Merge branch 'SigmaHQ:master' into master

2021-08-25 21:12:14 +05:30
parent 5022fdc085 f277ecbbeb
commit d5d28cc85e
156 changed files with 1414 additions and 376 deletions
@@ -23,7 +23,7 @@ from version 0.14.0.
 * Elastic EQL backend
 * Additional conversion selection filters
 * Filter negation
-* Specifiy table in SQL backend
+* Specify table in SQL backend
 * Generic registry event log source
 * Chronicle backend

@@ -1,4 +1,4 @@
-[![Build Status](https://travis-ci.org/Neo23x0/sigma.svg?branch=master)](https://travis-ci.org/Neo23x0/sigma)
+[![sigma build status](https://github.com/SigmaHQ/sigma/actions/workflows/sigma-test.yml/badge.svg?branch=master)](https://github.com/SigmaHQ/sigma/actions?query=branch%3Amaster)

 ![sigma_logo](./images/Sigma_0.3.png)

@@ -318,6 +318,7 @@ These tools are not part of the main toolchain and maintained separately by thei
 # Projects or Products that use Sigma

 * [MISP](http://www.misp-project.org/2017/03/26/MISP.2.4.70.released.html) (since version 2.4.70, March 2017)
+* [Atomic Threat Coverage](https://github.com/atc-project/atomic-threat-coverage) (since December 2018)
 * [SOC Prime - Sigma Rule Editor](https://tdm.socprime.com/sigma/)
 * [uncoder.io](https://uncoder.io/) - Online Translator for SIEM Searches
 * [THOR](https://www.nextron-systems.com/2018/06/28/spark-applies-sigma-rules-in-eventlog-scan/) - Scan with Sigma rules on endpoints
@@ -4,7 +4,7 @@ status: stable
 description: Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes.
 author: Sittikorn S
 date: 2021/06/29
-modified: 2021/08/09
+modified: 2021/08/20
 references:
    - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html
 tags:
@@ -17,7 +17,6 @@ detection:
    selection:
        eventSource: ec2.amazonaws.com
        eventName: DisableEbsEncryptionByDefault
-        status: success
    condition: selection
 falsepositives:
    - System Administrator Activities
@@ -4,9 +4,9 @@ status: experimental
 description: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.
 author: faloker
 date: 2020/02/11
-modified: 2021/08/09
+modified: 2021/08/20
 references:
-    - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__download_userdata/main.py#L24
+    - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/ec2__download_userdata/main.py
 logsource:
    service: cloudtrail
 detection:
@@ -4,6 +4,7 @@ status: experimental
 description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.     
 author: Diogo Braz
 date: 2020/04/16
+modified: 2021/08/20
 references: 
  - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
 logsource:
@@ -17,7 +18,6 @@ detection:
  filter2:
    errorCode: '*'
  filter3:
-    eventName: 'ConsoleLogin'
    responseElements|contains: 'Failure'
  condition: selection and (filter1 or filter2 or filter3)
 level: low
@@ -4,9 +4,9 @@ status: experimental
 description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.
 author: faloker
 date: 2020/02/12
-modified: 2021/08/09
+modified: 2021/08/20
 references:
-    - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/iam__backdoor_users_keys/main.py#L6
+    - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/iam__backdoor_users_keys/main.py
 logsource:
    service: cloudtrail
 detection:
@@ -4,9 +4,9 @@ status: experimental
 description: Detects the change of database master password. It may be a part of data exfiltration.
 author: faloker
 date: 2020/02/12
-modified: 2021/08/09
+modified: 2021/08/20
 references:
-    - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10
+    - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py
 logsource:
    service: cloudtrail
 detection:
@@ -4,9 +4,9 @@ status: experimental
 description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.
 author: faloker
 date: 2020/02/12
-modified: 2021/08/09
+modified: 2021/08/20
 references:
-    - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10
+    - https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py
 logsource:
    service: cloudtrail
 detection:
@@ -1,9 +1,10 @@
-title: AWS STS AssumedRole Misuse
+title: AWS STS AssumeRole Misuse
 id: 905d389b-b853-46d0-9d3d-dea0d3a3cd49
-description: Identifies the suspicious use of AssumedRole. Attackers could move laterally and escalate privileges.
+description: Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.
 author: Austin Songer @austinsonger
 status: experimental
 date: 2021/07/24
+modified: 2021/08/20
 references:
    - https://github.com/elastic/detection-rules/pull/1214
    - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
@@ -12,8 +13,8 @@ logsource:
 detection:
    selection:
        eventSource: sts.amazonaws.com
-        eventName: AssumedRole
-        userIdentity.sessionContext: Role
+        eventName: AssumeRole
+        userIdentity.sessionContext.sessionIssuer.type: Role
    condition: selection
 level: low
 tags:
@@ -23,5 +24,6 @@ tags:
    - attack.t1550
    - attack.t1550.001
 falsepositives:
-    - AssumedRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. AssumedRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    - AssumeRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+    - AssumeRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    - Automated processes that uses Terraform may lead to false positives.
@@ -0,0 +1,20 @@
+title: Number Of Resource Creation Or Deployment Activities
+id: d2d901db-7a75-45a1-bc39-0cbf00812192
+status: experimental
+author: sawwinnnaung
+date: 2020/05/07
+description: Number of VM creations or deployment activities occur in Azure via the AzureActivity log.
+references:
+  - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
+logsource:
+  service: AzureActivity
+detection:
+  keywords:
+    - Microsoft.Compute/virtualMachines/write
+    - Microsoft.Resources/deployments/write
+  condition: keywords
+level: medium
+falsepositives:
+  - Valid change
+tags:
+  - attack.t1098
@@ -0,0 +1,19 @@
+title: Granting Of Permissions To An Account
+id: a622fcd2-4b5a-436a-b8a2-a4171161833c
+status: experimental
+author: sawwinnnaung
+date: 2020/05/07
+description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
+references:
+  - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml
+logsource:
+  service: AzureActivity
+detection:
+  keywords: 
+    - Microsoft.Authorization/roleAssignments/write
+  condition: keywords
+level: medium
+falsepositives:
+  - Valid change
+tags:
+  - attack.t1098
@@ -0,0 +1,25 @@
+title: Rare Subscription-level Operations In Azure
+id: c1182e02-49a3-481c-b3de-0fadc4091488
+status: experimental
+author: sawwinnnaung
+date: 2020/05/07
+description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
+references:
+  - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml
+logsource:
+  service: AzureActivity
+detection:
+  keywords: 
+    - Microsoft.DocumentDB/databaseAccounts/listKeys/action
+    - Microsoft.Maps/accounts/listKeys/action
+    - Microsoft.Media/mediaservices/listKeys/action
+    - Microsoft.CognitiveServices/accounts/listKeys/action
+    - Microsoft.Storage/storageAccounts/listKeys/action
+    - Microsoft.Compute/snapshots/write
+    - Microsoft.Network/networkSecurityGroups/write
+  condition: keywords
+level: medium
+falsepositives:
+  - Valid change
+tags:
+  - attack.t1003
@@ -0,0 +1,23 @@
+title: Google Workspace Granted Domain API Access
+id: 04e2a23a-9b29-4a5c-be3a-3542e3f982ba
+description: Detects when an API access service account is granted domain authority.
+author: Austin Songer
+status: experimental
+date: 2021/08/23
+references:
+    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
+    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS
+logsource:
+  service: google_workspace.admin
+detection:
+    selection:
+        eventService: admin.googleapis.com
+        eventName: AUTHORIZE_API_CLIENT_ACCESS
+    condition: selection
+level: medium
+tags:
+    - attack.persistence
+    - attack.t1098
+falsepositives:
+ - Unknown
+ 
@@ -0,0 +1,25 @@
+title: Google Workspace Role Modified or Deleted
+id: 6aef64e3-60c6-4782-8db3-8448759c714e
+description: Detects when an a role is modified or deleted in Google Workspace.
