Sigma tools release 0.5

False positive circumstance

.travis.yml

@@ -1,12 +1,14 @@
 language: python
 python:
-  - 3.4
   - 3.5
   - 3.6
-  - pypy3
+services:
+    - elasticsearch
 cache: pip
+before_install:
+    - curl -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.2.4.deb && sudo dpkg -i --force-confnew elasticsearch-6.2.4.deb && sudo service elasticsearch restart
 install:
   - pip install -r tools/requirements-devel.txt 
-
 script:
   - make test
+  - make test-backend-es-qs

Makefile

@@ -16,10 +16,17 @@ test-yaml:
 test-sigmac:
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -l
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -O rulecomment -rvdI -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t graylog rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkxml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t wdatp rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-dsl rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight -c tools/config/arcsight.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qualys -c tools/config/qualys.yml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=stable,logsource=windows' rules/ > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=xcritical,status=stable,logsource=windows' rules/ > /dev/null
@@ -29,7 +36,9 @@ test-sigmac:
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t kibana rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -Ooutput=curl -t kibana rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t kibana rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -Ooutput=curl -t kibana rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t xpack-watcher rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t xpack-watcher rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-defaultindex.yml -t xpack-watcher rules/ > /dev/null
@@ -52,11 +61,14 @@ test-sigmac:
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c not_existing rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_yaml.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_config.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvI -c tools/config/elk-defaultindex.yml -t kibana rules/ > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rv -c tools/config/elk-defaultindex.yml -t kibana rules/ > /dev/null
 
 test-merge:
 	tests/test-merge.sh
-	! coverage run -a --include=$(COVSCOPE) tools/merge_sigma.py tests/not_existing.yml > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/merge_sigma tests/not_existing.yml > /dev/null
+
+test-backend-es-qs:
+	tests/test-backend-es-qs.py
 
 build: tools/sigmac tools/merge_sigma tools/sigma/*.py tools/setup.py tools/setup.cfg
 	cd tools && python3 setup.py bdist_wheel

README.md

@@ -3,9 +3,10 @@
 ![sigma_logo](./images/Sigma_0.3.png)
 
 # Sigma
+
 Generic Signature Format for SIEM Systems
 
-# What is Sigma?
+# What is Sigma
 
 Sigma is a generic and open signature format that allows you to describe relevant log events in a straight forward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others.
 
@@ -17,48 +18,25 @@ This repository contains:
 * Open repository for sigma signatures in the `./rules`subfolder
 * A converter that generate searches/queries for different SIEM systems [work in progress]
 
+![sigma_description](./images/Sigma-description.png)
+
 ## Hack.lu 2017 Talk
 
 [![Sigma - Generic Signatures for Log Events](https://preview.ibb.co/cMCigR/Screen_Shot_2017_10_18_at_15_47_15.png)](https://www.youtube.com/watch?v=OheVuE9Ifhs "Sigma - Generic Signatures for Log Events")
 
 # Use Cases
 
-* Describe your once discovered detection method in Sigma to make it sharable 
-* Share the signature in the appendix of your analysis along with file hashes and C2 servers
+* Describe your detection method in Sigma to make it sharable
+* Write and your SIEM searches in Sigma to avoid a vendor lock-in
+* Share the signature in the appendix of your analysis along with IOCs and YARA rules
 * Share the signature in threat intel communities - e.g. via MISP
-* Provide Sigma signatures for malicious behaviour in your own application (Error messages, access violations, manipulations) 
-* Integrate a new log into your SIEM and check the Sigma repository for available rules
-* Write a rule converter for your custom log analysis tool and process new Sigma rules automatically
-* Provide a free or commercial feed for Sigma signatures
-
-# Sigma Converter
-
-The converter is currently under development in the *devel-sigmac* branch of this project. It has currently the
-following capabilities:
-
-* Parsing of Sigma rule files
-* Conversion of searches into Elasticsearch and Splunk queries
-
-Planned main features are:
-
-* Conversion of aggregation expressions (after the pipe character)
-* Output of Kibana JSON configurations
-
-Support for further SIEM solutions can be added by developing an corresponsing output backend class.
-
-![sigma_description](./images/Sigma-description.png)
+* Provide Sigma signatures for malicious behaviour in your own application
 
 # Why Sigma
 
 Today, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and build their own searches and dashboard. Some of their searches and correlations are great and very useful but they lack a standardized format in which they can share their work with others. 
 
-Others provide excellent analyses for threat groups, sharing file indicators, C2 servers and YARA rules to detect the malicious files, but describe a certain malicious service install or remote thread injection in a separate paragraph. Security analysts, who read that paragraph then extract the necessary information and create rules in their SIEM system. The detection method never finds a way into a repository that is shared, structured and archived. 
-
-The lower layers of the OSI layer are well known and described. Every SIEM vendor has rules to detect port scans, ping sweeps and threats like the ['smurf attack'](https://en.wikipedia.org/wiki/Smurf_attack). But the higher layers contain numerous applications and protocols  with special characteristics that write their own custom log files. SIEM vendors consider the signatures and correlations as their intelectual property and do not tend to share details on the coverage. 
-
-Sigma is meant to be an open standard in which detection mechanisms can be defined, shared and collected in order to improve the detection capabilities on the application layers for everyone. 
-
-![sigma_why](./images/Problem_OSI_v01.png)
+Others provide excellent analyses, include IOCs and YARA rules to detect the malicious files and network connections, but have no way to describe a specific or generic detection method in log events. Sigma is meant to be an open standard in which such detection mechanisms can be defined, shared and collected in order to improve the detection capabilities for everyone. 
 
 ## Slides
 
@@ -72,6 +50,21 @@ The specifications can be found in the [Wiki](https://github.com/Neo23x0/sigma/w
 
 The current specification is a proposal. Feedback is requested.
 
+# Getting Started
+
+## Rule Creation
+
+Florian wrote a short [rule creation tutorial](https://www.nextron-systems.com/2018/02/10/write-sigma-rules/) that can help you getting started.
+
+## Rule Usage 
+
+1. Download or clone the respository
+2. Check the `./rules` sub directory for an overview on the rule base
+3. Run `python sigmac --help` in folder `./tools` to get a help on the rule converter
+4. Convert a rule of your choice with `sigmac` like `python sigmac -t splunk ../rules/windows/builtin/win_susp_process_creations.yml`
+5. Convert a whole rule directory with `python sigmac -t splunk -r ../rules/proxy/`
+6. Check the `./tools/config` folder and the [wiki](https://github.com/Neo23x0/sigma/wiki/Converter-Tool-Sigmac) if you need custom field or log source mappings in your environment
+
 # Examples
 
 Windows 'Security' Eventlog: Access to LSASS Process with Certain Access Mask / Object Type (experimental)
@@ -89,7 +82,9 @@ Sysmon: Web Shell Detection
 Windows 'Security' Eventlog: Suspicious Number of Failed Logons from a Single Source Workstation
 ![sigma_rule example5](./images/Sigma_rule_example5.png)
 
-## Sigma Toolchain
+# Sigma Tools 
+
+## Sigmac 
 
 Sigmac converts sigma rules into queries or inputs of the supported targets listed below. It acts as a frontend to the
 Sigma library that may be used to integrate Sigma support in other projects. Further, there's `merge_sigma.py` which
@@ -101,29 +96,68 @@ merges multiple YAML documents of a Sigma rule collection into simple Sigma rule
 
 * [Splunk](https://www.splunk.com/)
 * [ElasticSearch](https://www.elastic.co/)
+* [ElasticSearch Query DSL](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl.html)
+* [Kibana](https://www.elastic.co/de/products/kibana)
 * [Elastic X-Pack Watcher](https://www.elastic.co/guide/en/x-pack/current/xpack-alerting.html)
 * [Logpoint](https://www.logpoint.com)
+* [Windows Defender Advanced Threat Protection (WDATP)](https://www.microsoft.com/en-us/windowsforbusiness/windows-atp)
+* Grep with Perl-compatible regular expression support
+
+Current work-in-progress
+* [Splunk Data Models](https://docs.splunk.com/Documentation/Splunk/7.1.0/Knowledge/Aboutdatamodels)
+
+New targets are continuously developed. You can get a list of supported targets with `sigmac --target-list` or `sigmac -l`.
 
 ### Requirements
 
-The usage of Sigmac or the underlying library requires Python >= 3.4 and PyYAML.
+The usage of Sigmac (the Sigma Rule Converter) or the underlying library requires Python >= 3.5 and PyYAML.
 
