+    - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
     - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
+author: Vadim Varganov, Florian Roth
 date: 2022/08/24
 tags:
     - attack.persistence
@@ -17,7 +17,7 @@ logsource:
 detection:
     selection:
         Image|endswith: '\msdt.exe'
-        TargetFilename|contains: 
+        TargetFilename|contains:
             - '\Start Menu\Programs\Startup\'
             - 'C:\Users\Public\'
             - 'C:\PerfLogs\'

rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml

@@ -2,10 +2,13 @@ title: Creation Suspicious File In Uncommon AppData Folder
 id: d7b50671-d1ad-4871-aa60-5aa5b331fe04
 status: experimental
 description: Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs
-author: Nasreddine Bencherchali
 references:
     - Internal Research
+author: Nasreddine Bencherchali
 date: 2022/08/05
+tags:
+    - attack.defense_evasion
+    - attack.execution
 logsource:
     product: windows
     category: file_event
@@ -31,6 +34,3 @@ detection:
 falsepositives:
     - Unlikely
 level: high
-tags:
-    - attack.defense_evasion
-    - attack.execution

rules/windows/file/file_event/file_event_win_new_src_file.yml

@@ -2,30 +2,30 @@ title: SCR File Write Event
 id: c048f047-7e2a-4888-b302-55f509d4a91d
 status: experimental
 description: An attacker may execute an application as a .SCR File (Screensaver) using rundll32.exe desk.cpl,InstallScreenSaver
-author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
 references:
-  - https://lolbas-project.github.io/lolbas/Libraries/Desk/
+    - https://lolbas-project.github.io/lolbas/Libraries/Desk/
+author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
 date: 2022/04/27
 modified: 2022/10/07
 tags:
-  - attack.t1218.011
-  - attack.defense_evasion
+    - attack.t1218.011
+    - attack.defense_evasion
 logsource:
-  category: file_event
-  product: windows
+    category: file_event
+    product: windows
 detection:
-  selection:
-    TargetFilename|endswith: '.scr'
-  filter:
-    TargetFilename|startswith:
-      - 'C:\Windows\System32\'
-      - 'C:\Windows\system32\'
-      - 'C:\Windows\SysWOW64\'
-      - 'C:\Windows\SysWow64\'
-      - 'C:\Windows\winsxs\'
-      - 'C:\Windows\WinSxS\'
-      - 'C:\$WINDOWS.~BT\NewOS\'
-  condition: selection and not filter
+    selection:
+        TargetFilename|endswith: '.scr'
+    filter:
+        TargetFilename|startswith:
+            - 'C:\Windows\System32\'
+            - 'C:\Windows\system32\'
+            - 'C:\Windows\SysWOW64\'
+            - 'C:\Windows\SysWow64\'
+            - 'C:\Windows\winsxs\'
+            - 'C:\Windows\WinSxS\'
+            - 'C:\$WINDOWS.~BT\NewOS\'
+    condition: selection and not filter
 falsepositives:
-  - The installation of new screen savers.
+    - The installation of new screen savers.
 level: medium

rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml

@@ -1,12 +1,14 @@
 title: Persistence Via Notepad++ Plugins
 id: 54127bd4-f541-4ac3-afdb-ea073f63f692
-description: Detects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence
 status: experimental
-author: Nasreddine Bencherchali
+description: Detects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence
 references:
     - https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/
+author: Nasreddine Bencherchali
 date: 2022/06/10
 modified: 2022/09/20
+tags:
+    - attack.persistence
 logsource:
     product: windows
     category: file_event
@@ -28,5 +30,3 @@ falsepositives:
     - Possible FPs during first installation of Notepad++
     - Legitimate use of custom plugins to enhance notepad++ functionality by users
 level: medium
-tags:
-    - attack.persistence

rules/windows/file/file_event/file_event_win_ntds_dit.yml

@@ -1,13 +1,13 @@
 title: Suspicious NTDS.DIT Creation
 id: 4e7050dd-e548-483f-b7d6-527ab4fa784d
-description: Detects suspicious creations of a file named ntds.dit, e.g. by a PowerShell parent or in a suspicious directory or a suspicious one liner
 status: experimental
-author: Florian Roth
+description: Detects suspicious creations of a file named ntds.dit, e.g. by a PowerShell parent or in a suspicious directory or a suspicious one liner
 references:
     - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
     - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
     - https://pentestlab.blog/tag/ntds-dit/
     - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1
+author: Florian Roth
 date: 2022/03/11
 modified: 2022/07/14
 tags:

rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml

@@ -1,12 +1,12 @@
 title: Suspicious NTDS Exfil Filename Patterns
 id: 3a8da4e0-36c1-40d2-8b29-b3e890d5172a
-description: Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration
 status: experimental
-author: Florian Roth
+description: Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration
 references:
     - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb
     - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1
     - https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405
+author: Florian Roth
 date: 2022/03/11
 tags:
     - attack.credential_access