+author: Austin Songer
+status: experimental
+date: 2021/08/24
+references:
+    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
+    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
+logsource:
+  service: google_workspace.admin
+detection:
+    selection:
+        eventService: admin.googleapis.com
+        eventName: 
+            - DELETE_ROLE
+            - RENAME_ROLE
+            - UPDATE_ROLE
+    condition: selection
+level: medium
+tags:
+    - attack.impact
+falsepositives:
+ - Unknown
+ 
@@ -0,0 +1,22 @@
+title: Google Workspace Role Privilege Deleted
+id: bf638ef7-4d2d-44bb-a1dc-a238252e6267
+description: Detects when an a role privilege is deleted in Google Workspace.
+author: Austin Songer
+status: experimental
+date: 2021/08/24
+references:
+    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
+    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
+logsource:
+  service: google_workspace.admin
+detection:
+    selection:
+        eventService: admin.googleapis.com
+        eventName: REMOVE_PRIVILEGE
+    condition: selection
+level: medium
+tags:
+    - attack.impact
+falsepositives:
+ - Unknown
+ 
@@ -0,0 +1,24 @@
+title: Google Workspace User Granted Admin Privileges
+id: 2d1b83e4-17c6-4896-a37b-29140b40a788
+description: Detects when an Google Workspace user is granted admin privileges. 
+author: Austin Songer
+status: experimental
+date: 2021/08/23
+references:
+    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
+    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE
+logsource:
+  service: google_workspace.admin
+detection:
+    selection:
+        eventService: admin.googleapis.com
+        eventName: 
+            - GRANT_DELEGATED_ADMIN_PRIVILEGES
+            - GRANT_ADMIN_PRIVILEGE
+    condition: selection
+level: medium
+tags:
+    - attack.persistence
+    - attack.t1098
+falsepositives:
+ - Google Workspace admin role privileges, may be modified by system administrators.
@@ -0,0 +1,23 @@
+title: Activity Performed by Terminated User
+id: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee
+status: experimental
+description: Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.
+author: Austin Songer @austinsonger
+date: 2021/08/23
+references:
+    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
+    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+logsource:
+    category: ThreatManagement
+    service: m365
+detection:
+    selection:
+        eventSource: SecurityComplianceCenter
+        eventName: "Activity performed by terminated user"
+        status: success
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
+tags:
+    - attack.impact
@@ -0,0 +1,24 @@
+title: Activity from Anonymous IP Addresses
+id: d8b0a4fe-07a8-41be-bd39-b14afa025d95
+status: experimental
+description: Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address.
+author: Austin Songer @austinsonger
+date: 2021/08/23
+references:
+    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
+    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+logsource:
+    category: ThreatManagement
+    service: m365
+detection:
+    selection:
+        eventSource: SecurityComplianceCenter
+        eventName: "Activity from anonymous IP addresses"
+        status: success
+    condition: selection
+falsepositives:
+    - User using a VPN or Proxy
+level: medium
+tags:
+    - attack.command_and_control
+    - attack.t1573
@@ -0,0 +1,24 @@
+title: Activity from Infrequent Country
+id: 0f2468a2-5055-4212-a368-7321198ee706
+status: experimental
+description: Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization.
+author: Austin Songer @austinsonger
+date: 2021/08/23
+references:
+    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
+    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+logsource:
+    category: ThreatManagement
+    service: m365
+detection:
+    selection:
+        eventSource: SecurityComplianceCenter
+        eventName: "Activity from infrequent country"
+        status: success
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
+tags:
+    - attack.command_and_control
+    - attack.t1573
@@ -0,0 +1,24 @@
+title: Data Exfiltration to Unsanctioned Apps
+id: 2b669496-d215-47d8-bd9a-f4a45bf07cda
+status: experimental
+description: Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.
+author: Austin Songer @austinsonger
+date: 2021/08/23
+references:
+    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
+    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+logsource:
+    category: ThreatManagement
+    service: m365
+detection:
+    selection:
+        eventSource: SecurityComplianceCenter
+        eventName: "Data exfiltration to unsanctioned apps"
+        status: success
+    condition: selection
+falsepositives:
+    - 
+level: medium
+tags:
+    - attack.exfiltration
+    - attack.t1537
@@ -0,0 +1,24 @@
+title: Activity from Suspicious IP Addresses
+id: a3501e8e-af9e-43c6-8cd6-9360bdaae498
+status: experimental
+description: Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account. 
+author: Austin Songer @austinsonger
+date: 2021/08/23
+references:
+    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
+    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+logsource:
+    category: ThreatDetection
+    service: m365
+detection:
+    selection:
+        eventSource: SecurityComplianceCenter
+        eventName: "Activity from suspicious IP addresses"
+        status: success
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
+tags:
+    - attack.command_and_control
+    - attack.t1573
@@ -0,0 +1,24 @@
+title: Logon from a Risky IP Address
+id: c191e2fa-f9d6-4ccf-82af-4f2aba08359f
+status: experimental
+description: Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.
+author: Austin Songer @austinsonger
+date: 2021/08/23
+references:
+    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
+    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+logsource:
+    category: ThreatManagement
+    service: m365
+detection:
+    selection:
+        eventSource: SecurityComplianceCenter
+        eventName: "Log on from a risky IP address"
+        status: success
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
+tags:
+    - attack.initial_access
+    - attack.t1078
@@ -0,0 +1,24 @@
+title: Suspicious Inbox Forwarding
+id: 6c220477-0b5b-4b25-bb90-66183b4089e8
+status: experimental
+description: Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.
+author: Austin Songer @austinsonger
+date: 2021/08/22
+references:
+    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
+    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+logsource:
+    category: ThreatManagement
+    service: m365
+detection:
+    selection:
+        eventSource: SecurityComplianceCenter
+        eventName: "Suspicious inbox forwarding"
+        status: success
+    condition: selection
+falsepositives:
+    - Unknown
+level: low
+tags:
+    - attack.exfiltration
+    - attack.t1020
@@ -0,0 +1,23 @@
+title: Suspicious OAuth App File Download Activities
+id: ee111937-1fe7-40f0-962a-0eb44d57d174
+status: experimental
+description: Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.
