From c2400ac374e3de1cfb7d58b6c262b99b4581fd39 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 21 Apr 2023 17:25:21 +0200 Subject: [PATCH] chore: remove contrib folder + rename folders --- contrib/filter-uuid-patch | 32 --- contrib/sigma2CSV.py | 63 ----- contrib/sigma2elastalert.py | 173 ------------ contrib/sigma2sumologic.py | 261 ------------------ contrib/sigmac-convert-updates.sh | 31 --- contrib/sigmacover.py | 160 ----------- {rules-deprecated => deprecated}/README.md | 0 .../cloud/azure_app_permissions_for_api.yml | 0 .../linux/lnx_auditd_alter_bash_profile.yml | 0 .../other/generic_brute_force.yml | 0 .../web/proxy_apt_domestic_kitten.yml | 0 .../file_event_win_hktl_createminidump.yml | 0 ...ile_event_win_mimikatz_memssp_log_file.yml | 0 .../windows/file_event_win_susp_clr_logs.yml | 0 .../windows/image_load_side_load_advapi32.yml | 0 .../windows/image_load_side_load_scm.yml | 0 .../image_load_susp_winword_wmidll_load.yml | 0 .../net_connection_win_binary_github_com.yml | 0 .../windows/posh_pm_powercat.yml | 0 .../posh_ps_access_to_chrome_login_data.yml | 0 .../windows/posh_ps_azurehound_commands.yml | 0 .../windows/posh_ps_invoke_nightmare.yml | 0 .../powershell_suspicious_download.yml | 0 ...wershell_suspicious_invocation_generic.yml | 0 ...ershell_suspicious_invocation_specific.yml | 0 ...owershell_syncappvpublishingserver_exe.yml | 0 ...ccess_win_in_memory_assembly_execution.yml | 0 ...proc_creation_win_apt_apt29_thinktanks.yml | 0 .../proc_creation_win_apt_dragonfly.yml | 0 .../windows/proc_creation_win_apt_gallium.yml | 0 .../proc_creation_win_apt_hurricane_panda.yml | 0 ...reation_win_apt_lazarus_activity_apr21.yml | 0 .../proc_creation_win_apt_lazarus_loader.yml | 0 ..._creation_win_apt_muddywater_dnstunnel.yml | 0 .../proc_creation_win_apt_ta505_dropper.yml | 0 ...c_creation_win_certutil_susp_execution.yml | 0 .../proc_creation_win_cmd_read_contents.yml | 0 ...oc_creation_win_cmd_redirect_to_stream.yml | 0 ...tial_acquisition_registry_hive_dumping.yml | 0 
.../windows/proc_creation_win_cscript_vbs.yml | 0 ...ion_mssql_xp_cmdshell_stored_procedure.yml | 0 .../proc_creation_win_indirect_cmd.yml | 0 ...in_indirect_command_execution_forfiles.yml | 0 ...tion_win_invoke_obfuscation_via_rundll.yml | 0 ...in_invoke_obfuscation_via_use_rundll32.yml | 0 ...eation_win_lolbas_execution_of_wuauclt.yml | 0 ...ion_win_lolbins_by_office_applications.yml | 0 .../windows/proc_creation_win_mal_ryuk.yml | 0 .../proc_creation_win_mavinject_proc_inj.yml | 0 .../proc_creation_win_msdt_diagcab.yml | 0 ...proc_creation_win_new_service_creation.yml | 0 ...tion_win_nslookup_pwsh_download_cradle.yml | 0 ..._from_proxy_executing_regsvr32_payload.yml | 0 ...from_proxy_executing_regsvr32_payload2.yml | 0 ...on_win_office_spawning_wmi_commandline.yml | 0 ...creation_win_possible_applocker_bypass.yml | 0 ...n_powershell_amsi_bypass_pattern_nov22.yml | 0 ..._powershell_base64_invoke_susp_cmdlets.yml | 0 ...n_powershell_base64_listing_shadowcopy.yml | 0 ...eation_win_powershell_base64_shellcode.yml | 0 .../proc_creation_win_powershell_bitsjob.yml | 0 ...on_win_powershell_service_modification.yml | 0 ...ion_win_powershell_xor_encoded_command.yml | 0 .../proc_creation_win_reg_dump_sam.yml | 0 .../proc_creation_win_renamed_paexec.yml | 0 .../proc_creation_win_renamed_powershell.yml | 0 .../proc_creation_win_renamed_psexec.yml | 0 .../proc_creation_win_renamed_rundll32.yml | 0 ...reation_win_root_certificate_installed.yml | 0 .../proc_creation_win_run_from_zip.yml | 0 ...roc_creation_win_sc_delete_av_services.yml | 0 .../proc_creation_win_schtasks_user_temp.yml | 0 .../proc_creation_win_service_stop.yml | 0 .../proc_creation_win_susp_bitstransfer.yml | 0 ...eation_win_susp_cmd_exectution_via_wmi.yml | 0 ...oc_creation_win_susp_commandline_chars.yml | 0 .../proc_creation_win_susp_run_folder.yml | 0 ...proc_creation_win_susp_squirrel_lolbin.yml | 0 ..._sysinternals_psexec_service_execution.yml | 0 ...eation_win_sysinternals_psexesvc_start.yml | 0 
.../proc_creation_win_whoami_as_system.yml | 0 .../proc_creation_win_winword_dll_load.yml | 0 ..._win_wmic_execution_via_office_process.yml | 0 .../proc_creation_win_wmic_remote_command.yml | 0 .../proc_creation_win_wmic_remote_service.yml | 0 ..._creation_syncappvpublishingserver_exe.yml | 0 ...add_sysinternals_sdelete_registry_keys.yml | 0 ...istry_event_asep_reg_keys_modification.yml | 0 ...sing_windows_telemetry_for_persistence.yml | 0 .../windows/registry_set_add_hidden_user.yml | 0 .../registry_set_silentprocessexit.yml | 0 ...napi_in_powershell_credentials_dumping.yml | 0 .../sysmon_dcom_iertutil_dll_hijack.yml | 0 .../sysmon_mimikatz_detection_lsass.yml | 0 .../windows/sysmon_rclone_execution.yml | 0 .../win_dsquery_domain_trust_discovery.yml | 0 .../windows/win_lateral_movement_condrv.yml | 0 ...in_security_lolbas_execution_of_nltest.yml | 0 .../windows/win_susp_esentutl_activity.yml | 0 .../windows/win_susp_rclone_exec.yml | 0 .../win_susp_vssadmin_ntds_activity.yml | 0 {rules-unsupported => unsupported}/README.md | 0 .../cloud/aws_ec2_download_userdata.yml | 0 .../cloud/aws_enum_backup.yml | 0 .../cloud/aws_enum_listing.yml | 0 .../cloud/aws_enum_network.yml | 0 .../cloud/aws_enum_storage.yml | 0 ...aws_lambda_function_created_or_invoked.yml | 0 .../cloud/aws_macic_evasion.yml | 0 .../cloud/aws_ses_messaging_enabled.yml | 0 ..._signin_failure_bad_password_threshold.yml | 0 ...itd_cve_2021_3156_sudo_buffer_overflow.yml | 0 ...21_3156_sudo_buffer_overflow_brutforce.yml | 0 .../linux/lnx_auditd_cve_2021_4034.yml | 0 .../linux/lnx_auditd_debugfs_usage.yml | 0 ...omigod_scx_runasprovider_executescript.yml | 0 ..._auth_susp_failed_logons_single_source.yml | 0 .../linux/lnx_shell_priv_esc_prep.yml | 0 .../network/net_dns_c2_detection.yml | 0 .../network/net_dns_high_bytes_out.yml | 0 ...et_dns_high_null_records_requests_rate.yml | 0 .../network/net_dns_high_requests_rate.yml | 0 .../network/net_dns_high_subdomain_rate.yml | 0 
...net_dns_high_txt_records_requests_rate.yml | 0 .../network/net_dns_large_domain_name.yml | 0 .../net_firewall_high_dns_bytes_out.yml | 0 .../net_firewall_high_dns_requests_rate.yml | 0 .../net_firewall_susp_network_scan_by_ip.yml | 0 ...net_firewall_susp_network_scan_by_port.yml | 0 .../network/net_possible_dns_rebinding.yml | 0 .../other/modsec_mulitple_blocks.yml | 0 ...multiple_susp_resp_codes_single_source.yml | 0 .../dns_query_win_possible_dns_rebinding.yml | 0 ...load_invoke_obfuscation_clip+_services.yml | 0 ...ke_obfuscation_obfuscated_iex_services.yml | 0 ...oad_invoke_obfuscation_stdin+_services.yml | 0 ..._load_invoke_obfuscation_var+_services.yml | 0 ...voke_obfuscation_via_compress_services.yml | 0 ...invoke_obfuscation_via_rundll_services.yml | 0 ..._invoke_obfuscation_via_stdin_services.yml | 0 ...voke_obfuscation_via_use_clip_services.yml | 0 ...oke_obfuscation_via_use_mshta_services.yml | 0 ..._obfuscation_via_use_rundll32_services.yml | 0 ..._invoke_obfuscation_via_var++_services.yml | 0 ...tstrike_getsystem_service_installation.yml | 0 .../driver_load_tap_driver_installation.yml | 0 ...ript_creation_by_office_using_file_ext.yml | 0 ...image_load_mimikatz_inmemory_detection.yml | 0 .../posh_ps_cl_invocation_lolscript_count.yml | 0 ...h_ps_cl_mutexverifiers_lolscript_count.yml | 0 ..._correlation_apt_silence_downloader_v3.yml | 0 ..._correlation_apt_turla_commands_medium.yml | 0 ...tion_dnscat2_powershell_implementation.yml | 0 ...tion_win_correlation_multiple_susp_cli.yml | 0 ...orrelation_susp_builtin_commands_recon.yml | 0 ...d_cmd_and_powershell_spawned_processes.yml | 0 ...stall_elevated_parent_child_correlated.yml | 0 .../sysmon_non_priv_program_files_move.yml | 0 .../windows/sysmon_process_reimaging.yml | 0 ...ess_fake_files_with_stored_credentials.yml | 0 .../windows/win_apt_apt29_tor.yml | 0 .../win_dumping_ntdsdit_via_dcsync.yml | 0 .../win_dumping_ntdsdit_via_netsync.yml | 0 ..._party_drivers_exploits_token_stealing.yml | 0 
.../windows/win_mal_service_installs.yml | 0 ...or_impacket_smb_psexec_service_install.yml | 0 ...ivilege_escalation_using_rotten_potato.yml | 0 .../windows/win_remote_schtask.yml | 0 .../windows/win_remote_service.yml | 0 ...in_security_global_catalog_enumeration.yml | 0 .../win_security_rare_schtasks_creations.yml | 0 ...usp_failed_logons_explicit_credentials.yml | 0 ...rity_susp_failed_logons_single_process.yml | 0 ...urity_susp_failed_logons_single_source.yml | 0 ...rity_susp_failed_logons_single_source2.yml | 0 ...p_failed_logons_single_source_kerberos.yml | 0 ..._failed_logons_single_source_kerberos2.yml | 0 ..._failed_logons_single_source_kerberos3.yml | 0 ..._susp_failed_logons_single_source_ntlm.yml | 0 ...susp_failed_logons_single_source_ntlm2.yml | 0 ...usp_failed_remote_logons_single_source.yml | 0 ...susp_multiple_files_renamed_or_deleted.yml | 0 .../windows/win_security_susp_samr_pwset.yml | 0 .../win_susp_failed_hidden_share_mount.yml | 0 ...uspicious_werfault_connection_outbound.yml | 0 .../win_system_rare_service_installs.yml | 0 ...in_taskscheduler_rare_schtask_creation.yml | 0 .../zeek_dce_rpc_domain_user_enumeration.yml | 0 ...eek_http_exfiltration_compressed_files.yml | 0 189 files changed, 720 deletions(-) delete mode 100755 contrib/filter-uuid-patch delete mode 100644 contrib/sigma2CSV.py delete mode 100755 contrib/sigma2elastalert.py delete mode 100644 contrib/sigma2sumologic.py delete mode 100755 contrib/sigmac-convert-updates.sh delete mode 100644 contrib/sigmacover.py rename {rules-deprecated => deprecated}/README.md (100%) rename {rules-deprecated => deprecated}/cloud/azure_app_permissions_for_api.yml (100%) rename {rules-deprecated => deprecated}/linux/lnx_auditd_alter_bash_profile.yml (100%) rename {rules-deprecated => deprecated}/other/generic_brute_force.yml (100%) rename {rules-deprecated => deprecated}/web/proxy_apt_domestic_kitten.yml (100%) rename {rules-deprecated => deprecated}/windows/file_event_win_hktl_createminidump.yml 
(100%) rename {rules-deprecated => deprecated}/windows/file_event_win_mimikatz_memssp_log_file.yml (100%) rename {rules-deprecated => deprecated}/windows/file_event_win_susp_clr_logs.yml (100%) rename {rules-deprecated => deprecated}/windows/image_load_side_load_advapi32.yml (100%) rename {rules-deprecated => deprecated}/windows/image_load_side_load_scm.yml (100%) rename {rules-deprecated => deprecated}/windows/image_load_susp_winword_wmidll_load.yml (100%) mode change 100755 => 100644 rename {rules-deprecated => deprecated}/windows/net_connection_win_binary_github_com.yml (100%) rename {rules-deprecated => deprecated}/windows/posh_pm_powercat.yml (100%) rename {rules-deprecated => deprecated}/windows/posh_ps_access_to_chrome_login_data.yml (100%) rename {rules-deprecated => deprecated}/windows/posh_ps_azurehound_commands.yml (100%) rename {rules-deprecated => deprecated}/windows/posh_ps_invoke_nightmare.yml (100%) rename {rules-deprecated => deprecated}/windows/powershell_suspicious_download.yml (100%) rename {rules-deprecated => deprecated}/windows/powershell_suspicious_invocation_generic.yml (100%) rename {rules-deprecated => deprecated}/windows/powershell_suspicious_invocation_specific.yml (100%) rename {rules-deprecated => deprecated}/windows/powershell_syncappvpublishingserver_exe.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_access_win_in_memory_assembly_execution.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_apt_apt29_thinktanks.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_apt_dragonfly.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_apt_gallium.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_apt_hurricane_panda.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_apt_lazarus_activity_apr21.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_apt_lazarus_loader.yml (100%) 
rename {rules-deprecated => deprecated}/windows/proc_creation_win_apt_muddywater_dnstunnel.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_apt_ta505_dropper.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_certutil_susp_execution.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_cmd_read_contents.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_cmd_redirect_to_stream.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_credential_acquisition_registry_hive_dumping.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_cscript_vbs.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_indirect_cmd.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_indirect_command_execution_forfiles.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_invoke_obfuscation_via_rundll.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_lolbas_execution_of_wuauclt.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_lolbins_by_office_applications.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_mal_ryuk.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_mavinject_proc_inj.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_msdt_diagcab.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_new_service_creation.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_nslookup_pwsh_download_cradle.yml (100%) rename {rules-deprecated => 