rules/windows/file/file_event/file_event_win_office_persistence.yml

@@ -2,30 +2,30 @@ title: Microsoft Office Add-In Loading
 id: 8e1cb247-6cf6-42fa-b440-3f27d57e9936
 status: test
 description: Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll are simply .dll fit for Word or Excel).
-author: NVISO
 references:
-  - Internal Research
+    - Internal Research
+author: NVISO
 date: 2020/05/11
 modified: 2021/11/27
-logsource:
-  category: file_event
-  product: windows
-detection:
-  selection_wlldropped:
-    TargetFilename|contains: '\Microsoft\Word\Startup\'
-    TargetFilename|endswith: '.wll'
-  selection_xlldropped:
-    TargetFilename|contains: '\Microsoft\Excel\Startup\'
-    TargetFilename|endswith: '.xll'
-  selection_generic:
-    TargetFilename|contains: '\Microsoft\Addins\'
-    TargetFilename|endswith:
-      - '.xlam'
-      - '.xla'
-  condition: 1 of selection*
-falsepositives:
-  - Legitimate add-ins
-level: high
 tags:
-  - attack.persistence
-  - attack.t1137.006
+    - attack.persistence
+    - attack.t1137.006
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection_wlldropped:
+        TargetFilename|contains: '\Microsoft\Word\Startup\'
+        TargetFilename|endswith: '.wll'
+    selection_xlldropped:
+        TargetFilename|contains: '\Microsoft\Excel\Startup\'
+        TargetFilename|endswith: '.xll'
+    selection_generic:
+        TargetFilename|contains: '\Microsoft\Addins\'
+        TargetFilename|endswith:
+            - '.xlam'
+            - '.xla'
+    condition: 1 of selection*
+falsepositives:
+    - Legitimate add-ins
+level: high

rules/windows/file/file_event/file_event_win_outlook_c2_macro_creation.yml

@@ -1,7 +1,10 @@
 title: Outlook C2 Macro Creation
 id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
 status: test
-description: Detects the creation of a macro file for Outlook. Goes with win_outlook_c2_registry_key. VbaProject.OTM is explicitly mentioned in T1137. Particularly interesting if both events Registry & File Creation happens at the same time.
+description: |
+  Detects the creation of a macro file for Outlook.
+  Goes with win_outlook_c2_registry_key. VbaProject.OTM is explicitly mentioned in T1137.
+  Particularly interesting if both events Registry & File Creation happens at the same time.
 references:
     - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
 author: '@ScoubiMtl'

rules/windows/file/file_event/file_event_win_outlook_newform.yml

@@ -4,12 +4,12 @@ status: experimental
 description: Detects the creation of new Outlook form which can contain malicious code
 references:
     - https://twitter.com/blueteamsec1/status/1401290874202382336?s=20
-tags:
-    - attack.persistence
-    - attack.t1137.003
 author: Tobias Michalski
 date: 2021/06/10
 modified: 2022/06/16
+tags:
+    - attack.persistence
+    - attack.t1137.003
 logsource:
     product: windows
     category: file_event

rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml

@@ -2,7 +2,6 @@ title: Malicious PowerShell Commandlet Names
 id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
 status: test
 description: Detects the creation of known powershell scripts for exploitation
-author: Markus Neis, Nasreddine Bencherchali
 references:
     - https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml
     - https://github.com/PowerShellMafia/PowerSploit
@@ -15,8 +14,12 @@ references:
     - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
     - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
     - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
+author: Markus Neis, Nasreddine Bencherchali
 date: 2018/04/07
 modified: 2022/10/25
+tags:
+    - attack.execution
+    - attack.t1059.001
 logsource:
     category: file_event
     product: windows
@@ -214,6 +217,3 @@ detection:
 falsepositives:
     - Unknown
 level: high
-tags:
-    - attack.execution
-    - attack.t1059.001

rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml

@@ -1,16 +1,20 @@
 title: PowerShell Writing Startup Shortcuts
 id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
-description: Attempts to detect PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
 status: experimental
+description: |
+  Attempts to detect PowerShell writing startup shortcuts.
+  This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
+  Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
+  In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
 references:
     - https://redcanary.com/blog/intelligence-insights-october-2021/
     - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
+author: Christopher Peacock '@securepeacock', SCYTHE
+date: 2021/10/24
+modified: 2022/08/10
 tags:
     - attack.persistence
     - attack.t1547.001
-date: 2021/10/24
-modified: 2022/08/10
-author: Christopher Peacock '@securepeacock', SCYTHE
 logsource:
     product: windows
     category: file_event

rules/windows/file/file_event/file_event_win_quarkspw_filedump.yml

@@ -2,24 +2,24 @@ title: QuarksPwDump Dump File
 id: 847def9e-924d-4e90-b7c4-5f581395a2b4
 status: test
 description: Detects a dump file written by QuarksPwDump password dumper
-author: Florian Roth
 references:
-  - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
+    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
+author: Florian Roth
 date: 2018/02/10
 modified: 2021/11/27
-logsource:
-  category: file_event
-  product: windows
-detection:
-  selection:
-        # Sysmon: File Creation (ID 11)
-    TargetFilename|contains|all:
-      - '\AppData\Local\Temp\SAM-'
-      - '.dmp'
-  condition: selection
-falsepositives:
-  - Unknown
-level: critical
 tags:
-  - attack.credential_access
-  - attack.t1003.002
+    - attack.credential_access
+    - attack.t1003.002
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        # Sysmon: File Creation (ID 11)
+        TargetFilename|contains|all:
+            - '\AppData\Local\Temp\SAM-'
+            - '.dmp'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical

rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml

@@ -2,24 +2,24 @@ title: RedMimicry Winnti Playbook Dropped File
 id: 130c9e58-28ac-4f83-8574-0a4cc913b97e
 status: test
 description: Detects actions caused by the RedMimicry Winnti playbook
-author: Alexander Rausch
 references:
-  - https://redmimicry.com
+    - https://redmimicry.com
+author: Alexander Rausch
 date: 2020/06/24
 modified: 2021/11/27
-logsource:
-  product: windows
-  category: file_event
-detection:
-  selection:
-    TargetFilename|contains:
-      - gthread-3.6.dll
-      - sigcmm-2.4.dll
-      - \Windows\Temp\tmp.bat
-  condition: selection
-falsepositives:
-  - Unknown
-level: high
 tags:
-  - attack.defense_evasion
-  - attack.t1027
+    - attack.defense_evasion
+    - attack.t1027
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        TargetFilename|contains:
+            - gthread-3.6.dll
+            - sigcmm-2.4.dll
+            - \Windows\Temp\tmp.bat
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules/windows/file/file_event/file_event_win_sam_dump.yml