+author: Austin Songer @austinsonger
+date: 2021/08/23
+references:
+    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
+    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+logsource:
+    category: ThreatManagement
+    service: m365
+detection:
+    selection:
+        eventSource: SecurityComplianceCenter
+        eventName: "Suspicious OAuth app file download activities"
+        status: success
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
+tags:
+    - attack.exfiltration
@@ -13,49 +13,49 @@ references:
 falsepositives:
    - unknown
 level: low
-tags:
-    - CSC4
-    - CSC4.5
-    - CSC14
-    - CSC14.4
-    - CSC16
-    - CSC16.5
-    - NIST CSF 1.1 PR.AT-2
-    - NIST CSF 1.1 PR.MA-2
-    - NIST CSF 1.1 PR.PT-3
-    - NIST CSF 1.1 PR.AC-1
-    - NIST CSF 1.1 PR.AC-4
-    - NIST CSF 1.1 PR.AC-5
-    - NIST CSF 1.1 PR.AC-6
-    - NIST CSF 1.1 PR.AC-7
-    - NIST CSF 1.1 PR.DS-1
-    - NIST CSF 1.1 PR.DS-2
-    - ISO 27002-2013 A.9.2.1
-    - ISO 27002-2013 A.9.2.2
-    - ISO 27002-2013 A.9.2.3
-    - ISO 27002-2013 A.9.2.4
-    - ISO 27002-2013 A.9.2.5
-    - ISO 27002-2013 A.9.2.6
-    - ISO 27002-2013 A.9.3.1
-    - ISO 27002-2013 A.9.4.1
-    - ISO 27002-2013 A.9.4.2
-    - ISO 27002-2013 A.9.4.3
-    - ISO 27002-2013 A.9.4.4
-    - ISO 27002-2013 A.8.3.1
-    - ISO 27002-2013 A.9.1.1
-    - ISO 27002-2013 A.10.1.1
-    - PCI DSS 3.2 2.1
-    - PCI DSS 3.2 8.1
-    - PCI DSS 3.2 8.2
-    - PCI DSS 3.2 8.3
-    - PCI DSS 3.2 8.7
-    - PCI DSS 3.2 8.8
-    - PCI DSS 3.2 1.3
-    - PCI DSS 3.2 1.4
-    - PCI DSS 3.2 4.3
-    - PCI DSS 3.2 7.1
-    - PCI DSS 3.2 7.2
-    - PCI DSS 3.2 7.3
+# tags:
+    # - CSC4
+    # - CSC4.5
+    # - CSC14
+    # - CSC14.4
+    # - CSC16
+    # - CSC16.5
+    # - NIST CSF 1.1 PR.AT-2
+    # - NIST CSF 1.1 PR.MA-2
+    # - NIST CSF 1.1 PR.PT-3
+    # - NIST CSF 1.1 PR.AC-1
+    # - NIST CSF 1.1 PR.AC-4
+    # - NIST CSF 1.1 PR.AC-5
+    # - NIST CSF 1.1 PR.AC-6
+    # - NIST CSF 1.1 PR.AC-7
+    # - NIST CSF 1.1 PR.DS-1
+    # - NIST CSF 1.1 PR.DS-2
+    # - ISO 27002-2013 A.9.2.1
+    # - ISO 27002-2013 A.9.2.2
+    # - ISO 27002-2013 A.9.2.3
+    # - ISO 27002-2013 A.9.2.4
+    # - ISO 27002-2013 A.9.2.5
+    # - ISO 27002-2013 A.9.2.6
+    # - ISO 27002-2013 A.9.3.1
+    # - ISO 27002-2013 A.9.4.1
+    # - ISO 27002-2013 A.9.4.2
+    # - ISO 27002-2013 A.9.4.3
+    # - ISO 27002-2013 A.9.4.4
+    # - ISO 27002-2013 A.8.3.1
+    # - ISO 27002-2013 A.9.1.1
+    # - ISO 27002-2013 A.10.1.1
+    # - PCI DSS 3.2 2.1
+    # - PCI DSS 3.2 8.1
+    # - PCI DSS 3.2 8.2
+    # - PCI DSS 3.2 8.3
+    # - PCI DSS 3.2 8.7
+    # - PCI DSS 3.2 8.8
+    # - PCI DSS 3.2 1.3
+    # - PCI DSS 3.2 1.4
+    # - PCI DSS 3.2 4.3
+    # - PCI DSS 3.2 7.1
+    # - PCI DSS 3.2 7.2
+    # - PCI DSS 3.2 7.3
 ---
 logsource:
    product: netflow
@@ -81,29 +81,29 @@ detection:
 falsepositives:
    - unknown
 level: medium
-tags:
-    - CSC4
-    - CSC4.2
-    - NIST CSF 1.1 PR.AC-4
-    - NIST CSF 1.1 PR.AT-2
-    - NIST CSF 1.1 PR.MA-2
-    - NIST CSF 1.1 PR.PT-3
-    - ISO 27002-2013 A.9.1.1
-    - ISO 27002-2013 A.9.2.2
-    - ISO 27002-2013 A.9.2.3
-    - ISO 27002-2013 A.9.2.4
-    - ISO 27002-2013 A.9.2.5
-    - ISO 27002-2013 A.9.2.6
-    - ISO 27002-2013 A.9.3.1
-    - ISO 27002-2013 A.9.4.1
-    - ISO 27002-2013 A.9.4.2
-    - ISO 27002-2013 A.9.4.3
-    - ISO 27002-2013 A.9.4.4
-    - PCI DSS 3.2 2.1
-    - PCI DSS 3.2 7.1
-    - PCI DSS 3.2 7.2
-    - PCI DSS 3.2 7.3
-    - PCI DSS 3.2 8.1
-    - PCI DSS 3.2 8.2
-    - PCI DSS 3.2 8.3
-    - PCI DSS 3.2 8.7
+# tags:
+    # - CSC4
+    # - CSC4.2
+    # - NIST CSF 1.1 PR.AC-4
+    # - NIST CSF 1.1 PR.AT-2
+    # - NIST CSF 1.1 PR.MA-2
+    # - NIST CSF 1.1 PR.PT-3
+    # - ISO 27002-2013 A.9.1.1
+    # - ISO 27002-2013 A.9.2.2
+    # - ISO 27002-2013 A.9.2.3
+    # - ISO 27002-2013 A.9.2.4
+    # - ISO 27002-2013 A.9.2.5
+    # - ISO 27002-2013 A.9.2.6
+    # - ISO 27002-2013 A.9.3.1
+    # - ISO 27002-2013 A.9.4.1
+    # - ISO 27002-2013 A.9.4.2
+    # - ISO 27002-2013 A.9.4.3
+    # - ISO 27002-2013 A.9.4.4
+    # - PCI DSS 3.2 2.1
+    # - PCI DSS 3.2 7.1
+    # - PCI DSS 3.2 7.2
+    # - PCI DSS 3.2 7.3
+    # - PCI DSS 3.2 8.1
+    # - PCI DSS 3.2 8.2
+    # - PCI DSS 3.2 8.3
+    # - PCI DSS 3.2 8.7
@@ -33,29 +33,29 @@ detection:
 falsepositives:
    - unknown
 level: low
-tags:
-    - CSC4
-    - CSC4.8
-    - NIST CSF 1.1 PR.AC-4
-    - NIST CSF 1.1 PR.AT-2
-    - NIST CSF 1.1 PR.MA-2
-    - NIST CSF 1.1 PR.PT-3
-    - ISO 27002-2013 A.9.1.1
-    - ISO 27002-2013 A.9.2.2
-    - ISO 27002-2013 A.9.2.3
-    - ISO 27002-2013 A.9.2.4
-    - ISO 27002-2013 A.9.2.5
-    - ISO 27002-2013 A.9.2.6
-    - ISO 27002-2013 A.9.3.1
-    - ISO 27002-2013 A.9.4.1
-    - ISO 27002-2013 A.9.4.2
-    - ISO 27002-2013 A.9.4.3
-    - ISO 27002-2013 A.9.4.4
-    - PCI DSS 3.2 2.1
-    - PCI DSS 3.2 7.1
-    - PCI DSS 3.2 7.2
-    - PCI DSS 3.2 7.3
-    - PCI DSS 3.2 8.1
-    - PCI DSS 3.2 8.2
-    - PCI DSS 3.2 8.3
-    - PCI DSS 3.2 8.7
+# tags:
+    # - CSC4
+    # - CSC4.8
+    # - NIST CSF 1.1 PR.AC-4
+    # - NIST CSF 1.1 PR.AT-2
+    # - NIST CSF 1.1 PR.MA-2
+    # - NIST CSF 1.1 PR.PT-3
+    # - ISO 27002-2013 A.9.1.1
+    # - ISO 27002-2013 A.9.2.2
+    # - ISO 27002-2013 A.9.2.3
+    # - ISO 27002-2013 A.9.2.4
+    # - ISO 27002-2013 A.9.2.5
+    # - ISO 27002-2013 A.9.2.6
+    # - ISO 27002-2013 A.9.3.1
+    # - ISO 27002-2013 A.9.4.1
+    # - ISO 27002-2013 A.9.4.2
+    # - ISO 27002-2013 A.9.4.3
+    # - ISO 27002-2013 A.9.4.4
+    # - PCI DSS 3.2 2.1
+    # - PCI DSS 3.2 7.1
+    # - PCI DSS 3.2 7.2
+    # - PCI DSS 3.2 7.3
+    # - PCI DSS 3.2 8.1
+    # - PCI DSS 3.2 8.2
+    # - PCI DSS 3.2 8.3
+    # - PCI DSS 3.2 8.7
@@ -17,15 +17,15 @@ detection:
        host.scan.vuln_name: Firewall Product Not Detected*
    condition: selection
 level: low
-tags:
-    - CSC9
-    - CSC9.4
-    - NIST CSF 1.1 PR.AC-5
-    - NIST CSF 1.1 PR.AC-6
-    - NIST CSF 1.1 PR.AC-7
-    - NIST CSF 1.1 DE.AE-1
-    - ISO 27002-2013 A.9.1.2
-    - ISO 27002-2013 A.13.2.1
-    - ISO 27002-2013 A.13.2.2
-    - ISO 27002-2013 A.14.1.2
-    - PCI DSS 3.2 1.4
+# tags:
+    # - CSC9
+    # - CSC9.4
+    # - NIST CSF 1.1 PR.AC-5
+    # - NIST CSF 1.1 PR.AC-6
+    # - NIST CSF 1.1 PR.AC-7
+    # - NIST CSF 1.1 DE.AE-1
+    # - ISO 27002-2013 A.9.1.2
+    # - ISO 27002-2013 A.13.2.1
+    # - ISO 27002-2013 A.13.2.2
+    # - ISO 27002-2013 A.14.1.2
+    # - PCI DSS 3.2 1.4
@@ -21,27 +21,27 @@ detection:
 falsepositives:
    - unknown
 level: low
-tags:
-    - CSC16
-    - CSC16.11
-    - ISO27002-2013 A.9.1.1
-    - ISO27002-2013 A.9.2.1
-    - ISO27002-2013 A.9.2.2
-    - ISO27002-2013 A.9.2.3
-    - ISO27002-2013 A.9.2.4
-    - ISO27002-2013 A.9.2.5
-    - ISO27002-2013 A.9.2.6
-    - ISO27002-2013 A.9.3.1
-    - ISO27002-2013 A.9.4.1
-    - ISO27002-2013 A.9.4.3
-    - ISO27002-2013 A.11.2.8
-    - PCI DSS 3.1 7.1
-    - PCI DSS 3.1 7.2
-    - PCI DSS 3.1 7.3
-    - PCI DSS 3.1 8.7
-    - PCI DSS 3.1 8.8
-    - NIST CSF 1.1 PR.AC-1
-    - NIST CSF 1.1 PR.AC-4
-    - NIST CSF 1.1 PR.AC-6
-    - NIST CSF 1.1 PR.AC-7
-    - NIST CSF 1.1 PR.PT-3
+# tags:
+    # - CSC16
+    # - CSC16.11
+    # - ISO27002-2013 A.9.1.1
+    # - ISO27002-2013 A.9.2.1
+    # - ISO27002-2013 A.9.2.2
+    # - ISO27002-2013 A.9.2.3
+    # - ISO27002-2013 A.9.2.4
+    # - ISO27002-2013 A.9.2.5
+    # - ISO27002-2013 A.9.2.6
+    # - ISO27002-2013 A.9.3.1
+    # - ISO27002-2013 A.9.4.1
+    # - ISO27002-2013 A.9.4.3
+    # - ISO27002-2013 A.11.2.8
+    # - PCI DSS 3.1 7.1
+    # - PCI DSS 3.1 7.2
+    # - PCI DSS 3.1 7.3
+    # - PCI DSS 3.1 8.7
+    # - PCI DSS 3.1 8.8
+    # - NIST CSF 1.1 PR.AC-1
+    # - NIST CSF 1.1 PR.AC-4
+    # - NIST CSF 1.1 PR.AC-6
+    # - NIST CSF 1.1 PR.AC-7
+    # - NIST CSF 1.1 PR.PT-3
@@ -10,13 +10,13 @@ date: 2021/02/01
 references:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156
    - https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
+    - https://nvd.nist.gov/vuln/detail/cve-2021-3156
 falsepositives:
    - Unknown
 level: critical
 tags:
    - attack.privilege_escalation
    - attack.t1068
-    - cve.2021-3156
 logsource:
    product: linux
    service: auditd
@@ -13,7 +13,7 @@ level: medium
 tags:
    - attack.defense_evasion
    - attack.t1562.004
-    - attack.t1089
+    - attack.t1089 # an old one
 ---
 logsource:
    category: process_creation
@@ -18,7 +18,8 @@ level: critical
 tags:
    - attack.privilege_escalation
    - attack.t1068
-    - attack.t1169
+    - attack.t1169 # an old one
+    - attack.t1548.003
 ---
 detection:
    selection_keywords:
@@ -0,0 +1,37 @@
+title: Potential PetitPotam Attack Via EFS RPC Calls 
+id: 4096842a-8f9f-4d36-92b4-d0b2a62f9b2a
+description: |
+    Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam.
+    The usage of this RPC function should be rare if ever used at all.
+    Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate.
+     View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..'
+author: '@neu5ron, @Antonlovesdnb, Mike Remen'
+date: 2021/08/17
+references:
+    - https://github.com/topotam/PetitPotam/blob/main/PetitPotam/PetitPotam.cpp
+    - https://msrc.microsoft.com/update-guide/vulnerability/ADV210003
+    - https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf
+    - https://threatpost.com/microsoft-petitpotam-poc/168163/
+tags:
+    - attack.t1557.001
+    - attack.t1187
+logsource:
+    product: zeek
+    service: dce_rpc
+detection:
+    efs_operation:
+        operation|startswith:
+            - 'Efs'
+            - 'efs'
+    condition: efs_operation
+falsepositives:
+    - Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description).
+level: medium
+fields:
+    - id.orig_h
+    - id.resp_h
+    - id.resp_p
+    - operation
+    - endpoint
+    - named_pipe
+    - uid
@@ -0,0 +1,44 @@
+title: Possible PrintNightmare Print Driver Install
+id: 7b33baef-2a75-4ca3-9da4-34f9a15382d8
+description: |
+    Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675).
+    The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy.
+author: '@neu5ron (Nate Guagenti)'
+date: 2021/08/23
+references:
+    - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29
+    - https://github.com/zeek/zeek/blob/master/scripts/base/protocols/dce-rpc/consts.zeek
+    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
+    - https://github.com/corelight/CVE-2021-1675
+    - https://github.com/SigmaHQ/sigma/blob/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
+    - https://old.zeek.org/zeekweek2019/slides/bzar.pdf
+    - https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/
+    - https://nvd.nist.gov/vuln/detail/cve-2021-1675
+    - https://nvd.nist.gov/vuln/detail/cve-2021-1678
+tags:
+    - attack.execution
+logsource:
+    product: zeek
+    service: dce_rpc
+detection:
+    printer_operation:
+        operation:
+            - "RpcAsyncInstallPrinterDriverFromPackage" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x3e
+            - "RpcAsyncAddPrintProcessor" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x2c
+            - "RpcAddPrintProcessor" # "12345678-1234-abcd-ef00-0123456789ab",0x0e
+            - "RpcAddPrinterDriverEx" # "12345678-1234-abcd-ef00-0123456789ab",0x59
+            - "RpcAddPrinterDriver" # "12345678-1234-abcd-ef00-0123456789ab",0x09
+            - "RpcAsyncAddPrinterDriver" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x27
+    condition: printer_operation
+falsepositives:
+    - Legitimate remote alteration of a printer driver.