-# Next Steps 
+### Installation
 
-* Integration of feedback into the rule specifications
-* Integration into Threat Intel Exchanges, e.g. [MISP](http://www.misp-project.org/)
+It's available on PyPI. Install with:
+
+```bash
+pip3 install sigmatools
+```
+
+Alternatively, if used from the Sigma Github repository, the Python dependencies can be installed with:
+
+```bash
+pip3 install -r tools/requirements.txt
+```
+
+For development (e.g. execution of integration tests with `make` and packaging), further dependencies are required and can be installed with:
+
+```bash
+pip3 install -r tools/requirements-devel.txt
+```
+
+## Evt2Sigma
+
+[Evt2Sigma](https://github.com/Neo23x0/evt2sigma) helps you with the rule creation. It generates a Sigma rule from a log entry. 
+
+## Contributed Scripts
+
+The directory `contrib` contains scripts that were contributed by the community:
+
+* `sigma2elastalert.py`i by David Routin: A script that converts Sigma rules to Elastalert configurations. This tool
+  uses *sigmac* and expects it in its path.
+
+These tools are not part of the main toolchain and maintained separately by their authors.
+
+# Next Steps
+
+* Integration of MITRE ATT&CK framework identifier to the rule set
+* Integration into Threat Intel Exchanges
 * Attempts to convince others to use the rule format in their reports, threat feeds, blog posts, threat sharing platforms
 
 # Projects that use Sigma
 
-* [Augmentd](https://augmentd.co/)
+* [MISP](http://www.misp-project.org/2017/03/26/MISP.2.4.70.released.html) (since version 2.4.70, March 2017)
 * [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches) (Splunk App)
-
-# Credits
-
-This is a private project mainly developed by Florian Roth and Thomas Patzke with feedback from many fellow analysts and friends. Rules are our own or have been drived from blog posts, tweets or other public sources that are referenced in the rules.
-
-Copyright for Tree Image: [studiobarcelona / 123RF Stock Photo](http://www.123rf.com/profile_studiobarcelona)
+* [SOC Prime - Sigma Rule Editor](https://tdm.socprime.com/sigma/)
+* [ypsilon](https://github.com/P4T12ICK/ypsilon) - Automated Use Case Testing 
+* [SPARK](https://www.nextron-systems.com/2018/06/28/spark-applies-sigma-rules-in-eventlog-scan/) - Scan with Sigma rules on endpoints
 
 # Licenses
 
@@ -132,3 +166,9 @@ The content of this repository is released under the following licenses:
 * The toolchain (everything under `tools/`) is licensed under the [GNU Lesser General Public License](https://www.gnu.org/licenses/lgpl-3.0.en.html).
 * The [Sigma specification](https://github.com/Neo23x0/sigma/wiki) is public domain.
 * Everything else, especially the rules contained in the `rules/` directory is released under the [GNU General Public License](https://www.gnu.org/licenses/gpl-3.0.en.html).
+
+# Credits
+
+This is a private project mainly developed by Florian Roth and Thomas Patzke with feedback from many fellow analysts and friends. Rules are our own or have been drived from blog posts, tweets or other public sources that are referenced in the rules.
+
+Copyright for Tree Image: [studiobarcelona / 123RF Stock Photo](http://www.123rf.com/profile_studiobarcelona)

contrib/sigma2elastalert.py

@@ -0,0 +1,173 @@
+#!/usr/bin/python
+# Copyright 2018 David Routin
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+"""
+Project: sigma2elastalert.py
+Date: 25 Feb 2018
+Author: David ROUTIN  (@Rewt_1)
+Version: 1.0
+Description: This script creates elastalert configuration files from Sigma SIEM rules.
+"""
+
+import re
+import os
+import glob
+import subprocess
+import argparse
+import yaml
+import traceback
+
+parser = argparse.ArgumentParser()
+parser.add_argument("--eshost", help="Elasticsearch host", type=str, required=True)
+parser.add_argument("--esport", help="Elasticsearch port", type=str, required=True)
+parser.add_argument("--ruledir", help="sigma rule directory path to convert", type=str, required=True)
+parser.add_argument("--index", help="Elasticsearch index name egs: \"winlogbeat-*\"", type=str, required=True)
+parser.add_argument("--email", help="email address to send mail alert", type=str, required=True)
+parser.add_argument("--outdir", help="output directory to create elastalert rules", type=str, required=True)
+parser.add_argument("--sigmac", help="Sigmac location", default="../tools/sigmac", type=str)
+parser.add_argument("--realerttime", help="Realert time (optional value, default 5 minutes)", type=str, default=5)
+parser.add_argument("--debug", help="Show debug output", type=bool, default=False)
+args = parser.parse_args()
+
+custom_query_keys = ["sensor", "Hostname", "EventID", "src_ip", "dst_ip"]
+
+
+template="""es_host: ESHOST
+es_port: ESPORT
+name: "TITLE"
+description: "DESCRIPTION"
+index: INDEX
+filter:
+- query:
+    query_string:
+      query: 'QUERY'
+realert:
+ minutes: MINUTES
+query_key: UNIQKEYS
+type: any
+include: UNIQKEYS
+alert:
+- "email"
+
+# (required, email specific)
+# a list of email addresses to send alerts to
+email:
+- "EMAIL"
+"""
+
+def return_json_obj(x,custom_query_keys):
+    """
+    Function used to filter all ES query object as unique value including predefined list from custom_query_keys
+    :param x: must contains ES query output
+    :param custom_query_keys: takes the list of predefined element to match in document
+    :return: a clean list (set) of all the query keys (EventID,TargetUserName...)
+    """
+    # type: (str, list) -> list
+    y = x.replace(" ", "\n").split()
+    out = set()
+    for i in y:
+        out.update(re.findall("([a-zA-Z]+)\:", i))
+
+    for qk in custom_query_keys:
+        try:
+            out.remove(qk)
+        except:
+            pass
+    out = list(out)
+    count = 0
+    for qk in custom_query_keys:
+        count += 1
+        out.insert(count-1, qk)
+    return out
+
+def rule_element(file_content, elements):
+    """
+    Function used to get specific element from yaml document and return content
+    :type file_content: str
+    :type elements: list
+    :param file_content:
+    :param elements: list of elements of the yaml document to get "title", "description"
+    :return: the value of the key in the yaml document
+    """
+    try:
+        yaml.load(file_content.replace("---",""))
+    except:
+        raise Exception('Unsupported')
+    element_output = ""
+    for e in elements:
+        try:
+            element_output = yaml.load(file_content.replace("---",""))[e]
+        except:
+            pass
+    if element_output is None:
+        return ""
+    return element_output
+
+def get_rule_as_esqs(file):
+    """
+    Function used to get Elastic query output from rule fome
+    :type file: str
+    :param file: rule filename
+    :return: string es query
+    """
+    if not os.path.exists(args.sigmac):
+        print("Cannot find sigmac rule coverter at '%s', please set a correct location via '--sigmac'")
+    cmd = [args.sigmac, file, "--target", "es-qs"]
+    output = subprocess.Popen(cmd,stdout=subprocess.PIPE, stderr=subprocess.STDOUT).stdout.read()
+    if "unsupported" in output:
+        raise Exception('Unsupported output at this time')
+    output = output.split("\n")
+    # Remove empty string from \n
+    output = [a for a in output if a]
+    # Handle case of multiple queries returned
+    if len(output) > 1:
+        return " OR ".join(output)
+    return "".join(output)
+
+# Dictionary that contains args set at launch time
+convert_args = {
+    "ESHOST": args.eshost,
+    "ESPORT": args.esport,
+    "INDEX": args.index,
+    "EMAIL": args.email,
+    "MINUTES": args.realerttime
+}
+
+for file in glob.glob(args.ruledir + "/*"):
+    output_elast_config = template
+    try:
+        print("Processing %s ..." % file)
+        with open(file, "rb") as f:
+            file_content = f.read()
+
+        # Dictionary that contains args with values returned by functions
+        translate_func = {'QUERY': get_rule_as_esqs(file),
+                        'TITLE': rule_element(file_content, ["title", "name"]),
+                        'DESCRIPTION': rule_element(file_content, ["description"]),
+                        'UNIQKEYS': str(return_json_obj(get_rule_as_esqs(file), custom_query_keys))
+                        }
+        for entry in convert_args:
+            output_elast_config = re.sub(entry, str(convert_args[entry]), output_elast_config)
+        for entry in translate_func:
+            output_elast_config = re.sub(entry, translate_func[entry], output_elast_config)
+        print "Converting file " + file
+        with open(os.path.join(args.outdir, "sigma-" + file.split("/")[-1]), "w") as f:
+                f.write(output_elast_config)
+    except Exception as e:
+        if args.debug:
+            traceback.print_exc()
+        print "error " + str(file) + "----" + str(e)
+        pass
+

rules/application/app_python_sql_exceptions.yml

@@ -1,7 +1,7 @@
 title: Python SQL Exceptions
 description: Generic rule for SQL exceptions in Python according to PEP 249
 author: Thomas Patzke
-reference:
+references:
     - https://www.python.org/dev/peps/pep-0249/#exceptions
 logsource:
     category: application

rules/application/app_sqlinjection_errors.yml

@@ -2,7 +2,8 @@ title: Suspicious SQL Error Messages
 status: experimental
 description: Detects SQL error messages that indicate probing for an injection attack
 author: Bjoern Kimminich
-reference: http://www.sqlinjection.net/errors
+references:
+    - http://www.sqlinjection.net/errors
 logsource:
     category: application
     product: sql
@@ -15,7 +16,7 @@ detection:
         # SQL Server
         - Unclosed quotation mark
         # SQLite
-        - near "*": syntax error
+        - 'near "*": syntax error'
         - SELECTs to the left and right of UNION do not have the same number of result columns
     condition: keywords
 falsepositives:

rules/application/appframework_django_exceptions.yml

@@ -1,7 +1,7 @@
 title: Django framework exceptions
 description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
-reference:
+references:
     - https://docs.djangoproject.com/en/1.11/ref/exceptions/
     - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
 logsource:

rules/application/appframework_ruby_on_rails_exceptions.yml

@@ -1,7 +1,7 @@
 title: Ruby on Rails framework exceptions
 description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
 author: Thomas Patzke
-reference:
+references:
     - http://edgeguides.rubyonrails.org/security.html
     - http://guides.rubyonrails.org/action_controller_overview.html
     - https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception

rules/application/appframework_spring_exceptions.yml

@@ -1,7 +1,7 @@
 title: Spring framework exceptions
 description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
-reference:
+references:
     - https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html
 logsource:
     category: application