deprecated}/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_office_spawning_wmi_commandline.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_possible_applocker_bypass.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_powershell_amsi_bypass_pattern_nov22.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_powershell_base64_listing_shadowcopy.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_powershell_base64_shellcode.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_powershell_bitsjob.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_powershell_service_modification.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_powershell_xor_encoded_command.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_reg_dump_sam.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_renamed_paexec.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_renamed_powershell.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_renamed_psexec.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_renamed_rundll32.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_root_certificate_installed.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_run_from_zip.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_sc_delete_av_services.yml (100%) rename {rules-deprecated => 
deprecated}/windows/proc_creation_win_schtasks_user_temp.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_service_stop.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_susp_bitstransfer.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_susp_cmd_exectution_via_wmi.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_susp_commandline_chars.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_susp_run_folder.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_susp_squirrel_lolbin.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_sysinternals_psexec_service_execution.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_sysinternals_psexesvc_start.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_whoami_as_system.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_winword_dll_load.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_wmic_execution_via_office_process.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_wmic_remote_command.yml (100%) rename {rules-deprecated => deprecated}/windows/proc_creation_win_wmic_remote_service.yml (100%) rename {rules-deprecated => deprecated}/windows/process_creation_syncappvpublishingserver_exe.yml (100%) rename {rules-deprecated => deprecated}/windows/registry_add_sysinternals_sdelete_registry_keys.yml (100%) rename {rules-deprecated => deprecated}/windows/registry_event_asep_reg_keys_modification.yml (100%) mode change 100755 => 100644 rename {rules-deprecated => deprecated}/windows/registry_set_abusing_windows_telemetry_for_persistence.yml (100%) rename {rules-deprecated => deprecated}/windows/registry_set_add_hidden_user.yml (100%) rename {rules-deprecated => deprecated}/windows/registry_set_silentprocessexit.yml (100%) 
rename {rules-deprecated => deprecated}/windows/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml (100%) rename {rules-deprecated => deprecated}/windows/sysmon_dcom_iertutil_dll_hijack.yml (100%) rename {rules-deprecated => deprecated}/windows/sysmon_mimikatz_detection_lsass.yml (100%) rename {rules-deprecated => deprecated}/windows/sysmon_rclone_execution.yml (100%) rename {rules-deprecated => deprecated}/windows/win_dsquery_domain_trust_discovery.yml (100%) rename {rules-deprecated => deprecated}/windows/win_lateral_movement_condrv.yml (100%) rename {rules-deprecated => deprecated}/windows/win_security_lolbas_execution_of_nltest.yml (100%) rename {rules-deprecated => deprecated}/windows/win_susp_esentutl_activity.yml (100%) rename {rules-deprecated => deprecated}/windows/win_susp_rclone_exec.yml (100%) rename {rules-deprecated => deprecated}/windows/win_susp_vssadmin_ntds_activity.yml (100%) rename {rules-unsupported => unsupported}/README.md (100%) rename {rules-unsupported => unsupported}/cloud/aws_ec2_download_userdata.yml (100%) rename {rules-unsupported => unsupported}/cloud/aws_enum_backup.yml (100%) rename {rules-unsupported => unsupported}/cloud/aws_enum_listing.yml (100%) rename {rules-unsupported => unsupported}/cloud/aws_enum_network.yml (100%) rename {rules-unsupported => unsupported}/cloud/aws_enum_storage.yml (100%) rename {rules-unsupported => unsupported}/cloud/aws_lambda_function_created_or_invoked.yml (100%) rename {rules-unsupported => unsupported}/cloud/aws_macic_evasion.yml (100%) rename {rules-unsupported => unsupported}/cloud/aws_ses_messaging_enabled.yml (100%) rename {rules-unsupported => unsupported}/cloud/azure_aad_secops_signin_failure_bad_password_threshold.yml (100%) rename {rules-unsupported => unsupported}/linux/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml (100%) rename {rules-unsupported => unsupported}/linux/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml (100%) rename {rules-unsupported => 
unsupported}/linux/lnx_auditd_cve_2021_4034.yml (100%) rename {rules-unsupported => unsupported}/linux/lnx_auditd_debugfs_usage.yml (100%) rename {rules-unsupported => unsupported}/linux/lnx_auditd_omigod_scx_runasprovider_executescript.yml (100%) rename {rules-unsupported => unsupported}/linux/lnx_auth_susp_failed_logons_single_source.yml (100%) rename {rules-unsupported => unsupported}/linux/lnx_shell_priv_esc_prep.yml (100%) rename {rules-unsupported => unsupported}/network/net_dns_c2_detection.yml (100%) rename {rules-unsupported => unsupported}/network/net_dns_high_bytes_out.yml (100%) rename {rules-unsupported => unsupported}/network/net_dns_high_null_records_requests_rate.yml (100%) rename {rules-unsupported => unsupported}/network/net_dns_high_requests_rate.yml (100%) rename {rules-unsupported => unsupported}/network/net_dns_high_subdomain_rate.yml (100%) rename {rules-unsupported => unsupported}/network/net_dns_high_txt_records_requests_rate.yml (100%) rename {rules-unsupported => unsupported}/network/net_dns_large_domain_name.yml (100%) rename {rules-unsupported => unsupported}/network/net_firewall_high_dns_bytes_out.yml (100%) rename {rules-unsupported => unsupported}/network/net_firewall_high_dns_requests_rate.yml (100%) rename {rules-unsupported => unsupported}/network/net_firewall_susp_network_scan_by_ip.yml (100%) rename {rules-unsupported => unsupported}/network/net_firewall_susp_network_scan_by_port.yml (100%) rename {rules-unsupported => unsupported}/network/net_possible_dns_rebinding.yml (100%) rename {rules-unsupported => unsupported}/other/modsec_mulitple_blocks.yml (100%) rename {rules-unsupported => unsupported}/web/web_multiple_susp_resp_codes_single_source.yml (100%) rename {rules-unsupported => unsupported}/windows/dns_query_win_possible_dns_rebinding.yml (100%) rename {rules-unsupported => unsupported}/windows/driver_load_invoke_obfuscation_clip+_services.yml (100%) rename {rules-unsupported => 
unsupported}/windows/driver_load_invoke_obfuscation_obfuscated_iex_services.yml (100%) rename {rules-unsupported => unsupported}/windows/driver_load_invoke_obfuscation_stdin+_services.yml (100%) rename {rules-unsupported => unsupported}/windows/driver_load_invoke_obfuscation_var+_services.yml (100%) rename {rules-unsupported => unsupported}/windows/driver_load_invoke_obfuscation_via_compress_services.yml (100%) rename {rules-unsupported => unsupported}/windows/driver_load_invoke_obfuscation_via_rundll_services.yml (100%) rename {rules-unsupported => unsupported}/windows/driver_load_invoke_obfuscation_via_stdin_services.yml (100%) rename {rules-unsupported => unsupported}/windows/driver_load_invoke_obfuscation_via_use_clip_services.yml (100%) rename {rules-unsupported => unsupported}/windows/driver_load_invoke_obfuscation_via_use_mshta_services.yml (100%) rename {rules-unsupported => unsupported}/windows/driver_load_invoke_obfuscation_via_use_rundll32_services.yml (100%) rename {rules-unsupported => unsupported}/windows/driver_load_invoke_obfuscation_via_var++_services.yml (100%) rename {rules-unsupported => unsupported}/windows/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml (100%) rename {rules-unsupported => unsupported}/windows/driver_load_tap_driver_installation.yml (100%) rename {rules-unsupported => unsupported}/windows/file_event_executable_and_script_creation_by_office_using_file_ext.yml (100%) rename {rules-unsupported => unsupported}/windows/image_load_mimikatz_inmemory_detection.yml (100%) rename {rules-unsupported => unsupported}/windows/posh_ps_cl_invocation_lolscript_count.yml (100%) rename {rules-unsupported => unsupported}/windows/posh_ps_cl_mutexverifiers_lolscript_count.yml (100%) rename {rules-unsupported => unsupported}/windows/proc_creation_win_correlation_apt_silence_downloader_v3.yml (100%) rename {rules-unsupported => unsupported}/windows/proc_creation_win_correlation_apt_turla_commands_medium.yml (100%) rename 
{rules-unsupported => unsupported}/windows/proc_creation_win_correlation_dnscat2_powershell_implementation.yml (100%) rename {rules-unsupported => unsupported}/windows/proc_creation_win_correlation_multiple_susp_cli.yml (100%) rename {rules-unsupported => unsupported}/windows/proc_creation_win_correlation_susp_builtin_commands_recon.yml (100%) rename {rules-unsupported => unsupported}/windows/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml (100%) rename {rules-unsupported => unsupported}/windows/sysmon_always_install_elevated_parent_child_correlated.yml (100%) rename {rules-unsupported => unsupported}/windows/sysmon_non_priv_program_files_move.yml (100%) rename {rules-unsupported => unsupported}/windows/sysmon_process_reimaging.yml (100%) rename {rules-unsupported => unsupported}/windows/win_access_fake_files_with_stored_credentials.yml (100%) rename {rules-unsupported => unsupported}/windows/win_apt_apt29_tor.yml (100%) rename {rules-unsupported => unsupported}/windows/win_dumping_ntdsdit_via_dcsync.yml (100%) rename {rules-unsupported => unsupported}/windows/win_dumping_ntdsdit_via_netsync.yml (100%) rename {rules-unsupported => unsupported}/windows/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml (100%) rename {rules-unsupported => unsupported}/windows/win_mal_service_installs.yml (100%) rename {rules-unsupported => unsupported}/windows/win_metasploit_or_impacket_smb_psexec_service_install.yml (100%) rename {rules-unsupported => unsupported}/windows/win_possible_privilege_escalation_using_rotten_potato.yml (100%) rename {rules-unsupported => unsupported}/windows/win_remote_schtask.yml (100%) rename {rules-unsupported => unsupported}/windows/win_remote_service.yml (100%) rename {rules-unsupported => unsupported}/windows/win_security_global_catalog_enumeration.yml (100%) rename {rules-unsupported => unsupported}/windows/win_security_rare_schtasks_creations.yml (100%) rename {rules-unsupported => 
unsupported}/windows/win_security_susp_failed_logons_explicit_credentials.yml (100%) rename {rules-unsupported => unsupported}/windows/win_security_susp_failed_logons_single_process.yml (100%) rename {rules-unsupported => unsupported}/windows/win_security_susp_failed_logons_single_source.yml (100%) rename {rules-unsupported => unsupported}/windows/win_security_susp_failed_logons_single_source2.yml (100%) rename {rules-unsupported => unsupported}/windows/win_security_susp_failed_logons_single_source_kerberos.yml (100%) rename {rules-unsupported => unsupported}/windows/win_security_susp_failed_logons_single_source_kerberos2.yml (100%) rename {rules-unsupported => unsupported}/windows/win_security_susp_failed_logons_single_source_kerberos3.yml (100%) rename {rules-unsupported => unsupported}/windows/win_security_susp_failed_logons_single_source_ntlm.yml (100%) rename {rules-unsupported => unsupported}/windows/win_security_susp_failed_logons_single_source_ntlm2.yml (100%) rename {rules-unsupported => unsupported}/windows/win_security_susp_failed_remote_logons_single_source.yml (100%) rename {rules-unsupported => unsupported}/windows/win_security_susp_multiple_files_renamed_or_deleted.yml (100%) rename {rules-unsupported => unsupported}/windows/win_security_susp_samr_pwset.yml (100%) rename {rules-unsupported => unsupported}/windows/win_susp_failed_hidden_share_mount.yml (100%) rename {rules-unsupported => unsupported}/windows/win_suspicious_werfault_connection_outbound.yml (100%) rename {rules-unsupported => unsupported}/windows/win_system_rare_service_installs.yml (100%) rename {rules-unsupported => unsupported}/windows/win_taskscheduler_rare_schtask_creation.yml (100%) rename {rules-unsupported => unsupported}/zeek/zeek_dce_rpc_domain_user_enumeration.yml (100%) rename {rules-unsupported => unsupported}/zeek/zeek_http_exfiltration_compressed_files.yml (100%) 
diff --git a/contrib/filter-uuid-patch b/contrib/filter-uuid-patch
deleted file mode 100755
index bcce012e5..000000000
--- a/contrib/filter-uuid-patch
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/usr/bin/env python3
-# Remove all hunks from a patch that don't add the id attribute to minimize the impact (removed
-# comments etc.) of sigma_uuid script.