@@ -1,14 +1,14 @@
 title: SAM Dump File Creation
 id: 4e87b8e2-2ee9-4b2a-a715-4727d297ece0
-description: Detects the creation of files that look like exports of the local SAM (Security Account Manager)
 status: experimental
-author: Florian Roth
+description: Detects the creation of files that look like exports of the local SAM (Security Account Manager)
 references:
     - https://github.com/search?q=CVE-2021-36934
     - https://github.com/cube0x0/CVE-2021-36934
     - https://www.google.com/search?q=%22reg.exe+save%22+sam
     - https://github.com/HuskyHacks/ShadowSteal
     - https://github.com/FireFart/hivenightmare
+author: Florian Roth
 date: 2022/02/11
 tags:
     - attack.credential_access
@@ -18,7 +18,7 @@ logsource:
     category: file_event
 detection:
     selection:
-        - TargetFilename|endswith: 
+        - TargetFilename|endswith:
             - '\Temp\sam'
             - '\sam.sav'
             - '\Intel\sam'

rules/windows/file/file_event/file_event_win_screenconnect_artefact.yml

@@ -2,13 +2,16 @@ title: ScreenConnect Temporary Installation Artefact
 id: fec96f39-988b-4586-b746-b93d59fd1922
 status: experimental
 description: |
-  An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
-  These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-  Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows
 author: frack113
 date: 2022/02/13
+tags:
+    - attack.command_and_control
+    - attack.t1219
 logsource:
     category: file_event
     product: windows
@@ -19,6 +22,3 @@ detection:
 falsepositives:
     - Legitimate use
 level: medium
-tags:
-    - attack.command_and_control
-    - attack.t1219

rules/windows/file/file_event/file_event_win_script_creation_by_office_using_file_ext.yml

@@ -1,16 +1,16 @@
 title: Created Files by Office Applications
 id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
+status: experimental
 description: This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.
 references:
     - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
     - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
 author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)'
+date: 2021/08/23
+modified: 2022/07/11
 tags:
     - attack.t1204.002
     - attack.execution
-status: experimental
-date: 2021/08/23
-modified: 2022/07/11
 logsource:
     product: windows
     category: file_event

rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml

@@ -2,12 +2,15 @@ title: Startup Folder File Write
 id: 2aa0a6b4-a865-495b-ab51-c28249537b75
 status: test
 description: A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 references:
     - https://github.com/OTRF/detection-hackathon-apt29/issues/12
     - https://threathunterplaybook.com/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.html
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020/05/02
 modified: 2022/10/07
+tags:
+    - attack.persistence
+    - attack.t1547.001
 logsource:
     product: windows
     category: file_event
@@ -21,6 +24,3 @@ detection:
 falsepositives:
     - An FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate
 level: medium
-tags:
-    - attack.persistence
-    - attack.t1547.001

rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml

@@ -2,13 +2,16 @@ title: Suspicious ADSI-Cache Usage By Unknown Tool
 id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb
 status: test
 description: Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.
-author: xknow @xknow_infosec, Tim Shelton
 references:
     - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
     - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
     - https://github.com/fox-it/LDAPFragger
+author: xknow @xknow_infosec, Tim Shelton
 date: 2019/03/24
 modified: 2022/08/24
+tags:
+    - attack.t1001.003
+    - attack.command_and_control
 logsource:
     product: windows
     category: file_event
@@ -39,6 +42,3 @@ detection:
 falsepositives:
     - Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.
 level: high
-tags:
-    - attack.t1001.003
-    - attack.command_and_control

rules/windows/file/file_event/file_event_win_susp_colorcpl.yml

@@ -2,10 +2,13 @@ title: Suspicious Creation with Colorcpl
 id: e15b518d-b4ce-4410-a9cd-501f23ce4a18
 status: experimental
 description: Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\
-author: frack113
 references:
     - https://twitter.com/eral4m/status/1480468728324231172?s=20
+author: frack113
 date: 2022/01/21
+tags:
+    - attack.defense_evasion
+    - attack.t1564
 logsource:
     product: windows
     category: file_event
@@ -22,6 +25,3 @@ detection:
 falsepositives:
     - Unknown
 level: high
-tags:
-    - attack.defense_evasion
-    - attack.t1564

rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml

@@ -1,13 +1,17 @@
 title: Created Files by Microsoft Sync Center
 id: 409f8a98-4496-4aaa-818a-c931c0a8b832
+status: experimental
 description: This rule detects suspicious files created by Microsoft Sync Center (mobsync)
 references:
     - https://redcanary.com/blog/intelligence-insights-november-2021/
 author: elhoim
-status: experimental
-level: medium
 date: 2022/04/28
 modified: 2022/06/02
+tags:
+    - attack.t1055
+    - attack.t1218
+    - attack.execution
+    - attack.defense_evasion
 logsource:
     product: windows
     category: file_event
@@ -21,8 +25,4 @@ detection:
     condition: selection_mobsync and filter_created_file
 falsepositives:
     - Unknown
-tags:
-    - attack.t1055
-    - attack.t1218
-    - attack.execution
-    - attack.defense_evasion
+level: medium

rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml

@@ -6,6 +6,9 @@ references:
     - https://redcanary.com/blog/intelligence-insights-november-2021/
 author: elhoim
 date: 2022/04/28
+tags:
+    - attack.t1036.005
+    - attack.defense_evasion
 logsource:
     product: windows
     category: file_event
@@ -18,7 +21,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-tags:
-    - attack.t1036.005
-    - attack.defense_evasion
 level: medium

rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml

@@ -2,11 +2,14 @@ title: Suspicious desktop.ini Action
 id: 81315b50-6b60-4d8f-9928-3466e1022515
 status: test
 description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
-author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
 references:
     - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
+author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
 date: 2020/03/19
 modified: 2022/10/07
+tags:
+    - attack.persistence
+    - attack.t1547.009
 logsource:
     product: windows
     category: file_event
@@ -28,6 +31,3 @@ falsepositives:
     - Operations performed through Windows SCCM or equivalent
     - Read only access list authority
 level: medium
-tags:
-    - attack.persistence
-    - attack.t1547.009

rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml

@@ -2,10 +2,13 @@ title: Suspicious Creation TXT File in User Desktop
 id: caf02a0a-1e1c-4552-9b48-5e070bd88d11
 status: experimental
 description: Ransomware create txt file in the user Desktop
-author: frack113
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note
+author: frack113
 date: 2021/12/26
+tags:
+    - attack.impact
+    - attack.t1486
 logsource:
     product: windows
     category: file_event
@@ -20,6 +23,3 @@ detection:
 falsepositives:
     - Unknown
 level: high
-tags:
-    - attack.impact
-    - attack.t1486

rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml

@@ -2,33 +2,33 @@ title: Suspicious Desktopimgdownldr Target File
 id: fc4f4817-0c53-4683-a4ee-b17a64bc1039
 status: test
 description: Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
-author: Florian Roth
 references:
-  - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
-  - https://twitter.com/SBousseaden/status/1278977301745741825
+    - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
+    - https://twitter.com/SBousseaden/status/1278977301745741825
+author: Florian Roth
 date: 2020/07/03
 modified: 2022/06/02
-logsource:
-  product: windows
-  category: file_event
-detection:
-  selection:
-    Image|endswith: '\svchost.exe'
-    TargetFilename|contains: '\Personalization\LockScreenImage\'
-  filter1:
-    TargetFilename|contains: 'C:\Windows\'
-  filter2:
-    TargetFilename|contains:
-      - '.jpg'
-      - '.jpeg'
-      - '.png'
-  condition: selection and not filter1 and not filter2
-fields:
-  - CommandLine
-  - ParentCommandLine
-falsepositives:
-  - False positives depend on scripts and administrative tools used in the monitored environment
-level: high
 tags:
-  - attack.defense_evasion
-  - attack.t1105
+    - attack.defense_evasion
+    - attack.t1105
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        Image|endswith: '\svchost.exe'
+        TargetFilename|contains: '\Personalization\LockScreenImage\'
+    filter1:
+        TargetFilename|contains: 'C:\Windows\'
+    filter2:
+        TargetFilename|contains:
+            - '.jpg'
+            - '.jpeg'
+            - '.png'
+    condition: selection and not filter1 and not filter2
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - False positives depend on scripts and administrative tools used in the monitored environment
+level: high

rules/windows/file/file_event/file_event_win_susp_diagcab.yml

@@ -2,19 +2,19 @@ title: Creation of a Diagcab
 id: 3d0ed417-3d94-4963-a562-4a92c940656a
 status: experimental
 description: Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)
-author: frack113
 references:
-  - https://threadreaderapp.com/thread/1533879688141086720.html
+    - https://threadreaderapp.com/thread/1533879688141086720.html
+author: frack113
 date: 2022/06/08
-logsource:
-  product: windows
-  category: file_event
-detection:
-  selection:
-    TargetFilename|endswith: '.diagcab'
-  condition: selection 
-falsepositives:
-  - Legitimate microsoft diagcab 
-level: medium
 tags:
-  - attack.resource_development
+    - attack.resource_development
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        TargetFilename|endswith: '.diagcab'
+    condition: selection
+falsepositives:
+    - Legitimate microsoft diagcab
+level: medium

rules/windows/file/file_event/file_event_win_susp_double_extension.yml

@@ -5,15 +5,18 @@ related:
       type: derived
 status: experimental
 description: Detects dropped files with double extensions which is often used by malware as a method to abuse the fact that windows hide default extensions by default.
-author: Nasreddine Bencherchali, frack113
 references:
     - https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
     - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
     - https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles
     - https://twitter.com/malwrhunterteam/status/1235135745611960321
     - https://twitter.com/luc4m/status/1073181154126254080
+author: Nasreddine Bencherchali, frack113
 date: 2022/06/19
 modified: 2022/07/28
+tags:
+    - attack.defense_evasion
+    - attack.t1036.007
 logsource:
     category: file_event
     product: windows
@@ -36,7 +39,7 @@ detection:
     selection_exe:
         TargetFilename|endswith:
             - '.zip.exe'
-            - '.rar.exe'   
+            - '.rar.exe'
     filter:
         TargetFilename|contains:
             - '\AppData\Roaming\Microsoft\Office\Recent\'
@@ -45,7 +48,3 @@ detection:
 falsepositives:
     - Unlikely
 level: high
-tags:
-    - attack.defense_evasion
-    - attack.t1036.007
-