rules/apt/apt_apt29_tor.yml

@@ -1,7 +1,9 @@
+---
 action: global
 title: APT29 Google Update Service Install
 description: 'This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files.' 
-reference: https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
+references:
+    - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
 logsource:
     product: windows
 detection:

rules/apt/apt_carbonpaper_turla.yml

@@ -1,6 +1,7 @@
 title: Turla Service Install
 description: 'This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET' 
-reference: https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
+references:
+    - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
 logsource:
     product: windows
     service: system

rules/apt/apt_chafer_mar18.yml

@@ -0,0 +1,53 @@
+---
+action: global
+title: Chafer Activity
+description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018 
+references:
+    - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
+date: 2018/03/23
+author: Florian Roth, Markus Neis
+detection:
+    condition: 1 of them
+falsepositives:
+    - Unknown
+level: critical
+---
+logsource:
+    product: windows
+    service: system
+detection:
+    selection_service:
+        EventID: 7045
+        ServiceName:
+            - 'SC Scheduled Scan'
+            - 'UpdatMachine'
+---
+logsource:
+   product: windows
+   service: sysmon
+detection:
+    selection_reg1:
+        EventID: 13 
+        TargetObject: 
+            - '*SOFTWARE\Microsoft\Windows\CurrentVersion\UMe'
+            - '*SOFTWARE\Microsoft\Windows\CurrentVersion\UT'
+        EventType: 'SetValue'
+    selection_reg2:
+        EventID: 13 
+        TargetObject: '*\Control\SecurityProviders\WDigest\UseLogonCredential'
+        EventType: 'SetValue'
+        Details: 'DWORD (0x00000001)'
+    selection_process1:
+        EventID: 1 
+        CommandLine: 
+            - '*\Service.exe i'
+            - '*\Service.exe u'
+            - '*\microsoft\Taskbar\autoit3.exe'
+            - 'C:\wsc.exe*'
+    selection_process2:
+        EventID: 1
+        Image: '*\Windows\Temp\DB\*.exe'
+    selection_process3:
+        EventID: 1
+        CommandLine: '*\nslookup.exe -q=TXT*'
+        ParentImage: '*\Autoit*'

rules/apt/apt_cloudhopper.yml

@@ -1,7 +1,8 @@
-title: Detects an Execution of WMIExec VBS Script
+title: WMIExec VBS Script
 description: Detects suspicious file execution by wscript and cscript
 author: Florian Roth
-reference: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+references:
+    - https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
 logsource:
     product: windows
     service: sysmon

rules/apt/apt_dragonfly.yml

@@ -0,0 +1,36 @@
+---
+action: global
+title: CrackMapExecWin 
+description: Detects CrackMapExecWin Activity as Described by NCSC
+status: experimental
+references:
+    - https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control 
+author: Markus Neis
+detection:
+    condition: 1 of them
+falsepositives: 
+    - None 
+level: critical
+---
+# Windows Audit Log
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection1:
+        # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
+        EventID: 4688
+        NewProcessName:
+            - '*\crackmapexec.exe'
+---
+# Sysmon
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
+        EventID: 1
+        Image:
+            - '*\crackmapexec.exe'

rules/apt/apt_elise.yml

@@ -0,0 +1,22 @@
+title: Elise Backdoor
+status: experimental
+description: Detects Elise backdoor acitivty as used by APT32 
+references: 
+    - https://community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting
+author: Florian Roth
+date: 2018/01/31
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        EventID: 1
+        Image: 'C:\Windows\SysWOW64\cmd.exe'
+        CommandLine: '*\Windows\Caches\NavShExt.dll *'
+    selection2:
+        EventID: 1
+        CommandLine: '*\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'
+    condition: 1 of them
+falsepositives:
+    - Unknown
+level: critical

rules/apt/apt_equationgroup_c2.yml

@@ -1,6 +1,6 @@
 title: Equation Group C2 Communication
 description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
-reference:
+references:
     - 'https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation'
     - 'https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195'
 author: Florian Roth
@@ -15,7 +15,7 @@ detection:
         src:
             - '69.42.98.86'
             - '89.185.234.145'
-    condition: outgoing or incoming
+    condition: 1 of them
 falsepositives:
     - Unknown
 level: high

rules/apt/apt_equationgroup_dll_u_load.yml

@@ -0,0 +1,39 @@
+---
+action: global
+title: Equation Group DLL_U Load
+description: Detects a specific tool and export used by EquationGroup
+references:
+    - https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
+    - https://securelist.com/apt-slingshot/84312/
+    - https://twitter.com/cyb3rops/status/972186477512839170
+author: Florian Roth
+date: 2018/03/10 
+detection:
+    selection1:
+        Image: '*\rundll32.exe'
+        CommandLine: '*,dll_u'
+    selection2:
+        CommandLine: '* -export dll_u *'
+    condition: 1 of them
+falsepositives:
+    - Unknown
+level: critical
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        EventID: 1
+    selection2:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection1:
+        EventID: 4688
+    selection2:
+        EventID: 4688

rules/apt/apt_equationgroup_lnx.yml

@@ -1,6 +1,7 @@
 title: Equation Group Indicators
 description: Detects suspicious shell commands used in various Equation Group scripts and tools
-reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
+references:
+    - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
 author: Florian Roth
 logsource:
     product: linux

rules/apt/apt_hurricane_panda.yml

@@ -0,0 +1,35 @@
+---
+action: global
+title: Hurricane Panda Activity
+status: experimental
+description: Detects Hurricane Panda Activity 
+references: 
+    - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
+author: Florian Roth
+date: 2018/02/25
+detection:
+    selection:
+        CommandLine: 
+            - '* localgroup administrators admin /add'
+            - '*\Win64.exe*'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+
+

rules/apt/apt_pandemic.yml

@@ -1,7 +1,7 @@
 title: Pandemic Registry Key
 status: experimental
 description: Detects Pandemic Windows Implant
-reference: 
+references:
     - https://wikileaks.org/vault7/#Pandemic
     - https://twitter.com/MalwareJake/status/870349480356454401
 author: Florian Roth
@@ -18,7 +18,7 @@ detection:
     selection2:
         EventID: 1
         Command: 'loaddll -a *'
-    condition: selection1 or selection2
+    condition: 1 of them
 fields:
     - EventID
     - CommandLine

rules/apt/apt_slingshot.yml

@@ -0,0 +1,35 @@
+---
+action: global
+title: Defrag Deactivation
+description: Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group
+references:
+    - https://securelist.com/apt-slingshot/84312/
+author: Florian Roth
+date: 2018/03/10
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'       
+detection:
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        CommandLine: 
+            - '*schtasks* /delete *Defrag\ScheduledDefrag*'
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'       
+detection:
+    selection:
+        EventID: 4701
+        TaskName: '\Microsoft\Windows\Defrag\ScheduledDefrag'

rules/apt/apt_sofacy.yml

@@ -0,0 +1,36 @@
+
+---
+action: global
+title: Sofacy Trojan Loader Activity
+status: experimental
+description: Detects Trojan loader acitivty as used by APT28 
+references: 
+    - https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
+    - https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100
+    - https://twitter.com/ClearskySec/status/960924755355369472
+author: Florian Roth
+date: 2018/03/01
+detection:
+    selection:
+        CommandLine: 
+            - 'rundll32.exe %APPDATA%\*.dat",*'
+            - 'rundll32.exe %APPDATA%\*.dll",#1'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688

rules/apt/apt_stonedrill.yml

@@ -1,7 +1,8 @@
 title: StoneDrill Service Install
 description: 'This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky'   
 author: Florian Roth
-reference: https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
+references:
+    - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
 logsource:
     product: windows
     service: system

rules/apt/apt_ta17_293a_ps.yml

@@ -1,6 +1,7 @@
 title: Ps.exe Renamed SysInternals Tool
 description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A report
-reference: https://www.us-cert.gov/ncas/alerts/TA17-293A
+references:
+    - https://www.us-cert.gov/ncas/alerts/TA17-293A
 author: Florian Roth
 date: 2017/10/22
 logsource:

rules/apt/apt_turla_commands.yml

@@ -3,7 +3,8 @@ action: global
 title: Turla Group Lateral Movement 
 status: experimental
 description: Detects automated lateral movement by Turla group 
-reference: https://securelist.com/the-epic-turla-operation/65545/
+references:
+    - https://securelist.com/the-epic-turla-operation/65545/
 author: Markus Neis
 date: 2017/11/07
 logsource:

rules/apt/apt_turla_namedpipes.yml

@@ -1,7 +1,8 @@
 title: Turla Group Named Pipes 
 status: experimental
 description: Detects a named pipe used by Turla group samples
-reference: Internal Research
+references:
+    - Internal Research
 date: 2017/11/06
 author: Markus Neis
 logsource:

rules/apt/apt_zxshell.yml

@@ -1,7 +1,8 @@
 title: ZxShell Malware
 description: Detects a ZxShell start by the called and well-known function name   
 author: Florian Roth
-reference: https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
+references:
+    - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
 logsource:
     product: windows
     service: sysmon

rules/apt/crime_fireball.yml

@@ -1,9 +1,9 @@
-title: Detects Fireball - Archer Install
+title: Fireball Archer Install
 status: experimental
 description: Detects Archer malware invocation via rundll32
 author: Florian Roth
 date: 2017/06/03
-reference: 
+references:
     - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
     - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
 logsource:

rules/linux/auditd/lnx_auditd_susp_cmds.yml

@@ -0,0 +1,28 @@
+title: Detects Suspicious Commands on Linux systems
+status: experimental
+description: Detects relevant commands often related to malware or hacking activity
+references:
+    - 'Internal Research - mostly derived from exploit code including code in MSF'
+date: 2017/12/12
+author: Florian Roth
+logsource:
+    product: linux
+    service: auditd
+detection:
+    cmds:
+        - type: 'EXECVE'
+          a0: 'chmod'
+          a1: '777'
+        - type: 'EXECVE'
+          a0: 'chmod'
+          a1: 'u+s'
+        - type: 'EXECVE'
+          a0: 'cp'
+          a1: '/bin/ksh'
+        - type: 'EXECVE'
+          a0: 'cp'
+          a1: '/bin/sh'
+    condition: 1 of cmds
+falsepositives:
+    - Admin activity
+level: medium

rules/linux/auditd/lnx_auditd_susp_exe_folders.yml

@@ -0,0 +1,40 @@
+title: Program Executions in Suspicious Folders
+status: experimental
+description: Detects program executions in suspicious non-program folders related to malware or hacking activity
+references:
+    - 'Internal Research'
+date: 2018/01/23
+author: Florian Roth
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'SYSCALL'
+        exe:
+            # Temporary folder
+            - '/tmp/*'
+            # Web server 
+            - '/var/www/*'              # Standard
+            - '/home/*/public_html/*'   # Per-user
+            - '/usr/local/apache2/*'    # Classical Apache
+            - '/usr/local/httpd/*'      # Old SuSE Linux 6.* Apache
+            - '/var/apache/*'           # Solaris Apache
+            - '/srv/www/*'              # SuSE Linux 9.*
+            - '/home/httpd/html/*'      # Redhat 6 or older Apache
+            - '/srv/http/*'             # ArchLinux standard
+            - '/usr/share/nginx/html/*' # ArchLinux nginx
+            # Data dirs of typically exploited services (incomplete list)
+            - '/var/lib/pgsql/data/*'
+            - '/usr/local/mysql/data/*'
+            - '/var/lib/mysql/*'
+            - '/var/vsftpd/*'
+            - '/etc/bind/*'
+            - '/var/named/*'
+    condition: selection
+falsepositives:
+    - Admin activity (especially in /tmp folders)
+    - Crazy web applications
+level: medium
+
+

rules/linux/lnx_buffer_overflows.yml

@@ -1,6 +1,7 @@
 title: Buffer Overflow Attempts
 description: Detects buffer overflow attempts in Linux system log files
-reference: https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
+references:
+    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
 logsource:
     product: linux
 detection:

rules/linux/lnx_clamav.yml

@@ -1,6 +1,7 @@
 title: Relevant ClamAV Message
 description: Detects relevant ClamAV messages
-reference: https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml
+references:
+    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml
 logsource:
     product: linux
     service: clamav

rules/linux/lnx_shell_susp_commands.yml

@@ -1,6 +1,6 @@
 title: Suspicious Activity in Shell Commands
 description: Detects suspicious shell commands used in various exploit codes (see references)
-reference: 
+references:
     - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html
     - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121
     - http://pastebin.com/FtygZ1cg

rules/linux/lnx_shellshock.yml

@@ -1,6 +1,7 @@
 title: Shellshock Expression
 description: Detects shellshock expressions in log files
-reference: http://rubular.com/r/zxBfjWfFYs
+references:
+    - http://rubular.com/r/zxBfjWfFYs
 logsource:
     product: linux
 detection:

rules/linux/lnx_susp_failed_logons_single_source.yml

@@ -5,9 +5,9 @@ logsource:
     service: auth
 detection:
     selection:
-        log: auth
-        pam_user: not null
-        pam_rhost: not null
+        pam_message: "authentication failure"
+        pam_user: '*'
+        pam_rhost: '*'
     timeframe: 24h 
     condition: selection | count(pam_user) by pam_rhost > 3
 falsepositives:

rules/linux/lnx_susp_named.yml

@@ -0,0 +1,20 @@
+title: Suspicious Named Error
+status: experimental
+description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 
+references:
+    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml
+author: Florian Roth
+date: 2018/02/20
+logsource:
+    product: linux
+    service: syslog
+detection:
+    keywords:
+        - '* dropping source port zero packet from *'
+        - '* denied AXFR from *'
+        - '* exiting (due to fatal error)*'
+    condition: keywords
+falsepositives:
+    - Unknown
+level: high
+

rules/linux/lnx_susp_ssh.yml

@@ -1,6 +1,8 @@
-title: Suspicious SSHD error
+title: Suspicious SSHD Error
 description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 
-reference: https://github.com/openssh/openssh-portable/blob/master/ssherr.c
+references:
+    - https://github.com/openssh/openssh-portable/blob/master/ssherr.c
+    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml
 author: Florian Roth
 date: 2017/06/30
 logsource:
@@ -8,13 +10,17 @@ logsource:
     service: sshd
 detection:
     keywords:
-        - 'unexpected internal error'
-        - 'unknown or unsupported key type'
-        - 'invalid certificate signing key'
-        - 'invalid elliptic curve value'
-        - 'incorrect signature'
-        - 'error in libcrypto'
-        - 'unexpected bytes remain after decoding'
+        - '*unexpected internal error*'
+        - '*unknown or unsupported key type*'
+        - '*invalid certificate signing key*'
+        - '*invalid elliptic curve value*'
+        - '*incorrect signature*'
+        - '*error in libcrypto*'
+        - '*unexpected bytes remain after decoding*'
+        - '*fatal: buffer_get_string: bad string*'
+        - '*Local: crc32 compensation attack*'
+        - '*bad client public DH value*'
+        - '*Corrupted MAC on input*'
     condition: keywords
 falsepositives:
     - Unknown

rules/linux/lnx_susp_vsftp.yml

@@ -1,6 +1,7 @@
-title: Suspicious VSFTPD error messages
+title: Suspicious VSFTPD Error Messages
 description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 
-reference: https://github.com/dagwieers/vsftpd/
+references:
+    - https://github.com/dagwieers/vsftpd/
 author: Florian Roth
 date: 2017/07/05
 logsource:

rules/network/net_mal_dns_cobaltstrike.yml

@@ -0,0 +1,19 @@
+title: Cobalt Strike DNS Beaconing
+status: experimental
+description: Detects suspicious DNS queries known from Cobalt Strike beacons
+references:
+    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
+author: Florian Roth
+date: 2018/05/10
+logsource:
+    category: dns
+detection:
+    selection:
+        query:
+            - 'aaa.stage.*' 
+            - 'post.1*'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
+

rules/network/net_susp_dns_b64_queries.yml

@@ -0,0 +1,17 @@
+title: Suspicious DNS Query with B64 Encoded String   
+status: experimental
+description: Detects suspicious DNS queries using base64 encoding
+references:
+    - https://github.com/krmaxwell/dns-exfiltration
+author: Florian Roth
+date: 2018/05/10
+logsource:
+    category: dns
+detection:
+    selection:
+        query:
+            - '*==.*'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium

rules/network/net_susp_telegram_api.yml

@@ -0,0 +1,20 @@
+title: Telegram Bot API Request
+status: experimental
+description: Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind
+references:
+    - https://core.telegram.org/bots/faq
+    - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
+    - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
+    - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
+author: Florian Roth
+date: 2018/06/05
+logsource:
+    category: dns
+detection:
+    selection:
+        query:
+            - 'api.telegram.org'   # Telegram Bot API Request https://core.telegram.org/bots/faq
+    condition: selection
+falsepositives:
+    - Legitimate use of Telegram bots in the company
+level: medium

rules/proxy/proxy_download_susp_dyndns.yml

@@ -1,7 +1,8 @@
 title: Download from Suspicious Dyndns Hosts
 status: experimental
 description: Detects download of certain file types from hosts with dynamic DNS names (selected list)
-reference: https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
+references:
+    - https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
 author: Florian Roth
 date: 2017/11/08
 logsource:

rules/proxy/proxy_download_susp_tlds_blacklist.yml

@@ -1,12 +1,13 @@
 title: Download from Suspicious TLD
 status: experimental
 description: Detects download of certain file types from hosts in suspicious TLDs 
-reference: 
+references:
     - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap
     - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf
     - https://www.spamhaus.org/statistics/tlds/
+    - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
 author: Florian Roth
-date: 2017/11/07
+date: 2018/06/13
 logsource:
     category: proxy
 detection:
@@ -60,7 +61,7 @@ detection:
             - '*.cricket'
             - '*.space'
             - '*.top'
-            # McAfee report
+            # McAfee report 
             - '*.info'
             - '*.vn'
             - '*.cm'
@@ -83,7 +84,6 @@ detection:
             - '*.tt'
             - '*.name'
             - '*.tv'
-            - '*.tv'
             - '*.kz'
             - '*.tc'
             - '*.mobi'
@@ -93,10 +93,16 @@ detection:
             - '*.link'
             - '*.trade'
             - '*.accountant'
+            # Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
+            - '*.click'
+            - '*.cf'
+            - '*.gq'
+            - '*.ml'
+            - '*.ga'
     condition: selection
 fields:
     - ClientIP
     - URL
 falsepositives:
-    - All kind of software downloads
+    - All kinds of software downloads
 level: low

rules/proxy/proxy_download_susp_tlds_whitelist.yml

@@ -1,4 +1,4 @@
-title: Download from Suspicious TLD
+title: Download EXE from Suspicious TLD
 status: experimental
 description: Detects executable downloads from suspicious remote systems
 author: Florian Roth