-#
-# Usually used as follows:
-# 1. Add UUIDs to rules:
-# tools/sigma_uuid -er rules
-# 2. Generate and filter patch
-# git diff | contrib/filter-uuid-patch > rule-uuid.diff
-# 3. Reset to previous state
-# git reset --hard
-# 4. Apply filtered patch
-# patch -p1 < rule-uuid.diff
-#
-# This tool requires an installed unidiff package.
-
-from unidiff import PatchSet
-from sys import argv, stdin
-
-try:
- with open(argv[1], "r") as f:
- patch = PatchSet(f.readlines())
-except IndexError:
- patch = PatchSet(stdin.readlines())
-
-for patched_file in patch:
- for h in reversed(range(len(patched_file))):
- hunk = patched_file[h]
- if not any([ line.is_added and line.value.startswith("id: ") for line in hunk ]):
- del patched_file[h]
-
-print(str(patch))
diff --git a/contrib/sigma2CSV.py b/contrib/sigma2CSV.py
deleted file mode 100644
index b2c99d66a..000000000
--- a/contrib/sigma2CSV.py
+++ /dev/null
@@ -1,63 +0,0 @@
-#!/usr/bin/env python3
-# Copyright 2021 wagga40 (https://github.com/wagga40)
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Lesser General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public License
-# along with this program. If not, see .
-"""
-Project: sigma2CSV.py
-Date: 07 aug 2021
-Author: wagga40 (https://github.com/wagga40)
-Version: 1.0
-Description:
- Asked by frak113 in issue #1787 (https://github.com/SigmaHQ/sigma/issues/1787#issuecomment-894618060)
- This script converts sigma rules to a CSV format for statistics puprpose.
- For now, it only keeps title, description, level, tags and author fields.
- Feel free to modify it according to your needs.
-Requirements:
- $ pip install pyyaml
-"""
-
-import yaml
-import glob
-import argparse
-
-parser = argparse.ArgumentParser()
-parser.add_argument("-r", "--rulesdirectory", help="Sub-directory generated by rules-search", required=True, type=str)
-parser.add_argument("-f", "--fileext", help="Rule file extension", default="yml", type=str)
-parser.add_argument("-d", "--delimiter", help="Separator", default=",", type=str)
-parser.add_argument("--oneline", help="Put all tags on a single line", action="store_true")
-args = parser.parse_args()
-
-files = glob.glob(args.rulesdirectory + "/**/*."
+ args.fileext, recursive=True)
-# for each file in the given directory
-for file in files:
- d={}
- with open(file, 'r') as stream:
- docs = yaml.load_all(stream, Loader=yaml.FullLoader)
- for doc in docs:
- for k,v in doc.items():
- if k in ['title','description','tags','level','author']: # Modify here if you want to include other fields
- d[k]=v
- # Check for optional fields
- if "author" not in d: d["author"]=""
- if "level" not in d: d["level"]=""
- if args.oneline: # All tags will be on a single line
- if "tags" in d:
- expandTags = args.delimiter.join([ tags for tags in d["tags"] if "attack" in tags ]) # Only output attack related tags
- print(f'{d["title"]}{args.delimiter}{d["description"]}{args.delimiter}{d["level"]}{args.delimiter}{d["author"]}{args.delimiter}{expandTags}')
- else:
- print(f'{d["title"]}{args.delimiter}{d["description"]}{args.delimiter}{d["level"]}{args.delimiter}{d["author"]}')
- else:
- if "tags" in d:
- for tag in d["tags"]:
- if "attack" in tag: # Only output attack related tags
- print(f'{d["title"]}{args.delimiter}{d["description"]}{args.delimiter}{d["level"]}{args.delimiter}{d["author"]}{args.delimiter}{tag}')
\ No newline at end of file
diff --git a/contrib/sigma2elastalert.py b/contrib/sigma2elastalert.py
deleted file mode 100755
index ea3e18daa..000000000
--- a/contrib/sigma2elastalert.py
+++ /dev/null
@@ -1,173 +0,0 @@ -#!/usr/bin/python -# Copyright 2018 David Routin - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU Lesser General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Lesser General Public License for more details. - -# You should have received a copy of the GNU Lesser General Public License -# along with this program. If not, see . -""" -Project: sigma2elastalert.py -Date: 25 Feb 2018 -Author: David ROUTIN (@Rewt_1) -Version: 1.0 -Description: This script creates elastalert configuration files from Sigma SIEM rules. -""" - -import re -import os -import glob -import subprocess -import argparse -import yaml -import traceback - -parser = argparse.ArgumentParser() -parser.add_argument("--eshost", help="Elasticsearch host", type=str, required=True) -parser.add_argument("--esport", help="Elasticsearch port", type=str, required=True) -parser.add_argument("--ruledir", help="sigma rule directory path to convert", type=str, required=True) -parser.add_argument("--index", help="Elasticsearch index name egs: \"winlogbeat-*\"", type=str, required=True) -parser.add_argument("--email", help="email address to send mail alert", type=str, required=True) -parser.add_argument("--outdir", help="output directory to create elastalert rules", type=str, required=True) -parser.add_argument("--sigmac", help="Sigmac location", default="../tools/sigmac", type=str) -parser.add_argument("--realerttime", help="Realert time (optional value, default 5 minutes)", type=str, default=5) -parser.add_argument("--debug", help="Show debug output", type=bool, default=False) -args = parser.parse_args() - -custom_query_keys = ["sensor", "Hostname", 
"EventID", "src_ip", "dst_ip"] - - -template="""es_host: ESHOST -es_port: ESPORT -name: "TITLE" -description: "DESCRIPTION" -index: INDEX -filter: -- query: - query_string: - query: 'QUERY' -realert: - minutes: MINUTES -query_key: UNIQKEYS -type: any -include: UNIQKEYS -alert: -- "email" - -# (required, email specific) -# a list of email addresses to send alerts to -email: -- "EMAIL" -""" - -def return_json_obj(x,custom_query_keys): - """ - Function used to filter all ES query object as unique value including predefined list from custom_query_keys - :param x: must contains ES query output - :param custom_query_keys: takes the list of predefined element to match in document - :return: a clean list (set) of all the query keys (EventID,TargetUserName...) - """ - # type: (str, list) -> list - y = x.replace(" ", "\n").split() - out = set() - for i in y: - out.update(re.findall("([a-zA-Z]+)\:", i)) - - for qk in custom_query_keys: - try: - out.remove(qk) - except: - pass - out = list(out) - count = 0 - for qk in custom_query_keys: - count += 1 - out.insert(count-1, qk) - return out - -def rule_element(file_content, elements): - """ - Function used to get specific element from yaml document and return content - :type file_content: str - :type elements: list - :param file_content: - :param elements: list of elements of the yaml document to get "title", "description" - :return: the value of the key in the yaml document - """ - try: - yaml.safe_load(file_content.replace("---","")) - except: - raise Exception('Unsupported') - element_output = "" - for e in elements: - try: - element_output = yaml.safe_load(file_content.replace("---",""))[e] - except: - pass - if element_output is None: - return "" - return element_output - -def get_rule_as_esqs(file): - """ - Function used to get Elastic query output from rule fome - :type file: str - :param file: rule filename - :return: string es query - """ - if not os.path.exists(args.sigmac): - print("Cannot find sigmac rule coverter at 
'%s', please set a correct location via '--sigmac'") - cmd = [args.sigmac, file, "--target", "es-qs"] - output = subprocess.Popen(cmd,stdout=subprocess.PIPE, stderr=subprocess.STDOUT).stdout.read() - if "unsupported" in output: - raise Exception('Unsupported output at this time') - output = output.split("\n") - # Remove empty string from \n - output = [a for a in output if a] - # Handle case of multiple queries returned - if len(output) > 1: - return " OR ".join(output) - return "".join(output) - -# Dictionary that contains args set at launch time -convert_args = { - "ESHOST": args.eshost, - "ESPORT": args.esport, - "INDEX": args.index, - "EMAIL": args.email, - "MINUTES": args.realerttime -} - -for file in glob.glob(args.ruledir + "/*"): - output_elast_config = template - try: - print("Processing %s ..." % file) - with open(file, "rb") as f: - file_content = f.read() - - # Dictionary that contains args with values returned by functions - translate_func = {'QUERY': get_rule_as_esqs(file), - 'TITLE': rule_element(file_content, ["title", "name"]), - 'DESCRIPTION': rule_element(file_content, ["description"]), - 'UNIQKEYS': str(return_json_obj(get_rule_as_esqs(file), custom_query_keys)) - } - for entry in convert_args: - output_elast_config = re.sub(entry, str(convert_args[entry]), output_elast_config) - for entry in translate_func: - output_elast_config = re.sub(entry, translate_func[entry], output_elast_config) - print("Converting file " + file) - with open(os.path.join(args.outdir, "sigma-" + file.split("/")[-1]), "w") as f: - f.write(output_elast_config) - except Exception as e: - if args.debug: - traceback.print_exc() - print("error " + str(file) + "----" + str(e)) - pass - diff --git a/contrib/sigma2sumologic.py b/contrib/sigma2sumologic.py deleted file mode 100644 index 91a14ecc1..000000000 --- a/contrib/sigma2sumologic.py +++ /dev/null 
@@ -1,261 +0,0 @@ -#!/usr/bin/python -# Copyright 2018 juju4 - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU Lesser General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Lesser General Public License for more details. - -# You should have received a copy of the GNU Lesser General Public License -# along with this program. If not, see . -""" -Project: sigma2sumologic.py -Date: 11 Jan 2019 -Author: juju4 -Version: 1.0 -Description: This script executes sumologic search queries from Sigma SIEM rules. -Workflow: - 1. Convert rules with sigmac - 2. Enrich: add ignore+local custom rules, priority - 3. Format - 4. Get results and save to txt/xlsx files -Requirements: - $ pip install sumologic-sdk pyyaml pandas openpyxl -""" - -import re -import os -import sys -import stat -import glob -import subprocess -import argparse -import yaml -import traceback -import logging -from sumologic import SumoLogic -import time -import datetime -import json -import pandas - -logging.basicConfig(level=logging.DEBUG) -logger = logging.getLogger(__name__) -formatter = logging.Formatter('%(asctime)s - %(name)s - p%(process)s {%(pathname)s:%(lineno)d} - %(levelname)s - %(message)s') -handler = logging.FileHandler('sigma2sumo.log') -handler.setFormatter(formatter) -logger.addHandler(handler) - -parser = argparse.ArgumentParser(description='Execute sigma rules in sumologic') -parser.add_argument("--conf", help="script yaml config file", type=str, required=True) -parser.add_argument("--accessid", help="Sumologic Access ID", type=str, required=False) -parser.add_argument("--accesskey", help="Sumologic Access Key", type=str, required=False) 
-parser.add_argument("--endpoint", help="Sumologic url endpoint", type=str, required=False) -parser.add_argument("--ruledir", help="sigma rule directory path to convert", type=str, required=False) -parser.add_argument("--outdir", help="output directory to create rules", type=str, required=False) -parser.add_argument("--sigmac", help="Sigmac location", default="../tools/sigmac", type=str) -parser.add_argument("--realerttime", help="Realert time (optional value, default 5 minutes)", type=str, default=5) -parser.add_argument("--debug", help="Show debug output", type=bool, default=False) -args = parser.parse_args() - -LIMIT = 100 -delay = 5 - - -def rule_element(file_content, elements): - """ - Function used to get specific element from yaml document and return content - :type file_content: str - :type elements: list - :param file_content: - :param elements: list of elements of the yaml document to get "title", "description" - :return: the value of the key in the yaml document - """ - try: - logger.debug("file_content: %s" % file_content) - yaml.safe_load(file_content.replace("---", "")) - except TypeError: - raise Exception('Unsupported') - element_output = "" - for e in elements: - try: - element_output = yaml.safe_load(file_content.replace("---", ""))[e] - except TypeError: - pass - if element_output is None: - return "" - return element_output - - -def get_rule_as_sumologic(file): - """ - Function used to get sumologic query output from rule file - :type file: str - :param file: rule filename - :return: string query - """ - if not os.path.exists(args.sigmac): - logger.error("Cannot find sigmac rule coverter at '%s', please set a correct location via '--sigmac'") - cmd = [args.sigmac, file, "--target", "sumologic"] - logger.info('get_rule_as_sumologic cmd: %s' % cmd) - process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) - output, err = process.communicate() - - # output is byte-string... 
- output = output.decode("utf-8") - err = err.decode("utf-8") - - logger.info('get_rule_as_sumologic output: %s' % output) - logger.info('get_rule_as_sumologic stderr: %s' % err) - if err or "unsupported" in err: - logger.error('Unsupported output at this time') - raise Exception('Unsupported output at this time') - output = output.split("\n") - # Remove empty string from \n - output = [a for a in output if a] - # Handle case of multiple queries returned - if len(output) > 1: - return " OR ".join(output) - return "".join(output) - -if args.help: - parser.print_help() - -if args.conf: - with open(args.conf, 'r') as ymlfile: - cfg = yaml.load(ymlfile) - args.accessid = cfg['accessid'] - args.accesskey = cfg['accesskey'] - args.endpoint = cfg['endpoint'] - args.ruledir = cfg['ruledir'] - args.outdir = cfg['outdir'] - args.sigmac = cfg['sigmac'] - try: - args.recursive = cfg['recursive'] - except TypeError: - args.recursive = False - if args.recursive: - globpath = args.ruledir + "/**/*.yml" - else: - globpath = args.ruledir + "/*.yml" - logger.debug("args: %s" % args) - logger.debug("globpath: %s" % globpath) - -if args.outdir and not os.path.isdir(args.outdir): - os.mkdir(args.outdir, stat.S_IRWXU) - -# non-recursive (above, not working...) -# for file in glob.iglob(args.ruledir + "/*.yml"): -# recursive -for file in glob.iglob(globpath, recursive=True): - - file_basename = os.path.basename(os.path.splitext(file)[0]) - file_basenamepath = os.path.splitext(file)[0] - file_ext = os.path.splitext(file)[1] - try: - if file_ext != '.yml': - continue - - logger.info("Processing %s ..." % file_basename) - with open(file, "rb") as f: - file_content = f.read() - - logger.info("Rule file: %s" % file) - - sumo_query = get_rule_as_sumologic(file) - - logger.info(" Checking if custom query file: %s" % file_basenamepath + '.custom') - if os.path.isfile(file_basenamepath + '.custom'): - # FIXME! want to add something in the middle for parsing for example... 