+level: medium
+fields:
+    - id.orig_h
+    - id.resp_h
+    - id.resp_p
+    - operation
+    - endpoint
+    - named_pipe
+    - uid
+status: stable
@@ -1,7 +1,7 @@
-title: First Time Seen Remote Named Pipe - Zeek
+title: SMB Spoolss Name Piped Usage
 id: bae2865c-5565-470d-b505-9496c87d0c30
 description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
-author: OTR (Open Threat Research)
+author: OTR (Open Threat Research), @neu5ron
 references:
    - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
    - https://dirkjanm.io/a-different-way-of-abusing-zerologon/
@@ -10,14 +10,15 @@ tags:
    - attack.lateral_movement
    - attack.t1021.002
 date: 2018/11/28
+modified: 2021/08/23
 logsource:
    product: zeek
    service: smb_files
 detection:
    selection:
-        path: \\*\IPC$
+        path|endswith: IPC$
        name: spoolss
    condition: selection
 falsepositives:
-    - 'Domain Controllers acting as printer servers too? :)'
-level: medium
+    - Domain Controllers that are sometimes, commonly although should not be, acting as printer servers too
+level: medium
@@ -3,6 +3,7 @@ id: 7100f7e3-92ce-4584-b7b7-01b40d3d4118
 description: Detects the presence of default Cobalt Strike certificate in the HTTPS traffic
 author: Bhabesh Raj
 date: 2021/06/23
+modified: 2021/08/24
 references: 
  - https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468
 tags:
@@ -13,7 +14,7 @@ logsource:
  service: x509
 detection:
  selection:
-    certificate.serial: 8bb00ee
+    certificate.serial: 8BB00EE
  condition: selection
 fields:
    - san.dns
@@ -0,0 +1,105 @@
+title: DNS Events Related To Mining Pools
+id: bf74135c-18e8-4a72-a926-0e4f47888c19
+description: Identifies clients that may be performing DNS lookups associated with common currency mining pools.
+references:
+  - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_Miners.yaml
+date: 2021/08/19
+modified: 2021/08/23
+author: Saw Winn Naung, Azure-Sentinel, @neu5ron
+level: low
+logsource:                     
+    service: dns  
+    product: zeek 
+tags:
+  - attack.t1035 # an old one
+  - attack.t1569.002
+  - attack.t1496
+detection:
+    selection:
+        query|endswith:
+            - "monerohash.com"
+            - "do-dear.com"
+            - "xmrminerpro.com"
+            - "secumine.net"
+            - "xmrpool.com"
+            - "minexmr.org"
+            - "hashanywhere.com"
+            - "xmrget.com"
+            - "mininglottery.eu"
+            - "minergate.com"
+            - "moriaxmr.com"
+            - "multipooler.com"
+            - "moneropools.com"
+            - "xmrpool.eu"
+            - "coolmining.club"
+            - "supportxmr.com"
+            - "minexmr.com"
+            - "hashvault.pro"
+            - "xmrpool.net"
+            - "crypto-pool.fr"
+            - "xmr.pt"
+            - "miner.rocks"
+            - "walpool.com"
+            - "herominers.com"
+            - "gntl.co.uk"
+            - "semipool.com"
+            - "coinfoundry.org"
+            - "cryptoknight.cc"
+            - "fairhash.org"
+            - "baikalmine.com"
+            - "tubepool.xyz"
+            - "fairpool.xyz"
+            - "asiapool.io"
+            - "coinpoolit.webhop.me"
+            - "nanopool.org"
+            - "moneropool.com"
+            - "miner.center"
+            - "prohash.net"
+            - "poolto.be"
+            - "cryptoescrow.eu"
+            - "monerominers.net"
+            - "cryptonotepool.org"
+            - "extrmepool.org"
+            - "webcoin.me"
+            - "kippo.eu"
+            - "hashinvest.ws"
+            - "monero.farm"
+            - "linux-repository-updates.com"
+            - "1gh.com"
+            - "dwarfpool.com"
+            - "hash-to-coins.com"
+            - "pool-proxy.com"
+            - "hashfor.cash"
+            - "fairpool.cloud"
+            - "litecoinpool.org"
+            - "mineshaft.ml"
+            - "abcxyz.stream"
+            - "moneropool.ru"
+            - "cryptonotepool.org.uk"
+            - "extremepool.org"
+            - "extremehash.com"
+            - "hashinvest.net"
+            - "unipool.pro"
+            - "crypto-pools.org"
+            - "monero.net"
+            - "backup-pool.com"
+            - "mooo.com" # Dynamic DNS, may want to exclude
+            - "freeyy.me"
+            - "cryptonight.net"
+            - "shscrypto.net"
+    exclude_answers:
+        answers:
+            - "127.0.0.1"
+            - "0.0.0.0"
+    exclude_rejected:
+        rejected: "true"
+    condition: selection and not (exclude_answers OR exclude_rejected)
+falsepositives:
+    - A DNS lookup does not necessarily  mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is "host" and ssl/tls is "server_name".
+fields:
+    - id.orig_h
+    - id.resp_h
+    - query
+    - answers
+    - qtype_name
+    - rcode_name
@@ -10,7 +10,8 @@ references:
  - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS'
 author: '@neu5ron, SOC Prime Team, Corelight'
 tags:
-  - attack.t1094
+  - attack.t1094 # an old one
+  - attack.t1095
  - attack.t1043
  - attack.command_and_control
 logsource:
@@ -0,0 +1,51 @@
+title: DNS TOR Proxies
+id: a8322756-015c-42e7-afb1-436e85ed3ff5
+description: Identifies IPs performing DNS lookups associated with common Tor proxies.
+references:
+  - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml
+date: 2021/08/15
+author: Saw Winn Naung , Azure-Sentinel
+level: medium
+logsource: 
+    service: dns  
+    product: zeek 
+tags:
+  - attack.t1048
+detection:
+    selection:
+        query:
+            - "tor2web.org"
+            - "tor2web.com"
+            - "torlink.co"
+            - "onion.to"
+            - "onion.ink"
+            - "onion.cab"
+            - "onion.nu"
+            - "onion.link"
+            - "onion.it"
+            - "onion.city"
+            - "onion.direct"
+            - "onion.top"
+            - "onion.casa"
+            - "onion.plus"
+            - "onion.rip"
+            - "onion.dog"
+            - "tor2web.fi"
+            - "tor2web.blutmagie.de"
+            - "onion.sh"
+            - "onion.lu"
+            - "onion.pet"
+            - "t2w.pw"
+            - "tor2web.ae.org"
+            - "tor2web.io"
+            - "tor2web.xyz"
+            - "onion.lt"
+            - "s1.tor-gateways.de"
+            - "s2.tor-gateways.de"
+            - "s3.tor-gateways.de"
+            - "s4.tor-gateways.de"
+            - "s5.tor-gateways.de"
+            - "hiddenservice.net"
+    condition: selection
+fields:
+    - clientip
@@ -38,8 +38,8 @@ detection:
        #- x.x.x.x
    condition: not selection #and not approved_rdp
 fields:
-    - src_ip
-    - dst_ip
+    - id.orig_h
+    - id.resp_h
 falsepositives:
-    - none
+    - Although it is recommended to NOT have RDP exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has been exposed to the internet. Work to secure the server if you are unable to remove it from being exposed to the internet.
 level: high
@@ -0,0 +1,23 @@
+title: Detect Sql Injection By Keywords
+id: 5513deaf-f49a-46c2-a6c8-3f111b5cb453
+status: experimental
+description: Detects sql injection that use GET requests by keyword searches in URL strings
+author: Saw Win Naung
+date: 2020/02/22
+logsource:
+  category: webserver
+detection:
+  keywords:
+    - '=select'
+    - '=union'
+    - '=concat'
+  condition: keywords
+fields:
+  - client_ip
+  - vhost
+  - url
+  - response
+falsepositives:
+  - Java scripts and CSS Files
+  - User searches in search boxes of the respective website
+level: high
@@ -0,0 +1,40 @@
+title: Arcadyan Router Exploitations
+id: f0500377-bc70-425d-ac8c-e956cd906871
+status: experimental
+description: Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.