rules/proxy/proxy_downloadcradle_webdav.yml

@@ -0,0 +1,24 @@
+title: Windows WebDAV User Agent
+status: experimental
+description: Detects WebDav DownloadCradle
+references:
+    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
+author: Florian Roth
+date: 2018/04/06
+logsource:
+    category: proxy
+detection:
+    selection:
+      UserAgent: 'Microsoft-WebDAV-MiniRedir/*'
+      HttpMethod: 'GET'
+    condition: selection
+fields:
+    - ClientIP
+    - URL
+    - UserAgent
+    - HttpMethod
+falsepositives:
+    - Administrative scripts that download files from the Internet
+    - Administrative scripts that retrieve certain website contents
+    - Legitimate WebDAV administration
+level: high

rules/proxy/proxy_empty_ua.yml

@@ -1,7 +1,7 @@
 title: Empty User Agent
 status: experimental
 description: Detects suspicious empty user agent strings in proxy logs
-reference:
+references:
     - https://twitter.com/Carlos_Perez/status/883455096645931008
 author: Florian Roth
 logsource:

rules/proxy/proxy_powershell_ua.yml

@@ -1,7 +1,8 @@
 title: Windows PowerShell User Agent
 status: experimental
 description: Detects Windows PowerShell Web Access
-reference: https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
+references:
+    - https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
 author: Florian Roth
 logsource:
     category: proxy

rules/proxy/proxy_susp_flash_download_loc.yml

@@ -1,7 +1,8 @@
 title: Flash Player Update from Suspicious Location
 status: experimental
 description: Detects a flashplayer update from an unofficial location
-reference: https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
+references:
+    - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
 author: Florian Roth
 logsource:
     category: proxy
@@ -11,7 +12,7 @@ detection:
             - '*/install_flash_player.exe'
             - '*/flash_install.php*'
     filter:
-        cs-uri-query: '*.adobe.com/*'
+        cs-uri-stem: '*.adobe.com/*'
     condition: selection and not filter
 falsepositives:
     - Unknown flash download locations

rules/proxy/proxy_telegram_api.yml

@@ -0,0 +1,29 @@
+title: Telegram API Access
+status: experimental
+description: Detects suspicious requests to Telegram API without the usual Telegram User-Agent
+references:
+    - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
+    - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
+    - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
+author: Florian Roth
+date: 2018/06/05
+logsource:
+    category: proxy
+detection:
+    selection:
+        r-dns: 
+            - 'api.telegram.org'  # Often used by Bots
+    filter:
+        UserAgent: 
+            # Used https://core.telegram.org/bots/samples for this list
+            - '*Telegram*'
+            - '*Bot*'
+    condition: selection and not filter
+fields:
+    - ClientIP
+    - URL
+    - UserAgent
+falsepositives:
+    - Legitimate use of Telegram bots in the company
+level: medium
+

rules/proxy/proxy_ua_apt.yml

@@ -1,7 +1,8 @@
 title: APT User Agent
 status: experimental
 description: Detects suspicious user agent strings used in APT malware in proxy logs
-reference: Internal Research
+references:
+    - Internal Research
 author: Florian Roth
 logsource:
     category: proxy
@@ -27,6 +28,13 @@ detection:
         - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)'  # APT17
         - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)'  # Bronze Butler - Daserf
         - 'Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)'  # Bronze Butler - Daserf
+        - 'Mozilla/4.0 (compatible; MSIE 8.0; Win32)'  # TSCookie https://app.any.run/tasks/0996b314-5133-491b-8d23-d431ffdec597
+        - 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1'  # Delphi downloader https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
+        - 'Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)'  # VPNFilter https://blog.talosintelligence.com/2018/05/VPNFilter.html
+        - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)'  # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
+        - 'Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko'  # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
+        - 'Mozilla v5.1 *'  # Sofacy Zebrocy samples 
+        - 'MSIE 8.0'  # Sofacy Azzy Backdoor  from https://www.hybrid-analysis.com/sample/a80e29c0757bee05338fd5c22a542d852ad86c477068e3eb4aacc1c3e59e2eef?environmentId=100
     condition: selection
 fields:
     - ClientIP

rules/proxy/proxy_ua_frameworks.yml

@@ -1,7 +1,7 @@
 title: Exploit Framework User Agent
 status: experimental
 description: Detects suspicious user agent strings used by exploit / pentest framworks like Metasploit in proxy logs
-reference:
+references:
     - https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
 author: Florian Roth
 logsource:

rules/proxy/proxy_ua_hacktool.yml

@@ -1,7 +1,7 @@
 title: Hack Tool User Agent
 status: experimental
 description: Detects suspicious user agent strings user by hack tools in proxy logs
-reference:
+references:
     - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
     - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
 author: Florian Roth

rules/proxy/proxy_ua_malware.yml

@@ -1,7 +1,7 @@
 title: Malware User Agent
 status: experimental
 description: Detects suspicious user agent strings used by malware in proxy logs
-reference:
+references:
     - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
     - http://www.botopedia.org/search?searchword=scan&searchphrase=all
     - https://networkraptor.blogspot.com/2015/01/user-agent-strings.html
@@ -22,6 +22,8 @@ detection:
         - '*<|>*'  # Houdini / Iniduoh / njRAT
         - 'nsis_inetc (mozilla)'  # ZeroAccess
         - 'Wget/1.9+cvs-stable (Red Hat modified)'  # Dyre / Upatre
+        # Ghost419 https://goo.gl/rW1yvZ
+        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)'
 
         # Malware
         - '*zeroup*'  # W32/Renos.Downloader
@@ -44,6 +46,8 @@ detection:
         - 'Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)'  # Fareit
         - 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)'  # Webshell's back connect
         - 'MSIE'  # Toby web shell
+        - '*(Charon; Inferno)'  # Loki Bot
+        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)'  # Fareit / Pony
 
         # Others 
         - '* pxyscand*'

rules/proxy/proxy_ua_suspicious.yml

@@ -1,7 +1,7 @@
 title: Suspicious User Agent
 status: experimental
 description: Detects suspicious malformed user agent strings in proxy logs
-reference:
+references:
     - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
 author: Florian Roth
 logsource:

rules/web/web_apache_segfault.yml

@@ -1,7 +1,8 @@
 title: Apache Segmentation Fault
 description: Detects a segmentation fault error message caused by a creashing apacke worker process 
 author: Florian Roth
-reference: http://www.securityfocus.com/infocus/1633
+references:
+    - http://www.securityfocus.com/infocus/1633
 logsource:
     product: apache
 detection:

rules/windows/builtin/win_admin_rdp_login.yml

@@ -1,6 +1,6 @@
-title: Admin user remote login
+title: Admin User Remote Logon
 description: Detect remote login by Administrator user depending on internal pattern
-reference:
+references:
   - https://car.mitre.org/wiki/CAR-2016-04-005
 status: experimental
 author: juju4
@@ -13,7 +13,6 @@ detection:
         EventID: 4624
         LogonType: 10
         AuthenticationPackageName: Negotiate
-        Severity: Information
         AccountName: 'Admin-*'
     condition: selection
 falsepositives: 

rules/windows/builtin/win_admin_share_access.yml

@@ -1,5 +1,5 @@
 title: Access to ADMIN$ Share
-description: 
+description: Detects access to $ADMIN share
 status: experimental
 author: Florian Roth
 logsource:
@@ -11,7 +11,7 @@ detection:
         EventID: 5140
         ShareName: Admin$
     filter:
-        SubjectAccountName: '*$'
+        SubjectUserName: '*$'
     condition: selection and not filter
 falsepositives: 
     - Legitimate administrative activity

rules/windows/builtin/win_alert_active_directory_user_control.yml

@@ -1,6 +1,6 @@
-title: Detects Enabling of a User Right in AD to Control User Objects
+title: Enabled User Right in AD to Control User Objects
 description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
-reference: 
+references:
     - https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
 author: '@neu5ron'
 logsource:
@@ -9,10 +9,10 @@ logsource:
     description: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'
 detection:
     selection:
-        EventID: 4707
+        EventID: 4704
     keywords:
         - 'SeEnableDelegationPrivilege'
-    condition: selection and keywords
+    condition: all of them
 falsepositives: 
     - Unknown
 level: high

rules/windows/builtin/win_alert_ad_user_backdoors.yml

@@ -1,6 +1,6 @@
 title: Active Directory User Backdoors
 description: Detects scenarios where one can control another users account without having to use their credentials via msDS-AllowedToDelegateTo and or service principal names (SPN).
-reference:
+references:
     - https://msdn.microsoft.com/en-us/library/cc220234.aspx
     - https://adsecurity.org/?p=3466
 author: '@neu5ron'
@@ -12,7 +12,8 @@ logsource:
 detection:
     selection1:
         EventID: 4738
-        AllowedToDelegateTo: '*'
+    filter1:
+        AllowedToDelegateTo: null
     selection2:
         EventID: 5136
         AttributeLDAPDisplayName: 'msDS-AllowedToDelegateTo'
@@ -20,7 +21,7 @@ detection:
         EventID: 5136
         ObjectClass: 'user'
         AttributeLDAPDisplayName: 'servicePrincipalName'
-    condition: selection1 or selection2 or selection3
+    condition: (selection1 and not filter1) or selection2 or selection3
 falsepositives: 
     - Unknown
 level: high