- logger.info(" Adding custom part to end query from: %s" % file_basenamepath + '.custom') - with open(file_basenamepath + '.custom', "rb") as f: - # FIXME ! manage pipe inside queries - if "| count" in sumo_query: - pos = sumo_query.find('| count') - sumo_query = sumo_query[:pos] + f.read().decode('utf-8') + sumo_query[pos:] - else: - sumo_query += " " + f.read().decode('utf-8') - elif 'count ' not in sumo_query and ('EventID=' in sumo_query): - sumo_query += " | count _sourceCategory, hostname, EventID, msg_summary, _raw" - elif 'count ' not in sumo_query: - sumo_query += " | count _sourceCategory, hostname, _raw" - - logger.debug("Final sumo query: %s" % sumo_query) - - except Exception as e: - if args.debug: - traceback.print_exc() - logger.exception("error generating sumo query " + str(file) + "----" + str(e)) - with open(os.path.join(args.outdir, "sigma-" + file_basename + '-error-generation.txt'), "w") as f: - # f.write(json.dumps(r, indent=4, sort_keys=True) + " ERROR: %s\n\nQUERY: %s" % (e, sumo_query)) - f.write(" ERROR for file: %s\n\Exception:\n %s" % (file, e)) - continue - - try: - # Run query - # https://github.com/SumoLogic/sumologic-python-sdk/blob/3ad8033deb028ac45ac4099f11c04785fa426f51/scripts/search-job.py - sumo = SumoLogic(args.accessid, args.accesskey, args.endpoint) - toTime = datetime.datetime.now().strftime("%Y-%m-%dT%H:%M:%S") - fromTime = datetime.datetime.strptime(toTime, "%Y-%m-%dT%H:%M:%S") - datetime.timedelta(hours=24) - fromTime = fromTime.strftime("%Y-%m-%dT%H:%M:%S") - timeZone = 'UTC' - byReceiptTime = True - - sj = sumo.search_job(sumo_query, fromTime, toTime, timeZone, byReceiptTime) - - status = sumo.search_job_status(sj) - while status['state'] != 'DONE GATHERING RESULTS': - if status['state'] == 'CANCELLED': - break - time.sleep(delay) - status = sumo.search_job_status(sj) - - except Exception as e: - if args.debug: - traceback.print_exc() - logger.exception("error searching sumo " + str(file) + "----" + str(e)) - with 
open(os.path.join(args.outdir, "sigma-" + file_basename + '-error.txt'), "w") as f: - # f.write(json.dumps(r, indent=4, sort_keys=True) + " ERROR: %s\n\nQUERY: %s" % (e, sumo_query)) - f.write(" ERROR: %s\n\nQUERY: %s" % (e, sumo_query)) - pass - - logger.debug("Sumo search job status: %s" % status['state']) - - try: - if status['state'] == 'DONE GATHERING RESULTS': - count = status['recordCount'] - # compensate bad limit check - limit = count if count < LIMIT and count != 0 else LIMIT - r = sumo.search_job_records(sj, limit=limit) - logger.debug("Sumo search results: %s" % r) - - logger.debug("Saving final sumo query for %s to %s" % (file, os.path.join(args.outdir, "sigma-" + file_basename + '.sumo'))) - with open(os.path.join(args.outdir, "sigma-" + file_basename + '.sumo'), "w") as f: - f.write(sumo_query) - if r and r['records'] != []: - logger.info("Saving results") - # as json text file - with open(os.path.join(args.outdir, "sigma-" + file_basename + '.txt'), "w") as f: - f.write(json.dumps(r, indent=4, sort_keys=True)) - # as excel file - df = pandas.io.json.json_normalize(r['records']) - with pandas.ExcelWriter(os.path.join(args.outdir, "sigma-" + file_basename + ".xlsx")) as writer: - df.to_excel(writer, 'data') - pandas.DataFrame({'References': [ - "timeframe: from %s to %s" % (fromTime, toTime), - "Sumo endpoint: %s" % args.endpoint, - "Sumo query: %s" % sumo_query - ]}).to_excel(writer, 'comments') - - # and do whatever you want, email alert, report, ticket... - - except Exception as e: - if args.debug: - traceback.print_exc() - logger.exception("error saving results " + str(file) + "----" + str(e)) - pass diff --git a/contrib/sigmac-convert-updates.sh b/contrib/sigmac-convert-updates.sh deleted file mode 100755 index 1ae8ec3a2..000000000 --- a/contrib/sigmac-convert-updates.sh +++ /dev/null 
@@ -1,31 +0,0 @@ -#!/bin/bash -# Copyright 2022 Tim Shelton -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU Lesser General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public License -# along with this program. If not, see . - - -if [ $# -ne 3 ]; then - echo "Usage: $0 " - echo "Ex: $0 hawk ./tools/config/hawk.yml output.txt" - exit 1 -fi - -FILEDIFF=$(git fetch && git diff --name-only ..origin | egrep "rules/" ) -cd .. -echo "Updating ${FILEDIFF}" -git pull origin master -python3 ./tools/sigmac --target $1 -c $2 ${FILEDIFF} > $3 -E=$(pwd) -cd - - -echo "Output file can be found in $E" diff --git a/contrib/sigmacover.py b/contrib/sigmacover.py deleted file mode 100644 index 3c33e4f2b..000000000 --- a/contrib/sigmacover.py +++ /dev/null 
@@ -1,160 +0,0 @@ -# GNU Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public License -# along with this program. If not, see . -""" -Project: sigmacover.py -Date: 26/09/2021 -Author: frack113 -Version: 1.1 -Description: - get cover of the rules vs backend -Requirements: - python 3.7 min - $ pip install ruyaml -Todo: - - clean code and bug - - better use of subprocess.run - - have idea -""" - - -import re -import subprocess -import pathlib -import ruyaml -import json -import copy -import platform -import argparse - -def get_sigmac(name,conf): - infos = [] - if conf == None: - options = ["python","../tools/sigmac","-t",name,"--debug","-rI","-o","dump.txt","../rules"] - else: - options = ["python","../tools/sigmac","-t",name,"-c",conf,"--debug","-rI","-o","dump.txt","../rules"] - if platform.system() == "Windows": - si = subprocess.STARTUPINFO() - si.dwFlags |= subprocess.STARTF_USESHOWWINDOW - ret = subprocess.run(options, - stdout=subprocess.PIPE, - stderr=subprocess.STDOUT, - startupinfo=si - ) - my_regex = "Convertion Sigma input \S+\\\\(\w+\.yml) (\w+)" - else: - ret = subprocess.run(options, - stdout=subprocess.PIPE, - stderr=subprocess.STDOUT, - ) - my_regex = "Convertion Sigma input \S+/(\w+\.yml) (\w+)" - if not ret.returncode == 0: - print (f"error {ret.returncode} in sigmac") - log = pathlib.Path("sigmac.log") - with log.open() as f: - lines = f.readlines() - for line in lines: - if "Convertion Sigma input" in line: - info = re.findall(my_regex,line)[0] - infos.append(info) - log.unlink() - dump = pathlib.Path("dump.txt") - if dump.exists(): - dump.unlink() - return infos - -def update_dict(my_dict,my_data,backend): - for file,state in my_data: - my_dict[file][backend] = state - -#the backend dict command line options -backend_dict = { - "ala": None, - "ala-rule": None, - "arcsight": "../tools/config/elk-winlogbeat.yml", - "arcsight-esm": "../tools/config/elk-winlogbeat.yml", - 
"carbonblack": "../tools/config/elk-winlogbeat.yml", - "chronicle": "../tools/config/elk-winlogbeat.yml", - "crowdstrike": "../tools/config/elk-winlogbeat.yml", - "csharp" : None, - "devo": "../tools/config/elk-winlogbeat.yml", - "ee-outliers": "../tools/config/winlogbeat-modules-enabled.yml", - "elastalert": "../tools/config/winlogbeat-modules-enabled.yml", - "elastalert-dsl": "../tools/config/winlogbeat-modules-enabled.yml", - "es-dsl": "../tools/config/winlogbeat-modules-enabled.yml", - "es-eql": "../tools/config/winlogbeat-modules-enabled.yml", - "es-qs": "../tools/config/winlogbeat-modules-enabled.yml", - "es-qs-lr": "../tools/config/logrhythm_winevent.yml", - "es-rule": "../tools/config/winlogbeat-modules-enabled.yml", - "es-rule-eql": "../tools/config/winlogbeat-modules-enabled.yml", - "fireeye-helix": "../tools/config/elk-winlogbeat.yml", - "graylog" : None, - "grep" : None, - "humio": "../tools/config/elk-winlogbeat.yml", - "kibana": "../tools/config/winlogbeat-modules-enabled.yml", - "kibana-ndjson": "../tools/config/winlogbeat-modules-enabled.yml", - "lacework" : None, - "limacharlie" : None, - "logiq" : None, - "logpoint" : None, - "mdatp" : None, - "netwitness" : None, - "netwitness-epl" : None, - "opensearch-monitor": "../tools/config/winlogbeat.yml", - "powershell" : None, - "qradar" : None, - "qualys" : None, - "sentinel-rule" : None, - "splunk": "../tools/config/splunk-windows.yml", - "splunkdm": "../tools/config/splunk-windows.yml", - "splunkxml": "../tools/config/splunk-windows.yml", - "sql": "../tools/config/elk-winlogbeat.yml", - "sqlite": "../tools/config/elk-winlogbeat.yml", - "stix": "../tools/config/stix2.0.yml", - "sumologic" : None, - "sumologic-cse" : None, - "sumologic-cse-rule" : None, - "sysmon": "../tools/config/elk-windows.yml", - "uberagent" : None, - "xpack-watcher": "../tools/config/winlogbeat-modules-enabled.yml", - } - -print(""" -███ ███ ████ █▄┼▄█ ███ ┼┼ ███ ███ █▄█ ███ ███ -█▄▄ ┼█┼ █┼▄▄ █┼█┼█ █▄█ ┼┼ █┼┼ █┼█ ███ █▄┼ █▄┼ -▄▄█ 
▄█▄ █▄▄█ █┼┼┼█ █┼█ ┼┼ ███ █▄█ ┼█┼ █▄▄ █┼█ - v1.1 bugfix -please wait during the tests -""") -argparser = argparse.ArgumentParser(description="Check Sigma rules with all backend.") -argparser.add_argument("--target", "-t", choices=["yaml","json"], help="Output target format") -cmdargs = argparser.parse_args() - -if cmdargs.target == None: - print("No outpout use -h to see help") - exit() - -#init dict of all rules -default_key_test = {key : "NO TEST" for key in backend_dict.keys()} -the_dico ={} -rules = pathlib.Path("../rules").glob("**/*.yml") -for rule in rules: - the_dico[rule.name] = copy.deepcopy(default_key_test) - -#Check all the backend -for name,opt in backend_dict.items(): - print (f"check backend : {name}") - result = get_sigmac(name,opt) - update_dict(the_dico,result,name) - -#Save -if cmdargs.target.lower() == "yaml": - cover = pathlib.Path("sigmacover.yml") - with cover.open("w") as file: - ruyaml.dump(the_dico, file, Dumper=ruyaml.RoundTripDumper) -else: - cover = pathlib.Path("sigmacover.json") - with cover.open("w") as file: - json_dumps_str = json.dumps(the_dico, indent=4) - file.write(json_dumps_str) diff --git a/rules-deprecated/README.md b/deprecated/README.md similarity index 100% rename from rules-deprecated/README.md rename to deprecated/README.md diff --git a/rules-deprecated/cloud/azure_app_permissions_for_api.yml b/deprecated/cloud/azure_app_permissions_for_api.yml similarity index 100% rename from rules-deprecated/cloud/azure_app_permissions_for_api.yml rename to deprecated/cloud/azure_app_permissions_for_api.yml diff --git a/rules-deprecated/linux/lnx_auditd_alter_bash_profile.yml b/deprecated/linux/lnx_auditd_alter_bash_profile.yml similarity index 100% rename from rules-deprecated/linux/lnx_auditd_alter_bash_profile.yml rename to deprecated/linux/lnx_auditd_alter_bash_profile.yml 
diff --git a/rules-deprecated/other/generic_brute_force.yml b/deprecated/other/generic_brute_force.yml
similarity index 100%
rename from rules-deprecated/other/generic_brute_force.yml
rename to deprecated/other/generic_brute_force.yml
diff --git a/rules-deprecated/web/proxy_apt_domestic_kitten.yml b/deprecated/web/proxy_apt_domestic_kitten.yml
similarity index 100%
rename from rules-deprecated/web/proxy_apt_domestic_kitten.yml
rename to deprecated/web/proxy_apt_domestic_kitten.yml
diff --git a/rules-deprecated/windows/file_event_win_hktl_createminidump.yml b/deprecated/windows/file_event_win_hktl_createminidump.yml
similarity index 100%
rename from rules-deprecated/windows/file_event_win_hktl_createminidump.yml
rename to deprecated/windows/file_event_win_hktl_createminidump.yml
diff --git a/rules-deprecated/windows/file_event_win_mimikatz_memssp_log_file.yml b/deprecated/windows/file_event_win_mimikatz_memssp_log_file.yml
similarity index 100%
rename from rules-deprecated/windows/file_event_win_mimikatz_memssp_log_file.yml
rename to deprecated/windows/file_event_win_mimikatz_memssp_log_file.yml
diff --git a/rules-deprecated/windows/file_event_win_susp_clr_logs.yml b/deprecated/windows/file_event_win_susp_clr_logs.yml
similarity index 100%
rename from rules-deprecated/windows/file_event_win_susp_clr_logs.yml
rename to deprecated/windows/file_event_win_susp_clr_logs.yml
diff --git a/rules-deprecated/windows/image_load_side_load_advapi32.yml b/deprecated/windows/image_load_side_load_advapi32.yml
similarity index 100%
rename from rules-deprecated/windows/image_load_side_load_advapi32.yml
rename to deprecated/windows/image_load_side_load_advapi32.yml
diff --git a/rules-deprecated/windows/image_load_side_load_scm.yml b/deprecated/windows/image_load_side_load_scm.yml
similarity index 100%
rename from rules-deprecated/windows/image_load_side_load_scm.yml
rename to deprecated/windows/image_load_side_load_scm.yml
diff --git a/rules-deprecated/windows/image_load_susp_winword_wmidll_load.yml b/deprecated/windows/image_load_susp_winword_wmidll_load.yml
old mode 100755
new mode 100644
similarity index 100%
rename from rules-deprecated/windows/image_load_susp_winword_wmidll_load.yml
rename to deprecated/windows/image_load_susp_winword_wmidll_load.yml
diff --git a/rules-deprecated/windows/net_connection_win_binary_github_com.yml b/deprecated/windows/net_connection_win_binary_github_com.yml
similarity index 100%
rename from rules-deprecated/windows/net_connection_win_binary_github_com.yml
rename to deprecated/windows/net_connection_win_binary_github_com.yml
diff --git a/rules-deprecated/windows/posh_pm_powercat.yml b/deprecated/windows/posh_pm_powercat.yml
similarity index 100%
rename from rules-deprecated/windows/posh_pm_powercat.yml
rename to deprecated/windows/posh_pm_powercat.yml