+references:
+  - https://nvd.nist.gov/vuln/detail/cve-2021-20090
+  - https://nvd.nist.gov/vuln/detail/cve-2021-20091
+  - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
+  - https://www.tenable.com/security/research/tra-2021-13
+  - https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild
+author: Bhabesh Raj
+date: 2021/08/24
+modified: 2021/08/25
+falsepositives:
+  - Unknown
+level: critical
+tags:
+    - attack.initial_access
+    - attack.t1190
+logsource: 
+  category: webserver
+detection:
+  path_traversal:
+    c-uri|contains: # CVE-2021-20090 (Bypass Auth: Path Traversal)
+      - '..%2f'
+  config_file_inj:
+    c-uri|contains|all: # Chaining of CVE-2021-20090 (Bypass Auth) and CVE-2021-20091 (Config File Injection)
+      - '..%2f'
+      - 'apply_abstract.cgi'
+  noauth_list:
+    c-uri|contains:
+      - '/images/'
+      - '/js/'
+      - '/css/'
+      - '/setup_top_login.htm'
+      - '/login.html'
+      - '/loginerror.html'
+      - '/loginexclude.html'
+      - '/loginlock.html'
+  condition: (path_traversal or config_file_inj) and noauth_list
@@ -9,6 +9,7 @@ references:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2894
    - https://twitter.com/pyn3rd/status/1020620932967223296
    - https://github.com/LandGrey/CVE-2018-2894
+    - https://nvd.nist.gov/vuln/detail/cve-2018-2894
 logsource:
    category: webserver
 detection:
@@ -26,5 +27,4 @@ tags:
    - attack.t1190
    - attack.initial_access
    - attack.persistence
-    - cve.2018-2894
    - attack.t1505.003
@@ -10,6 +10,7 @@ references:
    - https://isc.sans.edu/diary/26734
    - https://twitter.com/jas502n/status/1321416053050667009?s=20
    - https://twitter.com/sudo_sudoka/status/1323951871078223874
+    - https://nvd.nist.gov/vuln/detail/cve-2020-14882
 logsource:
    category: webserver
 detection:
@@ -28,4 +29,3 @@ tags:
    - attack.t1100 # an old one
    - attack.t1190
    - attack.initial_access
-    - cve.2020-14882
@@ -8,6 +8,7 @@ references:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3452
    - https://twitter.com/aboul3la/status/1286012324722155525
    - https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-3452
 logsource:
    category: webserver
 detection:
@@ -34,4 +35,3 @@ tags:
    - attack.t1100 # an old one
    - attack.t1190
    - attack.initial_access
-    - cve.2020-3452
@@ -7,6 +7,7 @@ date: 2021/01/20
 references:
    - https://twitter.com/pyn3rd/status/1351696768065409026
    - https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw
+    - https://nvd.nist.gov/vuln/detail/cve-2021-2109
 logsource:
    category: webserver
 detection:
@@ -26,4 +27,3 @@ level: critical
 tags:
    - attack.t1190
    - attack.initial_access
-    - cve.2021-2109
@@ -8,6 +8,7 @@ references:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21978
    - https://twitter.com/wugeej/status/1369476795255320580
    - https://paper.seebug.org/1495/
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-21978
 logsource:
    category: webserver
 detection:
@@ -27,4 +28,3 @@ level: high
 tags:
    - attack.initial_access
    - attack.t1190
-    - cve.2021-21978
@@ -7,6 +7,7 @@ date: 2021/05/22
 references:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26814
    - https://github.com/WickdDavid/CVE-2021-26814/blob/main/PoC.py
+    - https://nvd.nist.gov/vuln/detail/cve-2021-21978
 logsource:
    category: webserver
 detection:
@@ -22,4 +23,3 @@ level: high
 tags:
    - attack.initial_access
    - attack.t1190
-    - cve.2021-21978
@@ -8,6 +8,7 @@ references:
    - https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
    - https://nvd.nist.gov/vuln/detail/CVE-2020-28188
    - https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/
+    - https://nvd.nist.gov/vuln/detail/cve-2020-28188
 logsource:
    category: webserver
 detection:
@@ -34,4 +35,3 @@ level: critical
 tags:
    - attack.t1190
    - attack.initial_access
-    - cve.2020-28188
@@ -10,8 +10,8 @@ date: 2021/03/03
 modified: 2021/08/09
 tags:
    - attack.execution
-    - attack.t1086
-    - attack.t1059.005
+    - attack.t1086 # an old one
+    - attack.t1059.001
    - attack.collection
    - attack.t1114
 logsource:
@@ -33,5 +33,5 @@ falsepositives:
 level: high
 tags:
    - attack.persistence
-    - attack.t1100
+    - attack.t1100 # an old one
    - attack.t1505.003
@@ -0,0 +1,24 @@
+title: Detect XSS Attempts By Keywords
+id: 65354b83-a2ea-4ea6-8414-3ab38be0d409
+status: experimental
+description: Detects XSS that use GET requests by keyword searches in URL strings
+author: Saw Win Naung
+date: 2021/08/15
+logsource:
+  category: webserver
+detection:
+  keywords:
+    - '=cookie'
+    - '=script'
+    - '=onload'
+    - '=onmouseover'
+  condition: keywords
+fields:
+  - client_ip
+  - vhost
+  - url
+  - response
+falsepositives:
+  - Java scripts,CSS Files and PNG files
+  - User searches in search boxes of the respective website
+level: high
@@ -8,7 +8,8 @@ references:
    - https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
 tags: 
    - attack.t1204
-    - attack.t1193
+    - attack.t1193 # an old one
+    - attack.t1566.001
    - attack.execution
    - attack.initial_access
 logsource:
@@ -0,0 +1,26 @@
+title: Security Event Log Cleared
+id: a122ac13-daf8-4175-83a2-72c387be339d
+status: experimental
+description: Checks for event id 1102 which indicates the security event log was cleared.
+references: 
+  - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml
+date: 2021/08/15
+author: Saw Winn Naung
+level: medium
+logsource:                     
+    service: security  
+    product: windows 
+tags:
+    - attack.t1107           # an old one
+    - attack.t1070.001
+detection:
+    selection:
+        EventID: 1102
+    condition: selection
+fields:
+    - SubjectLogonId
+    - SubjectUserName
+    - SubjectUserSid
+    - SubjectDomainName
+falsepositives:
+    - Legitimate administrative activity
@@ -8,11 +8,11 @@ references:
    - https://github.com/hhlxf/PrintNightmare
    - https://github.com/afwu/PrintNightmare
    - https://twitter.com/fuzzyf10w/status/1410202370835898371
+    - https://nvd.nist.gov/vuln/detail/cve-2021-1675
 date: 2021/06/30
 modified: 2021/07/08
 tags:
    - attack.execution
-    - cve.2021-1675
 logsource:
    product: windows
    service: printservice-admin
@@ -6,11 +6,11 @@ status: experimental
 level: critical
 references:
    - https://twitter.com/INIT_3/status/1410662463641731075
+    - https://nvd.nist.gov/vuln/detail/cve-2021-1675
+    - https://nvd.nist.gov/vuln/detail/cve-2021-34527
 date: 2021/07/02
 tags:
    - attack.execution
-    - cve.2021-1675
-    - cve.2021-34527
 logsource:
    product: windows
    service: security
@@ -6,10 +6,10 @@ status: experimental
 level: critical
 references:
    - https://twitter.com/MalwareJake/status/1410421967463731200
+    - https://nvd.nist.gov/vuln/detail/cve-2021-1675
 date: 2021/07/01
 tags:
    - attack.execution
-    - cve.2021-1675
 logsource:
    product: windows
    service: printservice-operational
@@ -5,11 +5,12 @@ author: Florian Roth
 date: 2021/05/05
 references:
    - https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
+    - https://nvd.nist.gov/vuln/detail/cve-2021-21551
 logsource:
    category: driver_load
    product: windows
 tags:
-    - cve.2021-21551
+    - attack.privilege_escalation
 detection:
    selection_image:
        ImageLoaded|contains: '\DBUtil_2_3.Sys'
@@ -5,24 +5,23 @@ description: Detect DLL deletions from Spooler Service driver folder
 references:
    - https://github.com/hhlxf/PrintNightmare
    - https://github.com/cube0x0/CVE-2021-1675
+    - https://nvd.nist.gov/vuln/detail/cve-2021-1675
 author: Bhabesh Raj
 date: 2021/07/01
+modified: 2021/08/24
 tags:
    - attack.persistence
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1574
-    - cve.2021-1675
 logsource:
    category: file_delete
    product: windows
 detection:
    selection:
-        Image|endswith:
-            - 'spoolsv.exe'
-        TargetFilename|contains:
-            - 'C:\Windows\System32\spool\drivers\x64\3\'
+        Image|endswith: 'spoolsv.exe'
+        TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\'
    condition: selection
 falsepositives:
    - Unknown
-level: high
+level: high
@@ -9,11 +9,11 @@ level: critical
 references:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26858
    - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
+    - https://nvd.nist.gov/vuln/detail/cve-2021-26858
 date: 2021/03/03
 tags:
    - attack.t1203
    - attack.execution
-    - cve.2021-26858
 logsource:
    category: file_event
    product: windows
@@ -8,11 +8,12 @@ references:
    - https://github.com/hhlxf/PrintNightmare
    - https://github.com/afwu/PrintNightmare
    - https://github.com/cube0x0/CVE-2021-1675
+    - https://nvd.nist.gov/vuln/detail/cve-2021-1675
 date: 2021/06/29
 modified: 2021/07/01
 tags:
    - attack.execution
-    - cve.2021-1675
+    - attack.privilege_escalation
 logsource:
    category: file_event
    product: windows
@@ -9,11 +9,11 @@ references:
    - https://github.com/FireFart/hivenightmare/
    - https://github.com/WiredPulse/Invoke-HiveNightmare
    - https://twitter.com/cube0x0/status/1418920190759378944
+    - https://nvd.nist.gov/vuln/detail/cve-2021-36934
 logsource:
    product: windows
    category: file_event
 tags:
-    - cve.2021-36934
    - attack.credential_access
    - attack.t1552.001
 detection:
@@ -7,7 +7,7 @@ references:
 author: '@ScoubiMtl'
 tags:
    - attack.persistence
-    - command_and_control
+    - attack.command_and_control
    - attack.t1137
    - attack.t1008
    - attack.t1546
@@ -4,27 +4,24 @@ status: experimental
 description: Detect DLL Load from Spooler Service backup folder
 references:
    - https://github.com/hhlxf/PrintNightmare
+    - https://nvd.nist.gov/vuln/detail/cve-2021-1675
+    - https://nvd.nist.gov/vuln/detail/cve-2021-34527
 author: FPT.EagleEye, Thomas Patzke (improvements)
 date: 2021/06/29
-modified: 2021/07/08
+modified: 2021/08/24
 tags:
    - attack.persistence
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1574
-    - cve.2021-1675
-    - cve.2021-34527
 logsource:
    category: image_load
    product: windows
 detection:
    selection:
-        Image|endswith:
-            - 'spoolsv.exe'
-        ImageLoaded|contains:
-            - '\Windows\System32\spool\drivers\x64\3\'
-        ImageLoaded|endswith:
-            - '.dll'
+        Image|endswith: 'spoolsv.exe'
+        ImageLoaded|contains: '\Windows\System32\spool\drivers\x64\3\'
+        ImageLoaded|endswith: '.dll'
    condition: selection
 falsepositives:
    - Loading of legitimate driver
@@ -16,7 +16,7 @@ references:
    - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
 tags:
    - attack.persistence
-    - attack.t1100
+    - attack.t1100 # an old one
    - attack.t1505.003
 logsource:
    product: antivirus
@@ -0,0 +1,29 @@
+title: Certificate Request Export to Exchange Webserver
+id: b7bc7038-638b-4ffd-880c-292c692209ef
+status: experimental
+description: Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell
+references:
+    - https://twitter.com/GossiTheDog/status/1429175908905127938
+author: Max Altgelt
+date: 2021/08/23
+logsource:
+    service: msexchange-management
+    product: windows
+detection:
+    export_command:
+        - 'New-ExchangeCertificate'
+        - ' -GenerateRequest'
+        - ' -BinaryEncoded'
+        - ' -RequestFile'
+    export_params:
+        - '\\\\localhost\\C$'
+        - '\\\\127.0.0.1\\C$'
+        - 'C:\\inetpub'
+        - '.aspx'
+    condition: all of export_command and export_params
+falsepositives:
+    - unlikely
+level: critical
+tags:
+    - attack.persistence
+    - attack.t1505.003
@@ -0,0 +1,26 @@
+title: EfsPotato Named Pipe
+id: 637f689e-b4a5-4a86-be0e-0100a0a33ba2
+status: experimental
+description: Detects the pattern of a pipe name as used by the tool EfsPotato
+references:
+   - https://twitter.com/SBousseaden/status/1429530155291193354?s=20
+   - https://github.com/zcgonvh/EfsPotato
+date: 2021/08/23
+author: Florian Roth
+logsource:
+   product: windows
+   category: pipe_created
+   definition: 'Note that you have to configure logging for PipeEvents in Sysmon config'
+detection:
+   selection:
+      PipeName|contains: 
+         - '\pipe\'
+         - '\pipe\srvsvc'  # more specific version (use only this one of the other causes too many false positives)
+   condition: selection
+tags:
+   - attack.defense_evasion
+   - attack.privilege_escalation
+   - attack.t1055
+falsepositives:
+   - Unknown
+level: critical
@@ -14,7 +14,7 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: Script block logging must be enabled
 detection:
    selection:
        EventID: 4104
@@ -14,7 +14,7 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: Script block logging must be enabled
 detection:
    selection2:
        EventID: 4104
@@ -14,7 +14,7 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: Script block logging must be enabled
 detection:
    selection:
        EventID: 4104
@@ -14,7 +14,7 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: Script block logging must be enabled
 detection:
    selection2:
        EventID: 4104
@@ -14,7 +14,7 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: Script block logging must be enabled
 detection:
    selection:
        EventID: 4104
@@ -14,7 +14,7 @@ date: 2021/07/16
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: Script block logging must be enabled
 detection:
    selection:
        EventID: 4104
@@ -12,7 +12,7 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: Script block logging must be enabled
 detection:
    selection_eventid:
        EventID: 4104
@@ -12,11 +12,11 @@ modified: 2020/10/09
 tags:
    - attack.execution
    - attack.t1059.001
-    - attack.t1086
+    - attack.t1086 # an old one
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: Script block logging must be enabled for 4104 , Module Logging must be enable for 4103
 detection:
    selection_4104:
        EventID: 4104
@@ -14,7 +14,7 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: 4104 Script block logging must be enabled , 4103 Module Logging must be enabled
 detection:
    selection_1:
        EventID: 4104
@@ -17,7 +17,7 @@ modified: 2021/08/04
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: Script block logging must be enabled
 detection:
    selection:
        EventID: 4104
@@ -10,7 +10,7 @@ references:
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: Script block logging must be enabled
 detection:
    selection:
        EventID: 4104
@@ -13,7 +13,7 @@ references:
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
 detection:
    selection1:
        EventID: 4104
@@ -14,7 +14,7 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: Script block logging must be enabled
 detection:
    selection:
        EventID: 4104
@@ -13,7 +13,7 @@ references:
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
 detection:
    selection1:
        EventID: 4104
@@ -12,7 +12,7 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: Script block logging must be enabled
 detection:
    selection:
        EventID: 4104
@@ -9,7 +9,7 @@ author: Max Altgelt, Tobias Michalski
 logsource:
    product: windows
    service: powershell
-    definition: It is recommended to use the new "Script Block Logging" of PowerShell v5.
+    definition: Script Block Logging must be enable
 detection:
  selection:
      EventID: 4104
@@ -14,7 +14,7 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: Script block logging must be enabled for 4104 , Module Logging must be enabled for 4103
 detection:
    selection_1:
        EventID: 4104
@@ -14,7 +14,7 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
 detection:
    selection_1:
        EventID: 4104
@@ -14,7 +14,7 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
 detection:
    selection_1:
        EventID: 4104
@@ -14,7 +14,7 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: Script block logging must be enabled for 4104,Module Logging must be enabled for 4103
 detection:
    selection_1:
        EventID: 4104
@@ -14,7 +14,7 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
 detection:
    selection_1:
        EventID: 4104
@@ -14,7 +14,7 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
 detection:
    selection_1:
        EventID: 4104
@@ -14,7 +14,7 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: Script block logging must be enabled for 4104, Module Logging must be enable for 4103
 detection:
    selection_1:
        EventID: 4104
@@ -14,7 +14,7 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
 detection:
    selection_1:
        EventID: 4104
@@ -14,7 +14,7 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
 detection:
    selection_1:
        EventID: 4104
@@ -14,7 +14,7 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
 detection:
    selection_1:
        EventID: 4104
@@ -15,7 +15,7 @@ tags:
 logsource:
    product: windows
    service: powershell
-    definition: 'Script block logging must be enabled'
+    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
 detection:
    selection_1:
        EventID: 4104
@@ -10,13 +10,13 @@ tags:
    - attack.t1086  #an old one
 author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update)
 date: 2017/03/05
-modified: 2020/10/11
+modified: 2021/08/21
 logsource:
    product: windows
    service: powershell
-    definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
+    definition: Script Block Logging must be enable
 detection:
-    keywords:
+    select_Malicious:
        EventID: 4104
        ScriptBlockText|contains:
            - "Invoke-DllInjection"
@@ -115,10 +115,8 @@ detection:
            - "Invoke-Mimikittenz"
            - "Invoke-AllChecks"
    false_positives:
-        EventID: 4104
-        ScriptBlockText|contains:
-            - Get-SystemDriveInfo  # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
-    condition: keywords and not false_positives
+        ScriptBlockText|contains: Get-SystemDriveInfo  # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
+    condition: select_Malicious and not false_positives
 falsepositives:
    - Penetration testing
 level: high
@@ -10,33 +10,36 @@ tags:
    - attack.t1086  #an old one
 author: Sean Metcalf (source), Florian Roth (rule)
 date: 2017/03/05
+modified: 2021/08/21
 logsource:
    product: windows
    service: powershell
    definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
 detection:
-    keywords:
-        - "AdjustTokenPrivileges"
-        - "IMAGE_NT_OPTIONAL_HDR64_MAGIC"
-        - "Microsoft.Win32.UnsafeNativeMethods"
-        - "ReadProcessMemory.Invoke"
-        - "SE_PRIVILEGE_ENABLED"
-        - "LSA_UNICODE_STRING"
-        - "MiniDumpWriteDump"
-        - "PAGE_EXECUTE_READ"
-        - "SECURITY_DELEGATION"
-        - "TOKEN_ADJUST_PRIVILEGES"
-        - "TOKEN_ALL_ACCESS"
-        - "TOKEN_ASSIGN_PRIMARY"
-        - "TOKEN_DUPLICATE"
-        - "TOKEN_ELEVATION"
-        - "TOKEN_IMPERSONATE"
-        - "TOKEN_INFORMATION_CLASS"
-        - "TOKEN_PRIVILEGES"
-        - "TOKEN_QUERY"
-        - "Metasploit"
-        - "Mimikatz"
-    condition: keywords
+    Malicious:
+        EventID: 4104
+        ScriptBlockText|contains:
+            - "AdjustTokenPrivileges"
+            - "IMAGE_NT_OPTIONAL_HDR64_MAGIC"
+            - "Microsoft.Win32.UnsafeNativeMethods"
+            - "ReadProcessMemory.Invoke"
+            - "SE_PRIVILEGE_ENABLED"
+            - "LSA_UNICODE_STRING"
+            - "MiniDumpWriteDump"
+            - "PAGE_EXECUTE_READ"
+            - "SECURITY_DELEGATION"
+            - "TOKEN_ADJUST_PRIVILEGES"
+            - "TOKEN_ALL_ACCESS"
+            - "TOKEN_ASSIGN_PRIMARY"
+            - "TOKEN_DUPLICATE"
+            - "TOKEN_ELEVATION"
+            - "TOKEN_IMPERSONATE"
+            - "TOKEN_INFORMATION_CLASS"
+            - "TOKEN_PRIVILEGES"
+            - "TOKEN_QUERY"
+            - "Metasploit"
+            - "Mimikatz"
+    condition: Malicious
 falsepositives:
    - Penetration tests
 level: high
@@ -3,7 +3,7 @@ id: f772cee9-b7c2-4cb2-8f07-49870adc02e0
 status: experimental
 description: Detects Commandlet names and arguments from the Nishang exploitation framework
 date: 2019/05/16
-modified: 2021/07/21
+modified: 2021/08/21
 references:
    - https://github.com/samratashok/nishang
 tags:
@@ -14,10 +14,11 @@ author: Alec Costello
 logsource:
    product: windows
    service: powershell
-    definition: It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277
+    definition: Script block logging must be enabled
 detection:
-    keywords:
-        Payload|contains:
+    Nishang:
+        EventID: 4104
+        ScriptBlockText|contains:
            - Add-ConstrainedDelegationBackdoor
            - Set-DCShadowPermissions
            - DNS_TXT_Pwnage
@@ -89,7 +90,7 @@ detection:
            - NotAllNameSpaces
            - exfill
            - FakeDC
-    condition: keywords
+    condition: Nishang
 falsepositives:
    - Penetration testing
 level: high
--- a/Show More
+++ b/Show More