rules/windows/builtin/win_alert_enable_weak_encryption.yml

@@ -1,6 +1,6 @@
-title: Detects Enabling of Weak Encryption and Kerberoast
+title: Weak Encryption Enabled and Kerberoast
 description: Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
-reference: 
+references:
     - https://adsecurity.org/?p=2053
     - https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
 author: '@neu5ron'

rules/windows/builtin/win_alert_hacktool_use.yml

@@ -3,7 +3,7 @@ description: This method detects well-known keywords, certain field combination
 author: Florian Roth
 logsource:
     product: windows
-    service: system
+    service: security
 detection:
     # Ruler https://github.com/sensepost/ruler
     selection1:

rules/windows/builtin/win_alert_mimikatz_keywords.yml

@@ -1,4 +1,4 @@
-title: Mimikatz Usage
+title: Mimikatz Use
 description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
 author: Florian Roth
 logsource:

rules/windows/builtin/win_dcsync.yml

@@ -0,0 +1,22 @@
+title: Mimikatz DC Sync
+description: Detects Mimikatz DC sync security events
+status: experimental
+date: 2018/06/03
+author: Benjamin Delpy, Florian Roth
+references:
+    - https://twitter.com/gentilkiwi/status/1003236624925413376
+    - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 4662
+        Properties: 
+            - '*Replicating Directory Changes All*'
+            - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
+    condition: selection
+falsepositives:
+    - Unkown
+level: critical
+

rules/windows/builtin/win_disable_event_logging.yml

@@ -6,7 +6,7 @@ description: >
     that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc".
     Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off
     specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.
-reference:
+references:
     - https://bit.ly/WinLogsZero2Hero
 author: '@neu5ron'
 logsource:
@@ -16,7 +16,7 @@ logsource:
 detection:
     selection:
         EventID: 4719
-        Message: 'removed'
+        AuditPolicyChanges: 'removed'
     condition: selection
 falsepositives: 
     - Unknown

rules/windows/builtin/win_eventlog_cleared.yml

@@ -3,7 +3,8 @@ status: experimental
 description: Detects a cleared Windows Eventlog as e.g. caused by "wevtutil cl" command execution  
 author: Florian Roth
 date: 2017/06/27
-reference: https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
+references:
+    - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
 logsource:
     product: windows
     service: system

rules/windows/builtin/win_hack_smbexec.yml

@@ -0,0 +1,21 @@
+title: smbexec.py Service Installation
+description: Detects the use of smbexec.py tool by detecting a specific service installation
+author: Omer Faruk Celik
+date: 2018/03/20
+references:
+    - https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/
+logsource:
+    product: windows
+detection:
+    service_installation:
+        EventID: 7045
+        ServiceName: 'BTOBTO'
+        ServiceFileName: '*\execute.bat'
+    condition: service_installation
+fields:
+    - ServiceName
+    - ServiceFileName
+falsepositives:
+    - Penetration Test
+    - Unknown
+level: critical

rules/windows/builtin/win_mal_service_installs.yml

@@ -1,4 +1,4 @@
-title: Malicious Service Installs
+title: Malicious Service Installations
 description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping and other suspicious activity
 author: Florian Roth
 logsource:
@@ -7,26 +7,26 @@ logsource:
 detection:
     selection:
         EventID: 7045
-    wce:
+    malsvc_wce:
         ServiceName: 
             - 'WCESERVICE'
             - 'WCE SERVICE'
-    paexec:
+    malsvc_paexec:
         ServiceFileName: '*\PAExec*'
-    winexe:
+    malsvc_winexe:
         ServiceFileName: 'winexesvc.exe*'
-    pwdumpx:
+    malsvc_pwdumpx:
         ServiceFileName: '*\DumpSvc.exe'
-    wannacry:
+    malsvc_wannacry:
         ServiceName: 'mssecsvc2.0'
-    persistence:
+    malsvc_persistence:
         ServiceFileName: '* net user *'
-    others:
+    malsvc_others:
         ServiceName:
             - 'pwdump*'
             - 'gsecdump*'
             - 'cachedump*'
-    condition: selection and ( wce or paexec or winexe or pwdumpx or wannacry or persistence or others )
+    condition: selection and 1 of malsvc_*
 falsepositives: 
     - Penetration testing
 level: critical

rules/windows/builtin/win_mal_wceaux_dll.yml

@@ -1,8 +1,10 @@
-title: WCE wceaux.dll access
+title: WCE wceaux.dll Access
 status: experimental
 description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
 author: Thomas Patzke
-reference: https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+references:
+    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+    - https://jpcertcc.github.io/ToolAnalysisResultSheet
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_multiple_suspicious_cli.yml

@@ -1,8 +1,8 @@
 action: global
-title: Detects Quick execution of a series of suspicious commands
+title: Quick Execution of a Series of Suspicious Commands
 description: Detects multiple suspicious process in a limited timeframe
 status: experimental
-reference: 
+references:
     - https://car.mitre.org/wiki/CAR-2013-04-002
 author: juju4
 detection:

rules/windows/builtin/win_net_ntlm_downgrade.yml

@@ -0,0 +1,39 @@
+--- 
+action: global
+title: NetNTLM Downgrade Attack
+description: Detects post exploitation using NetNTLM downgrade attacks
+reference: 
+    - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
+author: Florian Roth
+date: 2018/03/20
+detection:
+    condition: 1 of them
+falsepositives:
+    - Unknown
+level: critical
+--- 
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        EventID: 13
+        TargetObject: 
+            - '*SYSTEM\*ControlSet*\Control\Lsa\lmcompatibilitylevel'
+            - '*SYSTEM\*ControlSet*\Control\Lsa\NtlmMinClientSec'
+            - '*SYSTEM\*ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic'
+        EventType: 'SetValue'
+---
+# Windows Security Eventlog: Process Creation with Full Command Line
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
+detection:
+    selection2:
+        EventID: 4657
+        ObjectName: '\REGISTRY\MACHINE\SYSTEM\*ControlSet*\Control\Lsa'
+        ObjectValueName: 
+            - 'LmCompatibilityLevel'
+            - 'NtlmMinClientSec'
+            - 'RestrictSendingNTLMTraffic'

rules/windows/builtin/win_overpass_the_hash.yml

@@ -0,0 +1,20 @@
+title: Successful Overpass the Hash Attempt
+status: experimental
+description: Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.
+references: 
+    - https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html
+author: Roberto Rodriguez (source), Dominik Schaudel (rule)
+date: 2018/02/12
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 4624
+        LogonType: 9
+        LogonProcessName: seclogo
+        AuthenticationPackageName: Negotiate
+    condition: selection
+falsepositives:
+    - Runas command-line tool using /netonly parameter
+level: high

rules/windows/builtin/win_pass_the_hash.yml

@@ -1,7 +1,8 @@
-title: Detects Pass the Hash Activity
+title: Pass the Hash Activity
 status: experimental
 description: 'Detects the attack technique pass the hash which is used to move laterally inside the network'
-reference: https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
+references:
+    - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
 author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
 logsource:
     product: windows
@@ -11,12 +12,12 @@ detection:
     selection:
         - EventID: 4624
           LogonType: '3'
-          LogonProcess: 'NtLmSsp'
+          LogonProcessName: 'NtLmSsp'
           WorkstationName: '%Workstations%'
           ComputerName: '%Workstations%'
         - EventID: 4625
           LogonType: '3'
-          LogonProcess: 'NtLmSsp'
+          LogonProcessName: 'NtLmSsp'
           WorkstationName: '%Workstations%'
           ComputerName: '%Workstations%'
     filter:

rules/windows/builtin/win_plugx_susp_exe_locations.yml

@@ -1,7 +1,7 @@
 title: Executable used by PlugX in Uncommon Location
 status: experimental
 description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
-reference: 
+references:
     - 'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/'
     - 'https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/'
 author: Florian Roth
@@ -14,50 +14,50 @@ detection:
     # CamMute
     selection_cammute:
         EventID: 4688
-        ProcessCommandLine: '*\CamMute.exe'
+        CommandLine: '*\CamMute.exe'
     filter_cammute:
         EventID: 4688
-        ProcessCommandLine: '*\Lenovo\Communication Utility\*'
+        CommandLine: '*\Lenovo\Communication Utility\*'
 
     # Chrome Frame Helper
     selection_chrome_frame:
         EventID: 4688
-        ProcessCommandLine: '*\chrome_frame_helper.exe'
+        CommandLine: '*\chrome_frame_helper.exe'
     filter_chrome_frame:
         EventID: 4688
-        ProcessCommandLine: '*\Google\Chrome\application\*'    
+        CommandLine: '*\Google\Chrome\application\*'    
 
     # Microsoft Device Emulator
     selection_devemu:
         EventID: 4688
-        ProcessCommandLine: '*\dvcemumanager.exe'
+        CommandLine: '*\dvcemumanager.exe'
     filter_devemu:
         EventID: 4688
-        ProcessCommandLine: '*\Microsoft Device Emulator\*'   
+        CommandLine: '*\Microsoft Device Emulator\*'   
 
     # Windows Media Player Gadget
     selection_gadget:
         EventID: 4688
-        ProcessCommandLine: '*\Gadget.exe'
+        CommandLine: '*\Gadget.exe'
     filter_gadget:
         EventID: 4688
-        ProcessCommandLine: '*\Windows Media Player\*'
+        CommandLine: '*\Windows Media Player\*'
 
     # HTML Help Workshop
     selection_hcc:
         EventID: 4688
-        ProcessCommandLine: '*\hcc.exe'
+        CommandLine: '*\hcc.exe'
     filter_hcc:
         EventID: 4688
-        ProcessCommandLine: '*\HTML Help Workshop\*'
+        CommandLine: '*\HTML Help Workshop\*'
 