diff --git a/rules-deprecated/windows/posh_ps_access_to_chrome_login_data.yml b/deprecated/windows/posh_ps_access_to_chrome_login_data.yml
similarity index 100%
rename from rules-deprecated/windows/posh_ps_access_to_chrome_login_data.yml
rename to deprecated/windows/posh_ps_access_to_chrome_login_data.yml
diff --git a/rules-deprecated/windows/posh_ps_azurehound_commands.yml b/deprecated/windows/posh_ps_azurehound_commands.yml
similarity index 100%
rename from rules-deprecated/windows/posh_ps_azurehound_commands.yml
rename to deprecated/windows/posh_ps_azurehound_commands.yml
diff --git a/rules-deprecated/windows/posh_ps_invoke_nightmare.yml b/deprecated/windows/posh_ps_invoke_nightmare.yml
similarity index 100%
rename from rules-deprecated/windows/posh_ps_invoke_nightmare.yml
rename to deprecated/windows/posh_ps_invoke_nightmare.yml
diff --git a/rules-deprecated/windows/powershell_suspicious_download.yml b/deprecated/windows/powershell_suspicious_download.yml
similarity index 100%
rename from rules-deprecated/windows/powershell_suspicious_download.yml
rename to deprecated/windows/powershell_suspicious_download.yml
diff --git a/rules-deprecated/windows/powershell_suspicious_invocation_generic.yml b/deprecated/windows/powershell_suspicious_invocation_generic.yml
similarity index 100%
rename from rules-deprecated/windows/powershell_suspicious_invocation_generic.yml
rename to deprecated/windows/powershell_suspicious_invocation_generic.yml
diff --git a/rules-deprecated/windows/powershell_suspicious_invocation_specific.yml b/deprecated/windows/powershell_suspicious_invocation_specific.yml
similarity index 100%
rename from rules-deprecated/windows/powershell_suspicious_invocation_specific.yml
rename to deprecated/windows/powershell_suspicious_invocation_specific.yml
diff --git a/rules-deprecated/windows/powershell_syncappvpublishingserver_exe.yml b/deprecated/windows/powershell_syncappvpublishingserver_exe.yml
similarity index 100%
rename from rules-deprecated/windows/powershell_syncappvpublishingserver_exe.yml
rename to deprecated/windows/powershell_syncappvpublishingserver_exe.yml
diff --git a/rules-deprecated/windows/proc_access_win_in_memory_assembly_execution.yml b/deprecated/windows/proc_access_win_in_memory_assembly_execution.yml
similarity index 100%
rename from rules-deprecated/windows/proc_access_win_in_memory_assembly_execution.yml
rename to deprecated/windows/proc_access_win_in_memory_assembly_execution.yml
diff --git a/rules-deprecated/windows/proc_creation_win_apt_apt29_thinktanks.yml b/deprecated/windows/proc_creation_win_apt_apt29_thinktanks.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_apt_apt29_thinktanks.yml
rename to deprecated/windows/proc_creation_win_apt_apt29_thinktanks.yml
diff --git a/rules-deprecated/windows/proc_creation_win_apt_dragonfly.yml b/deprecated/windows/proc_creation_win_apt_dragonfly.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_apt_dragonfly.yml
rename to deprecated/windows/proc_creation_win_apt_dragonfly.yml
diff --git a/rules-deprecated/windows/proc_creation_win_apt_gallium.yml b/deprecated/windows/proc_creation_win_apt_gallium.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_apt_gallium.yml
rename to deprecated/windows/proc_creation_win_apt_gallium.yml
diff --git a/rules-deprecated/windows/proc_creation_win_apt_hurricane_panda.yml b/deprecated/windows/proc_creation_win_apt_hurricane_panda.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_apt_hurricane_panda.yml
rename to deprecated/windows/proc_creation_win_apt_hurricane_panda.yml
diff --git a/rules-deprecated/windows/proc_creation_win_apt_lazarus_activity_apr21.yml b/deprecated/windows/proc_creation_win_apt_lazarus_activity_apr21.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_apt_lazarus_activity_apr21.yml
rename to deprecated/windows/proc_creation_win_apt_lazarus_activity_apr21.yml
diff --git a/rules-deprecated/windows/proc_creation_win_apt_lazarus_loader.yml b/deprecated/windows/proc_creation_win_apt_lazarus_loader.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_apt_lazarus_loader.yml
rename to deprecated/windows/proc_creation_win_apt_lazarus_loader.yml
diff --git a/rules-deprecated/windows/proc_creation_win_apt_muddywater_dnstunnel.yml b/deprecated/windows/proc_creation_win_apt_muddywater_dnstunnel.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_apt_muddywater_dnstunnel.yml
rename to deprecated/windows/proc_creation_win_apt_muddywater_dnstunnel.yml
diff --git a/rules-deprecated/windows/proc_creation_win_apt_ta505_dropper.yml b/deprecated/windows/proc_creation_win_apt_ta505_dropper.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_apt_ta505_dropper.yml
rename to deprecated/windows/proc_creation_win_apt_ta505_dropper.yml
diff --git a/rules-deprecated/windows/proc_creation_win_certutil_susp_execution.yml b/deprecated/windows/proc_creation_win_certutil_susp_execution.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_certutil_susp_execution.yml
rename to deprecated/windows/proc_creation_win_certutil_susp_execution.yml
diff --git a/rules-deprecated/windows/proc_creation_win_cmd_read_contents.yml b/deprecated/windows/proc_creation_win_cmd_read_contents.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_cmd_read_contents.yml
rename to deprecated/windows/proc_creation_win_cmd_read_contents.yml
diff --git a/rules-deprecated/windows/proc_creation_win_cmd_redirect_to_stream.yml b/deprecated/windows/proc_creation_win_cmd_redirect_to_stream.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_cmd_redirect_to_stream.yml
rename to deprecated/windows/proc_creation_win_cmd_redirect_to_stream.yml
diff --git a/rules-deprecated/windows/proc_creation_win_credential_acquisition_registry_hive_dumping.yml b/deprecated/windows/proc_creation_win_credential_acquisition_registry_hive_dumping.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_credential_acquisition_registry_hive_dumping.yml
rename to deprecated/windows/proc_creation_win_credential_acquisition_registry_hive_dumping.yml
diff --git a/rules-deprecated/windows/proc_creation_win_cscript_vbs.yml b/deprecated/windows/proc_creation_win_cscript_vbs.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_cscript_vbs.yml
rename to deprecated/windows/proc_creation_win_cscript_vbs.yml
diff --git a/rules-deprecated/windows/proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml b/deprecated/windows/proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml
rename to deprecated/windows/proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml
diff --git a/rules-deprecated/windows/proc_creation_win_indirect_cmd.yml b/deprecated/windows/proc_creation_win_indirect_cmd.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_indirect_cmd.yml
rename to deprecated/windows/proc_creation_win_indirect_cmd.yml
diff --git a/rules-deprecated/windows/proc_creation_win_indirect_command_execution_forfiles.yml b/deprecated/windows/proc_creation_win_indirect_command_execution_forfiles.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_indirect_command_execution_forfiles.yml
rename to deprecated/windows/proc_creation_win_indirect_command_execution_forfiles.yml
diff --git a/rules-deprecated/windows/proc_creation_win_invoke_obfuscation_via_rundll.yml b/deprecated/windows/proc_creation_win_invoke_obfuscation_via_rundll.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_invoke_obfuscation_via_rundll.yml
rename to deprecated/windows/proc_creation_win_invoke_obfuscation_via_rundll.yml
diff --git a/rules-deprecated/windows/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml b/deprecated/windows/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml
rename to deprecated/windows/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml
diff --git a/rules-deprecated/windows/proc_creation_win_lolbas_execution_of_wuauclt.yml b/deprecated/windows/proc_creation_win_lolbas_execution_of_wuauclt.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_lolbas_execution_of_wuauclt.yml
rename to deprecated/windows/proc_creation_win_lolbas_execution_of_wuauclt.yml
diff --git a/rules-deprecated/windows/proc_creation_win_lolbins_by_office_applications.yml b/deprecated/windows/proc_creation_win_lolbins_by_office_applications.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_lolbins_by_office_applications.yml
rename to deprecated/windows/proc_creation_win_lolbins_by_office_applications.yml
diff --git a/rules-deprecated/windows/proc_creation_win_mal_ryuk.yml b/deprecated/windows/proc_creation_win_mal_ryuk.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_mal_ryuk.yml
rename to deprecated/windows/proc_creation_win_mal_ryuk.yml
diff --git a/rules-deprecated/windows/proc_creation_win_mavinject_proc_inj.yml b/deprecated/windows/proc_creation_win_mavinject_proc_inj.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_mavinject_proc_inj.yml
rename to deprecated/windows/proc_creation_win_mavinject_proc_inj.yml
diff --git a/rules-deprecated/windows/proc_creation_win_msdt_diagcab.yml b/deprecated/windows/proc_creation_win_msdt_diagcab.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_msdt_diagcab.yml
rename to deprecated/windows/proc_creation_win_msdt_diagcab.yml
diff --git a/rules-deprecated/windows/proc_creation_win_new_service_creation.yml b/deprecated/windows/proc_creation_win_new_service_creation.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_new_service_creation.yml
rename to deprecated/windows/proc_creation_win_new_service_creation.yml
diff --git a/rules-deprecated/windows/proc_creation_win_nslookup_pwsh_download_cradle.yml b/deprecated/windows/proc_creation_win_nslookup_pwsh_download_cradle.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_nslookup_pwsh_download_cradle.yml
rename to deprecated/windows/proc_creation_win_nslookup_pwsh_download_cradle.yml
diff --git a/rules-deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml b/deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml
rename to deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml
diff --git a/rules-deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml b/deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml
rename to deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml
diff --git a/rules-deprecated/windows/proc_creation_win_office_spawning_wmi_commandline.yml b/deprecated/windows/proc_creation_win_office_spawning_wmi_commandline.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_office_spawning_wmi_commandline.yml
rename to deprecated/windows/proc_creation_win_office_spawning_wmi_commandline.yml
diff --git a/rules-deprecated/windows/proc_creation_win_possible_applocker_bypass.yml b/deprecated/windows/proc_creation_win_possible_applocker_bypass.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_possible_applocker_bypass.yml
rename to deprecated/windows/proc_creation_win_possible_applocker_bypass.yml
diff --git a/rules-deprecated/windows/proc_creation_win_powershell_amsi_bypass_pattern_nov22.yml b/deprecated/windows/proc_creation_win_powershell_amsi_bypass_pattern_nov22.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_powershell_amsi_bypass_pattern_nov22.yml
rename to deprecated/windows/proc_creation_win_powershell_amsi_bypass_pattern_nov22.yml
diff --git a/rules-deprecated/windows/proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml b/deprecated/windows/proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml
rename to deprecated/windows/proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml
diff --git a/rules-deprecated/windows/proc_creation_win_powershell_base64_listing_shadowcopy.yml b/deprecated/windows/proc_creation_win_powershell_base64_listing_shadowcopy.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_powershell_base64_listing_shadowcopy.yml
rename to deprecated/windows/proc_creation_win_powershell_base64_listing_shadowcopy.yml
diff --git a/rules-deprecated/windows/proc_creation_win_powershell_base64_shellcode.yml b/deprecated/windows/proc_creation_win_powershell_base64_shellcode.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_powershell_base64_shellcode.yml
rename to deprecated/windows/proc_creation_win_powershell_base64_shellcode.yml
diff --git a/rules-deprecated/windows/proc_creation_win_powershell_bitsjob.yml b/deprecated/windows/proc_creation_win_powershell_bitsjob.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_powershell_bitsjob.yml
rename to deprecated/windows/proc_creation_win_powershell_bitsjob.yml
diff --git a/rules-deprecated/windows/proc_creation_win_powershell_service_modification.yml b/deprecated/windows/proc_creation_win_powershell_service_modification.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_powershell_service_modification.yml
rename to deprecated/windows/proc_creation_win_powershell_service_modification.yml
diff --git a/rules-deprecated/windows/proc_creation_win_powershell_xor_encoded_command.yml b/deprecated/windows/proc_creation_win_powershell_xor_encoded_command.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_powershell_xor_encoded_command.yml
rename to deprecated/windows/proc_creation_win_powershell_xor_encoded_command.yml
diff --git a/rules-deprecated/windows/proc_creation_win_reg_dump_sam.yml b/deprecated/windows/proc_creation_win_reg_dump_sam.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_reg_dump_sam.yml