rules/windows/file/file_event/file_event_win_susp_dropper.yml

@@ -2,50 +2,50 @@ title: Creation of an Executable by an Executable
 id: 297afac9-5d02-4138-8c58-b977bac60556
 status: experimental
 description: Detects the creation of an executable by another executable
-author: frack113
 references:
-  - Malware Sandbox
+    - Malware Sandbox
+author: frack113
 date: 2022/03/09
 modified: 2022/07/27
+tags:
+    - attack.resource_development
+    - attack.t1587.001
 logsource:
-  product: windows
-  category: file_event
+    product: windows
+    category: file_event
 detection:
-  selection:
-    Image|endswith: '.exe'
-    TargetFilename|endswith: '.exe'
-  filter_whitelist:
-    Image: 
-      - 'C:\Windows\System32\msiexec.exe'
-      - 'C:\Windows\system32\cleanmgr.exe'
-      - 'C:\Windows\explorer.exe'
-      - 'C:\WINDOWS\system32\dxgiadaptercache.exe'
-      - 'C:\WINDOWS\system32\Dism.exe'
-      - 'C:\Windows\System32\wuauclt.exe'
-  filter_update:
-    Image: 'C:\WINDOWS\system32\svchost.exe'
-    TargetFilename|startswith: 'C:\Windows\SoftwareDistribution\Download\Install\'
+    selection:
+        Image|endswith: '.exe'
+        TargetFilename|endswith: '.exe'
+    filter_whitelist:
+        Image:
+            - 'C:\Windows\System32\msiexec.exe'
+            - 'C:\Windows\system32\cleanmgr.exe'
+            - 'C:\Windows\explorer.exe'
+            - 'C:\WINDOWS\system32\dxgiadaptercache.exe'
+            - 'C:\WINDOWS\system32\Dism.exe'
+            - 'C:\Windows\System32\wuauclt.exe'
+    filter_update:
+        Image: 'C:\WINDOWS\system32\svchost.exe'
+        TargetFilename|startswith: 'C:\Windows\SoftwareDistribution\Download\Install\'
     # Security_UserID: S-1-5-18
-  filter_tiworker:
-    Image|startswith: 'C:\Windows\WinSxS\'
-    Image|endswith: '\TiWorker.exe'
-  filter_programfiles:
-    - Image|startswith:
-      - 'C:\Program Files\'
-      - 'C:\Program Files (x86)\'
-    - TargetFilename|startswith:
-      - 'C:\Program Files\'
-      - 'C:\Program Files (x86)\'
-  filter_defender:
-    Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
-  filter_windows_apps:
-    TargetFilename|contains: '\Microsoft\WindowsApps\'
-  condition: selection and not 1 of filter_*
+    filter_tiworker:
+        Image|startswith: 'C:\Windows\WinSxS\'
+        Image|endswith: '\TiWorker.exe'
+    filter_programfiles:
+        - Image|startswith:
+            - 'C:\Program Files\'
+            - 'C:\Program Files (x86)\'
+        - TargetFilename|startswith:
+            - 'C:\Program Files\'
+            - 'C:\Program Files (x86)\'
+    filter_defender:
+        Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
+    filter_windows_apps:
+        TargetFilename|contains: '\Microsoft\WindowsApps\'
+    condition: selection and not 1 of filter_*
 falsepositives:
-  - Software installers
-  - Update utilities
+    - Software installers
+    - Update utilities
 #Please contribute to FP to go up the level
 level: low
-tags:
-  - attack.resource_development
-  - attack.t1587.001

rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml

@@ -17,7 +17,7 @@ logsource:
 detection:
     selection:
         Image|endswith: '\MSExchangeMailboxReplication.exe'
-        TargetFilename|endswith: 
+        TargetFilename|endswith:
             - '.aspx'
             - '.asp'
     condition: selection

rules/windows/file/file_event/file_event_win_susp_executable_creation.yml

@@ -2,30 +2,30 @@ title: Suspicious Executable File Creation
 id: 74babdd6-a758-4549-9632-26535279e654
 status: experimental
 description: Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
-author: frack113
 references:
-  - https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
-  - https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/
+    - https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
+    - https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/
+author: frack113
 date: 2022/09/05
-logsource:
-  product: windows
-  category: file_event
-detection:
-  selection_double:
-    TargetFilename|endswith: 
-        - '.bat.exe'
-        - '.sys.exe'
-  selection_folder:
-    TargetFilename:
-        - 'C:\$Recycle.Bin.exe'
-        - 'C:\Documents and Settings.exe'
-        - 'C:\MSOCache.exe'
-        - 'C:\Recovery.exe'
-        - 'C:\PerfLogs.exe'
-  condition: 1 of selection_*
-falsepositives:
-  - Unknown
-level: high
 tags:
-  - attack.defense_evasion
-  - attack.t1564
+    - attack.defense_evasion
+    - attack.t1564
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection_double:
+        TargetFilename|endswith:
+            - '.bat.exe'
+            - '.sys.exe'
+    selection_folder:
+        TargetFilename:
+            - 'C:\$Recycle.Bin.exe'
+            - 'C:\Documents and Settings.exe'
+            - 'C:\MSOCache.exe'
+            - 'C:\Recovery.exe'
+            - 'C:\PerfLogs.exe'
+    condition: 1 of selection_*
+falsepositives:
+    - Unknown
+level: high

rules/windows/file/file_event/file_event_win_susp_get_variable.yml

@@ -1,28 +1,27 @@
-title: Suspicious Get-Variable.exe Creation 
+title: Suspicious Get-Variable.exe Creation
 id: 0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b
 status: experimental
 description: |
-  Get-Variable is a valid PowerShell cmdlet
-  WindowsApps is by default in the path where PowerShell is executed.
-  So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
-author: frack113
+    Get-Variable is a valid PowerShell cmdlet
+    WindowsApps is by default in the path where PowerShell is executed.
+    So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
 references:
-  - https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
-  - https://www.joesandbox.com/analysis/465533/0/html
+    - https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
+    - https://www.joesandbox.com/analysis/465533/0/html
+author: frack113
 date: 2022/04/23
-logsource:
-  product: windows
-  category: file_event
-detection:
-  selection:
-    TargetFilename|endswith: 'Local\Microsoft\WindowsApps\Get-Variable.exe'
-  condition: selection 
-falsepositives:
-  - Unknown
-level: high
 tags:
-  - attack.persistence
-  - attack.t1546
-  - attack.defense_evasion
-  - attack.t1027
-  
+    - attack.persistence
+    - attack.t1546
+    - attack.defense_evasion
+    - attack.t1027
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        TargetFilename|endswith: 'Local\Microsoft\WindowsApps\Get-Variable.exe'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml

@@ -2,26 +2,26 @@ title: Suspicious PFX File Creation
 id: dca1b3e8-e043-4ec8-85d7-867f334b5724
 status: test
 description: A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 references:
-  - https://github.com/OTRF/detection-hackathon-apt29/issues/14
-  - https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html
+    - https://github.com/OTRF/detection-hackathon-apt29/issues/14
+    - https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020/05/02
 modified: 2022/07/07
-logsource:
-  product: windows
-  category: file_event
-detection:
-  selection:
-    TargetFilename|endswith: '.pfx'
-  filter:
-    TargetFilename|contains|all:
-      - '\Templates\Windows\Windows_TemporaryKey.pfx'
-      - '\CMake\'
-  condition: selection and not 1 of filter*
-falsepositives:
-  - System administrators managing certififcates.
-level: medium
 tags:
-  - attack.credential_access
-  - attack.t1552.004
+    - attack.credential_access
+    - attack.t1552.004
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        TargetFilename|endswith: '.pfx'
+    filter:
+        TargetFilename|contains|all:
+            - '\Templates\Windows\Windows_TemporaryKey.pfx'
+            - '\CMake\'
+    condition: selection and not 1 of filter*
+falsepositives:
+    - System administrators managing certififcates.
+level: medium

rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml

@@ -2,12 +2,16 @@ title: PowerShell Profile Modification
 id: b5b78988-486d-4a80-b991-930eff3ff8bf
 status: test
 description: Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
-author: HieuTT35, Nasreddine Bencherchali
 references:
     - https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
     - https://persistence-info.github.io/Data/powershellprofile.html
+author: HieuTT35, Nasreddine Bencherchali
 date: 2019/10/24
 modified: 2022/08/24
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1546.013
 logsource:
     product: windows
     category: file_event
@@ -23,7 +27,3 @@ detection:
 falsepositives:
     - System administrator create Powershell profile manually
 level: high
-tags:
-    - attack.persistence
-    - attack.privilege_escalation
-    - attack.t1546.013

rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml

@@ -1,29 +1,31 @@
 title: Suspicious PROCEXP152.sys File Created In TMP
 id: 3da70954-0f2c-4103-adff-b7440368f50e
 status: test
-description: Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
-author: xknow (@xknow_infosec), xorxes (@xor_xes)
+description: |
+  Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.
+  This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
 references:
-  - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
+    - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
+author: xknow (@xknow_infosec), xorxes (@xor_xes)
 date: 2019/04/08
 modified: 2021/11/27
-logsource:
-  product: windows
-  category: file_event
-detection:
-  selection_1:
-    TargetFilename|contains: '\AppData\Local\Temp\'
-    TargetFilename|endswith: 'PROCEXP152.sys'
-  selection_2:
-    Image|contains:
-      - '\procexp64.exe'
-      - '\procexp.exe'
-      - '\procmon64.exe'
-      - '\procmon.exe'
-  condition: selection_1 and not selection_2
-falsepositives:
-  - Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.
-level: medium
 tags:
-  - attack.t1562.001
-  - attack.defense_evasion
+    - attack.t1562.001
+    - attack.defense_evasion
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection_1:
+        TargetFilename|contains: '\AppData\Local\Temp\'
+        TargetFilename|endswith: 'PROCEXP152.sys'
+    selection_2:
+        Image|contains:
+            - '\procexp64.exe'
+            - '\procexp.exe'
+            - '\procmon64.exe'
+            - '\procmon.exe'
+    condition: selection_1 and not selection_2
+falsepositives:
+    - Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.
+level: medium

rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml

@@ -2,10 +2,12 @@ title: Drop Binaries Into Spool Drivers Color Folder
 id: ce7066a6-508a-42d3-995b-2952c65dc2ce
 status: experimental
 description: Detects the creation of suspcious binary files inside the "\windows\system32\spool\drivers\color\" as seen in the blog referenced below
-author: Nasreddine Bencherchali
 references:
     - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
+author: Nasreddine Bencherchali
 date: 2022/07/28
+tags:
+    - attack.defense_evasion
 logsource:
     product: windows
     category: file_event
@@ -20,5 +22,3 @@ detection:
 falsepositives:
     - Unknown
 level: medium
-tags:
-    - attack.defense_evasion

rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml

@@ -1,14 +1,14 @@
 title: Suspicious Startup Folder Persistence
 id: 28208707-fe31-437f-9a7f-4b1108b94d2e
-description: Detects when a file with a suspicious extension is created in the startup folder
 status: experimental
-author: Nasreddine Bencherchali
+description: Detects when a file with a suspicious extension is created in the startup folder
 references:
     - https://github.com/last-byte/PersistenceSniper
+author: Nasreddine Bencherchali
+date: 2022/08/10
 tags:
     - attack.persistence
     - attack.t1547.001
-date: 2022/08/10
 logsource:
     product: windows
     category: file_event

rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml

@@ -2,9 +2,9 @@ title: Suspicious Interactive PowerShell as SYSTEM
 id: 5b40a734-99b6-4b98-a1d0-1cea51a08ab2
 status: experimental
 description: Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context
-author: Florian Roth
 references:
     - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm
+author: Florian Roth
 date: 2021/12/07
 modified: 2022/08/13
 logsource:

rules/windows/file/file_event/file_event_win_susp_task_write.yml

@@ -10,14 +10,14 @@ modified: 2022/01/12
 tags:
     - attack.persistence
     - attack.execution
-    - attack.t1053 
+    - attack.t1053
 logsource:
     product: windows
     category: file_event
 detection:
     selection:
         TargetFilename|contains: '\Windows\System32\Tasks'
-        Image|contains: 
+        Image|contains:
             - '\AppData\'
             - 'C:\PerfLogs'
             - '\Windows\System32\config\systemprofile'

rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml

@@ -5,10 +5,14 @@ related:
       type: similar
 status: experimental
 description: Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
-author: Nasreddine Bencherchali
 references:
     - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2
+author: Nasreddine Bencherchali
 date: 2022/08/24
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1546.013
 logsource:
     product: windows
     category: file_event
@@ -19,7 +23,3 @@ detection:
 falsepositives:
     - Legitimate use of the profile by developers or administrators
 level: high
-tags:
-    - attack.persistence
-    - attack.privilege_escalation
-    - attack.t1546.013

rules/windows/file/file_event/file_event_win_susp_winword_startup.yml

@@ -2,30 +2,30 @@ title: Creation In User Word Startup Folder
 id: a10a2c40-2c4d-49f8-b557-1a946bc55d9d
 status: experimental
 description: Detects the creation of an file in user Word Startup
-author: frack113
 references:
-  - Malware Sandbox https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/
+    - Malware Sandbox https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/
+author: frack113
 date: 2022/06/05
-logsource:
-  product: windows
-  category: file_event
-detection:
-  selection:
-    TargetFilename|contains: '\AppData\Roaming\Microsoft\Word\STARTUP\'
-  filter_ext:
-    TargetFilename|endswith:
-      - '.docx' # Word document
-      - '.docm' # Word macro-enabled document; same as docx, but may contain macros and scripts
-      - '.dotx' # Word template
-      - '.dotm' # Word macro-enabled template; same as dotx, but may contain macros and scripts
-      - '.docb' # Word binary document introduced in Microsoft Office 2007
-      - '.pdf'  # PDF documents
-      - '.wll'  # Word add-in
-      - '.wwl'  # Word add-in
-  condition: selection and not filter_ext
-falsepositives:
-  - Addition of legitimate plugins
-level: medium
 tags:
-  - attack.resource_development
-  - attack.t1587.001
+    - attack.resource_development
+    - attack.t1587.001
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        TargetFilename|contains: '\AppData\Roaming\Microsoft\Word\STARTUP\'
+    filter_ext:
+        TargetFilename|endswith:
+            - '.docx' # Word document
+            - '.docm' # Word macro-enabled document; same as docx, but may contain macros and scripts
+            - '.dotx' # Word template
+            - '.dotm' # Word macro-enabled template; same as dotx, but may contain macros and scripts
+            - '.docb' # Word binary document introduced in Microsoft Office 2007
+            - '.pdf' # PDF documents
+            - '.wll' # Word add-in
+            - '.wwl' # Word add-in
+    condition: selection and not filter_ext
+falsepositives:
+    - Addition of legitimate plugins
+level: medium

rules/windows/file/file_event/file_event_win_tool_psexec.yml

@@ -22,9 +22,6 @@ detection:
     selection:
         TargetFilename|endswith: '\PSEXESVC.exe'
     condition: selection
-falsepositives:
-    - Unknown
-level: low
 fields:
     - EventID
     - CommandLine
@@ -33,3 +30,6 @@ fields:
     - ServiceFileName
     - TargetFilename
     - PipeName
+falsepositives:
+    - Unknown
+level: low

rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml

@@ -5,6 +5,9 @@ description: Detects the usage of tsclient share to place a backdoor on the RDP
 author: Samir Bousseaden
 date: 2019/02/21
 modified: 2021/11/27
+tags:
+    - attack.command_and_control
+    - attack.t1219
 logsource:
     product: windows
     category: file_event
@@ -16,6 +19,3 @@ detection:
 falsepositives:
     - Unlikely
 level: high
-tags:
-    - attack.command_and_control
-    - attack.t1219

rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml

@@ -1,13 +1,13 @@
 title: UAC Bypass Using EventVwr
 id: 63e4f530-65dc-49cc-8f80-ccfa95c69d43
-description: Detects the pattern of a UAC bypass using Windows Event Viewer
-author: Antonio Cocomazzi (idea), Florian Roth (rule)
-date: 2022/04/27
-modified: 2022/04/27
 status: experimental
+description: Detects the pattern of a UAC bypass using Windows Event Viewer
 references:
     - https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw
     - https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g
+author: Antonio Cocomazzi (idea), Florian Roth (rule)
+date: 2022/04/27
+modified: 2022/04/27
 tags:
     - attack.defense_evasion
     - attack.privilege_escalation

rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml

@@ -2,10 +2,15 @@ title: UAC Bypass Using IDiagnostic Profile - File
 id: 48ea844d-19b1-4642-944e-fe39c2cc1fec
 status: experimental
 description: Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique
-author: Nasreddine Bencherchali
 references:
     - https://github.com/Wh04m1001/IDiagnosticProfileUAC
+author: Nasreddine Bencherchali
 date: 2022/07/03
+tags:
+    - attack.execution
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1548.002
 logsource:
     product: windows
     category: file_event
@@ -18,8 +23,3 @@ detection:
 falsepositives:
     - Unknown
 level: high
-tags:
-    - attack.execution
-    - attack.defense_evasion
-    - attack.privilege_escalation
-    - attack.t1548.002

rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml

@@ -2,41 +2,41 @@ title: Windows Webshell Creation
 id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
 status: test
 description: Possible webshell file creation on a static web site
-author: Beyu Denis, oscd.community, Tim Shelton
 references:
-  - PT ESC rule and personal experience
+    - PT ESC rule and personal experience
+author: Beyu Denis, oscd.community, Tim Shelton
 date: 2019/10/22
 modified: 2022/09/18
-logsource:
-  product: windows
-  category: file_event
-detection:
-  selection_wwwroot:
-    TargetFilename|contains: '\inetpub\wwwroot\'
-  selection_ext1:
-    TargetFilename|contains:
-      - '.asp'
-      - '.ashx'
-      - '.ph'
-  selection_static:
-    TargetFilename|contains:
-      - '\www\'
-      - '\htdocs\'
-      - '\html\'
-  selection_ext2:
-    TargetFilename|contains: '.ph'
-  false_positive1:    # false positives when unpacking some executables in $TEMP
-    TargetFilename|contains:
-      - '\AppData\Local\Temp\'
-      - '\Windows\Temp\'
-  false_positive_system:
-    Image: 'System' # fp : backup/restore from drivers
-  false_positive_legitimate:
-    TargetFilename|contains: '\xampp'
-  condition: ((selection_wwwroot and selection_ext1) or (selection_static and selection_ext2)) and not 1 of false_positive*
-falsepositives:
-  - Legitimate administrator or developer creating legitimate executable files in a web application folder
-level: high
 tags:
-  - attack.persistence
-  - attack.t1505.003
+    - attack.persistence
+    - attack.t1505.003
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection_wwwroot:
+        TargetFilename|contains: '\inetpub\wwwroot\'
+    selection_ext1:
+        TargetFilename|contains:
+            - '.asp'
+            - '.ashx'
+            - '.ph'
+    selection_static:
+        TargetFilename|contains:
+            - '\www\'
+            - '\htdocs\'
+            - '\html\'
+    selection_ext2:
+        TargetFilename|contains: '.ph'
+    false_positive1:  # false positives when unpacking some executables in $TEMP
+        TargetFilename|contains:
+            - '\AppData\Local\Temp\'
+            - '\Windows\Temp\'
+    false_positive_system:
+        Image: 'System' # fp : backup/restore from drivers
+    false_positive_legitimate:
+        TargetFilename|contains: '\xampp'
+    condition: ((selection_wwwroot and selection_ext1) or (selection_static and selection_ext2)) and not 1 of false_positive*
+falsepositives:
+    - Legitimate administrator or developer creating legitimate executable files in a web application folder
+level: high

rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml

@@ -2,28 +2,28 @@ title: Creation of an WerFault.exe in Unusual Folder
 id: 28a452f3-786c-4fd8-b8f2-bddbe9d616d1
 status: experimental
 description: Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking
-author: frack113
 references:
-  - https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/
+    - https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/
+author: frack113
 date: 2022/05/09
-logsource:
-  product: windows
-  category: file_event
-detection:
-  selection:
-    TargetFilename|endswith:
-      - '\WerFault.exe'
-      - '\wer.dll'
-  filter_whitelist:
-    TargetFilename|contains:
-      - '\System32\'
-      - '\SysWOW64\'
-      - '\WinSxS\'
-  condition: selection and not filter_whitelist
-falsepositives:
-  - Unknown
-level: high
 tags:
-  - attack.persistence
-  - attack.defense_evasion
-  - attack.t1574.001
+    - attack.persistence
+    - attack.defense_evasion
+    - attack.t1574.001
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        TargetFilename|endswith:
+            - '\WerFault.exe'
+            - '\wer.dll'
+    filter_whitelist:
+        TargetFilename|contains:
+            - '\System32\'
+            - '\SysWOW64\'
+            - '\WinSxS\'
+    condition: selection and not filter_whitelist
+falsepositives:
+    - Unknown
+level: high

rules/windows/file/file_event/file_event_win_win_cscript_wscript_dropper.yml

@@ -1,10 +1,10 @@
 title: WScript or CScript Dropper
 id: 002bdb95-0cf1-46a6-9e08-d38c128a6127
-status: experimental
-description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe
-related: 
+related:
     - id: cea72823-df4d-4567-950c-0b579eaf0846
       type: derived
+status: experimental
+description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe
 references:
     - WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)
 author: Tim Shelton
@@ -18,10 +18,10 @@ detection:
         Image|endswith:
             - '\wscript.exe'
             - '\cscript.exe'
-        TargetFilename|startswith: 
+        TargetFilename|startswith:
             - 'C:\Users\'
             - 'C:\ProgramData'
-        TargetFilename|endswith: 
+        TargetFilename|endswith:
             - '.jse'
             - '.vbe'
             - '.js'

rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml

@@ -1,13 +1,16 @@
 title: Suspicious Word Cab File Write CVE-2021-40444
 id: 60c0a111-787a-4e8a-9262-ee485f3ef9d5
-description: Detects file creation patterns noticeable during the exploitation of CVE-2021-40444
 status: experimental
+description: Detects file creation patterns noticeable during the exploitation of CVE-2021-40444
 references:
     - https://twitter.com/RonnyTNL/status/1436334640617373699?s=20
     - https://twitter.com/vanitasnk/status/1437329511142420483?s=21
 author: Florian Roth, Sittikorn S
 date: 2021/09/10
 modified: 2022/06/17
+tags:
+    - attack.resource_development
+    - attack.t1587
 logsource:
     product: windows
     category: file_event
@@ -31,6 +34,3 @@ fields:
 falsepositives:
     - Unknown
 level: high
-tags:
-    - attack.resource_development
-    - attack.t1587

rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml

@@ -2,21 +2,21 @@ title: WMI Persistence - Script Event Consumer File Write
 id: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4
 status: test
 description: Detects file writes of WMI script event consumer
-author: Thomas Patzke
 references:
-  - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+author: Thomas Patzke
 date: 2018/03/07
 modified: 2021/11/27
-logsource:
-  product: windows
-  category: file_event
-detection:
-  selection:
-    Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
-  condition: selection
-falsepositives:
-  - Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe)
-level: high
 tags:
-  - attack.t1546.003
-  - attack.persistence
+    - attack.t1546.003
+    - attack.persistence
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
+    condition: selection
+falsepositives:
+    - Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe)
+level: high