     # Hotkey Command Module for Intel Graphics Contollers
     selection_hkcmd:
         EventID: 4688
-        ProcessCommandLine: '*\hkcmd.exe'
+        CommandLine: '*\hkcmd.exe'
     filter_hkcmd:
         EventID: 4688
-        ProcessCommandLine: 
+        CommandLine: 
             - '*\System32\*'
             - '*\SysNative\*'
             - '*\SysWowo64\*'
@@ -65,10 +65,10 @@ detection:
     # McAfee component
     selection_mc:
         EventID: 4688
-        ProcessCommandLine: '*\Mc.exe'
+        CommandLine: '*\Mc.exe'
     filter_mc:
         EventID: 4688
-        ProcessCommandLine: 
+        CommandLine: 
             - '*\Microsoft Visual Studio*'
             - '*\Microsoft SDK*'
             - '*\Windows Kit*'
@@ -76,10 +76,10 @@ detection:
     # MsMpEng - Microsoft Malware Protection Engine
     selection_msmpeng:
         EventID: 4688
-        ProcessCommandLine: '*\MsMpEng.exe'
+        CommandLine: '*\MsMpEng.exe'
     filter_msmpeng:
         EventID: 4688
-        ProcessCommandLine: 
+        CommandLine: 
             - '*\Microsoft Security Client\*'
             - '*\Windows Defender\*'
             - '*\AntiMalware\*'
@@ -87,26 +87,26 @@ detection:
     # Microsoft Security Center
     selection_msseces:
         EventID: 4688
-        ProcessCommandLine: '*\msseces.exe'
+        CommandLine: '*\msseces.exe'
     filter_msseces:
         EventID: 4688
-        ProcessCommandLine: '*\Microsoft Security Center\*'
+        CommandLine: '*\Microsoft Security Center\*'
 
     # Microsoft Office 2003 OInfo
     selection_oinfo:
         EventID: 4688
-        ProcessCommandLine: '*\OInfoP11.exe'
+        CommandLine: '*\OInfoP11.exe'
     filter_oinfo:
         EventID: 4688
-        ProcessCommandLine: '*\Common Files\Microsoft Shared\*'      
+        CommandLine: '*\Common Files\Microsoft Shared\*'      
 
     # OLE View
     selection_oleview:
         EventID: 4688
-        ProcessCommandLine: '*\OleView.exe'
+        CommandLine: '*\OleView.exe'
     filter_oleview:
         EventID: 4688
-        ProcessCommandLine: 
+        CommandLine: 
             - '*\Microsoft Visual Studio*'
             - '*\Microsoft SDK*'
             - '*\Windows Kit*'   
@@ -115,10 +115,10 @@ detection:
     # RC
     selection_rc:
         EventID: 4688
-        ProcessCommandLine: '*\OleView.exe'
+        CommandLine: '*\OleView.exe'
     filter_rc:
         EventID: 4688
-        ProcessCommandLine: 
+        CommandLine: 
             - '*\Microsoft Visual Studio*'
             - '*\Microsoft SDK*'
             - '*\Windows Kit*'   

rules/windows/builtin/win_possible_applocker_bypass.yml

@@ -1,8 +1,8 @@
 action: global
-title: Detects Possible Applocker Bypass
+title: Possible Applocker Bypass
 description: Detects execution of executables that can be used to bypass Applocker whitelisting
 status: experimental
-reference:
+references:
     - https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt
     - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
 author: juju4

rules/windows/builtin/win_psexesvc_start.yml

@@ -0,0 +1,16 @@
+title: PsExec Service Start
+description: Detects a PsExec service start
+author: Florian Roth
+date: 2018/03/13
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+        CommandLine: 'C:\Windows\PSEXESVC.exe'
+    condition: 1 of them
+falsepositives:
+    - Administrative activity
+level: low

rules/windows/builtin/win_rare_schtasks_creations.yml

@@ -1,4 +1,4 @@
-title: Rare SchTasks Creations
+title: Rare Schtasks Creations
 description: Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code
 status: experimental
 author: Florian Roth

rules/windows/builtin/win_susp_add_sid_history.yml

@@ -1,7 +1,8 @@
 title: Addition of SID History to Active Directory Object
 status: stable
 description: An attacker can use the SID history attribute to gain additional privileges.
-reference: https://adsecurity.org/?p=1772
+references:
+    - https://adsecurity.org/?p=1772
 author: Thomas Patzke
 logsource:
     product: windows

rules/windows/builtin/win_susp_backup_delete.yml

@@ -1,7 +1,7 @@
 title: Backup Catalog Deleted
 status: experimental
 description: Detects backup catalog deletions
-reference: 
+references:
     - https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx
     - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
 author: Florian Roth (rule), Tom U. @c_APT_ure (collection) 

rules/windows/builtin/win_susp_cli_escape.yml

@@ -1,8 +1,8 @@
 action: global
-title: Detects Suspicious Commandline escape
+title: Suspicious Commandline Escape
 description: Detects suspicious process that use escape characters
 status: experimental
-reference: 
+references:
     - https://twitter.com/vysecurity/status/885545634958385153
     - https://twitter.com/Hexacorn/status/885553465417756673
     - https://twitter.com/Hexacorn/status/885570278637678592
@@ -12,19 +12,19 @@ author: juju4
 detection:
     selection:
         CommandLine: 
-            - '^'
-            - '@'
+            #- '^'
+            #- '@'
 # 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form?
-            - '-'
-            - '―'
-            - 'c:/'
+            # - '-'
+            # - '―'
+            #- 'c:/'
             - '<TAB>'
             - '^h^t^t^p'
             - 'h"t"t"p'
     condition: selection
 falsepositives: 
     - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
+level: low
 ---
 # Windows Audit Log
 logsource:

rules/windows/builtin/win_susp_commands_recon_activity.yml

@@ -0,0 +1,42 @@
+---
+action: global
+title: Reconnaissance Activity with Net Command
+status: experimental
+description: 'Detects a set of commands often used in recon stages by different attack groups' 
+references:
+    - https://twitter.com/haroonmeer/status/939099379834658817
+    - https://twitter.com/c_APT_ure/status/939475433711722497
+author: Florian Roth
+date: 2017/12/12
+detection:
+    selection:
+        CommandLine: 
+            - 'tasklist'
+            - 'net time'
+            - 'systeminfo'
+            - 'whoami'
+            - 'nbtstat'
+            - 'net start'
+            - '*\net1 start'
+            - 'qprocess'
+            - 'nslookup'
+    timeframe: 1m 
+    condition: selection | count() > 2
+falsepositives: 
+    - False positives depend on scripts and administrative tools used in the monitored environment
+level: medium
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688

rules/windows/builtin/win_susp_dhcp_config.yml

@@ -1,7 +1,7 @@
-title: DHCP Server loaded the CallOut DLL
+title: DHCP Server Loaded the CallOut DLL
 status: experimental
 description: This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
-reference:
+references:
     - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
     - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
     - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
@@ -12,7 +12,6 @@ logsource:
     service: system
 detection:
     selection:
-        EventLog: System
         EventID: 1033
     condition: selection
 falsepositives: 

rules/windows/builtin/win_susp_dhcp_config_failed.yml

@@ -1,7 +1,7 @@
 title: DHCP Server Error Failed Loading the CallOut DLL
 description: This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded
 status: experimental
-reference:
+references:
     - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
     - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
     - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
@@ -12,7 +12,6 @@ logsource:
     service: system
 detection:
     selection:
-        - EventLog: System
           EventID: 
             - 1031
             - 1032

rules/windows/builtin/win_susp_dns_config.yml

@@ -2,7 +2,7 @@ title: DNS Server Error Failed Loading the ServerLevelPluginDLL
 description: This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
 status: experimental
 date: 2017/05/08
-reference: 
+references:
     - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
     - https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx
     - https://twitter.com/gentilkiwi/status/861641945944391680

rules/windows/builtin/win_susp_dsrm_password_change.yml

@@ -1,7 +1,8 @@
 title: Password Change on Directory Service Restore Mode (DSRM) Account
 status: stable
 description: The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.
-reference: https://adsecurity.org/?p=1714
+references:
+    - https://adsecurity.org/?p=1714
 author: Thomas Patzke
 logsource:
     product: windows

rules/windows/builtin/win_susp_eventlog_cleared.yml

@@ -1,6 +1,7 @@
 title: Eventlog Cleared
 description: One of the Windows Eventlogs has been cleared
-reference: https://twitter.com/deviouspolack/status/832535435960209408
+references:
+    - https://twitter.com/deviouspolack/status/832535435960209408
 author: Florian Roth
 logsource:
     product: windows

rules/windows/builtin/win_susp_failed_logon_reasons.yml

@@ -10,11 +10,11 @@ detection:
             - 4625
             - 4776
         Status:
-            - 0xC0000072
-            - 0xC000006F
-            - 0xC0000070
-            - 0xC0000413
-            - 0xC000018C
+            - '0xC0000072'
+            - '0xC000006F'
+            - '0xC0000070'
+            - '0xC0000413'
+            - '0xC000018C'
     condition: selection
 falsepositives:
     - User using a disabled account

rules/windows/builtin/win_susp_failed_logons_single_source.yml

@@ -5,15 +5,20 @@ logsource:
     product: windows
     service: security
 detection:
-    selection:
+    selection1:
         EventID:
             - 529
             - 4625
-            - 4776
-        UserName: not null
-        SourceWorkstation: not null
+        UserName: '*'
+        WorkstationName: '*'
+    selection2:
+        EventID: 4776
+        UserName: '*'
+        Workstation: '*'
     timeframe: 24h 
-    condition: selection | count(UserName) by SourceWorkstation > 3
+    condition:
+        - selection1 | count(UserName) by WorkstationName > 3
+        - selection2 | count(UserName) by Workstation > 3
 falsepositives:
     - Terminal servers
     - Jump servers

rules/windows/builtin/win_susp_iss_module_install.yml

@@ -0,0 +1,31 @@
+---
+action: global
+title: IIS Native-Code Module Command Line Installation
+description: Detects suspicious IIS native-code module installations via command line
+status: experimental
+references:
+    - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
+author: Florian Roth
+detection:
+    selection:
+        CommandLine: 
+            - '*\APPCMD.EXE install module /name:*'
+    condition: selection
+falsepositives: 
+    - Unknown as it may vary from organisation to arganisation how admins use to install IIS modules
+level: medium
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688

rules/windows/builtin/win_susp_lsass_dump.yml

@@ -1,7 +1,8 @@
 title: Password Dumper Activity on LSASS
 description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN 
 status: experimental
-reference: https://twitter.com/jackcr/status/807385668833968128
+references:
+    - https://twitter.com/jackcr/status/807385668833968128
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_susp_msiexec_web_install.yml