rename to deprecated/windows/proc_creation_win_reg_dump_sam.yml
diff --git a/rules-deprecated/windows/proc_creation_win_renamed_paexec.yml b/deprecated/windows/proc_creation_win_renamed_paexec.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_renamed_paexec.yml
rename to deprecated/windows/proc_creation_win_renamed_paexec.yml
diff --git a/rules-deprecated/windows/proc_creation_win_renamed_powershell.yml b/deprecated/windows/proc_creation_win_renamed_powershell.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_renamed_powershell.yml
rename to deprecated/windows/proc_creation_win_renamed_powershell.yml
diff --git a/rules-deprecated/windows/proc_creation_win_renamed_psexec.yml b/deprecated/windows/proc_creation_win_renamed_psexec.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_renamed_psexec.yml
rename to deprecated/windows/proc_creation_win_renamed_psexec.yml
diff --git a/rules-deprecated/windows/proc_creation_win_renamed_rundll32.yml b/deprecated/windows/proc_creation_win_renamed_rundll32.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_renamed_rundll32.yml
rename to deprecated/windows/proc_creation_win_renamed_rundll32.yml
diff --git a/rules-deprecated/windows/proc_creation_win_root_certificate_installed.yml b/deprecated/windows/proc_creation_win_root_certificate_installed.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_root_certificate_installed.yml
rename to deprecated/windows/proc_creation_win_root_certificate_installed.yml
diff --git a/rules-deprecated/windows/proc_creation_win_run_from_zip.yml b/deprecated/windows/proc_creation_win_run_from_zip.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_run_from_zip.yml
rename to deprecated/windows/proc_creation_win_run_from_zip.yml
diff --git a/rules-deprecated/windows/proc_creation_win_sc_delete_av_services.yml b/deprecated/windows/proc_creation_win_sc_delete_av_services.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_sc_delete_av_services.yml
rename to deprecated/windows/proc_creation_win_sc_delete_av_services.yml
diff --git a/rules-deprecated/windows/proc_creation_win_schtasks_user_temp.yml b/deprecated/windows/proc_creation_win_schtasks_user_temp.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_schtasks_user_temp.yml
rename to deprecated/windows/proc_creation_win_schtasks_user_temp.yml
diff --git a/rules-deprecated/windows/proc_creation_win_service_stop.yml b/deprecated/windows/proc_creation_win_service_stop.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_service_stop.yml
rename to deprecated/windows/proc_creation_win_service_stop.yml
diff --git a/rules-deprecated/windows/proc_creation_win_susp_bitstransfer.yml b/deprecated/windows/proc_creation_win_susp_bitstransfer.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_susp_bitstransfer.yml
rename to deprecated/windows/proc_creation_win_susp_bitstransfer.yml
diff --git a/rules-deprecated/windows/proc_creation_win_susp_cmd_exectution_via_wmi.yml b/deprecated/windows/proc_creation_win_susp_cmd_exectution_via_wmi.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_susp_cmd_exectution_via_wmi.yml
rename to deprecated/windows/proc_creation_win_susp_cmd_exectution_via_wmi.yml
diff --git a/rules-deprecated/windows/proc_creation_win_susp_commandline_chars.yml b/deprecated/windows/proc_creation_win_susp_commandline_chars.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_susp_commandline_chars.yml
rename to deprecated/windows/proc_creation_win_susp_commandline_chars.yml
diff --git a/rules-deprecated/windows/proc_creation_win_susp_run_folder.yml b/deprecated/windows/proc_creation_win_susp_run_folder.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_susp_run_folder.yml
rename to deprecated/windows/proc_creation_win_susp_run_folder.yml
diff --git a/rules-deprecated/windows/proc_creation_win_susp_squirrel_lolbin.yml b/deprecated/windows/proc_creation_win_susp_squirrel_lolbin.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_susp_squirrel_lolbin.yml
rename to deprecated/windows/proc_creation_win_susp_squirrel_lolbin.yml
diff --git a/rules-deprecated/windows/proc_creation_win_sysinternals_psexec_service_execution.yml b/deprecated/windows/proc_creation_win_sysinternals_psexec_service_execution.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_sysinternals_psexec_service_execution.yml
rename to deprecated/windows/proc_creation_win_sysinternals_psexec_service_execution.yml
diff --git a/rules-deprecated/windows/proc_creation_win_sysinternals_psexesvc_start.yml b/deprecated/windows/proc_creation_win_sysinternals_psexesvc_start.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_sysinternals_psexesvc_start.yml
rename to deprecated/windows/proc_creation_win_sysinternals_psexesvc_start.yml
diff --git a/rules-deprecated/windows/proc_creation_win_whoami_as_system.yml b/deprecated/windows/proc_creation_win_whoami_as_system.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_whoami_as_system.yml
rename to deprecated/windows/proc_creation_win_whoami_as_system.yml
diff --git a/rules-deprecated/windows/proc_creation_win_winword_dll_load.yml b/deprecated/windows/proc_creation_win_winword_dll_load.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_winword_dll_load.yml
rename to deprecated/windows/proc_creation_win_winword_dll_load.yml
diff --git a/rules-deprecated/windows/proc_creation_win_wmic_execution_via_office_process.yml b/deprecated/windows/proc_creation_win_wmic_execution_via_office_process.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_wmic_execution_via_office_process.yml
rename to deprecated/windows/proc_creation_win_wmic_execution_via_office_process.yml
diff --git a/rules-deprecated/windows/proc_creation_win_wmic_remote_command.yml b/deprecated/windows/proc_creation_win_wmic_remote_command.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_wmic_remote_command.yml
rename to deprecated/windows/proc_creation_win_wmic_remote_command.yml
diff --git a/rules-deprecated/windows/proc_creation_win_wmic_remote_service.yml b/deprecated/windows/proc_creation_win_wmic_remote_service.yml
similarity index 100%
rename from rules-deprecated/windows/proc_creation_win_wmic_remote_service.yml
rename to deprecated/windows/proc_creation_win_wmic_remote_service.yml
diff --git a/rules-deprecated/windows/process_creation_syncappvpublishingserver_exe.yml b/deprecated/windows/process_creation_syncappvpublishingserver_exe.yml
similarity index 100%
rename from rules-deprecated/windows/process_creation_syncappvpublishingserver_exe.yml
rename to deprecated/windows/process_creation_syncappvpublishingserver_exe.yml
diff --git a/rules-deprecated/windows/registry_add_sysinternals_sdelete_registry_keys.yml b/deprecated/windows/registry_add_sysinternals_sdelete_registry_keys.yml
similarity index 100%
rename from rules-deprecated/windows/registry_add_sysinternals_sdelete_registry_keys.yml
rename to deprecated/windows/registry_add_sysinternals_sdelete_registry_keys.yml
diff --git a/rules-deprecated/windows/registry_event_asep_reg_keys_modification.yml b/deprecated/windows/registry_event_asep_reg_keys_modification.yml
old mode 100755
new mode 100644
similarity index 100%
rename from rules-deprecated/windows/registry_event_asep_reg_keys_modification.yml
rename to deprecated/windows/registry_event_asep_reg_keys_modification.yml
diff --git a/rules-deprecated/windows/registry_set_abusing_windows_telemetry_for_persistence.yml b/deprecated/windows/registry_set_abusing_windows_telemetry_for_persistence.yml
similarity index 100%
rename from rules-deprecated/windows/registry_set_abusing_windows_telemetry_for_persistence.yml
rename to deprecated/windows/registry_set_abusing_windows_telemetry_for_persistence.yml
diff --git a/rules-deprecated/windows/registry_set_add_hidden_user.yml b/deprecated/windows/registry_set_add_hidden_user.yml
similarity index 100%
rename from rules-deprecated/windows/registry_set_add_hidden_user.yml
rename to deprecated/windows/registry_set_add_hidden_user.yml
diff --git a/rules-deprecated/windows/registry_set_silentprocessexit.yml b/deprecated/windows/registry_set_silentprocessexit.yml
similarity index 100%
rename from rules-deprecated/windows/registry_set_silentprocessexit.yml
rename to deprecated/windows/registry_set_silentprocessexit.yml
diff --git a/rules-deprecated/windows/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml b/deprecated/windows/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
similarity index 100%
rename from rules-deprecated/windows/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
rename to deprecated/windows/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml
diff --git a/rules-deprecated/windows/sysmon_dcom_iertutil_dll_hijack.yml b/deprecated/windows/sysmon_dcom_iertutil_dll_hijack.yml
similarity index 100%
rename from rules-deprecated/windows/sysmon_dcom_iertutil_dll_hijack.yml
rename to deprecated/windows/sysmon_dcom_iertutil_dll_hijack.yml
diff --git a/rules-deprecated/windows/sysmon_mimikatz_detection_lsass.yml b/deprecated/windows/sysmon_mimikatz_detection_lsass.yml
similarity index 100%
rename from rules-deprecated/windows/sysmon_mimikatz_detection_lsass.yml
rename to deprecated/windows/sysmon_mimikatz_detection_lsass.yml
diff --git a/rules-deprecated/windows/sysmon_rclone_execution.yml b/deprecated/windows/sysmon_rclone_execution.yml
similarity index 100%
rename from rules-deprecated/windows/sysmon_rclone_execution.yml
rename to deprecated/windows/sysmon_rclone_execution.yml
diff --git a/rules-deprecated/windows/win_dsquery_domain_trust_discovery.yml b/deprecated/windows/win_dsquery_domain_trust_discovery.yml
similarity index 100%
rename from rules-deprecated/windows/win_dsquery_domain_trust_discovery.yml
rename to deprecated/windows/win_dsquery_domain_trust_discovery.yml
diff --git a/rules-deprecated/windows/win_lateral_movement_condrv.yml b/deprecated/windows/win_lateral_movement_condrv.yml
similarity index 100%
rename from rules-deprecated/windows/win_lateral_movement_condrv.yml
rename to deprecated/windows/win_lateral_movement_condrv.yml
diff --git a/rules-deprecated/windows/win_security_lolbas_execution_of_nltest.yml b/deprecated/windows/win_security_lolbas_execution_of_nltest.yml
similarity index 100%
rename from rules-deprecated/windows/win_security_lolbas_execution_of_nltest.yml
rename to deprecated/windows/win_security_lolbas_execution_of_nltest.yml
diff --git a/rules-deprecated/windows/win_susp_esentutl_activity.yml b/deprecated/windows/win_susp_esentutl_activity.yml
similarity index 100%
rename from rules-deprecated/windows/win_susp_esentutl_activity.yml
rename to deprecated/windows/win_susp_esentutl_activity.yml
diff --git a/rules-deprecated/windows/win_susp_rclone_exec.yml b/deprecated/windows/win_susp_rclone_exec.yml
similarity index 100%
rename from rules-deprecated/windows/win_susp_rclone_exec.yml
rename to deprecated/windows/win_susp_rclone_exec.yml
diff --git a/rules-deprecated/windows/win_susp_vssadmin_ntds_activity.yml b/deprecated/windows/win_susp_vssadmin_ntds_activity.yml
similarity index 100%
rename from rules-deprecated/windows/win_susp_vssadmin_ntds_activity.yml
rename to deprecated/windows/win_susp_vssadmin_ntds_activity.yml
diff --git a/rules-unsupported/README.md b/unsupported/README.md
similarity index 100%
rename from rules-unsupported/README.md
rename to unsupported/README.md
diff --git a/rules-unsupported/cloud/aws_ec2_download_userdata.yml b/unsupported/cloud/aws_ec2_download_userdata.yml
similarity index 100%
rename from rules-unsupported/cloud/aws_ec2_download_userdata.yml
rename to unsupported/cloud/aws_ec2_download_userdata.yml
diff --git a/rules-unsupported/cloud/aws_enum_backup.yml b/unsupported/cloud/aws_enum_backup.yml
similarity index 100%
rename from rules-unsupported/cloud/aws_enum_backup.yml
rename to unsupported/cloud/aws_enum_backup.yml
diff --git a/rules-unsupported/cloud/aws_enum_listing.yml b/unsupported/cloud/aws_enum_listing.yml
similarity index 100%
rename from rules-unsupported/cloud/aws_enum_listing.yml
rename to unsupported/cloud/aws_enum_listing.yml
diff --git a/rules-unsupported/cloud/aws_enum_network.yml b/unsupported/cloud/aws_enum_network.yml
similarity index 100%
rename from rules-unsupported/cloud/aws_enum_network.yml
rename to unsupported/cloud/aws_enum_network.yml
diff --git a/rules-unsupported/cloud/aws_enum_storage.yml b/unsupported/cloud/aws_enum_storage.yml
similarity index 100%
rename from rules-unsupported/cloud/aws_enum_storage.yml
rename to unsupported/cloud/aws_enum_storage.yml
diff --git a/rules-unsupported/cloud/aws_lambda_function_created_or_invoked.yml b/unsupported/cloud/aws_lambda_function_created_or_invoked.yml
similarity index 100%
rename from rules-unsupported/cloud/aws_lambda_function_created_or_invoked.yml
rename to unsupported/cloud/aws_lambda_function_created_or_invoked.yml
diff --git a/rules-unsupported/cloud/aws_macic_evasion.yml b/unsupported/cloud/aws_macic_evasion.yml
similarity index 100%
rename from rules-unsupported/cloud/aws_macic_evasion.yml
rename to unsupported/cloud/aws_macic_evasion.yml
diff --git a/rules-unsupported/cloud/aws_ses_messaging_enabled.yml b/unsupported/cloud/aws_ses_messaging_enabled.yml
similarity index 100%
rename from rules-unsupported/cloud/aws_ses_messaging_enabled.yml
rename to unsupported/cloud/aws_ses_messaging_enabled.yml
diff --git a/rules-unsupported/cloud/azure_aad_secops_signin_failure_bad_password_threshold.yml b/unsupported/cloud/azure_aad_secops_signin_failure_bad_password_threshold.yml
similarity index 100%
rename from rules-unsupported/cloud/azure_aad_secops_signin_failure_bad_password_threshold.yml
rename to unsupported/cloud/azure_aad_secops_signin_failure_bad_password_threshold.yml
diff --git a/rules-unsupported/linux/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml b/unsupported/linux/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml
similarity index 100%
rename from rules-unsupported/linux/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml
rename to unsupported/linux/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml
diff --git a/rules-unsupported/linux/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml b/unsupported/linux/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml
similarity index 100%
rename from rules-unsupported/linux/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml
rename to unsupported/linux/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml
diff --git a/rules-unsupported/linux/lnx_auditd_cve_2021_4034.yml b/unsupported/linux/lnx_auditd_cve_2021_4034.yml
similarity index 100%
rename from rules-unsupported/linux/lnx_auditd_cve_2021_4034.yml
rename to unsupported/linux/lnx_auditd_cve_2021_4034.yml
diff --git a/rules-unsupported/linux/lnx_auditd_debugfs_usage.yml b/unsupported/linux/lnx_auditd_debugfs_usage.yml
similarity index 100%
rename from rules-unsupported/linux/lnx_auditd_debugfs_usage.yml
rename to unsupported/linux/lnx_auditd_debugfs_usage.yml
diff --git a/rules-unsupported/linux/lnx_auditd_omigod_scx_runasprovider_executescript.yml b/unsupported/linux/lnx_auditd_omigod_scx_runasprovider_executescript.yml
similarity index 100%
rename from rules-unsupported/linux/lnx_auditd_omigod_scx_runasprovider_executescript.yml
rename to unsupported/linux/lnx_auditd_omigod_scx_runasprovider_executescript.yml
diff --git a/rules-unsupported/linux/lnx_auth_susp_failed_logons_single_source.yml b/unsupported/linux/lnx_auth_susp_failed_logons_single_source.yml
similarity index 100%
rename from rules-unsupported/linux/lnx_auth_susp_failed_logons_single_source.yml
rename to unsupported/linux/lnx_auth_susp_failed_logons_single_source.yml
diff --git a/rules-unsupported/linux/lnx_shell_priv_esc_prep.yml b/unsupported/linux/lnx_shell_priv_esc_prep.yml
similarity index 100%
rename from rules-unsupported/linux/lnx_shell_priv_esc_prep.yml
rename to unsupported/linux/lnx_shell_priv_esc_prep.yml
diff --git a/rules-unsupported/network/net_dns_c2_detection.yml b/unsupported/network/net_dns_c2_detection.yml
similarity index 100%
rename from rules-unsupported/network/net_dns_c2_detection.yml
rename to unsupported/network/net_dns_c2_detection.yml
diff --git a/rules-unsupported/network/net_dns_high_bytes_out.yml b/unsupported/network/net_dns_high_bytes_out.yml
similarity index 100%
rename from rules-unsupported/network/net_dns_high_bytes_out.yml
rename to unsupported/network/net_dns_high_bytes_out.yml
diff --git a/rules-unsupported/network/net_dns_high_null_records_requests_rate.yml b/unsupported/network/net_dns_high_null_records_requests_rate.yml
similarity index 100%
rename from rules-unsupported/network/net_dns_high_null_records_requests_rate.yml
rename to unsupported/network/net_dns_high_null_records_requests_rate.yml
diff --git a/rules-unsupported/network/net_dns_high_requests_rate.yml b/unsupported/network/net_dns_high_requests_rate.yml
similarity index 100%
rename from rules-unsupported/network/net_dns_high_requests_rate.yml
rename to unsupported/network/net_dns_high_requests_rate.yml
diff --git a/rules-unsupported/network/net_dns_high_subdomain_rate.yml b/unsupported/network/net_dns_high_subdomain_rate.yml
similarity index 100%
rename from rules-unsupported/network/net_dns_high_subdomain_rate.yml
rename to unsupported/network/net_dns_high_subdomain_rate.yml
diff --git a/rules-unsupported/network/net_dns_high_txt_records_requests_rate.yml b/unsupported/network/net_dns_high_txt_records_requests_rate.yml
similarity index 100%
rename from rules-unsupported/network/net_dns_high_txt_records_requests_rate.yml
rename to unsupported/network/net_dns_high_txt_records_requests_rate.yml
diff --git a/rules-unsupported/network/net_dns_large_domain_name.yml b/unsupported/network/net_dns_large_domain_name.yml
similarity index 100%
rename from rules-unsupported/network/net_dns_large_domain_name.yml
rename to unsupported/network/net_dns_large_domain_name.yml
diff --git a/rules-unsupported/network/net_firewall_high_dns_bytes_out.yml b/unsupported/network/net_firewall_high_dns_bytes_out.yml
similarity index 100%
rename from rules-unsupported/network/net_firewall_high_dns_bytes_out.yml
rename to unsupported/network/net_firewall_high_dns_bytes_out.yml
diff --git a/rules-unsupported/network/net_firewall_high_dns_requests_rate.yml b/unsupported/network/net_firewall_high_dns_requests_rate.yml
similarity index 100%
rename from rules-unsupported/network/net_firewall_high_dns_requests_rate.yml
rename to unsupported/network/net_firewall_high_dns_requests_rate.yml
diff --git a/rules-unsupported/network/net_firewall_susp_network_scan_by_ip.yml b/unsupported/network/net_firewall_susp_network_scan_by_ip.yml
similarity index 100%
rename from rules-unsupported/network/net_firewall_susp_network_scan_by_ip.yml
rename to unsupported/network/net_firewall_susp_network_scan_by_ip.yml
diff --git a/rules-unsupported/network/net_firewall_susp_network_scan_by_port.yml b/unsupported/network/net_firewall_susp_network_scan_by_port.yml
similarity index 100%
rename from rules-unsupported/network/net_firewall_susp_network_scan_by_port.yml
rename to unsupported/network/net_firewall_susp_network_scan_by_port.yml
diff --git a/rules-unsupported/network/net_possible_dns_rebinding.yml b/unsupported/network/net_possible_dns_rebinding.yml
similarity index 100%
rename from rules-unsupported/network/net_possible_dns_rebinding.yml
rename to unsupported/network/net_possible_dns_rebinding.yml
diff --git a/rules-unsupported/other/modsec_mulitple_blocks.yml b/unsupported/other/modsec_mulitple_blocks.yml
similarity index 100%
rename from rules-unsupported/other/modsec_mulitple_blocks.yml
rename to unsupported/other/modsec_mulitple_blocks.yml
diff --git a/rules-unsupported/web/web_multiple_susp_resp_codes_single_source.yml b/unsupported/web/web_multiple_susp_resp_codes_single_source.yml
similarity index 100%
rename from rules-unsupported/web/web_multiple_susp_resp_codes_single_source.yml
rename to unsupported/web/web_multiple_susp_resp_codes_single_source.yml
diff --git a/rules-unsupported/windows/dns_query_win_possible_dns_rebinding.yml b/unsupported/windows/dns_query_win_possible_dns_rebinding.yml
similarity index 100%
rename from rules-unsupported/windows/dns_query_win_possible_dns_rebinding.yml
rename to unsupported/windows/dns_query_win_possible_dns_rebinding.yml
diff --git a/rules-unsupported/windows/driver_load_invoke_obfuscation_clip+_services.yml b/unsupported/windows/driver_load_invoke_obfuscation_clip+_services.yml
similarity index 100%
rename from rules-unsupported/windows/driver_load_invoke_obfuscation_clip+_services.yml
rename to unsupported/windows/driver_load_invoke_obfuscation_clip+_services.yml
diff --git a/rules-unsupported/windows/driver_load_invoke_obfuscation_obfuscated_iex_services.yml b/unsupported/windows/driver_load_invoke_obfuscation_obfuscated_iex_services.yml
similarity index 100%
rename from rules-unsupported/windows/driver_load_invoke_obfuscation_obfuscated_iex_services.yml
rename to unsupported/windows/driver_load_invoke_obfuscation_obfuscated_iex_services.yml
diff --git a/rules-unsupported/windows/driver_load_invoke_obfuscation_stdin+_services.yml b/unsupported/windows/driver_load_invoke_obfuscation_stdin+_services.yml
similarity index 100%
rename from rules-unsupported/windows/driver_load_invoke_obfuscation_stdin+_services.yml
rename to unsupported/windows/driver_load_invoke_obfuscation_stdin+_services.yml
diff --git a/rules-unsupported/windows/driver_load_invoke_obfuscation_var+_services.yml b/unsupported/windows/driver_load_invoke_obfuscation_var+_services.yml
similarity index 100%
rename from rules-unsupported/windows/driver_load_invoke_obfuscation_var+_services.yml
rename to unsupported/windows/driver_load_invoke_obfuscation_var+_services.yml
diff --git a/rules-unsupported/windows/driver_load_invoke_obfuscation_via_compress_services.yml b/unsupported/windows/driver_load_invoke_obfuscation_via_compress_services.yml
similarity index 100%
rename from rules-unsupported/windows/driver_load_invoke_obfuscation_via_compress_services.yml
rename to unsupported/windows/driver_load_invoke_obfuscation_via_compress_services.yml
diff --git a/rules-unsupported/windows/driver_load_invoke_obfuscation_via_rundll_services.yml b/unsupported/windows/driver_load_invoke_obfuscation_via_rundll_services.yml
similarity index 100%
rename from rules-unsupported/windows/driver_load_invoke_obfuscation_via_rundll_services.yml
rename to unsupported/windows/driver_load_invoke_obfuscation_via_rundll_services.yml
diff --git a/rules-unsupported/windows/driver_load_invoke_obfuscation_via_stdin_services.yml b/unsupported/windows/driver_load_invoke_obfuscation_via_stdin_services.yml
similarity index 100%
rename from rules-unsupported/windows/driver_load_invoke_obfuscation_via_stdin_services.yml
rename to unsupported/windows/driver_load_invoke_obfuscation_via_stdin_services.yml
diff --git a/rules-unsupported/windows/driver_load_invoke_obfuscation_via_use_clip_services.yml b/unsupported/windows/driver_load_invoke_obfuscation_via_use_clip_services.yml
similarity index 100%
rename from rules-unsupported/windows/driver_load_invoke_obfuscation_via_use_clip_services.yml
rename to unsupported/windows/driver_load_invoke_obfuscation_via_use_clip_services.yml
diff --git a/rules-unsupported/windows/driver_load_invoke_obfuscation_via_use_mshta_services.yml b/unsupported/windows/driver_load_invoke_obfuscation_via_use_mshta_services.yml
similarity index 100%
rename from rules-unsupported/windows/driver_load_invoke_obfuscation_via_use_mshta_services.yml
rename to unsupported/windows/driver_load_invoke_obfuscation_via_use_mshta_services.yml
diff --git a/rules-unsupported/windows/driver_load_invoke_obfuscation_via_use_rundll32_services.yml b/unsupported/windows/driver_load_invoke_obfuscation_via_use_rundll32_services.yml
similarity index 100%
rename from rules-unsupported/windows/driver_load_invoke_obfuscation_via_use_rundll32_services.yml
rename to unsupported/windows/driver_load_invoke_obfuscation_via_use_rundll32_services.yml
diff --git a/rules-unsupported/windows/driver_load_invoke_obfuscation_via_var++_services.yml b/unsupported/windows/driver_load_invoke_obfuscation_via_var++_services.yml
similarity index 100%
rename from rules-unsupported/windows/driver_load_invoke_obfuscation_via_var++_services.yml
rename to unsupported/windows/driver_load_invoke_obfuscation_via_var++_services.yml
diff --git a/rules-unsupported/windows/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/unsupported/windows/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
similarity index 100%
rename from rules-unsupported/windows/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
rename to unsupported/windows/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
diff --git a/rules-unsupported/windows/driver_load_tap_driver_installation.yml b/unsupported/windows/driver_load_tap_driver_installation.yml
similarity index 100%
rename from rules-unsupported/windows/driver_load_tap_driver_installation.yml
rename to unsupported/windows/driver_load_tap_driver_installation.yml
diff --git a/rules-unsupported/windows/file_event_executable_and_script_creation_by_office_using_file_ext.yml b/unsupported/windows/file_event_executable_and_script_creation_by_office_using_file_ext.yml
similarity index 100%
rename from rules-unsupported/windows/file_event_executable_and_script_creation_by_office_using_file_ext.yml
rename to unsupported/windows/file_event_executable_and_script_creation_by_office_using_file_ext.yml
diff --git a/rules-unsupported/windows/image_load_mimikatz_inmemory_detection.yml b/unsupported/windows/image_load_mimikatz_inmemory_detection.yml
similarity index 100%
rename from rules-unsupported/windows/image_load_mimikatz_inmemory_detection.yml
rename to unsupported/windows/image_load_mimikatz_inmemory_detection.yml
diff --git a/rules-unsupported/windows/posh_ps_cl_invocation_lolscript_count.yml b/unsupported/windows/posh_ps_cl_invocation_lolscript_count.yml
similarity index 100%
rename from rules-unsupported/windows/posh_ps_cl_invocation_lolscript_count.yml
rename to unsupported/windows/posh_ps_cl_invocation_lolscript_count.yml
diff --git a/rules-unsupported/windows/posh_ps_cl_mutexverifiers_lolscript_count.yml b/unsupported/windows/posh_ps_cl_mutexverifiers_lolscript_count.yml
similarity index 100%
rename from rules-unsupported/windows/posh_ps_cl_mutexverifiers_lolscript_count.yml
rename to unsupported/windows/posh_ps_cl_mutexverifiers_lolscript_count.yml
diff --git a/rules-unsupported/windows/proc_creation_win_correlation_apt_silence_downloader_v3.yml b/unsupported/windows/proc_creation_win_correlation_apt_silence_downloader_v3.yml
similarity index 100%
rename from rules-unsupported/windows/proc_creation_win_correlation_apt_silence_downloader_v3.yml
rename to unsupported/windows/proc_creation_win_correlation_apt_silence_downloader_v3.yml
diff --git a/rules-unsupported/windows/proc_creation_win_correlation_apt_turla_commands_medium.yml b/unsupported/windows/proc_creation_win_correlation_apt_turla_commands_medium.yml
similarity index 100%
rename from rules-unsupported/windows/proc_creation_win_correlation_apt_turla_commands_medium.yml
rename to unsupported/windows/proc_creation_win_correlation_apt_turla_commands_medium.yml
diff --git a/rules-unsupported/windows/proc_creation_win_correlation_dnscat2_powershell_implementation.yml b/unsupported/windows/proc_creation_win_correlation_dnscat2_powershell_implementation.yml
similarity index 100%
rename from rules-unsupported/windows/proc_creation_win_correlation_dnscat2_powershell_implementation.yml
rename to unsupported/windows/proc_creation_win_correlation_dnscat2_powershell_implementation.yml
diff --git a/rules-unsupported/windows/proc_creation_win_correlation_multiple_susp_cli.yml b/unsupported/windows/proc_creation_win_correlation_multiple_susp_cli.yml
similarity index 100%
rename from rules-unsupported/windows/proc_creation_win_correlation_multiple_susp_cli.yml
rename to unsupported/windows/proc_creation_win_correlation_multiple_susp_cli.yml
diff --git a/rules-unsupported/windows/proc_creation_win_correlation_susp_builtin_commands_recon.yml b/unsupported/windows/proc_creation_win_correlation_susp_builtin_commands_recon.yml
similarity index 100%
rename from rules-unsupported/windows/proc_creation_win_correlation_susp_builtin_commands_recon.yml
rename to unsupported/windows/proc_creation_win_correlation_susp_builtin_commands_recon.yml
diff --git a/rules-unsupported/windows/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml b/unsupported/windows/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
similarity index 100%
rename from rules-unsupported/windows/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
rename to unsupported/windows/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
diff --git a/rules-unsupported/windows/sysmon_always_install_elevated_parent_child_correlated.yml b/unsupported/windows/sysmon_always_install_elevated_parent_child_correlated.yml
similarity index 100%
rename from rules-unsupported/windows/sysmon_always_install_elevated_parent_child_correlated.yml
rename to unsupported/windows/sysmon_always_install_elevated_parent_child_correlated.yml
diff --git a/rules-unsupported/windows/sysmon_non_priv_program_files_move.yml b/unsupported/windows/sysmon_non_priv_program_files_move.yml
similarity index 100%
rename from rules-unsupported/windows/sysmon_non_priv_program_files_move.yml
rename to unsupported/windows/sysmon_non_priv_program_files_move.yml
diff --git a/rules-unsupported/windows/sysmon_process_reimaging.yml b/unsupported/windows/sysmon_process_reimaging.yml
similarity index 100%
rename from rules-unsupported/windows/sysmon_process_reimaging.yml
rename to unsupported/windows/sysmon_process_reimaging.yml
diff --git a/rules-unsupported/windows/win_access_fake_files_with_stored_credentials.yml b/unsupported/windows/win_access_fake_files_with_stored_credentials.yml
similarity index 100%
rename from rules-unsupported/windows/win_access_fake_files_with_stored_credentials.yml
rename to unsupported/windows/win_access_fake_files_with_stored_credentials.yml
diff --git a/rules-unsupported/windows/win_apt_apt29_tor.yml b/unsupported/windows/win_apt_apt29_tor.yml
similarity index 100%
rename from rules-unsupported/windows/win_apt_apt29_tor.yml
rename to unsupported/windows/win_apt_apt29_tor.yml
diff --git a/rules-unsupported/windows/win_dumping_ntdsdit_via_dcsync.yml b/unsupported/windows/win_dumping_ntdsdit_via_dcsync.yml
similarity index 100%
rename from rules-unsupported/windows/win_dumping_ntdsdit_via_dcsync.yml
rename to unsupported/windows/win_dumping_ntdsdit_via_dcsync.yml
diff --git a/rules-unsupported/windows/win_dumping_ntdsdit_via_netsync.yml b/unsupported/windows/win_dumping_ntdsdit_via_netsync.yml
similarity index 100%
rename from rules-unsupported/windows/win_dumping_ntdsdit_via_netsync.yml
rename to unsupported/windows/win_dumping_ntdsdit_via_netsync.yml
diff --git a/rules-unsupported/windows/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml b/unsupported/windows/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
similarity index 100%
rename from rules-unsupported/windows/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
rename to unsupported/windows/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
diff --git a/rules-unsupported/windows/win_mal_service_installs.yml b/unsupported/windows/win_mal_service_installs.yml
similarity index 100%
rename from rules-unsupported/windows/win_mal_service_installs.yml
rename to unsupported/windows/win_mal_service_installs.yml
diff --git a/rules-unsupported/windows/win_metasploit_or_impacket_smb_psexec_service_install.yml b/unsupported/windows/win_metasploit_or_impacket_smb_psexec_service_install.yml
similarity index 100%
rename from rules-unsupported/windows/win_metasploit_or_impacket_smb_psexec_service_install.yml
rename to unsupported/windows/win_metasploit_or_impacket_smb_psexec_service_install.yml
diff --git a/rules-unsupported/windows/win_possible_privilege_escalation_using_rotten_potato.yml b/unsupported/windows/win_possible_privilege_escalation_using_rotten_potato.yml
similarity index 100%
rename from rules-unsupported/windows/win_possible_privilege_escalation_using_rotten_potato.yml
rename to unsupported/windows/win_possible_privilege_escalation_using_rotten_potato.yml
diff --git a/rules-unsupported/windows/win_remote_schtask.yml b/unsupported/windows/win_remote_schtask.yml
similarity index 100%
rename from rules-unsupported/windows/win_remote_schtask.yml
rename to unsupported/windows/win_remote_schtask.yml
diff --git a/rules-unsupported/windows/win_remote_service.yml b/unsupported/windows/win_remote_service.yml
similarity index 100%
rename from rules-unsupported/windows/win_remote_service.yml
rename to unsupported/windows/win_remote_service.yml
diff --git a/rules-unsupported/windows/win_security_global_catalog_enumeration.yml b/unsupported/windows/win_security_global_catalog_enumeration.yml
similarity index 100%
rename from rules-unsupported/windows/win_security_global_catalog_enumeration.yml
rename to unsupported/windows/win_security_global_catalog_enumeration.yml
diff --git a/rules-unsupported/windows/win_security_rare_schtasks_creations.yml b/unsupported/windows/win_security_rare_schtasks_creations.yml
similarity index 100%
rename from rules-unsupported/windows/win_security_rare_schtasks_creations.yml
rename to unsupported/windows/win_security_rare_schtasks_creations.yml
diff --git a/rules-unsupported/windows/win_security_susp_failed_logons_explicit_credentials.yml b/unsupported/windows/win_security_susp_failed_logons_explicit_credentials.yml
similarity index 100%
rename from rules-unsupported/windows/win_security_susp_failed_logons_explicit_credentials.yml
rename to unsupported/windows/win_security_susp_failed_logons_explicit_credentials.yml
diff --git a/rules-unsupported/windows/win_security_susp_failed_logons_single_process.yml b/unsupported/windows/win_security_susp_failed_logons_single_process.yml
similarity index 100%
rename from rules-unsupported/windows/win_security_susp_failed_logons_single_process.yml
rename to unsupported/windows/win_security_susp_failed_logons_single_process.yml
diff --git a/rules-unsupported/windows/win_security_susp_failed_logons_single_source.yml b/unsupported/windows/win_security_susp_failed_logons_single_source.yml
similarity index 100%
rename from rules-unsupported/windows/win_security_susp_failed_logons_single_source.yml
rename to unsupported/windows/win_security_susp_failed_logons_single_source.yml
diff --git a/rules-unsupported/windows/win_security_susp_failed_logons_single_source2.yml b/unsupported/windows/win_security_susp_failed_logons_single_source2.yml
similarity index 100%
rename from rules-unsupported/windows/win_security_susp_failed_logons_single_source2.yml
rename to unsupported/windows/win_security_susp_failed_logons_single_source2.yml
diff --git a/rules-unsupported/windows/win_security_susp_failed_logons_single_source_kerberos.yml b/unsupported/windows/win_security_susp_failed_logons_single_source_kerberos.yml
similarity index 100%
rename from rules-unsupported/windows/win_security_susp_failed_logons_single_source_kerberos.yml
rename to unsupported/windows/win_security_susp_failed_logons_single_source_kerberos.yml
diff --git a/rules-unsupported/windows/win_security_susp_failed_logons_single_source_kerberos2.yml b/unsupported/windows/win_security_susp_failed_logons_single_source_kerberos2.yml
similarity index 100%
rename from rules-unsupported/windows/win_security_susp_failed_logons_single_source_kerberos2.yml
rename to unsupported/windows/win_security_susp_failed_logons_single_source_kerberos2.yml
diff --git a/rules-unsupported/windows/win_security_susp_failed_logons_single_source_kerberos3.yml b/unsupported/windows/win_security_susp_failed_logons_single_source_kerberos3.yml
similarity index 100%
rename from rules-unsupported/windows/win_security_susp_failed_logons_single_source_kerberos3.yml
rename to unsupported/windows/win_security_susp_failed_logons_single_source_kerberos3.yml
diff --git a/rules-unsupported/windows/win_security_susp_failed_logons_single_source_ntlm.yml b/unsupported/windows/win_security_susp_failed_logons_single_source_ntlm.yml
similarity index 100%
rename from rules-unsupported/windows/win_security_susp_failed_logons_single_source_ntlm.yml
rename to unsupported/windows/win_security_susp_failed_logons_single_source_ntlm.yml
diff --git a/rules-unsupported/windows/win_security_susp_failed_logons_single_source_ntlm2.yml b/unsupported/windows/win_security_susp_failed_logons_single_source_ntlm2.yml
similarity index 100%
rename from rules-unsupported/windows/win_security_susp_failed_logons_single_source_ntlm2.yml
rename to unsupported/windows/win_security_susp_failed_logons_single_source_ntlm2.yml
diff --git a/rules-unsupported/windows/win_security_susp_failed_remote_logons_single_source.yml b/unsupported/windows/win_security_susp_failed_remote_logons_single_source.yml
similarity index 100%
rename from rules-unsupported/windows/win_security_susp_failed_remote_logons_single_source.yml
rename to unsupported/windows/win_security_susp_failed_remote_logons_single_source.yml
diff --git a/rules-unsupported/windows/win_security_susp_multiple_files_renamed_or_deleted.yml b/unsupported/windows/win_security_susp_multiple_files_renamed_or_deleted.yml
similarity index 100%
rename from rules-unsupported/windows/win_security_susp_multiple_files_renamed_or_deleted.yml
rename to unsupported/windows/win_security_susp_multiple_files_renamed_or_deleted.yml
diff --git a/rules-unsupported/windows/win_security_susp_samr_pwset.yml b/unsupported/windows/win_security_susp_samr_pwset.yml
similarity index 100%
rename from rules-unsupported/windows/win_security_susp_samr_pwset.yml
rename to unsupported/windows/win_security_susp_samr_pwset.yml
diff --git a/rules-unsupported/windows/win_susp_failed_hidden_share_mount.yml b/unsupported/windows/win_susp_failed_hidden_share_mount.yml
similarity index 100%
rename from rules-unsupported/windows/win_susp_failed_hidden_share_mount.yml
rename to unsupported/windows/win_susp_failed_hidden_share_mount.yml
diff --git a/rules-unsupported/windows/win_suspicious_werfault_connection_outbound.yml b/unsupported/windows/win_suspicious_werfault_connection_outbound.yml
similarity index 100%
rename from rules-unsupported/windows/win_suspicious_werfault_connection_outbound.yml
rename to unsupported/windows/win_suspicious_werfault_connection_outbound.yml
diff --git a/rules-unsupported/windows/win_system_rare_service_installs.yml b/unsupported/windows/win_system_rare_service_installs.yml
similarity index 100%
rename from rules-unsupported/windows/win_system_rare_service_installs.yml
rename to unsupported/windows/win_system_rare_service_installs.yml
diff --git a/rules-unsupported/windows/win_taskscheduler_rare_schtask_creation.yml b/unsupported/windows/win_taskscheduler_rare_schtask_creation.yml
similarity index 100%
rename from rules-unsupported/windows/win_taskscheduler_rare_schtask_creation.yml
rename to unsupported/windows/win_taskscheduler_rare_schtask_creation.yml
diff --git a/rules-unsupported/zeek/zeek_dce_rpc_domain_user_enumeration.yml b/unsupported/zeek/zeek_dce_rpc_domain_user_enumeration.yml
similarity index 100%
rename from rules-unsupported/zeek/zeek_dce_rpc_domain_user_enumeration.yml
rename to unsupported/zeek/zeek_dce_rpc_domain_user_enumeration.yml
diff --git a/rules-unsupported/zeek/zeek_http_exfiltration_compressed_files.yml b/unsupported/zeek/zeek_http_exfiltration_compressed_files.yml
similarity index 100%
rename from rules-unsupported/zeek/zeek_http_exfiltration_compressed_files.yml
rename to unsupported/zeek/zeek_http_exfiltration_compressed_files.yml