@@ -0,0 +1,32 @@
+---
+action: global
+title: MsiExec Web Install
+status: experimental
+description: Detects suspicious msiexec proess starts with web addreses as parameter
+references:
+    - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
+author: Florian Roth
+date: 2018/02/09
+detection:
+    selection:
+        CommandLine: 
+            - '* msiexec*:\/\/*'
+    condition: selection
+falsepositives: 
+    - False positives depend on scripts and administrative tools used in the monitored environment
+level: medium
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688

rules/windows/builtin/win_susp_msmpeng_crash.yml

@@ -2,7 +2,7 @@ title: Microsoft Malware Protection Engine Crash
 description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
 status: experimental
 date: 2017/05/09
-reference: 
+references:
     - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
     - https://technet.microsoft.com/en-us/library/security/4022344
 author: Florian Roth
@@ -16,12 +16,11 @@ detection:
     selection2:
         Source: 'Windows Error Reporting'
         EventID: 1001
-    keyword1:
+    keywords:
         - 'MsMpEng.exe'
-    keyword2:
         - 'mpengine.dll'
-    condition: (selection1 or selection2) and keyword1 and keyword2
+    condition: 1 of selection* and all of keywords
 falsepositives: 
-    - Unknown
+    - MsMpEng.exe can crash when C:\ is full
 level: high
 

rules/windows/builtin/win_susp_net_recon_activity.yml

@@ -1,7 +1,8 @@
-title: Detects Reconnaissance Activity
+title: Reconnaissance Activity
 status: experimental
 description: 'Detects activity as "net user administrator /domain" and "net group domain admins /domain"' 
-reference: https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
+references:
+    - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
 author: Florian Roth (rule), Jack Croock (method)
 logsource:
     product: windows

rules/windows/builtin/win_susp_ntdsutil.yml

@@ -0,0 +1,31 @@
+---
+action: global
+title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
+description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
+status: experimental
+references:
+    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
+author: Thomas Patzke
+detection:
+    selection:
+        CommandLine: '*\ntdsutil.exe *'
+    condition: selection
+falsepositives: 
+    - NTDS maintenance
+level: high
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+

rules/windows/builtin/win_susp_ntlm_auth.yml

@@ -0,0 +1,20 @@
+title: NTLM Logon
+status: experimental
+description: Detects logons using NTLM, which could be caused by a legacy source or attackers
+references:
+    - https://twitter.com/JohnLaTwC/status/1004895028995477505
+    - https://goo.gl/PsqrhT
+author: Florian Roth
+date: 2018/06/08
+logsource:
+    product: windows
+    service: ntlm
+    description: Reqiures events from Microsoft-Windows-NTLM/Operational
+detection:
+    selection:
+        EventID: 8002
+        CallingProcessName: '*'  # We use this to avoid false positives with ID 8002 on other log sources if the logsource isn't set correctly
+    condition: selection
+falsepositives:
+    - Legacy hosts
+level: low

rules/windows/builtin/win_susp_phantom_dll.yml

@@ -1,83 +0,0 @@
-action: global
-title: Detects Phantom DLLs usage
-description: Detects Phantom DLLs usage and matching executable
-status: experimental
-reference: 
-    - http://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
-    - http://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/
-author: juju4
-detection:
-    selection:
-        CommandLine: 
-            - '*ntbackup*'
-            - '*\edbbcli.dll*'
-            - '*\esebcli2.dll*'
-#            - '*mrt*'
-            - '*\bcrypt.dll*'
-            - '*sessmgr*'
-            - '*\SalemHook.dll*'
-            - '*certreq*'
-            - '*\msfte.dll*'
-            - '*\mstracer.dll*'
-            - '*fxscover*'
-            - '*\TPPrnUIENU.dll*'
-            - '*dxdiag*'
-            - '*\DXGIDebug.dll*'
-            - '*msinfo32*'
-            - '*\fveapi.dll*'
-            - '*narrator*'
-            - '*\MSTTSLocEnUS.dll*'
-            - '*\Wow64Log.dll*'
-            - '*Dism*'
-            - '*\Dism\wimgapi.dll*'
-            - '*\DismCore.dll*'
-            - '*FileHistory*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\api-ms-win-core-winrt-l1-1-0.dll*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\mscoree.dll*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\ole32.dll*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\urlmon.dll*'
-#            - '*mmc*'
-            - '*\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\oleaut32.dll*'
-            - '*\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\shell32.dll*'
-            - '*\Microsoft.Net\assembly\GAC_MSIL\MIGUIControls\v4.0_1.0.0.0__31bf3856ad364e35\ntdll.dll*'
-            - '*\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\comctl32.dll*'
-            - '*\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\uxtheme.dll*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\api-ms-win-core-winrt-l1-1-0.dll*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\mscoree.dll*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\ole32.dll*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\VERSION.dll*'
-            - '*Narrator*'
-            - '*speech\engines\tts\MSTTSLocEnUS.DLL'
-            - '*omadmclient*'
-            - '*cmnet.dll*'
-            - '*PresentationHost*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationHost_v0400.dll*'
-            - '*provtool*'
-            - '*MvHelper.dll*'
-            - '*SearchIndexer*'
-            - '*msfte.dll*'
-            - '*msTracer.dll*'
-            - '*SearchProtocolHost*'
-            - '*msfte.dll*'
-            - '*msTracer.dll*'
-    condition: selection
-falsepositives: 
-    - False positives depend on environment
-level: medium
----
-# Windows Audit Log
-logsource:
-    product: windows
-    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
----
-# Sysmon
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1

rules/windows/builtin/win_susp_process_creations.yml

@@ -1,9 +1,9 @@
 ---
 action: global
-title: Detects Suspicious Process Creations
+title: Suspicious Process Creation
 description: Detects suspicious process starts on Windows systems bsed on keywords
 status: experimental
-reference: 
+references:
     - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
     - https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s
     - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
@@ -43,6 +43,7 @@ detection:
             - '*\certutil.exe -ping *'
             - 'icacls * /grant Everyone:F /T /C /Q'
             - '* wmic shadowcopy delete *'
+            - '* wbadmin.exe delete catalog -quiet*'  # http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
             # Scripts
             - '*\wscript.exe *.jse'
             - '*\wscript.exe *.js'
@@ -65,8 +66,6 @@ detection:
             - '*AddInProcess*'
             # NotPowershell (nps) attack
             - '*msbuild*'
-            - '*forfiles*'
-            - '*bash*'
     condition: selection
 falsepositives: 
     - False positives depend on scripts and administrative tools used in the monitored environment

rules/windows/builtin/win_susp_rasdial_activity.yml

@@ -1,8 +1,8 @@
 action: global
-title: Detects Suspicious rasdial activity
+title: Suspicious RASdial Activity
 description: Detects suspicious process related to rasdial.exe
 status: experimental
-reference: 
+references:
     - https://twitter.com/subTee/status/891298217907830785
 author: juju4
 detection:

rules/windows/builtin/win_susp_rc4_kerberos.yml

@@ -1,7 +1,9 @@
 title: Suspicious Kerberos RC4 Ticket Encryption
 status: experimental
-reference: https://adsecurity.org/?p=3458
-description: Detects logons using RC4 encryption type
+references:
+    - https://adsecurity.org/?p=3458
+    - https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity
+description: Detects service ticket requests using RC4 encryption type
 logsource:
     product: windows
     service: security
@@ -9,10 +11,9 @@ detection:
     selection:
         EventID: 4769
         TicketOptions: '0x40810000'
-        TicketEncryption: '0x17'
+        TicketEncryptionType: '0x17'
     reduction:
         - ServiceName: '$*'
-        - Type: 'Success Audit'
     condition: selection and not reduction
 falsepositives:
     - Service accounts used on legacy systems (e.g. NetApp)

rules/windows/builtin/win_susp_run_locations.yml

@@ -1,8 +1,8 @@
 action: global
-title: Detects Suspicious Run Locations
+title: Suspicious Process Start Locations
 description: Detects suspicious process run from unusual locations
 status: experimental
-reference: 
+references:
     - https://car.mitre.org/wiki/CAR-2013-05-002
 author: juju4
 detection: