Fixed build

Missing package specification

.travis.yml

@@ -1,12 +1,24 @@
 language: python
+dist: xenial
 python:
-  - 3.4
-  - 3.5
+  # - 3.5  # Deactivated because Travis CI tests failed randomly (Travis's problem)
   - 3.6
-  - pypy3
+  - 3.7
+sudo: true
+services:
+    - elasticsearch
 cache: pip
+before_install:
+    - curl -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.2.4.deb && sudo dpkg -i --force-confnew elasticsearch-6.2.4.deb && sudo service elasticsearch restart
 install:
   - pip install -r tools/requirements-devel.txt 
-
 script:
   - make test
+  - make test-backend-es-qs
+notifications:
+  email:
+    recipients:
+      - venom14@gmail.com
+      - thomas@patzke.org
+    on_success: change
+    on_failure: always

.yamllint

@@ -1,4 +1,12 @@
 ---
 # https://yamllint.readthedocs.io/en/latest/configuration.html
+extends: default
 rules:
+  comments: disable
+  comments-indentation: disable
   document-start: disable
+  empty-lines: {max: 2, max-start: 2, max-end: 2}
+  indentation: disable
+  line-length: disable
+  new-line-at-end-of-file: disable
+  trailing-spaces: disable

BREAKING_CHANGES.md

@@ -0,0 +1,30 @@
+# Breaking Changes in Sigma
+
+Improvement sometimes makes it inavoidable to break with the past. This file describes the planned and implemented
+breaking changes since 2019. Monitor this file if you use Sigma in productive environments.
+
+Columns:
+
+* Date: The date the change was or will be implemented. Planned dates may be sunject of changes.
+* Status may be one of:
+    * Planned: there's the idea, but work hasn't begun.
+    * Development: the change is currently developed.
+    * Implemented: the development is finished, but the change was not yet merged to the master.
+    * Merged: the change has been merged to the master branch. Breaking changes affecting only rules
+      skip this state.
+    * Released: the change has been released officially, this means:
+        * Code or configuration of Sigma tools was pushed as [PyPI release](https://pypi.org/project/sigmatools/)
+        * Sigma rules were merged to master.
+* Issues: GitHub issues in the project repository for further details.
+* Commit/Branch:
+    * a development branch for the states *Development* and *Implemented*.
+    * a commit reference to the merge commit for states from *Merged*.
+* Release: [PyPI release](https://pypi.org/project/sigmatools/) that implements or will implement the change.
+* Description: contains a short description of the change.
+
+| Date       | Status   | Issues              | Commit/Branch   | Release | Description                                                                                                                                                 |
+|------------|----------|---------------------|-----------------|---------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| 2019-10-01 | Planned  | -                   | -               | -       | Field name cleanup                                                                                                                                          |
+| 2019-08-01 | Released | -                   | config-cleanup  | 0.12    | Configuration name cleanup                                                                                                                                  |
+| 2019-08-01 | Released | -                   | devel-modifiers | 0.12    | Pipe character must be escaped with backslash in field value names due to introduction of value modifiers                                                   |
+| 2019-03-02 | Released | #136 #137 #139 #147 | 56a1ed1         | 0.9     | Introduction of [generic log sources](https://patzke.org/introducing-generic-log-sources-in-sigma.html) and *process_creation* as first generic log source. |

Makefile

@@ -1,7 +1,7 @@
-.PHONY: test test-yaml test-sigmac
-TMPOUT = $(shell tempfile)
-COVSCOPE = tools/sigma/*.py,tools/sigmac,tools/merge_sigma
-test: clearcov test-yaml test-sigmac test-merge build finish
+.PHONY: test test-rules test-sigmac
+TMPOUT = $(shell tempfile||mktemp)
+COVSCOPE = tools/sigma/*.py,tools/sigma/backends/*.py,tools/sigmac,tools/merge_sigma
+test: clearcov test-rules test-sigmac test-merge build finish
 
 clearcov:
 	rm -f .coverage
@@ -10,53 +10,84 @@ finish:
 	coverage report --fail-under=90
 	rm -f $(TMPOUT)
 
-test-yaml:
+test-rules:
 	yamllint rules
+	tests/test_rules.py
 
 test-sigmac:
+	coverage run -a --include=$(COVSCOPE) tools/sigmac
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -h
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -l
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=stable,logsource=windows' rules/ > /dev/null
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=xcritical,status=stable,logsource=windows' rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level=critical' rules/ > /dev/null
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level=xcritical' rules/ > /dev/null
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'foo=bar' rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t es-qs rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t es-qs rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t kibana rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t kibana rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t xpack-watcher rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t xpack-watcher rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-defaultindex.yml -t xpack-watcher rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/splunk-windows-all.yml -t splunk rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logpoint-windows-all.yml -t logpoint rules/ > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvd -t es-qs rules/ > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs --shoot-yourself-in-the-foot rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c winlogbeat tests/test-modifiers.yml > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -O rulecomment -rvdI -c tools/config/winlogbeat.yml -t es-qs rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana -c tools/config/winlogbeat.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t graylog rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher -O email,index,webhook -c tools/config/winlogbeat.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert -c tools/config/winlogbeat.yml -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert-dsl -c tools/config/winlogbeat.yml -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkxml -c tools/config/splunk-windows.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint -c tools/config/logpoint-windows.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t wdatp rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala --backend-config tests/backend_config.yml rules/windows/process_creation/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-dsl -c tools/config/winlogbeat.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t powershell -c tools/config/powershell.yml -Ocsv rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight -c tools/config/arcsight.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qradar -c tools/config/qradar.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qualys -c tools/config/qualys.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t netwitness -c tools/config/netwitness.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sumologic -O rulecomment -c tools/config/sumologic.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=stable,logsource=windows,tag=attack.execution' rules/ > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=xcritical,status=stable,logsource=windows' rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level=critical' rules/ > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level=xcritical' rules/ > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'foo=bar' rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -t es-qs rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c sysmon -c logstash-windows -t es-qs rules/ > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c sysmon -c logstash-windows -t splunk rules/ > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -c tools/config/generic/sysmon.yml -t es-qs rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-linux.yml -t es-qs rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -t kibana rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -Ooutput=curl -t kibana rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-linux.yml -t kibana rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-linux.yml -Ooutput=curl -t kibana rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -t xpack-watcher rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-linux.yml -t xpack-watcher rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/filebeat-defaultindex.yml -t xpack-watcher rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/splunk-windows.yml -t splunk rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/generic/sysmon.yml -c tools/config/splunk-windows.yml -t splunk rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t grep rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t fieldlist rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -O output=plain -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -o $(TMPOUT) tests/collection_repeat.yml > /dev/null
-	! coverage run -a --include=$(COVSCOPE)  tools/sigmac -t xpack-watcher -O output=foobar -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/not_existing.yml > /dev/null
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/invalid_yaml.yml > /dev/null
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/invalid_sigma-no_identifiers.yml > /dev/null
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/invalid_sigma-no_condition.yml > /dev/null
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/invalid_sigma-invalid_identifier_reference.yml > /dev/null
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/invalid_sigma-invalid_aggregation.yml > /dev/null
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/invalid_sigma-wrong_identifier_definition.yml > /dev/null
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs rules/windows/builtin/win_susp_failed_logons_single_source.yml
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -o /not_possible rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=plain -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -t kibana -c tests/config-multiple_mapping.yml -c tests/config-multiple_mapping-2.yml tests/mapping-conditional-multi.yml > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=json -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml -o $(TMPOUT) - < tests/collection_repeat.yml > /dev/null
+	! coverage run -a --include=$(COVSCOPE)  tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=foobar -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/not_existing.yml > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_yaml.yml > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-no_identifiers.yml > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-no_condition.yml > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-invalid_identifier_reference.yml > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-invalid_aggregation.yml > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-wrong_identifier_definition.yml > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml rules/windows/builtin/win_susp_failed_logons_single_source.yml
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml -o /not_possible rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c not_existing rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_yaml.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_config.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvI -c tools/config/elk-defaultindex.yml -t kibana rules/ > /dev/null
 
 test-merge:
 	tests/test-merge.sh
-	! coverage run -a --include=$(COVSCOPE) tools/merge_sigma.py tests/not_existing.yml > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/merge_sigma tests/not_existing.yml > /dev/null
+
+test-backend-es-qs:
+	tests/test-backend-es-qs.py
 
 build: tools/sigmac tools/merge_sigma tools/sigma/*.py tools/setup.py tools/setup.cfg
 	cd tools && python3 setup.py bdist_wheel

README.md

@@ -3,9 +3,10 @@
 ![sigma_logo](./images/Sigma_0.3.png)
 
 # Sigma
+
 Generic Signature Format for SIEM Systems
 
-# What is Sigma?
+# What is Sigma
 
 Sigma is a generic and open signature format that allows you to describe relevant log events in a straight forward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others.
 
@@ -17,48 +18,31 @@ This repository contains:
 * Open repository for sigma signatures in the `./rules`subfolder
 * A converter that generate searches/queries for different SIEM systems [work in progress]
 
+![sigma_description](./images/Sigma-description.png)
+
 ## Hack.lu 2017 Talk
 
 [![Sigma - Generic Signatures for Log Events](https://preview.ibb.co/cMCigR/Screen_Shot_2017_10_18_at_15_47_15.png)](https://www.youtube.com/watch?v=OheVuE9Ifhs "Sigma - Generic Signatures for Log Events")
 
+## SANS Webcast on MITRE ATT&CK and Sigma
+
+The SANS webcast on Sigma contains a very good 20 min introduction to the project by John Hubbart from minute 39 onward. (SANS account required; registration is free)
+
+[MITRE ATT&CK and Sigma Alerting Webcast Recording](https://www.sans.org/webcasts/mitre-att-ck-sigma-alerting-110010 "MITRE ATT&CK and Sigma Alerting")
+
 # Use Cases
 
-* Describe your once discovered detection method in Sigma to make it sharable 
-* Share the signature in the appendix of your analysis along with file hashes and C2 servers
+* Describe your detection method in Sigma to make it sharable
+* Write and your SIEM searches in Sigma to avoid a vendor lock-in
+* Share the signature in the appendix of your analysis along with IOCs and YARA rules
 * Share the signature in threat intel communities - e.g. via MISP
-* Provide Sigma signatures for malicious behaviour in your own application (Error messages, access violations, manipulations) 
-* Integrate a new log into your SIEM and check the Sigma repository for available rules
-* Write a rule converter for your custom log analysis tool and process new Sigma rules automatically
-* Provide a free or commercial feed for Sigma signatures
-
-# Sigma Converter
-
-The converter is currently under development in the *devel-sigmac* branch of this project. It has currently the
-following capabilities:
-
-* Parsing of Sigma rule files
-* Conversion of searches into Elasticsearch and Splunk queries
-
-Planned main features are:
-
-* Conversion of aggregation expressions (after the pipe character)
-* Output of Kibana JSON configurations
-
-Support for further SIEM solutions can be added by developing an corresponsing output backend class.
-
-![sigma_description](./images/Sigma-description.png)
+* Provide Sigma signatures for malicious behaviour in your own application
 
 # Why Sigma
 
 Today, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and build their own searches and dashboard. Some of their searches and correlations are great and very useful but they lack a standardized format in which they can share their work with others. 
 
-Others provide excellent analyses for threat groups, sharing file indicators, C2 servers and YARA rules to detect the malicious files, but describe a certain malicious service install or remote thread injection in a separate paragraph. Security analysts, who read that paragraph then extract the necessary information and create rules in their SIEM system. The detection method never finds a way into a repository that is shared, structured and archived. 
-
-The lower layers of the OSI layer are well known and described. Every SIEM vendor has rules to detect port scans, ping sweeps and threats like the ['smurf attack'](https://en.wikipedia.org/wiki/Smurf_attack). But the higher layers contain numerous applications and protocols  with special characteristics that write their own custom log files. SIEM vendors consider the signatures and correlations as their intelectual property and do not tend to share details on the coverage. 
-
-Sigma is meant to be an open standard in which detection mechanisms can be defined, shared and collected in order to improve the detection capabilities on the application layers for everyone. 
-
-![sigma_why](./images/Problem_OSI_v01.png)
+Others provide excellent analyses, include IOCs and YARA rules to detect the malicious files and network connections, but have no way to describe a specific or generic detection method in log events. Sigma is meant to be an open standard in which such detection mechanisms can be defined, shared and collected in order to improve the detection capabilities for everyone. 
 
 ## Slides
 
@@ -72,6 +56,21 @@ The specifications can be found in the [Wiki](https://github.com/Neo23x0/sigma/w
 
 The current specification is a proposal. Feedback is requested.
 
+# Getting Started
+
+## Rule Creation
+
+Florian wrote a short [rule creation tutorial](https://www.nextron-systems.com/2018/02/10/write-sigma-rules/) that can help you getting started.
+
+## Rule Usage 
+
+1. Download or clone the respository
+2. Check the `./rules` sub directory for an overview on the rule base
+3. Run `python sigmac --help` in folder `./tools` to get a help on the rule converter
+4. Convert a rule of your choice with `sigmac` like `./sigmac -t splunk -c tools/config/generic/sysmon.yml ./rules/windows/process_creation/win_susp_whoami.yml`
+5. Convert a whole rule directory with `python sigmac -t splunk -r ../rules/proxy/`
+6. Check the `./tools/config` folder and the [wiki](https://github.com/Neo23x0/sigma/wiki/Converter-Tool-Sigmac) if you need custom field or log source mappings in your environment
+
 # Examples
 
 Windows 'Security' Eventlog: Access to LSASS Process with Certain Access Mask / Object Type (experimental)
@@ -89,49 +88,194 @@ Sysmon: Web Shell Detection
 Windows 'Security' Eventlog: Suspicious Number of Failed Logons from a Single Source Workstation
 ![sigma_rule example5](./images/Sigma_rule_example5.png)
 
-## Sigma Toolchain
+# Sigma Tools 
+
+## Sigmac 
 
 Sigmac converts sigma rules into queries or inputs of the supported targets listed below. It acts as a frontend to the
 Sigma library that may be used to integrate Sigma support in other projects. Further, there's `merge_sigma.py` which
 merges multiple YAML documents of a Sigma rule collection into simple Sigma rules.
 
-![sigmac_converter](./images/Sigmac-win_susp_rc4_kerberos.png)
+### Usage
+
+```
+usage: sigmac [-h] [--recurse] [--filter FILTER]
+              [--target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}]
+              [--target-list] [--config CONFIG] [--output OUTPUT]
+              [--backend-option BACKEND_OPTION] [--defer-abort]
+              [--ignore-backend-errors] [--verbose] [--debug]
+              [inputs [inputs ...]]
+
+Convert Sigma rules into SIEM signatures.
+
+positional arguments:
+  inputs                Sigma input files ('-' for stdin)
+
+optional arguments:
+  -h, --help            show this help message and exit
+  --recurse, -r         Use directory as input (recurse into subdirectories is
+                        not implemented yet)
+  --filter FILTER, -f FILTER
+                        Define comma-separated filters that must match (AND-
+                        linked) to rule to be processed. Valid filters:
+                        level<=x, level>=x, level=x, status=y, logsource=z,
+                        tag=t. x is one of: low, medium, high, critical. y is
+                        one of: experimental, testing, stable. z is a word
+                        appearing in an arbitrary log source attribute. t is a
+                        tag that must appear in the rules tag list, case-
+                        insensitive matching. Multiple log source
+                        specifications are AND linked.
+  --target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}, -t {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}
+                        Output target format
+  --target-list, -l     List available output target formats
+  --config CONFIG, -c CONFIG
+                        Configurations with field name and index mapping for
+                        target environment. Multiple configurations are merged
+                        into one. Last config is authorative in case of
+                        conflicts.
+  --output OUTPUT, -o OUTPUT
+                        Output file or filename prefix if multiple files are
+                        generated
+  --backend-option BACKEND_OPTION, -O BACKEND_OPTION
+                        Options and switches that are passed to the backend
+  --defer-abort, -d     Don't abort on parse or conversion errors, proceed
+                        with next rule. The exit code from the last error is
+                        returned
+  --ignore-backend-errors, -I
+                        Only return error codes for parse errors and ignore
+                        errors for rules that cause backend errors. Useful,
+                        when you want to get as much queries as possible.
+  --verbose, -v         Be verbose
+  --debug, -D           Debugging output
+```
+
+### Examples
+
+#### Single Rule Translation
+Translate a single rule
+```
+tools/sigmac -t splunk rules/windows/sysmon/sysmon_susp_image_load.yml
+```
+#### Rule Set Translation
+Translate a whole rule directory and ignore backend errors (`-I`) in rule conversion for the selected backend (`-t splunk`)
+```
+tools/sigmac -I -t splunk -r rules/windows/sysmon/
+```
+#### Rule Set Translation with Custom Config 
+Apply your own config file (`-c ~/my-elk-winlogbeat.yml`) during conversion, which can contain you custom field and source mappings
+```
+tools/sigmac -t es-qs -c ~/my-elk-winlogbeat.yml -r rules/windows/sysmon
+```
+#### Generic Rule Set Translation
+Use a config file for `process_creation` rules (`-r rules/windows/process_creation`) that instructs sigmac to create queries for a Sysmon log source (`-c tools/config/generic/sysmon.yml`) and the ElasticSearch target backend (`-t es-qs`) 
+```
+tools/sigmac -t es-qs -c tools/config/generic/sysmon.yml -r rules/windows/process_creation
+```
+#### Generic Rule Set Translation with Custom Config
+Use a config file for a single `process_creation` rule (`./rules/windows/process_creation/win_susp_outlook.yml`) that instructs sigmac to create queries for process creation events generated in the Windows Security Eventlog (`-c tools/config/generic/windows-audit.yml`) and a Splunk target backend (`-t splunk`)
+```
+tools/sigmac -t splunk -c ~/my-splunk-mapping.yml -c tools/config/generic/windows-audit.yml ./rules/windows/process_creation/win_susp_outlook.yml
+```
+(See @blubbfiction's [blog post](https://patzke.org/a-guide-to-generic-log-sources-in-sigma.html) for more information)
 
 ### Supported Targets
 
-* [Splunk](https://www.splunk.com/)
-* [ElasticSearch](https://www.elastic.co/)
+* [Splunk](https://www.splunk.com/) (plainqueries and dashboards)
+* [ElasticSearch Query Strings](https://www.elastic.co/)
+* [ElasticSearch Query DSL](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl.html)
+* [Kibana](https://www.elastic.co/de/products/kibana)
 * [Elastic X-Pack Watcher](https://www.elastic.co/guide/en/x-pack/current/xpack-alerting.html)
 * [Logpoint](https://www.logpoint.com)
+* [Windows Defender Advanced Threat Protection (WDATP)](https://www.microsoft.com/en-us/windowsforbusiness/windows-atp)
+* [Azure Sentinel / Azure Log Analytics](https://azure.microsoft.com/en-us/services/azure-sentinel/)
+* [ArcSight](https://software.microfocus.com/en-us/products/siem-security-information-event-management/overview)
+* [QRadar](https://www.ibm.com/de-de/marketplace/ibm-qradar-siem)
+* [Qualys](https://www.qualys.com/apps/threat-protection/)
+* [RSA NetWitness](https://www.rsa.com/en-us/products/threat-detection-response)
+* [PowerShell](https://docs.microsoft.com/en-us/powershell/scripting/getting-started/getting-started-with-windows-powershell?view=powershell-6)
+* [Grep](https://www.gnu.org/software/grep/manual/grep.html) with Perl-compatible regular expression support
+
+Current work-in-progress
+* [Splunk Data Models](https://docs.splunk.com/Documentation/Splunk/7.1.0/Knowledge/Aboutdatamodels)
+
+New targets are continuously developed. You can get a list of supported targets with `sigmac --target-list` or `sigmac -l`.
 
 ### Requirements
 
-The usage of Sigmac or the underlying library requires Python >= 3.4 and PyYAML.
+The usage of Sigmac (the Sigma Rule Converter) or the underlying library requires Python >= 3.5 and PyYAML.
 
 ### Installation
 
 It's available on PyPI. Install with:
 
-```
+```bash
 pip3 install sigmatools
 ```
 
-# Next Steps 
+Alternatively, if used from the Sigma Github repository, the Python dependencies can be installed with:
 
-* Integration of feedback into the rule specifications
-* Integration into Threat Intel Exchanges, e.g. [MISP](http://www.misp-project.org/)
+```bash
+pip3 install -r tools/requirements.txt
+```
+
+For development (e.g. execution of integration tests with `make` and packaging), further dependencies are required and can be installed with:
+
+```bash
+pip3 install -r tools/requirements-devel.txt
+```
+
+## Sigma2MISP
+
+Import Sigma rules to MISP events. Depends on PyMISP.
+
+Parameters that aren't changed frequently (`--url`, `--key`) can be put without the prefixing dashes `--` into a file
+and included with `@filename` as parameter on the command line.
+
+Example:
+*misp.conf*:
+```
+url https://host
+key foobarfoobarfoobarfoobarfoobarfoobarfoo 
+```
+
+Load Sigma rule into MISP event 1234:
+```
+sigma2misp @misp.conf --event 1234 sigma_rule.py
+```
+
+Load Sigma rules in directory sigma_rules/ into one newly created MISP event with info set to *Test Event*:
+```
+sigma2misp @misp.conf --same-event --info "Test Event" -r sigma_rules/
+```
+
+## Evt2Sigma
+
+[Evt2Sigma](https://github.com/Neo23x0/evt2sigma) helps you with the rule creation. It generates a Sigma rule from a log entry. 
+
+## Contributed Scripts
+
+The directory `contrib` contains scripts that were contributed by the community:
+
+* `sigma2elastalert.py`i by David Routin: A script that converts Sigma rules to Elastalert configurations. This tool
+  uses *sigmac* and expects it in its path.
+
+These tools are not part of the main toolchain and maintained separately by their authors.
+
+# Next Steps
+
+* Integration of MITRE ATT&CK framework identifier to the rule set
+* Integration into Threat Intel Exchanges
 * Attempts to convince others to use the rule format in their reports, threat feeds, blog posts, threat sharing platforms
 
-# Projects that use Sigma
+# Projects or Products that use Sigma
 
-* [Augmentd](https://augmentd.co/)
+* [MISP](http://www.misp-project.org/2017/03/26/MISP.2.4.70.released.html) (since version 2.4.70, March 2017)
 * [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches) (Splunk App)
-
-# Credits
-
-This is a private project mainly developed by Florian Roth and Thomas Patzke with feedback from many fellow analysts and friends. Rules are our own or have been drived from blog posts, tweets or other public sources that are referenced in the rules.
-
-Copyright for Tree Image: [studiobarcelona / 123RF Stock Photo](http://www.123rf.com/profile_studiobarcelona)
+* [SOC Prime - Sigma Rule Editor](https://tdm.socprime.com/sigma/)
+* [ypsilon](https://github.com/P4T12ICK/ypsilon) - Automated Use Case Testing 
+* [uncoder.io](https://uncoder.io/) - Online Translator for SIEM Searches
+* [SPARK](https://www.nextron-systems.com/2018/06/28/spark-applies-sigma-rules-in-eventlog-scan/) - Scan with Sigma rules on endpoints
+* [RANK VASA](https://globenewswire.com/news-release/2019/03/04/1745907/0/en/RANK-Software-to-Help-MSSPs-Scale-Cybersecurity-Offerings.html)
 
 # Licenses
 
@@ -140,3 +284,11 @@ The content of this repository is released under the following licenses:
 * The toolchain (everything under `tools/`) is licensed under the [GNU Lesser General Public License](https://www.gnu.org/licenses/lgpl-3.0.en.html).
 * The [Sigma specification](https://github.com/Neo23x0/sigma/wiki) is public domain.
 * Everything else, especially the rules contained in the `rules/` directory is released under the [GNU General Public License](https://www.gnu.org/licenses/gpl-3.0.en.html).
+
+# Credits
+
+This is a private project mainly developed by Florian Roth and Thomas Patzke with feedback from many fellow analysts and friends. Rules are our own or have been drived from blog posts, tweets or other public sources that are referenced in the rules.
+
+# Info Graphic
+
+![sigmac_info_graphic](./images/sigma_infographic_lq.png)

contrib/sigma2elastalert.py

@@ -0,0 +1,173 @@
+#!/usr/bin/python
+# Copyright 2018 David Routin
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+"""
+Project: sigma2elastalert.py
+Date: 25 Feb 2018
+Author: David ROUTIN  (@Rewt_1)
+Version: 1.0
+Description: This script creates elastalert configuration files from Sigma SIEM rules.
+"""
+
+import re
+import os
+import glob
+import subprocess
+import argparse
+import yaml
+import traceback
+
+parser = argparse.ArgumentParser()
+parser.add_argument("--eshost", help="Elasticsearch host", type=str, required=True)
+parser.add_argument("--esport", help="Elasticsearch port", type=str, required=True)
+parser.add_argument("--ruledir", help="sigma rule directory path to convert", type=str, required=True)
+parser.add_argument("--index", help="Elasticsearch index name egs: \"winlogbeat-*\"", type=str, required=True)
+parser.add_argument("--email", help="email address to send mail alert", type=str, required=True)
+parser.add_argument("--outdir", help="output directory to create elastalert rules", type=str, required=True)
+parser.add_argument("--sigmac", help="Sigmac location", default="../tools/sigmac", type=str)
+parser.add_argument("--realerttime", help="Realert time (optional value, default 5 minutes)", type=str, default=5)
+parser.add_argument("--debug", help="Show debug output", type=bool, default=False)
+args = parser.parse_args()
+
+custom_query_keys = ["sensor", "Hostname", "EventID", "src_ip", "dst_ip"]
+
+
+template="""es_host: ESHOST
+es_port: ESPORT
+name: "TITLE"
+description: "DESCRIPTION"
+index: INDEX
+filter:
+- query:
+    query_string:
+      query: 'QUERY'
+realert:
+ minutes: MINUTES
+query_key: UNIQKEYS
+type: any
+include: UNIQKEYS
+alert:
+- "email"
+
+# (required, email specific)
+# a list of email addresses to send alerts to
+email:
+- "EMAIL"
+"""
+
+def return_json_obj(x,custom_query_keys):
+    """
+    Function used to filter all ES query object as unique value including predefined list from custom_query_keys
+    :param x: must contains ES query output
+    :param custom_query_keys: takes the list of predefined element to match in document
+    :return: a clean list (set) of all the query keys (EventID,TargetUserName...)
+    """
+    # type: (str, list) -> list
+    y = x.replace(" ", "\n").split()
+    out = set()
+    for i in y:
+        out.update(re.findall("([a-zA-Z]+)\:", i))
+
+    for qk in custom_query_keys:
+        try:
+            out.remove(qk)
+        except:
+            pass
+    out = list(out)
+    count = 0
+    for qk in custom_query_keys:
+        count += 1
+        out.insert(count-1, qk)
+    return out
+
+def rule_element(file_content, elements):
+    """
+    Function used to get specific element from yaml document and return content
+    :type file_content: str
+    :type elements: list
+    :param file_content:
+    :param elements: list of elements of the yaml document to get "title", "description"
+    :return: the value of the key in the yaml document
+    """
+    try:
+        yaml.safe_load(file_content.replace("---",""))
+    except:
+        raise Exception('Unsupported')
+    element_output = ""
+    for e in elements:
+        try:
+            element_output = yaml.safe_load(file_content.replace("---",""))[e]
+        except:
+            pass
+    if element_output is None:
+        return ""
+    return element_output
+
+def get_rule_as_esqs(file):
+    """
+    Function used to get Elastic query output from rule fome
+    :type file: str
+    :param file: rule filename
+    :return: string es query
+    """
+    if not os.path.exists(args.sigmac):
+        print("Cannot find sigmac rule coverter at '%s', please set a correct location via '--sigmac'")
+    cmd = [args.sigmac, file, "--target", "es-qs"]
+    output = subprocess.Popen(cmd,stdout=subprocess.PIPE, stderr=subprocess.STDOUT).stdout.read()
+    if "unsupported" in output:
+        raise Exception('Unsupported output at this time')
+    output = output.split("\n")
+    # Remove empty string from \n
+    output = [a for a in output if a]
+    # Handle case of multiple queries returned
+    if len(output) > 1:
+        return " OR ".join(output)
+    return "".join(output)
+
+# Dictionary that contains args set at launch time
+convert_args = {
+    "ESHOST": args.eshost,
+    "ESPORT": args.esport,
+    "INDEX": args.index,
+    "EMAIL": args.email,
+    "MINUTES": args.realerttime
+}
+
+for file in glob.glob(args.ruledir + "/*"):
+    output_elast_config = template
+    try:
+        print("Processing %s ..." % file)
+        with open(file, "rb") as f:
+            file_content = f.read()
+
+        # Dictionary that contains args with values returned by functions
+        translate_func = {'QUERY': get_rule_as_esqs(file),
+                        'TITLE': rule_element(file_content, ["title", "name"]),
+                        'DESCRIPTION': rule_element(file_content, ["description"]),
+                        'UNIQKEYS': str(return_json_obj(get_rule_as_esqs(file), custom_query_keys))
+                        }
+        for entry in convert_args:
+            output_elast_config = re.sub(entry, str(convert_args[entry]), output_elast_config)
+        for entry in translate_func:
+            output_elast_config = re.sub(entry, translate_func[entry], output_elast_config)
+        print("Converting file " + file)
+        with open(os.path.join(args.outdir, "sigma-" + file.split("/")[-1]), "w") as f:
+                f.write(output_elast_config)
+    except Exception as e:
+        if args.debug:
+            traceback.print_exc()
+        print("error " + str(file) + "----" + str(e))
+        pass
+

contrib/sigma2sumologic.py

@@ -0,0 +1,261 @@
+#!/usr/bin/python
+# Copyright 2018 juju4
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+"""
+Project: sigma2sumologic.py
+Date: 11 Jan 2019
+Author: juju4
+Version: 1.0
+Description: This script executes sumologic search queries from Sigma SIEM rules.
+Workflow:
+    1. Convert rules with sigmac
+    2. Enrich: add ignore+local custom rules, priority
+    3. Format
+    4. Get results and save to txt/xlsx files
+Requirements:
+    $ pip install sumologic-sdk pyyaml pandas openpyxl
+"""
+
+import re
+import os
+import sys
+import stat
+import glob
+import subprocess
+import argparse
+import yaml
+import traceback
+import logging
+from sumologic import SumoLogic
+import time
+import datetime
+import json
+import pandas
+
+logging.basicConfig(level=logging.DEBUG)
+logger = logging.getLogger(__name__)
+formatter = logging.Formatter('%(asctime)s - %(name)s - p%(process)s {%(pathname)s:%(lineno)d} - %(levelname)s - %(message)s')
+handler = logging.FileHandler('sigma2sumo.log')
+handler.setFormatter(formatter)
+logger.addHandler(handler)
+
+parser = argparse.ArgumentParser(description='Execute sigma rules in sumologic')
+parser.add_argument("--conf", help="script yaml config file", type=str, required=True)
+parser.add_argument("--accessid", help="Sumologic Access ID", type=str, required=False)
+parser.add_argument("--accesskey", help="Sumologic Access Key", type=str, required=False)
+parser.add_argument("--endpoint", help="Sumologic url endpoint", type=str, required=False)
+parser.add_argument("--ruledir", help="sigma rule directory path to convert", type=str, required=False)
+parser.add_argument("--outdir", help="output directory to create rules", type=str, required=False)
+parser.add_argument("--sigmac", help="Sigmac location", default="../tools/sigmac", type=str)
+parser.add_argument("--realerttime", help="Realert time (optional value, default 5 minutes)", type=str, default=5)
+parser.add_argument("--debug", help="Show debug output", type=bool, default=False)
+args = parser.parse_args()
+
+LIMIT = 100
+delay = 5
+
+
+def rule_element(file_content, elements):
+    """
+    Function used to get specific element from yaml document and return content
+    :type file_content: str
+    :type elements: list
+    :param file_content:
+    :param elements: list of elements of the yaml document to get "title", "description"
+    :return: the value of the key in the yaml document
+    """
+    try:
+        logger.debug("file_content: %s" % file_content)
+        yaml.safe_load(file_content.replace("---", ""))
+    except TypeError:
+        raise Exception('Unsupported')
+    element_output = ""
+    for e in elements:
+        try:
+            element_output = yaml.safe_load(file_content.replace("---", ""))[e]
+        except TypeError:
+            pass
+    if element_output is None:
+        return ""
+    return element_output
+
+
+def get_rule_as_sumologic(file):
+    """
+    Function used to get sumologic query output from rule file
+    :type file: str
+    :param file: rule filename
+    :return: string query
+    """
+    if not os.path.exists(args.sigmac):
+        logger.error("Cannot find sigmac rule coverter at '%s', please set a correct location via '--sigmac'")
+    cmd = [args.sigmac, file, "--target", "sumologic"]
+    logger.info('get_rule_as_sumologic cmd: %s' % cmd)
+    process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    output, err = process.communicate()
+
+    # output is byte-string...
+    output = output.decode("utf-8")
+    err = err.decode("utf-8")
+
+    logger.info('get_rule_as_sumologic output: %s' % output)
+    logger.info('get_rule_as_sumologic stderr: %s' % err)
+    if err or "unsupported" in err:
+        logger.error('Unsupported output at this time')
+        raise Exception('Unsupported output at this time')
+    output = output.split("\n")
+    # Remove empty string from \n
+    output = [a for a in output if a]
+    # Handle case of multiple queries returned
+    if len(output) > 1:
+        return " OR ".join(output)
+    return "".join(output)
+
+if args.help:
+    parser_print_help()
+
+if args.conf:
+    with open(args.conf, 'r') as ymlfile:
+        cfg = yaml.load(ymlfile)
+    args.accessid = cfg['accessid']
+    args.accesskey = cfg['accesskey']
+    args.endpoint = cfg['endpoint']
+    args.ruledir = cfg['ruledir']
+    args.outdir = cfg['outdir']
+    args.sigmac = cfg['sigmac']
+    try:
+        args.recursive = cfg['recursive']
+    except TypeError:
+        args.recursive = False
+    if args.recursive:
+        globpath = args.ruledir + "/**/*.yml"
+    else:
+        globpath = args.ruledir + "/*.yml"
+    logger.debug("args: %s" % args)
+    logger.debug("globpath: %s" % globpath)
+
+if args.outdir and not os.path.isdir(args.outdir):
+    os.mkdir(args.outdir, stat.S_IRWXU)
+
+# non-recursive (above, not working...)
+# for file in glob.iglob(args.ruledir + "/*.yml"):
+# recursive
+for file in glob.iglob(globpath, recursive=True):
+
+    file_basename = os.path.basename(os.path.splitext(file)[0])
+    file_basenamepath = os.path.splitext(file)[0]
+    file_ext = os.path.splitext(file)[1]
+    try:
+        if file_ext != '.yml':
+            continue
+
+        logger.info("Processing %s ..." % file_basename)
+        with open(file, "rb") as f:
+            file_content = f.read()
+
+        logger.info("Rule file: %s" % file)
+
+        sumo_query = get_rule_as_sumologic(file)
+
+        logger.info("  Checking if custom query file: %s" % file_basenamepath + '.custom')
+        if os.path.isfile(file_basenamepath + '.custom'):
+            # FIXME! want to add something in the middle for parsing for example...
+            logger.info("  Adding custom part to end query from: %s" % file_basenamepath + '.custom')
+            with open(file_basenamepath + '.custom', "rb") as f:
+                # FIXME ! manage pipe inside queries
+                if "| count" in sumo_query:
+                    pos = sumo_query.find('| count')
+                    sumo_query = sumo_query[:pos] + f.read().decode('utf-8') + sumo_query[pos:]
+                else:
+                    sumo_query += " " + f.read().decode('utf-8')
+        elif 'count ' not in sumo_query and ('EventID=' in sumo_query):
+            sumo_query += " | count _sourceCategory, hostname, EventID, msg_summary, _raw"
+        elif 'count ' not in sumo_query:
+            sumo_query += " | count _sourceCategory, hostname, _raw"
+
+        logger.debug("Final sumo query: %s" % sumo_query)
+
+    except Exception as e:
+        if args.debug:
+            traceback.print_exc()
+        logger.exception("error generating sumo query " + str(file) + "----" + str(e))
+        with open(os.path.join(args.outdir, "sigma-" + file_basename + '-error-generation.txt'), "w") as f:
+            # f.write(json.dumps(r, indent=4, sort_keys=True) + " ERROR: %s\n\nQUERY: %s" % (e, sumo_query))
+            f.write(" ERROR for file: %s\n\Exception:\n %s" % (file, e))
+        continue
+
+    try:
+        # Run query
+        # https://github.com/SumoLogic/sumologic-python-sdk/blob/master/scripts/search-job.py
+        sumo = SumoLogic(args.accessid, args.accesskey, args.endpoint)
+        toTime = datetime.datetime.now().strftime("%Y-%m-%dT%H:%M:%S")
+        fromTime = datetime.datetime.strptime(toTime, "%Y-%m-%dT%H:%M:%S") - datetime.timedelta(hours=24)
+        fromTime = fromTime.strftime("%Y-%m-%dT%H:%M:%S")
+        timeZone = 'UTC'
+        byReceiptTime = True
+
+        sj = sumo.search_job(sumo_query, fromTime, toTime, timeZone, byReceiptTime)
+
+        status = sumo.search_job_status(sj)
+        while status['state'] != 'DONE GATHERING RESULTS':
+            if status['state'] == 'CANCELLED':
+                break
+            time.sleep(delay)
+            status = sumo.search_job_status(sj)
+
+    except Exception as e:
+        if args.debug:
+            traceback.print_exc()
+        logger.exception("error seaching sumo  " + str(file) + "----" + str(e))
+        with open(os.path.join(args.outdir, "sigma-" + file_basename + '-error.txt'), "w") as f:
+            # f.write(json.dumps(r, indent=4, sort_keys=True) + " ERROR: %s\n\nQUERY: %s" % (e, sumo_query))
+            f.write(" ERROR: %s\n\nQUERY: %s" % (e, sumo_query))
+        pass
+
+    logger.debug("Sumo search job status: %s" % status['state'])
+
+    try:
+        if status['state'] == 'DONE GATHERING RESULTS':
+            count = status['recordCount']
+            # compensate bad limit check
+            limit = count if count < LIMIT and count != 0 else LIMIT
+            r = sumo.search_job_records(sj, limit=limit)
+            logger.debug("Sumo search results: %s" % r)
+
+        logger.debug("Saving final sumo query for %s to %s" % (file, os.path.join(args.outdir, "sigma-" + file_basename + '.sumo')))
+        with open(os.path.join(args.outdir, "sigma-" + file_basename + '.sumo'), "w") as f:
+            f.write(sumo_query)
+        if r and r['records'] != []:
+            logger.info("Saving results")
+            # as json text file
+            with open(os.path.join(args.outdir, "sigma-" + file_basename + '.txt'), "w") as f:
+                f.write(json.dumps(r, indent=4, sort_keys=True))
+            # as excel file
+            df = pandas.io.json.json_normalize(r['records'])
+            with pandas.ExcelWriter(os.path.join(args.outdir, "sigma-" + file_basename + ".xlsx")) as writer:
+                df.to_excel(writer, 'data')
+                pandas.DataFrame({'References': [
+                    "timeframe: from %s to %s" % (fromTime, toTime),
+                    "Sumo endpoint: %s" % args.endpoint,
+                    "Sumo query: %s" % sumo_query
+                ]}).to_excel(writer, 'comments')
+
+        # and do whatever you want, email alert, report, ticket...
+
+    except Exception as e:
+        if args.debug:
+            traceback.print_exc()
+        logger.exception("error saving results " + str(file) + "----" + str(e))
+        pass

other/sigma_attack_nav_coverage.json

@@ -0,0 +1,2653 @@
+{
+	"name": "SIGMA Rule Coverage",
+	"version": "2.1",
+	"domain": "mitre-enterprise",
+	"description": "Accurate to commit #: 81693d81b6823bb5f064919453eac70c1d097d3e\nhttps://github.com/Neo23x0/sigma/commit/81693d81b6823bb5f064919453eac70c1d097d3e",
+	"filters": {
+		"stages": [
+			"act"
+		],
+		"platforms": [
+			"windows",
+			"linux",
+			"mac"
+		]
+	},
+	"sorting": 0,
+	"viewMode": 0,
+	"hideDisabled": false,
+	"techniques": [
+		{
+			"techniqueID": "T1156",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1134",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1134",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1015",
+			"tactic": "persistence",
+			"score": 1,
+			"color": "",
+			"comment": "sysmon_stickykey_like_backdoor.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1015",
+			"tactic": "privilege-escalation",
+			"score": 1,
+			"color": "",
+			"comment": "sysmon_stickykey_like_backdoor.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1087",
+			"tactic": "discovery",
+			"score": 5,
+			"color": "",
+			"comment": "win_account_discovery.yml\nwin_alert_hacktool_use.yml\nwin_susp_net_recon_activity.yml\nwin_susp_commands_recon_activity.yml\nwin_susp_recon_activity.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1098",
+			"tactic": "credential-access",
+			"score": 3,
+			"color": "",
+			"comment": "apt_judgement_panda_gtr19.yml\nwin_alert_ad_user_backdoors.yml\nwin_susp_dsrm_password_change.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1098",
+			"tactic": "persistence",
+			"score": 3,
+			"color": "",
+			"comment": "apt_judgement_panda_gtr19.yml\nwin_alert_ad_user_backdoors.yml\nwin_susp_dsrm_password_change.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1182",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1182",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1103",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1103",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1155",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1155",
+			"tactic": "lateral-movement",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1017",
+			"tactic": "lateral-movement",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1138",
+			"tactic": "persistence",
+			"score": 1,
+			"color": "",
+			"comment": "win_sdbinst_shim_persistence.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1138",
+			"tactic": "privilege-escalation",
+			"score": 1,
+			"color": "",
+			"comment": "win_sdbinst_shim_persistence.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1010",
+			"tactic": "discovery",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1123",
+			"tactic": "collection",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1131",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1119",
+			"tactic": "collection",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1020",
+			"tactic": "exfiltration",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1197",
+			"tactic": "defense-evasion",
+			"score": 1,
+			"color": "",
+			"comment": "win_process_creation_bitsadmin_download.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1197",
+			"tactic": "persistence",
+			"score": 1,
+			"color": "",
+			"comment": "win_process_creation_bitsadmin_download.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1139",
+			"tactic": "credential-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1009",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1067",
+			"tactic": "persistence",
+			"score": 1,
+			"color": "",
+			"comment": "win_susp_bcdedit.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1217",
+			"tactic": "discovery",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1176",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1110",
+			"tactic": "credential-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1088",
+			"tactic": "defense-evasion",
+			"score": 3,
+			"color": "",
+			"comment": "win_cmstp_com_object_access.yml\nsysmon_uac_bypass_eventvwr.yml\nsysmon_uac_bypass_sdclt.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1088",
+			"tactic": "privilege-escalation",
+			"score": 3,
+			"color": "",
+			"comment": "win_cmstp_com_object_access.yml\nsysmon_uac_bypass_eventvwr.yml\nsysmon_uac_bypass_sdclt.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1191",
+			"tactic": "defense-evasion",
+			"score": 2,
+			"color": "",
+			"comment": "win_cmstp_com_object_access.yml\nsysmon_cmstp_execution.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1191",
+			"tactic": "execution",
+			"score": 2,
+			"color": "",
+			"comment": "win_cmstp_com_object_access.yml\nsysmon_cmstp_execution.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1042",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1146",
+			"tactic": "defense-evasion",
+			"score": 1,
+			"color": "",
+			"comment": "lnx_shell_clear_cmd_history.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1115",
+			"tactic": "collection",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1116",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1059",
+			"tactic": "execution",
+			"score": 12,
+			"color": "",
+			"comment": "apt_babyshark.yml\napt_equationgroup_dll_u_load.yml\napt_equationgroup_lnx.yml\napt_sofacy.yml\napt_sofacy_zebrocy.yml\napt_turla_commands.yml\napt_zxshell.yml\ncrime_fireball.yml\nwin_alert_hacktool_use.yml\nwin_office_shell.yml\nwin_susp_cmd_http_appdata.yml\nwin_susp_outlook.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1043",
+			"tactic": "command-and-control",
+			"score": 1,
+			"color": "",
+			"comment": "sysmon_malware_backconnect_ports.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1092",
+			"tactic": "command-and-control",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1223",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1223",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1109",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1109",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1122",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1122",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1090",
+			"tactic": "command-and-control",
+			"score": 2,
+			"color": "",
+			"comment": "win_netsh_fw_add.yml\nwin_netsh_port_fwd.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1196",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1196",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1136",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1003",
+			"tactic": "credential-access",
+			"score": 23,
+			"color": "",
+			"comment": "apt_bear_activity_gtr19.yml\nwin_alert_lsass_access.yml\nwin_alert_mimikatz_keywords.yml\nwin_dcsync.yml\nwin_impacket_secretdump.yml\nwin_mal_creddumper.yml\nwin_mal_wceaux_dll.yml\nwin_susp_lsass_dump.yml\nwin_susp_sam_dump.yml\nav_password_dumper.yml\nwin_cmdkey_recon.yml\nwin_hack_rubeus.yml\nwin_malware_notpetya.yml\nwin_susp_ntdsutil.yml\nwin_susp_procdump.yml\nwin_susp_sysvol_access.yml\nwin_susp_vssadmin_ntds_activity.yml\nsysmon_ghostpack_safetykatz.yml\nsysmon_lsass_memdump.yml\nsysmon_mimikatz_detection_lsass.yml\nsysmon_mimikatz_inmemory_detection.yml\nsysmon_password_dumper_lsass.yml\nsysmon_quarkspw_filedump.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1081",
+			"tactic": "credential-access",
+			"score": 1,
+			"color": "",
+			"comment": "apt_bear_activity_gtr19.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1214",
+			"tactic": "credential-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1094",
+			"tactic": "command-and-control",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1024",
+			"tactic": "command-and-control",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1207",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1038",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1038",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1038",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1073",
+			"tactic": "defense-evasion",
+			"score": 9,
+			"color": "",
+			"comment": "win_susp_dhcp_config.yml\nwin_susp_dhcp_config_failed.yml\nwin_susp_dns_config.yml\nwin_plugx_susp_exe_locations.yml\nwin_susp_control_dll_load.yml\nwin_susp_gup.yml\nsysmon_dhcp_calloutdll.yml\nsysmon_dns_serverlevelplugindll.yml\nsysmon_susp_image_load.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1002",
+			"tactic": "exfiltration",
+			"score": 1,
+			"color": "",
+			"comment": "apt_judgement_panda_gtr19.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1132",
+			"tactic": "command-and-control",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1022",
+			"tactic": "exfiltration",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1001",
+			"tactic": "command-and-control",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1074",
+			"tactic": "collection",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1030",
+			"tactic": "exfiltration",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1213",
+			"tactic": "collection",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1005",
+			"tactic": "collection",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1039",
+			"tactic": "collection",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1025",
+			"tactic": "collection",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1140",
+			"tactic": "defense-evasion",
+			"score": 4,
+			"color": "",
+			"comment": "win_susp_mshta_execution.yml\nwin_susp_certutil_command.yml\nwin_susp_cli_escape.yml\nwin_susp_ping_hex_ip.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1089",
+			"tactic": "defense-evasion",
+			"score": 2,
+			"color": "",
+			"comment": "win_alert_enable_weak_encryption.yml\nwin_susp_msmpeng_crash.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1175",
+			"tactic": "lateral-movement",
+			"score": 1,
+			"color": "",
+			"comment": "win_susp_mmc_source.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1172",
+			"tactic": "command-and-control",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1189",
+			"tactic": "initial-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1157",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1157",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1173",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1114",
+			"tactic": "collection",
+			"score": 1,
+			"color": "",
+			"comment": "win_alert_hacktool_use.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1106",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1129",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1048",
+			"tactic": "exfiltration",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1041",
+			"tactic": "exfiltration",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1011",
+			"tactic": "exfiltration",
+			"score": 1,
+			"color": "",
+			"comment": "sysmon_ssp_added_lsa_config.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1052",
+			"tactic": "exfiltration",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1190",
+			"tactic": "initial-access",
+			"score": 1,
+			"color": "",
+			"comment": "web_cve_2018_2894_weblogic_exploit.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1203",
+			"tactic": "execution",
+			"score": 2,
+			"color": "",
+			"comment": "av_exploiting.yml\nwin_exploit_cve_2017_8759.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1212",
+			"tactic": "credential-access",
+			"score": 3,
+			"color": "",
+			"comment": "win_net_ntlm_downgrade.yml\nwin_susp_kerberos_manipulation.yml\nwin_susp_samr_pwset.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1211",
+			"tactic": "defense-evasion",
+			"score": 2,
+			"color": "",
+			"comment": "win_susp_msmpeng_crash.yml\nwin_exploit_cve_2017_11882.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1068",
+			"tactic": "privilege-escalation",
+			"score": 1,
+			"color": "",
+			"comment": "apt_hurricane_panda.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1210",
+			"tactic": "lateral-movement",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1133",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1181",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1181",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1008",
+			"tactic": "command-and-control",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1107",
+			"tactic": "defense-evasion",
+			"score": 2,
+			"color": "",
+			"comment": "win_susp_backup_delete.yml\nwin_susp_sdelete.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1222",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1006",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1044",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1044",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1083",
+			"tactic": "discovery",
+			"score": 1,
+			"color": "",
+			"comment": "apt_turla_commands.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1187",
+			"tactic": "credential-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1144",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1061",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1148",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1200",
+			"tactic": "initial-access",
+			"score": 1,
+			"color": "",
+			"comment": "win_usb_device_plugged.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1158",
+			"tactic": "defense-evasion",
+			"score": 1,
+			"color": "",
+			"comment": "win_attrib_hiding_files.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1158",
+			"tactic": "persistence",
+			"score": 1,
+			"color": "",
+			"comment": "win_attrib_hiding_files.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1147",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1143",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1179",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1179",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1179",
+			"tactic": "credential-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1062",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1183",
+			"tactic": "privilege-escalation",
+			"score": 1,
+			"color": "",
+			"comment": "sysmon_win_reg_persistence.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1183",
+			"tactic": "persistence",
+			"score": 1,
+			"color": "",
+			"comment": "sysmon_win_reg_persistence.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1183",
+			"tactic": "defense-evasion",
+			"score": 1,
+			"color": "",
+			"comment": "sysmon_win_reg_persistence.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1054",
+			"tactic": "defense-evasion",
+			"score": 1,
+			"color": "",
+			"comment": "win_disable_event_logging.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1066",
+			"tactic": "defense-evasion",
+			"score": 1,
+			"color": "",
+			"comment": "win_susp_sdelete.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1070",
+			"tactic": "defense-evasion",
+			"score": 4,
+			"color": "",
+			"comment": "win_susp_eventlog_cleared.yml\nwin_susp_security_eventlog_cleared.yml\nwin_malware_notpetya.yml\nwin_susp_bcdedit.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1202",
+			"tactic": "defense-evasion",
+			"score": 2,
+			"color": "",
+			"comment": "win_office_shell.yml\nwin_susp_outlook.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1056",
+			"tactic": "collection",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1056",
+			"tactic": "credential-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1141",
+			"tactic": "credential-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1130",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1118",
+			"tactic": "defense-evasion",
+			"score": 1,
+			"color": "",
+			"comment": "win_possible_applocker_bypass.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1118",
+			"tactic": "execution",
+			"score": 1,
+			"color": "",
+			"comment": "win_possible_applocker_bypass.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1208",
+			"tactic": "credential-access",
+			"score": 2,
+			"color": "",
+			"comment": "win_susp_rc4_kerberos.yml\nwin_spn_enum.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1215",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1142",
+			"tactic": "credential-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1161",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1149",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1171",
+			"tactic": "credential-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1177",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1177",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1159",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1160",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1160",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1152",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1152",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1152",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1168",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1168",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1162",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1037",
+			"tactic": "lateral-movement",
+			"score": 1,
+			"color": "",
+			"comment": "sysmon_logon_scripts_userinitmprlogonscript.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1037",
+			"tactic": "persistence",
+			"score": 1,
+			"color": "",
+			"comment": "sysmon_logon_scripts_userinitmprlogonscript.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1185",
+			"tactic": "collection",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1036",
+			"tactic": "defense-evasion",
+			"score": 14,
+			"color": "",
+			"comment": "apt_ta17_293a_ps.yml\nwin_exploit_cve_2015_1641.yml\nwin_powershell_b64_shellcode.yml\nwin_susp_calc.yml\nwin_susp_csc.yml\nwin_susp_execution_path.yml\nwin_susp_exec_folder.yml\nwin_susp_procdump.yml\nwin_susp_prog_location_process_starts.yml\nwin_susp_run_locations.yml\nwin_susp_svchost.yml\nwin_susp_taskmgr_localsystem.yml\nwin_susp_taskmgr_parent.yml\nwin_system_exe_anomaly.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1031",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1112",
+			"tactic": "defense-evasion",
+			"score": 3,
+			"color": "",
+			"comment": "apt_chafer_mar18.yml\nwin_mal_ursnif.yml\nsysmon_dhcp_calloutdll.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1170",
+			"tactic": "defense-evasion",
+			"score": 4,
+			"color": "",
+			"comment": "apt_babyshark.yml\nwin_lethalhta.yml\nwin_mshta_spawn_shell.yml\nwin_possible_applocker_bypass.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1170",
+			"tactic": "execution",
+			"score": 4,
+			"color": "",
+			"comment": "apt_babyshark.yml\nwin_lethalhta.yml\nwin_mshta_spawn_shell.yml\nwin_possible_applocker_bypass.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1104",
+			"tactic": "command-and-control",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1188",
+			"tactic": "command-and-control",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1026",
+			"tactic": "command-and-control",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1079",
+			"tactic": "command-and-control",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1096",
+			"tactic": "defense-evasion",
+			"score": 1,
+			"color": "",
+			"comment": "powershell_ntfs_ads_access.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1128",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1046",
+			"tactic": "discovery",
+			"score": 1,
+			"color": "",
+			"comment": "win_vul_java_remote_debugging.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1126",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1135",
+			"tactic": "discovery",
+			"score": 1,
+			"color": "",
+			"comment": "apt_turla_commands.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1040",
+			"tactic": "credential-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1040",
+			"tactic": "discovery",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1050",
+			"tactic": "persistence",
+			"score": 7,
+			"color": "",
+			"comment": "apt_apt29_tor.yml\napt_carbonpaper_turla.yml\napt_stonedrill.yml\napt_turla_service_png.yml\nwin_mal_service_installs.yml\nwin_rare_service_installs.yml\nsysmon_susp_driver_load.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1050",
+			"tactic": "privilege-escalation",
+			"score": 7,
+			"color": "",
+			"comment": "apt_apt29_tor.yml\napt_carbonpaper_turla.yml\napt_stonedrill.yml\napt_turla_service_png.yml\nwin_mal_service_installs.yml\nwin_rare_service_installs.yml\nsysmon_susp_driver_load.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1027",
+			"tactic": "defense-evasion",
+			"score": 2,
+			"color": "",
+			"comment": "win_susp_ping_hex_ip.yml\nsysmon_ads_executable.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1137",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1075",
+			"tactic": "lateral-movement",
+			"score": 4,
+			"color": "",
+			"comment": "win_alert_hacktool_use.yml\nwin_overpass_the_hash.yml\nwin_pass_the_hash.yml\nwin_susp_ntlm_auth.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1097",
+			"tactic": "lateral-movement",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1174",
+			"tactic": "credential-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1201",
+			"tactic": "discovery",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1034",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1034",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1120",
+			"tactic": "discovery",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1069",
+			"tactic": "discovery",
+			"score": 1,
+			"color": "",
+			"comment": "win_susp_net_recon_activity.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1150",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1150",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1150",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1205",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1205",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1205",
+			"tactic": "command-and-control",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1013",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1013",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1086",
+			"tactic": "execution",
+			"score": 28,
+			"color": "",
+			"comment": "apt_apt29_thinktanks.yml\napt_babyshark.yml\napt_empiremonkey.yml\npowershell_downgrade_attack.yml\npowershell_exe_calling_ps.yml\npowershell_malicious_commandlets.yml\npowershell_malicious_keywords.yml\npowershell_prompt_credentials.yml\npowershell_psattack.yml\npowershell_shellcode_b64.yml\npowershell_suspicious_download.yml\npowershell_suspicious_invocation_generic.yml\npowershell_suspicious_invocation_specific.yml\npowershell_suspicious_keywords.yml\npowershell_xor_commandline.yml\nwin_powershell_amsi_bypass.yml\nwin_powershell_dll_execution.yml\nwin_powershell_download.yml\nwin_powershell_renamed_ps.yml\nwin_powershell_suspicious_parameter_variation.yml\nwin_susp_powershell_enc_cmd.yml\nwin_susp_powershell_hidden_b64_cmd.yml\nwin_susp_powershell_parent_combo.yml\nwin_susp_ps_appdata.yml\nsysmon_powershell_exploit_scripts.yml\nsysmon_powershell_network_connection.yml\nsysmon_powersploit_schtasks.yml\nsysmon_susp_powershell_rundll32.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1145",
+			"tactic": "credential-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1057",
+			"tactic": "discovery",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1186",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1093",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1055",
+			"tactic": "defense-evasion",
+			"score": 8,
+			"color": "",
+			"comment": "powershell_shellcode_b64.yml\nwin_exploit_cve_2017_0261.yml\nwin_malware_dridex.yml\nwin_mavinject_proc_inj.yml\nsysmon_cactustorch.yml\nsysmon_cobaltstrike_process_injection.yml\nsysmon_malware_verclsid_shellcode.yml\nsysmon_mal_namedpipes.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1055",
+			"tactic": "privilege-escalation",
+			"score": 8,
+			"color": "",
+			"comment": "powershell_shellcode_b64.yml\nwin_exploit_cve_2017_0261.yml\nwin_malware_dridex.yml\nwin_mavinject_proc_inj.yml\nsysmon_cactustorch.yml\nsysmon_cobaltstrike_process_injection.yml\nsysmon_malware_verclsid_shellcode.yml\nsysmon_mal_namedpipes.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1012",
+			"tactic": "discovery",
+			"score": 1,
+			"color": "",
+			"comment": "apt_babyshark.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1163",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1164",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1108",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1108",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1060",
+			"tactic": "persistence",
+			"score": 2,
+			"color": "",
+			"comment": "sysmon_susp_reg_persist_explorer_run.yml\nsysmon_susp_run_key_img_folder.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1121",
+			"tactic": "defense-evasion",
+			"score": 1,
+			"color": "",
+			"comment": "win_possible_applocker_bypass.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1121",
+			"tactic": "execution",
+			"score": 1,
+			"color": "",
+			"comment": "win_possible_applocker_bypass.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1117",
+			"tactic": "defense-evasion",
+			"score": 1,
+			"color": "",
+			"comment": "win_susp_regsvr32_anomalies.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1117",
+			"tactic": "execution",
+			"score": 1,
+			"color": "",
+			"comment": "win_susp_regsvr32_anomalies.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1219",
+			"tactic": "command-and-control",
+			"score": 2,
+			"color": "",
+			"comment": "av_exploiting.yml\nwin_susp_tscon_localsystem.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1076",
+			"tactic": "lateral-movement",
+			"score": 4,
+			"color": "",
+			"comment": "win_rdp_localhost_login.yml\nwin_rdp_reverse_tunnel.yml\nwin_susp_tscon_rdp_redirect.yml\nsysmon_rdp_reverse_tunnel.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1105",
+			"tactic": "command-and-control",
+			"score": 4,
+			"color": "",
+			"comment": "apt_pandemic.yml\nwin_susp_certutil_command.yml\nsysmon_win_binary_github_com.yml\nsysmon_win_binary_susp_com.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1105",
+			"tactic": "lateral-movement",
+			"score": 4,
+			"color": "",
+			"comment": "apt_pandemic.yml\nwin_susp_certutil_command.yml\nsysmon_win_binary_github_com.yml\nsysmon_win_binary_susp_com.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1021",
+			"tactic": "lateral-movement",
+			"score": 1,
+			"color": "",
+			"comment": "win_netsh_port_fwd_3389.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1018",
+			"tactic": "discovery",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1091",
+			"tactic": "lateral-movement",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1091",
+			"tactic": "initial-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1014",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1085",
+			"tactic": "defense-evasion",
+			"score": 11,
+			"color": "",
+			"comment": "apt_equationgroup_dll_u_load.yml\napt_sofacy.yml\napt_tropictrooper.yml\napt_unidentified_nov_18.yml\napt_zxshell.yml\ncrime_fireball.yml\nwin_malware_notpetya.yml\nwin_susp_control_dll_load.yml\nwin_susp_rundll32_activity.yml\nsysmon_rundll32_net_connections.yml\nsysmon_susp_powershell_rundll32.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1085",
+			"tactic": "execution",
+			"score": 11,
+			"color": "",
+			"comment": "apt_equationgroup_dll_u_load.yml\napt_sofacy.yml\napt_tropictrooper.yml\napt_unidentified_nov_18.yml\napt_zxshell.yml\ncrime_fireball.yml\nwin_malware_notpetya.yml\nwin_susp_control_dll_load.yml\nwin_susp_rundll32_activity.yml\nsysmon_rundll32_net_connections.yml\nsysmon_susp_powershell_rundll32.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1178",
+			"tactic": "privilege-escalation",
+			"score": 1,
+			"color": "",
+			"comment": "win_susp_add_sid_history.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1198",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1198",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1184",
+			"tactic": "lateral-movement",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1053",
+			"tactic": "execution",
+			"score": 8,
+			"color": "",
+			"comment": "apt_chafer_mar18.yml\napt_slingshot.yml\nwin_atsvc_task.yml\nwin_GPO_scheduledtasks.yml\nwin_rare_schtasks_creations.yml\nwin_rare_schtask_creation.yml\nwin_susp_schtask_creation.yml\nsysmon_powersploit_schtasks.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1053",
+			"tactic": "persistence",
+			"score": 8,
+			"color": "",
+			"comment": "apt_chafer_mar18.yml\napt_slingshot.yml\nwin_atsvc_task.yml\nwin_GPO_scheduledtasks.yml\nwin_rare_schtasks_creations.yml\nwin_rare_schtask_creation.yml\nwin_susp_schtask_creation.yml\nsysmon_powersploit_schtasks.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1053",
+			"tactic": "privilege-escalation",
+			"score": 8,
+			"color": "",
+			"comment": "apt_chafer_mar18.yml\napt_slingshot.yml\nwin_atsvc_task.yml\nwin_GPO_scheduledtasks.yml\nwin_rare_schtasks_creations.yml\nwin_rare_schtask_creation.yml\nwin_susp_schtask_creation.yml\nsysmon_powersploit_schtasks.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1029",
+			"tactic": "exfiltration",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1113",
+			"tactic": "collection",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1180",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1064",
+			"tactic": "defense-evasion",
+			"score": 10,
+			"color": "",
+			"comment": "apt_cloudhopper.yml\nwin_malware_script_dropper.yml\nwin_mal_adwind.yml\nwin_mal_lockergoga.yml\nwin_shell_spawn_susp_program.yml\nwin_susp_rasdial_activity.yml\nwin_susp_script_execution.yml\nwin_wmi_spwns_powershell.yml\nsysmon_cactustorch.yml\nsysmon_susp_file_characteristics.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1064",
+			"tactic": "execution",
+			"score": 10,
+			"color": "",
+			"comment": "apt_cloudhopper.yml\nwin_malware_script_dropper.yml\nwin_mal_adwind.yml\nwin_mal_lockergoga.yml\nwin_shell_spawn_susp_program.yml\nwin_susp_rasdial_activity.yml\nwin_susp_script_execution.yml\nwin_wmi_spwns_powershell.yml\nsysmon_cactustorch.yml\nsysmon_susp_file_characteristics.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1063",
+			"tactic": "discovery",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1101",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1167",
+			"tactic": "credential-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1035",
+			"tactic": "execution",
+			"score": 3,
+			"color": "",
+			"comment": "win_hack_smbexec.yml\nwin_tool_psexec.yml\nwin_psexesvc_start.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1058",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1058",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1166",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1166",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1051",
+			"tactic": "lateral-movement",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1023",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1218",
+			"tactic": "defense-evasion",
+			"score": 1,
+			"color": "",
+			"comment": "win_mavinject_proc_inj.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1218",
+			"tactic": "execution",
+			"score": 1,
+			"color": "",
+			"comment": "win_mavinject_proc_inj.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1216",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1216",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1045",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1153",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1151",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1151",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1193",
+			"tactic": "initial-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1192",
+			"tactic": "initial-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1194",
+			"tactic": "initial-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1071",
+			"tactic": "command-and-control",
+			"score": 1,
+			"color": "",
+			"comment": "net_susp_dns_txt_exec_strings.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1032",
+			"tactic": "command-and-control",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1095",
+			"tactic": "command-and-control",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1165",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1165",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1169",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1206",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1195",
+			"tactic": "initial-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1019",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1082",
+			"tactic": "discovery",
+			"score": 1,
+			"color": "",
+			"comment": "win_susp_commands_recon_activity.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1016",
+			"tactic": "discovery",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1049",
+			"tactic": "discovery",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1033",
+			"tactic": "discovery",
+			"score": 1,
+			"color": "",
+			"comment": "win_susp_whoami.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1007",
+			"tactic": "discovery",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1124",
+			"tactic": "discovery",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1080",
+			"tactic": "lateral-movement",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1221",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1072",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1072",
+			"tactic": "lateral-movement",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1209",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1099",
+			"tactic": "defense-evasion",
+			"score": 1,
+			"color": "",
+			"comment": "win_susp_time_modification.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1154",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1154",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1127",
+			"tactic": "defense-evasion",
+			"score": 2,
+			"color": "",
+			"comment": "win_possible_applocker_bypass.yml\nwin_workflow_compiler.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1127",
+			"tactic": "execution",
+			"score": 2,
+			"color": "",
+			"comment": "win_possible_applocker_bypass.yml\nwin_workflow_compiler.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1199",
+			"tactic": "initial-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1111",
+			"tactic": "credential-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1065",
+			"tactic": "command-and-control",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1204",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1078",
+			"tactic": "defense-evasion",
+			"score": 6,
+			"color": "",
+			"comment": "win_admin_rdp_login.yml\nwin_alert_active_directory_user_control.yml\nwin_susp_failed_logons_single_source.yml\nwin_susp_failed_logon_reasons.yml\nwin_susp_interactive_logons.yml\nwin_user_added_to_local_administrators.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1078",
+			"tactic": "persistence",
+			"score": 6,
+			"color": "",
+			"comment": "win_admin_rdp_login.yml\nwin_alert_active_directory_user_control.yml\nwin_susp_failed_logons_single_source.yml\nwin_susp_failed_logon_reasons.yml\nwin_susp_interactive_logons.yml\nwin_user_added_to_local_administrators.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1078",
+			"tactic": "privilege-escalation",
+			"score": 6,
+			"color": "",
+			"comment": "win_admin_rdp_login.yml\nwin_alert_active_directory_user_control.yml\nwin_susp_failed_logons_single_source.yml\nwin_susp_failed_logon_reasons.yml\nwin_susp_interactive_logons.yml\nwin_user_added_to_local_administrators.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1078",
+			"tactic": "initial-access",
+			"score": 6,
+			"color": "",
+			"comment": "win_admin_rdp_login.yml\nwin_alert_active_directory_user_control.yml\nwin_susp_failed_logons_single_source.yml\nwin_susp_failed_logon_reasons.yml\nwin_susp_interactive_logons.yml\nwin_user_added_to_local_administrators.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1125",
+			"tactic": "collection",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1102",
+			"tactic": "command-and-control",
+			"score": 3,
+			"color": "",
+			"comment": "proxy_cobalt_amazon.yml\nproxy_cobalt_ocsp.yml\nproxy_cobalt_onedrive.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1102",
+			"tactic": "defense-evasion",
+			"score": 3,
+			"color": "",
+			"comment": "proxy_cobalt_amazon.yml\nproxy_cobalt_ocsp.yml\nproxy_cobalt_onedrive.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1100",
+			"tactic": "persistence",
+			"score": 6,
+			"color": "",
+			"comment": "web_cve_2018_2894_weblogic_exploit.yml\nav_webshell.yml\nwin_susp_execution_path_webserver.yml\nwin_susp_iss_module_install.yml\nwin_webshell_detection.yml\nwin_webshell_spawn.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1100",
+			"tactic": "privilege-escalation",
+			"score": 6,
+			"color": "",
+			"comment": "web_cve_2018_2894_weblogic_exploit.yml\nav_webshell.yml\nwin_susp_execution_path_webserver.yml\nwin_susp_iss_module_install.yml\nwin_webshell_detection.yml\nwin_webshell_spawn.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1077",
+			"tactic": "lateral-movement",
+			"score": 5,
+			"color": "",
+			"comment": "apt_turla_commands.yml\nwin_admin_share_access.yml\nwin_hack_smbexec.yml\nwin_lm_namedpipe.yml\nwin_susp_psexec.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1047",
+			"tactic": "execution",
+			"score": 4,
+			"color": "",
+			"comment": "win_wmi_persistence.yml\nwin_bypass_squiblytwo.yml\nwin_susp_wmi_execution.yml\nwin_wmi_persistence_script_event_consumer.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1084",
+			"tactic": "persistence",
+			"score": 3,
+			"color": "",
+			"comment": "sysmon_wmi_event_subscription.yml\nsysmon_wmi_persistence_commandline_event_consumer.yml\nsysmon_wmi_persistence_script_event_consumer_write.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1028",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1028",
+			"tactic": "lateral-movement",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1004",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1220",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1220",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		}
+	],
+	"gradient": {
+		"colors": [
+			"#ffffff",
+			"#66b1ff"
+		],
+		"minValue": 0,
+		"maxValue": 2
+	},
+	"legendItems": [],
+	"metadata": [],
+	"showTacticRowBackground": false,
+	"tacticRowBackground": "#dddddd",
+	"selectTechniquesAcrossTactics": true
+}

rules/application/app_python_sql_exceptions.yml

@@ -1,7 +1,7 @@
 title: Python SQL Exceptions
 description: Generic rule for SQL exceptions in Python according to PEP 249
 author: Thomas Patzke
-reference:
+references:
     - https://www.python.org/dev/peps/pep-0249/#exceptions
 logsource:
     category: application

rules/application/app_sqlinjection_errors.yml

@@ -2,7 +2,8 @@ title: Suspicious SQL Error Messages
 status: experimental
 description: Detects SQL error messages that indicate probing for an injection attack
 author: Bjoern Kimminich
-reference: http://www.sqlinjection.net/errors
+references:
+    - http://www.sqlinjection.net/errors
 logsource:
     category: application
     product: sql
@@ -15,7 +16,7 @@ detection:
         # SQL Server
         - Unclosed quotation mark
         # SQLite
-        - near "*": syntax error
+        - 'near "*": syntax error'
         - SELECTs to the left and right of UNION do not have the same number of result columns
     condition: keywords
 falsepositives:

rules/application/appframework_django_exceptions.yml

@@ -1,7 +1,7 @@
 title: Django framework exceptions
 description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
-reference:
+references:
     - https://docs.djangoproject.com/en/1.11/ref/exceptions/
     - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
 logsource:

rules/application/appframework_ruby_on_rails_exceptions.yml

@@ -1,7 +1,7 @@
 title: Ruby on Rails framework exceptions
 description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
 author: Thomas Patzke
-reference:
+references:
     - http://edgeguides.rubyonrails.org/security.html
     - http://guides.rubyonrails.org/action_controller_overview.html
     - https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception

rules/application/appframework_spring_exceptions.yml

@@ -1,7 +1,7 @@
 title: Spring framework exceptions
 description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
-reference:
+references:
     - https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html
 logsource:
     category: application

rules/apt/apt_apt29_thinktanks.yml

@@ -0,0 +1,20 @@
+title: APT29 
+description: 'This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks' 
+references:
+    - https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
+tags:
+    - attack.execution
+    - attack.g0016
+    - attack.t1086
+author: Florian Roth
+date: 2018/12/04 
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine: '*-noni -ep bypass $*'
+    condition: selection
+falsepositives:
+    - unknown
+level: critical

rules/apt/apt_apt29_tor.yml

@@ -1,31 +1,32 @@
+---
 action: global
 title: APT29 Google Update Service Install
 description: 'This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files.' 
-reference: https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
+references:
+    - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
+tags:
+    - attack.persistence
+    - attack.g0016
+    - attack.t1050
 logsource:
     product: windows
+    service: system
 detection:
-    service:
+    service_install:
         EventID: 7045
         ServiceName: 'Google Update'
     timeframe: 5m
-    condition: service | near process
+    condition: service_install | near process
 falsepositives:
     - Unknown
 level: high
+
 ---
-# Windows Audit Log
+logsource:
+    category: process_creation
+    product: windows
 detection:
     process:
-        EventID: 4688 
-        NewProcessName: 
-            - 'C:\Program Files(x86)\Google\GoogleService.exe'
-            - 'C:\Program Files(x86)\Google\GoogleUpdate.exe'
----
-# Sysmon
-detection:
-    process:
-        EventID: 1 
         Image: 
             - 'C:\Program Files(x86)\Google\GoogleService.exe'
             - 'C:\Program Files(x86)\Google\GoogleUpdate.exe'

rules/apt/apt_babyshark.yml

@@ -0,0 +1,28 @@
+title: Baby Shark Activity
+status: experimental
+description: Detects activity that could be related to Baby Shark malware
+references:
+    - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
+tags:
+    - attack.execution
+    - attack.t1059
+    - attack.t1086
+    - attack.discovery
+    - attack.t1012
+    - attack.defense_evasion
+    - attack.t1170
+logsource:
+    category: process_creation
+    product: windows
+author: Florian Roth
+date: 2019/02/24
+detection:
+    selection:
+        CommandLine:
+            - reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
+            - powershell.exe mshta.exe http*
+            - cmd.exe /c taskkill /im cmd.exe
+    condition: selection
+falsepositives:
+    - unknown
+level: high

rules/apt/apt_bear_activity_gtr19.yml

@@ -0,0 +1,24 @@
+title: Judgement Panda Exfil Activity
+description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
+references:
+    - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
+author: Florian Roth
+date: 2019/02/21
+tags:
+    - attack.credential_access
+    - attack.t1081
+    - attack.t1003
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        Image: '*\xcopy.exe'
+        CommandLine: '* /S /E /C /Q /H \\*'
+    selection2:
+        Image: '*\adexplorer.exe'
+        CommandLine: '* -snapshot "" c:\users\\*'
+    condition: selection1 or selection2
+falsepositives:
+    - unknown
+level: critical

rules/apt/apt_carbonpaper_turla.yml

@@ -1,6 +1,11 @@
 title: Turla Service Install
 description: 'This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET' 
-reference: https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
+references:
+    - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
+tags:
+    - attack.persistence
+    - attack.g0010
+    - attack.t1050
 logsource:
     product: windows
     service: system

rules/apt/apt_chafer_mar18.yml

@@ -0,0 +1,73 @@
+---
+action: global
+title: Chafer Activity
+description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018 
+references:
+    - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
+tags:
+    - attack.persistence
+    - attack.g0049
+    - attack.t1053
+    - attack.s0111
+    - attack.defense_evasion
+    - attack.t1112
+date: 2018/03/23
+modified: 2019/03/01
+author: Florian Roth, Markus Neis
+detection:
+    condition: 1 of them
+falsepositives:
+    - Unknown
+level: critical
+---
+logsource:
+    product: windows
+    service: system
+detection:
+    selection_service:
+        EventID: 7045
+        ServiceName:
+            - 'SC Scheduled Scan'
+            - 'UpdatMachine'
+---
+logsource:
+    product: windows
+    service: security
+detection:
+    selection_service:
+        EventID: 4698
+        TaskName:
+            - 'SC Scheduled Scan'
+            - 'UpdatMachine'
+---
+logsource:
+   product: windows
+   service: sysmon
+detection:
+    selection_reg1:
+        EventID: 13 
+        TargetObject: 
+            - '*SOFTWARE\Microsoft\Windows\CurrentVersion\UMe'
+            - '*SOFTWARE\Microsoft\Windows\CurrentVersion\UT'
+        EventType: 'SetValue'
+    selection_reg2:
+        EventID: 13 
+        TargetObject: '*\Control\SecurityProviders\WDigest\UseLogonCredential'
+        EventType: 'SetValue'
+        Details: 'DWORD (0x00000001)'
+---
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_process1:
+        CommandLine: 
+            - '*\Service.exe i'
+            - '*\Service.exe u'
+            - '*\microsoft\Taskbar\autoit3.exe'
+            - 'C:\wsc.exe*'
+    selection_process2:
+        Image: '*\Windows\Temp\DB\\*.exe'
+    selection_process3:
+        CommandLine: '*\nslookup.exe -q=TXT*'
+        ParentImage: '*\Autoit*'

rules/apt/apt_cloudhopper.yml

@@ -1,13 +1,17 @@
-title: Detects an Execution of WMIExec VBS Script
+title: WMIExec VBS Script
 description: Detects suspicious file execution by wscript and cscript
 author: Florian Roth
-reference: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+references:
+    - https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+tags:
+    - attack.execution
+    - attack.g0045
+    - attack.t1064
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         Image: '*\cscript.exe'
         CommandLine: '*.vbs /shell *'
     condition: selection

rules/apt/apt_dragonfly.yml

@@ -0,0 +1,19 @@
+title: CrackMapExecWin 
+description: Detects CrackMapExecWin Activity as Described by NCSC
+status: experimental
+references:
+    - https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control 
+tags:
+    - attack.g0035
+author: Markus Neis
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image:
+            - '*\crackmapexec.exe'
+    condition: selection
+falsepositives: 
+    - None 
+level: critical

rules/apt/apt_elise.yml

@@ -0,0 +1,24 @@
+title: Elise Backdoor
+status: experimental
+description: Detects Elise backdoor acitivty as used by APT32 
+references: 
+    - https://community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting
+tags:
+    - attack.g0030
+    - attack.g0050
+    - attack.s0081
+author: Florian Roth
+date: 2018/01/31
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        Image: 'C:\Windows\SysWOW64\cmd.exe'
+        CommandLine: '*\Windows\Caches\NavShExt.dll *'
+    selection2:
+        CommandLine: '*\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'
+    condition: 1 of them
+falsepositives:
+    - Unknown
+level: critical

rules/apt/apt_empiremonkey.yml

@@ -0,0 +1,32 @@
+---
+action: global
+title: Empire Monkey 
+description: Detects EmpireMonkey APT reported Activity 
+references:
+    - https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b
+tags:
+    - attack.t1086
+    - attack.execution
+date: 2019/04/02
+author: Markus Neis
+detection:
+    condition: 1 of them
+falsepositives:
+    - Very Unlikely 
+level: critical
+---
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_cutil:
+        CommandLine: 
+            - '*/i:%APPDATA%\logs.txt scrobj.dll'
+        Image:
+            - '*\cutil.exe'
+    selection_regsvr32:
+        CommandLine: 
+            - '*/i:%APPDATA%\logs.txt scrobj.dll'
+        Description: 
+            - Microsoft(C) Registerserver
+        

rules/apt/apt_equationgroup_c2.yml

@@ -1,21 +1,24 @@
 title: Equation Group C2 Communication
 description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
-reference:
+references:
     - 'https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation'
     - 'https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195'
+tags:
+    - attack.command_and_control
+    - attack.g0020
 author: Florian Roth
 logsource:
-    product: firewall
+    category: firewall
 detection:
     outgoing:
-        dst:
+        dst_ip:
             - '69.42.98.86'
             - '89.185.234.145'
     incoming:
-        src:
+        src_ip:
             - '69.42.98.86'
             - '89.185.234.145'
-    condition: outgoing or incoming
+    condition: 1 of them
 falsepositives:
     - Unknown
 level: high

rules/apt/apt_equationgroup_dll_u_load.yml

@@ -0,0 +1,26 @@
+title: Equation Group DLL_U Load
+author: Florian Roth
+description: Detects a specific tool and export used by EquationGroup
+references:
+    - https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
+    - https://securelist.com/apt-slingshot/84312/
+    - https://twitter.com/cyb3rops/status/972186477512839170
+tags:
+    - attack.execution
+    - attack.g0020
+    - attack.t1059
+    - attack.defense_evasion
+    - attack.t1085
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        Image: '*\rundll32.exe'
+        CommandLine: '*,dll_u'
+    selection2:
+        CommandLine: '* -export dll_u *'
+    condition: 1 of them
+falsepositives:
+    - Unknown
+level: critical

rules/apt/apt_equationgroup_lnx.yml

@@ -1,6 +1,11 @@
 title: Equation Group Indicators
 description: Detects suspicious shell commands used in various Equation Group scripts and tools
-reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
+references:
+    - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
+tags:
+    - attack.execution
+    - attack.g0020
+    - attack.t1059
 author: Florian Roth
 logsource:
     product: linux
@@ -63,7 +68,6 @@ detection:
         - 'chmod 755 /usr/vmsys/bin/pipe'
         - 'chmod -R 755 /usr/vmsys'
         - 'chmod 755 $opbin/*tunnel'
-        - '< /dev/console | uudecode && uncompress'
         - 'chmod 700 sendmail'
         - 'chmod 0700 sendmail'
         - '/usr/bin/wget http*sendmail;chmod +x sendmail;'

rules/apt/apt_hurricane_panda.yml

@@ -0,0 +1,23 @@
+title: Hurricane Panda Activity
+author: Florian Roth
+status: experimental
+description: Detects Hurricane Panda Activity 
+references: 
+    - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
+tags:
+    - attack.privilege_escalation
+    - attack.g0009
+    - attack.t1068
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine: 
+            - '* localgroup administrators admin /add'
+            - '*\Win64.exe*'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
+

rules/apt/apt_judgement_panda_gtr19.yml

@@ -0,0 +1,33 @@
+title: Judgement Panda Exfil Activity
+description: Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike
+references:
+    - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
+author: Florian Roth
+date: 2019/02/21
+tags:
+    - attack.lateral_movement
+    - attack.g0010
+    - attack.credential_access
+    - attack.t1098
+    - attack.exfiltration
+    - attack.t1002
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        CommandLine:
+            - '*\ldifde.exe -f -n *'
+            - '*\7za.exe a 1.7z *'
+            - '* eprod.ldf'
+            - '*\aaaa\procdump64.exe*'
+            - '*\aaaa\netsess.exe*'
+            - '*\aaaa\7za.exe*'
+            - '*copy .\1.7z \\*'
+            - '*copy \\client\c$\aaaa\*'
+    selection2:
+        Image: C:\Users\Public\7za.exe
+    condition: selection1 or selection2
+falsepositives:
+    - unknown
+level: critical

rules/apt/apt_oceanlotus_registry.yml

@@ -0,0 +1,27 @@
+title: OceanLotus Registry Activity
+status: experimental
+description: Detects registry keys created in OceanLotus (also known as APT32) attacks
+references:
+    - https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/
+tags:
+    - attack.t1112
+author: megan201296
+date: 2019/04/14
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 13
+        TargetObject: 
+            - '*\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model' 
+            - '*\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\Application'
+            - '*\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\DefaultIcon'
+            - '*\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\Application'
+            - '*\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\DefaultIcon'
+            - '*\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\Application'
+            - '*\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\DefaultIcon'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical

rules/apt/apt_pandemic.yml

@@ -1,24 +1,17 @@
+---
+action: global
 title: Pandemic Registry Key
 status: experimental
 description: Detects Pandemic Windows Implant
-reference: 
+references:
     - https://wikileaks.org/vault7/#Pandemic
     - https://twitter.com/MalwareJake/status/870349480356454401
+tags:
+    - attack.lateral_movement
+    - attack.t1105
 author: Florian Roth
-logsource:
-    product: windows
-    service: sysmon
 detection:
-    selection1:
-        EventID: 13
-        TargetObject: 
-            - '\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\null\Instance*'
-            - '\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\null\Instance*'
-            - '\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\null\Instance*'
-    selection2:
-        EventID: 1
-        Command: 'loaddll -a *'
-    condition: selection1 or selection2
+    condition: 1 of them
 fields:
     - EventID
     - CommandLine
@@ -29,4 +22,22 @@ fields:
 falsepositives:
     - unknown
 level: critical
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        EventID: 13
+        TargetObject: 
+            - '\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\null\Instance*'
+            - '\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\null\Instance*'
+            - '\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\null\Instance*'
+---
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection2:
+        Command: 'loaddll -a *'
 

rules/apt/apt_slingshot.yml

@@ -0,0 +1,33 @@
+---
+action: global
+title: Defrag Deactivation
+author: Florian Roth
+description: Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group
+references:
+    - https://securelist.com/apt-slingshot/84312/
+tags:
+    - attack.persistence
+    - attack.t1053
+    - attack.s0111
+detection:
+    condition: 1 of them
+falsepositives:
+    - Unknown
+level: medium
+---
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        CommandLine: 
+            - '*schtasks* /delete *Defrag\ScheduledDefrag*'
+---
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'       
+detection:
+    selection2:
+        EventID: 4701
+        TaskName: '\Microsoft\Windows\Defrag\ScheduledDefrag'

rules/apt/apt_sofacy.yml

@@ -0,0 +1,27 @@
+title: Sofacy Trojan Loader Activity
+author: Florian Roth
+status: experimental
+description: Detects Trojan loader acitivty as used by APT28 
+references: 
+    - https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
+    - https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100
+    - https://twitter.com/ClearskySec/status/960924755355369472
+tags:
+    - attack.g0007
+    - attack.execution
+    - attack.t1059
+    - attack.defense_evasion
+    - attack.t1085
+    - car.2013-10-002
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine: 
+            - 'rundll32.exe %APPDATA%\\*.dat",*'
+            - 'rundll32.exe %APPDATA%\\*.dll",#1'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical

rules/apt/apt_sofacy_zebrocy.yml

@@ -0,0 +1,19 @@
+title: Sofacy Zebrocy
+author: Florian Roth
+description: Detects Sofacy's Zebrocy malware execution
+references:
+    - https://app.any.run/tasks/54acca9a-394e-4384-a0c8-91a96d36c81d
+tags:
+    - attack.execution
+    - attack.g0020
+    - attack.t1059
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine: '*cmd.exe /c SYSTEMINFO & TASKLIST'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical

rules/apt/apt_stonedrill.yml

@@ -1,7 +1,12 @@
 title: StoneDrill Service Install
 description: 'This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky'   
 author: Florian Roth
-reference: https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
+references:
+    - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
+tags:
+    - attack.persistence
+    - attack.g0064
+    - attack.t1050
 logsource:
     product: windows
     service: system

rules/apt/apt_ta17_293a_ps.yml

@@ -1,14 +1,19 @@
 title: Ps.exe Renamed SysInternals Tool
-description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A report
-reference: https://www.us-cert.gov/ncas/alerts/TA17-293A
+description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
+references:
+    - https://www.us-cert.gov/ncas/alerts/TA17-293A
+tags:
+    - attack.defense_evasion
+    - attack.g0035
+    - attack.t1036
+    - car.2013-05-009
 author: Florian Roth
 date: 2017/10/22
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         CommandLine: 'ps.exe -accepteula'
     condition: selection
 falsepositives:

rules/apt/apt_tropictrooper.yml

@@ -0,0 +1,17 @@
+title: TropicTrooper Campaign November 2018
+author: "@41thexplorer, Windows Defender ATP"
+status: stable
+description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
+references:
+    - https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
+tags:
+    - attack.execution
+    - attack.t1085
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
+    condition: selection
+level: high

rules/apt/apt_turla_commands.yml

@@ -3,35 +3,41 @@ action: global
 title: Turla Group Lateral Movement 
 status: experimental
 description: Detects automated lateral movement by Turla group 
-reference: https://securelist.com/the-epic-turla-operation/65545/
+references:
+    - https://securelist.com/the-epic-turla-operation/65545/
+tags:
+    - attack.g0010
+    - attack.execution
+    - attack.t1059
+    - attack.lateral_movement
+    - attack.t1077
+    - attack.discovery
+    - attack.t1083
+    - attack.t1135
 author: Markus Neis
 date: 2017/11/07
 logsource:
-   product: windows
-   service: sysmon
+    category: process_creation
+    product: windows
 falsepositives:
    - Unknown
 ---
 detection:
    selection:
-      EventID: 1
       CommandLine: 
          - 'net use \\%DomainController%\C$ "P@ssw0rd" *'
-         - 'dir c:\*.doc* /s'
-         - 'dir %TEMP%\*.exe'
+         - 'dir c:\\*.doc* /s'
+         - 'dir %TEMP%\\*.exe'
    condition: selection
 level: critical
 ---
 detection:
    netCommand1:
-      EventID: 1
       CommandLine: 'net view /DOMAIN'
    netCommand2:
-      EventID: 1
       CommandLine: 'net session'
    netCommand3:
-      EventID: 1
       CommandLine: 'net share'
    timeframe: 1m
-   condition: netCommand1 | near netCommand1 and netCommand1 
+   condition: netCommand1 | near netCommand2 and netCommand3 
 level: medium

rules/apt/apt_turla_namedpipes.yml

@@ -1,13 +1,16 @@
 title: Turla Group Named Pipes 
 status: experimental
 description: Detects a named pipe used by Turla group samples
-reference: Internal Research
+references:
+    - Internal Research
 date: 2017/11/06
+tags:
+    - attack.g0010
 author: Markus Neis
 logsource:
     product: windows
     service: sysmon
-    description: 'Note that you have to configure logging for PipeEvents in Symson config'
+    definition: 'Note that you have to configure logging for PipeEvents in Symson config'
 detection:
     selection:
         EventID: 

rules/apt/apt_turla_service_png.yml

@@ -0,0 +1,21 @@
+title: Turla PNG Dropper Service
+description: 'This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018' 
+references:
+    - https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
+author: Florian Roth
+date: 2018/11/23
+tags:
+    - attack.persistence
+    - attack.g0010
+    - attack.t1050
+logsource:
+    product: windows
+    service: system
+detection:
+    selection:
+        EventID: 7045
+        ServiceName: 'WerFaultSvc'
+    condition: selection
+falsepositives:
+    - unlikely
+level: critical

rules/apt/apt_unidentified_nov_18.yml

@@ -0,0 +1,33 @@
+---
+action: global
+title: Unidentified Attacker November 2018
+status: stable
+description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.
+references:
+    - https://twitter.com/DrunkBinary/status/1063075530180886529
+author: "@41thexplorer, Windows Defender ATP"
+date: 2018/11/20
+modified: 2018/12/11
+tags:
+    - attack.execution
+    - attack.t1085
+detection:
+    condition: 1 of them
+level: high
+---
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        CommandLine: '*cyzfc.dat, PointFunctionCall'
+---
+# Sysmon: File Creation (ID 11)
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection2:
+        EventID: 11
+        TargetFilename: 
+            - '*ds7002.lnk*' 

rules/apt/apt_zxshell.yml

@@ -1,13 +1,19 @@
 title: ZxShell Malware
 description: Detects a ZxShell start by the called and well-known function name   
 author: Florian Roth
-reference: https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
+references:
+    - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
+tags:
+    - attack.g0001
+    - attack.execution
+    - attack.t1059
+    - attack.defense_evasion
+    - attack.t1085
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         Command: 
             - 'rundll32.exe *,zxFunction*'
             - 'rundll32.exe *,RemoteDiskXXXXX'

rules/apt/crime_fireball.yml

@@ -1,17 +1,21 @@
-title: Detects Fireball - Archer Install
+title: Fireball Archer Install
 status: experimental
 description: Detects Archer malware invocation via rundll32
 author: Florian Roth
 date: 2017/06/03
-reference: 
+references:
     - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
     - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
+tags:
+    - attack.execution
+    - attack.t1059
+    - attack.defense_evasion
+    - attack.t1085
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         CommandLine: '*\rundll32.exe *,InstallArcherSvc'
     condition: selection
 fields:

rules/compliance/cleartext_protocols.yml

@@ -0,0 +1,109 @@
+action: global
+title: Cleartext Protocol Usage
+description: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used  for all administrative account access.
+references:
+- https://www.cisecurity.org/controls/cis-controls-list/
+- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
+author: Alexandr Yampolskyi, SOC Prime
+status: stable
+date: 2019/03/26
+falsepositives:
+- unknown
+level: low
+tags:
+- CSC4
+- CSC4.5
+- CSC14
+- CSC14.4
+- CSC16
+- CSC16.5
+- NIST CSF 1.1 PR.AT-2
+- NIST CSF 1.1 PR.MA-2
+- NIST CSF 1.1 PR.PT-3
+- NIST CSF 1.1 PR.AC-1
+- NIST CSF 1.1 PR.AC-4
+- NIST CSF 1.1 PR.AC-5
+- NIST CSF 1.1 PR.AC-6
+- NIST CSF 1.1 PR.AC-7
+- NIST CSF 1.1 PR.DS-1
+- NIST CSF 1.1 PR.DS-2
+- NIST CSF 1.1 PR.PT-3
+- NIST CSF 1.1 PR.PT-3
+- ISO 27002-2013 A.9.2.1
+- ISO 27002-2013 A.9.2.2
+- ISO 27002-2013 A.9.2.3
+- ISO 27002-2013 A.9.2.4
+- ISO 27002-2013 A.9.2.5
+- ISO 27002-2013 A.9.2.6
+- ISO 27002-2013 A.9.3.1
+- ISO 27002-2013 A.9.4.1
+- ISO 27002-2013 A.9.4.2
+- ISO 27002-2013 A.9.4.3
+- ISO 27002-2013 A.9.4.4
+- ISO 27002-2013 A.8.3.1
+- ISO 27002-2013 A.9.1.1
+- ISO 27002-2013 A.10.1.1
+- PCI DSS 3.2 2.1
+- PCI DSS 3.2 8.1
+- PCI DSS 3.2 8.2
+- PCI DSS 3.2 8.3
+- PCI DSS 3.2 8.7
+- PCI DSS 3.2 8.8
+- PCI DSS 3.2 1.3
+- PCI DSS 3.2 1.4
+- PCI DSS 3.2 4.3
+- PCI DSS 3.2 7.1
+- PCI DSS 3.2 7.2
+- PCI DSS 3.2 7.3
+---
+logsource:
+  product: netflow
+detection:
+  selection:
+    destination.port:
+    - 8080
+    - 21
+    - 80
+    - 23
+    - 50000
+    - 1521
+    - 27017
+    - 1433
+    - 11211
+    - 3306
+    - 15672
+    - 5900
+    - 5901
+    - 5902
+    - 5903
+    - 5904
+  condition: selection
+---
+logsource:
+  product: firewall
+detection:
+  selection1:
+    destination.port:
+    - 8080
+    - 21
+    - 80
+    - 23
+    - 50000
+    - 1521
+    - 27017
+    - 3306
+    - 1433
+    - 11211
+    - 15672
+    - 5900
+    - 5901
+    - 5902
+    - 5903
+    - 5904
+  selection2:
+    action:
+    - forward
+    - accept
+    - 2
+  condition: selection1 AND selection2

rules/compliance/default_credentials_usage.yml

@@ -0,0 +1,107 @@
+title: Default Credentials Usage
+description: Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. Sigma detects default credentials usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
+author: Alexandr Yampolskyi, SOC Prime
+status: stable
+references:
+- https://www.cisecurity.org/controls/cis-controls-list/
+- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
+- https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists
+date: 2019/03/26
+logsource:
+  product: qualys
+detection:
+  selection:
+    host.scan.vuln:
+    - 10693
+    - 11507
+    - 11633
+    - 11804
+    - 11821
+    - 11847
+    - 11867
+    - 11931
+    - 11935
+    - 11950
+    - 12541
+    - 12558
+    - 12559
+    - 12560
+    - 12562
+    - 12563
+    - 12565
+    - 12587
+    - 12590
+    - 12599
+    - 12702
+    - 12705
+    - 12706
+    - 12907
+    - 12928
+    - 12929
+    - 13053
+    - 13178
+    - 13200
+    - 13218
+    - 13241
+    - 13253
+    - 13274
+    - 13296
+    - 13301
+    - 13327
+    - 13373
+    - 13374
+    - 13409
+    - 13530
+    - 13532
+    - 20065
+    - 20073
+    - 20081
+    - 27202
+    - 27358
+    - 38702
+    - 38719
+    - 42045
+    - 42417
+    - 43029
+    - 43220
+    - 43221
+    - 43222
+    - 43223
+    - 43225
+    - 43246
+    - 43431
+    - 43484
+    - 86857
+    - 87098
+    - 87106
+  condition: selection
+falsepositives:
+- unknown
+level: medium
+tags:
+- CSC4
+- CSC4.2
+- NIST CSF 1.1 PR.AC-4
+- NIST CSF 1.1 PR.AT-2
+- NIST CSF 1.1 PR.MA-2
+- NIST CSF 1.1 PR.PT-3
+- ISO 27002-2013 A.9.1.1
+- ISO 27002-2013 A.9.2.2
+- ISO 27002-2013 A.9.2.3
+- ISO 27002-2013 A.9.2.4
+- ISO 27002-2013 A.9.2.5
+- ISO 27002-2013 A.9.2.6
+- ISO 27002-2013 A.9.3.1
+- ISO 27002-2013 A.9.4.1
+- ISO 27002-2013 A.9.4.2
+- ISO 27002-2013 A.9.4.3
+- ISO 27002-2013 A.9.4.4
+- PCI DSS 3.2 2.1
+- PCI DSS 3.2 7.1
+- PCI DSS 3.2 7.2
+- PCI DSS 3.2 7.3
+- PCI DSS 3.2 8.1
+- PCI DSS 3.2 8.2
+- PCI DSS 3.2 8.3
+- PCI DSS 3.2 8.7

rules/compliance/group_modification_logging.yml

@@ -0,0 +1,57 @@
+title: Group Modification Logging
+description: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. Sigma detects Event ID 4728 indicates a ‘Member is added to a Security Group’. Event ID 4729 indicates a ‘Member is removed from a Security enabled-group’. Event ID 4730 indicates a‘Security Group is deleted’. The case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.
+author: Alexandr Yampolskyi, SOC Prime
+status: stable
+references:
+- https://www.cisecurity.org/controls/cis-controls-list/
+- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
+- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
+- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729
+- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730
+- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633
+- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632
+- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634
+date: 2019/03/26
+logsource:
+  product: windows
+  service: security
+detection:
+  selection:
+    EventID:
+    - 4728
+    - 4729
+    - 4730
+    - 633
+    - 632
+    - 634
+  condition: selection
+falsepositives:
+- unknown
+level: low
+tags:
+- CSC4
+- CSC4.8
+- NIST CSF 1.1 PR.AC-4
+- NIST CSF 1.1 PR.AT-2
+- NIST CSF 1.1 PR.MA-2
+- NIST CSF 1.1 PR.PT-3
+- ISO 27002-2013 A.9.1.1
+- ISO 27002-2013 A.9.2.2
+- ISO 27002-2013 A.9.2.3
+- ISO 27002-2013 A.9.2.4
+- ISO 27002-2013 A.9.2.5
+- ISO 27002-2013 A.9.2.6
+- ISO 27002-2013 A.9.3.1
+- ISO 27002-2013 A.9.4.1
+- ISO 27002-2013 A.9.4.2
+- ISO 27002-2013 A.9.4.3
+- ISO 27002-2013 A.9.4.4
+- PCI DSS 3.2 2.1
+- PCI DSS 3.2 7.1
+- PCI DSS 3.2 7.2
+- PCI DSS 3.2 7.3
+- PCI DSS 3.2 8.1
+- PCI DSS 3.2 8.2
+- PCI DSS 3.2 8.3
+- PCI DSS 3.2 8.7

rules/compliance/host_without_firewall.yml

@@ -0,0 +1,29 @@
+title: Host Without Firewall
+description: Host Without Firewall. Alert means not complied. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
+author: Alexandr Yampolskyi, SOC Prime
+references:
+- https://www.cisecurity.org/controls/cis-controls-list/
+- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
+date: 2019/03/19
+status: stable
+level: low
+logsource:
+  product: Qualys
+detection:
+  selection:
+    event.category: Security Policy
+    host.scan.vuln_name: Firewall Product Not Detected*
+  condition: selection
+tags:
+- CSC9
+- CSC9.4
+- NIST CSF 1.1 PR.AC-5
+- NIST CSF 1.1 PR.AC-6
+- NIST CSF 1.1 PR.AC-7
+- NIST CSF 1.1 DE.AE-1
+- ISO 27002-2013 A.9.1.2
+- ISO 27002-2013 A.13.2.1
+- ISO 27002-2013 A.13.2.2
+- ISO 27002-2013 A.14.1.2
+- PCI DSS 3.2 1.4

rules/compliance/workstation_was_locked.yml

@@ -0,0 +1,45 @@
+title: Locked Workstation
+description: Automatically lock workstation sessions after a standard period of inactivity. The case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019.
+author: Alexandr Yampolskyi, SOC Prime
+status: stable
+references:
+- https://www.cisecurity.org/controls/cis-controls-list/
+- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
+- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800
+date: 2019/03/26
+logsource:
+  product: windows
+  service: security
+detection:
+  selection:
+    EventID:
+    - 4800
+  condition: selection
+falsepositives:
+- unknown
+level: low
+tags:
+- CSC16
+- CSC16.11
+- ISO27002-2013 A.9.1.1
+- ISO27002-2013 A.9.2.1
+- ISO27002-2013 A.9.2.2
+- ISO27002-2013 A.9.2.3
+- ISO27002-2013 A.9.2.4
+- ISO27002-2013 A.9.2.5
+- ISO27002-2013 A.9.2.6
+- ISO27002-2013 A.9.3.1
+- ISO27002-2013 A.9.4.1
+- ISO27002-2013 A.9.4.3
+- ISO27002-2013 A.11.2.8
+- PCI DSS 3.1 7.1
+- PCI DSS 3.1 7.2
+- PCI DSS 3.1 7.3
+- PCI DSS 3.1 8.7
+- PCI DSS 3.1 8.8
+- NIST CSF 1.1 PR.AC-1
+- NIST CSF 1.1 PR.AC-4
+- NIST CSF 1.1 PR.AC-6
+- NIST CSF 1.1 PR.AC-7
+- NIST CSF 1.1 PR.PT-3

rules/linux/auditd/lnx_auditd_alter_bash_profile.yml

@@ -0,0 +1,30 @@
+title: Detects Suspicious edit of .bash_profile and .bashrc on Linux systems
+status: experimental
+description: Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.
+references:
+    - 'MITRE Attack technique T1156; .bash_profile and .bashrc. '
+date: 2019/05/12
+tags:
+    - attack.s0003
+    - attack.t1156
+    - attack.persistence
+author: Peter Matkovski
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'PATH'
+        name:
+            - '/home/*/.bashrc'
+            - '/home/*/.bash_profile' 
+            - '/home/*/.profile'
+            - '/etc/profile'
+            - '/etc/shells'
+            - '/etc/bashrc'
+            - '/etc/csh.cshrc'
+            - '/etc/csh.login'
+    condition: selection
+falsepositives:
+    - Admin or User activity
+level: medium

rules/linux/auditd/lnx_auditd_susp_cmds.yml

@@ -0,0 +1,31 @@
+title: Detects Suspicious Commands on Linux systems
+status: experimental
+description: Detects relevant commands often related to malware or hacking activity
+references:
+    - 'Internal Research - mostly derived from exploit code including code in MSF'
+date: 2017/12/12
+author: Florian Roth
+logsource:
+    product: linux
+    service: auditd
+detection:
+    cmd1:
+        type: 'EXECVE'
+        a0: 'chmod'
+        a1: '777'
+    cmd2:
+        type: 'EXECVE'
+        a0: 'chmod'
+        a1: 'u+s'
+    cmd3: 
+        type: 'EXECVE'
+        a0: 'cp'
+        a1: '/bin/ksh'
+    cmd4:
+        type: 'EXECVE'
+        a0: 'cp'
+        a1: '/bin/sh'
+    condition: 1 of them
+falsepositives:
+    - Admin activity
+level: medium

rules/linux/auditd/lnx_auditd_susp_exe_folders.yml

@@ -0,0 +1,40 @@
+title: Program Executions in Suspicious Folders
+status: experimental
+description: Detects program executions in suspicious non-program folders related to malware or hacking activity
+references:
+    - 'Internal Research'
+date: 2018/01/23
+author: Florian Roth
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'SYSCALL'
+        exe:
+            # Temporary folder
+            - '/tmp/*'
+            # Web server 
+            - '/var/www/*'              # Standard
+            - '/home/*/public_html/*'   # Per-user
+            - '/usr/local/apache2/*'    # Classical Apache
+            - '/usr/local/httpd/*'      # Old SuSE Linux 6.* Apache
+            - '/var/apache/*'           # Solaris Apache
+            - '/srv/www/*'              # SuSE Linux 9.*
+            - '/home/httpd/html/*'      # Redhat 6 or older Apache
+            - '/srv/http/*'             # ArchLinux standard
+            - '/usr/share/nginx/html/*' # ArchLinux nginx
+            # Data dirs of typically exploited services (incomplete list)
+            - '/var/lib/pgsql/data/*'
+            - '/usr/local/mysql/data/*'
+            - '/var/lib/mysql/*'
+            - '/var/vsftpd/*'
+            - '/etc/bind/*'
+            - '/var/named/*'
+    condition: selection
+falsepositives:
+    - Admin activity (especially in /tmp folders)
+    - Crazy web applications
+level: medium
+
+

rules/linux/lnx_buffer_overflows.yml

@@ -1,8 +1,9 @@
 title: Buffer Overflow Attempts
-description: Detects buffer overflow attempts in Linux system log files
-reference: https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
+description: Detects buffer overflow attempts in Unix system log files
+references:
+    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
 logsource:
-    product: linux
+    product: unix
 detection:
     keywords:
         - 'attempt to execute code on stack by'

rules/linux/lnx_clamav.yml

@@ -1,6 +1,7 @@
 title: Relevant ClamAV Message
 description: Detects relevant ClamAV messages
-reference: https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml
+references:
+    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml
 logsource:
     product: linux
     service: clamav

rules/linux/lnx_shell_clear_cmd_history.yml

@@ -0,0 +1,27 @@
+title: Clear Command History
+status: experimental
+description: Clear command history in linux which is used for defense evasion. 
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1146/T1146.yaml
+    - https://attack.mitre.org/techniques/T1146/
+author: Patrick Bareiss
+date: 2019/03/24
+logsource:
+    product: linux
+detection:
+    keywords:
+        - 'rm *bash_history'
+        - 'echo "" > *bash_history'
+        - 'cat /dev/null > *bash_history' 
+        - 'ln -sf /dev/null *bash_history'
+        - 'truncate -s0 *bash_history'
+        # - 'unset HISTFILE'  # prone to false positives
+        - 'export HISTFILESIZE=0'
+        - 'history -c'
+    condition: keywords
+falsepositives:
+    - Unknown
+level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1146

rules/linux/lnx_shell_priv_esc_prep.yml

@@ -0,0 +1,64 @@
+title: Privilege Escalation Preparation 
+status: experimental
+description: Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation.
+references:
+    - https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
+    - https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/
+author: Patrick Bareiss
+date: 2019/04/05
+tags:
+    - attack.privilege_escalation
+    - attack.t1068
+level: medium
+logsource:
+    product: linux
+detection:
+    keywords:
+        # distribution type and kernel version
+        - 'cat /etc/issue'
+        - 'cat /etc/*-release'
+        - 'cat /proc/version'
+        - 'uname -a'
+        - 'uname -mrs'
+        - 'rpm -q kernel'
+        - 'dmesg | grep Linux'
+        - 'ls /boot | grep vmlinuz-'
+        # environment variables
+        - 'cat /etc/profile'
+        - 'cat /etc/bashrc'
+        - 'cat ~/.bash_profile'
+        - 'cat ~/.bashrc'
+        - 'cat ~/.bash_logout'
+        # applications and services as root
+        - 'ps -aux | grep root'
+        - 'ps -ef | grep root'
+        # scheduled tasks
+        - 'crontab -l'
+        - 'cat /etc/cron*'
+        - 'cat /etc/cron.allow'
+        - 'cat /etc/cron.deny'
+        - 'cat /etc/crontab'
+        # search for plain text user/passwords
+        - 'grep -i user *'
+        - 'grep -i pass *'
+        # networking
+        - 'ifconfig'
+        - 'cat /etc/network/interfaces'
+        - 'cat /etc/sysconfig/network'
+        - 'cat /etc/resolv.conf'
+        - 'cat /etc/networks'
+        - 'iptables -L'
+        - 'lsof -i'
+        - 'netstat -antup'
+        - 'netstat -antpx'
+        - 'netstat -tulpn'
+        - 'arp -e'
+        - 'route'
+        # sensitive files
+        - 'cat /etc/passwd'
+        - 'cat /etc/group'
+        - 'cat /etc/shadow'
+    timeframe: 30m
+    condition: keywords | count() by host > 6
+falsepositives:
+    - Troubleshooting on Linux Machines

rules/linux/lnx_shell_susp_commands.yml

@@ -1,11 +1,13 @@
 title: Suspicious Activity in Shell Commands
 description: Detects suspicious shell commands used in various exploit codes (see references)
-reference: 
+references:
     - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html
     - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121
     - http://pastebin.com/FtygZ1cg
     - https://artkond.com/2017/03/23/pivoting-guide/
 author: Florian Roth
+date: 2017/08/21
+modified: 2019/02/05
 logsource:
     product: linux
 detection:
@@ -15,30 +17,37 @@ detection:
         - 'wget * - http* | sh'
         - 'wget * - http* | bash'
         - 'python -m SimpleHTTPServer'
-        - 'import pty; pty.spawn'
+        - '-m http.server'  # Python 3
+        - 'import pty; pty.spawn*'
+        - 'socat exec:*'
+        - 'socat -O /tmp/*'
+        - 'socat tcp-connect*'
+        - '*echo binary >>*'
         # Malware 
         - '*wget *; chmod +x*'
         - '*wget *; chmod 777 *'
         - '*cd /tmp || cd /var/run || cd /mnt*'
         # Apache Struts in-the-wild exploit codes  
-        - 'stop;service iptables stop;'
-        - 'stop;SuSEfirewall2 stop;'
-        - 'chmod 777 2020'
-        - '">>/etc/rc.local;'
-        - 'wget -c *;chmod 777'
+        - '*stop;service iptables stop;*'
+        - '*stop;SuSEfirewall2 stop;*'
+        - 'chmod 777 2020*'
+        - '*>>/etc/rc.local'
         # Metasploit framework exploit codes
-        - 'base64 -d /tmp/'
-        - ' | base64 -d'
-        - '/bin/chmod u+s'
-        - 'chmod +s /tmp/'
-        - 'chmod u+s /tmp/'
-        - '/tmp/haxhax'
-        - '/tmp/ns_sploit'
-        - 'nc -l -p '
-        - 'cp /bin/ksh '
-        - 'cp /bin/sh '
-        - ' /tmp/*.b64 '
-        - '/tmp/ysocereal.jar'
+        - '*base64 -d /tmp/*'
+        - '* | base64 -d *'
+        - '*/chmod u+s *'
+        - '*chmod +s /tmp/*'
+        - '*chmod u+s /tmp/*'
+        - '* /tmp/haxhax*'
+        - '* /tmp/ns_sploit*'
+        - 'nc -l -p *'
+        - 'cp /bin/ksh *'
+        - 'cp /bin/sh *'
+        - '* /tmp/*.b64 *'
+        - '*/tmp/ysocereal.jar*'
+        - '*/tmp/x *'
+        - '*; chmod +x /tmp/*'
+        - '*;chmod +x /tmp/*'
     condition: keywords
 falsepositives:
     - Unknown

rules/linux/lnx_shell_susp_rev_shells.yml

@@ -0,0 +1,40 @@
+title: Suspicious Reverse Shell Command Line
+status: experimental
+description: Detects suspicious shell commands or program code that may be exected or used in command line to establish a reverse shell
+references:
+    - https://alamot.github.io/reverse_shells/
+author: Florian Roth
+date: 2019/04/02
+logsource:
+    product: linux
+detection:
+    keywords:
+        - 'BEGIN {s = "/inet/tcp/0/'
+        - 'bash -i >& /dev/tcp/'
+        - 'bash -i >& /dev/udp/'
+        - 'sh -i >$ /dev/udp/'
+        - 'sh -i >$ /dev/tcp/'
+        - '&& while read line 0<&5; do'
+        - '/bin/bash -c exec 5<>/dev/tcp/'
+        - '/bin/bash -c exec 5<>/dev/udp/'
+        - 'nc -e /bin/sh '
+        - '/bin/sh | nc'
+        - 'rm -f backpipe; mknod /tmp/backpipe p && nc '
+        - ';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i))))'
+        - ';STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
+        - '/bin/sh -i <&3 >&3 2>&3'
+        - 'uname -a; w; id; /bin/bash -i'
+        - '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()};'
+        - ";os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv('HISTFILE','/dev/null');"
+        - '.to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
+        - ';while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print'
+        - "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:"
+        - 'rm -f /tmp/p; mknod /tmp/p p &&'
+        - ' | /bin/bash | telnet '
+        - ',echo=0,raw tcp-listen:'
+        - 'nc -lvvp '
+        - 'xterm -display 1'
+    condition: keywords
+falsepositives:
+    - Unknown
+level: high

rules/linux/lnx_shellshock.yml

@@ -1,6 +1,7 @@
 title: Shellshock Expression
 description: Detects shellshock expressions in log files
-reference: http://rubular.com/r/zxBfjWfFYs
+references:
+    - http://rubular.com/r/zxBfjWfFYs
 logsource:
     product: linux
 detection:

rules/linux/lnx_ssh_cve_2018_15473.yml

@@ -0,0 +1,16 @@
+title: SSHD Error Message CVE-2018-15473
+description: Detects exploitation attempt using public exploit code for CVE-2018-15473
+references:
+    - https://github.com/Rhynorater/CVE-2018-15473-Exploit
+author: Florian Roth
+date: 2017/08/24
+logsource:
+    product: linux
+    service: sshd
+detection:
+    keywords:
+        - 'error: buffer_get_ret: trying to get more bytes 1907 than in buffer 308 [preauth]'
+    condition: keywords
+falsepositives:
+    - Unknown
+level: medium

rules/linux/lnx_susp_failed_logons_single_source.yml

@@ -5,9 +5,9 @@ logsource:
     service: auth
 detection:
     selection:
-        log: auth
-        pam_user: not null
-        pam_rhost: not null
+        pam_message: "authentication failure"
+        pam_user: '*'
+        pam_rhost: '*'
     timeframe: 24h 
     condition: selection | count(pam_user) by pam_rhost > 3
 falsepositives:

rules/linux/lnx_susp_jexboss.yml

@@ -0,0 +1,17 @@
+title: JexBoss Command Sequence
+description: Detects suspicious command sequence that JexBoss
+references:
+    - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
+author: Florian Roth
+date: 2017/08/24
+logsource:
+    product: linux
+detection:
+    selection1: 
+        - 'bash -c /bin/bash'
+    selection2:
+        - '&/dev/tcp/'
+    condition: selection1 and selection2
+falsepositives:
+    - Unknown
+level: high

rules/linux/lnx_susp_named.yml

@@ -0,0 +1,20 @@
+title: Suspicious Named Error
+status: experimental
+description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 
+references:
+    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml
+author: Florian Roth
+date: 2018/02/20
+logsource:
+    product: linux
+    service: syslog
+detection:
+    keywords:
+        - '* dropping source port zero packet from *'
+        - '* denied AXFR from *'
+        - '* exiting (due to fatal error)*'
+    condition: keywords
+falsepositives:
+    - Unknown
+level: high
+

rules/linux/lnx_susp_ssh.yml

@@ -1,6 +1,8 @@
-title: Suspicious SSHD error
+title: Suspicious SSHD Error
 description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 
-reference: https://github.com/openssh/openssh-portable/blob/master/ssherr.c
+references:
+    - https://github.com/openssh/openssh-portable/blob/master/ssherr.c
+    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml
 author: Florian Roth
 date: 2017/06/30
 logsource:
@@ -8,13 +10,17 @@ logsource:
     service: sshd
 detection:
     keywords:
-        - 'unexpected internal error'
-        - 'unknown or unsupported key type'
-        - 'invalid certificate signing key'
-        - 'invalid elliptic curve value'
-        - 'incorrect signature'
-        - 'error in libcrypto'
-        - 'unexpected bytes remain after decoding'
+        - '*unexpected internal error*'
+        - '*unknown or unsupported key type*'
+        - '*invalid certificate signing key*'
+        - '*invalid elliptic curve value*'
+        - '*incorrect signature*'
+        - '*error in libcrypto*'
+        - '*unexpected bytes remain after decoding*'
+        - '*fatal: buffer_get_string: bad string*'
+        - '*Local: crc32 compensation attack*'
+        - '*bad client public DH value*'
+        - '*Corrupted MAC on input*'
     condition: keywords
 falsepositives:
     - Unknown

rules/linux/lnx_susp_vsftp.yml

@@ -1,6 +1,7 @@
-title: Suspicious VSFTPD error messages
+title: Suspicious VSFTPD Error Messages
 description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 
-reference: https://github.com/dagwieers/vsftpd/
+references:
+    - https://github.com/dagwieers/vsftpd/
 author: Florian Roth
 date: 2017/07/05
 logsource:

rules/network/net_dns_c2_detection.yml

@@ -0,0 +1,19 @@
+title: Possible DNS Tunneling
+status: experimental
+description: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data. 
+references:
+    - https://zeltser.com/c2-dns-tunneling/
+    - https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/
+author: Patrick Bareiss
+date: 2019/04/07
+logsource:
+    product: dns
+detection:
+    selection:
+        parent_domain: '*'
+    condition: selection | count(dns_query) by parent_domain > 1000
+falsepositives:
+    - Valid software, which uses dns for transferring data
+level: high
+tags:
+    - attack.t1043

rules/network/net_mal_dns_cobaltstrike.yml

@@ -0,0 +1,19 @@
+title: Cobalt Strike DNS Beaconing
+status: experimental
+description: Detects suspicious DNS queries known from Cobalt Strike beacons
+references:
+    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
+author: Florian Roth
+date: 2018/05/10
+logsource:
+    category: dns
+detection:
+    selection:
+        query:
+            - 'aaa.stage.*' 
+            - 'post.1*'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
+

rules/network/net_susp_dns_b64_queries.yml

@@ -0,0 +1,17 @@
+title: Suspicious DNS Query with B64 Encoded String   
+status: experimental
+description: Detects suspicious DNS queries using base64 encoding
+references:
+    - https://github.com/krmaxwell/dns-exfiltration
+author: Florian Roth
+date: 2018/05/10
+logsource:
+    category: dns
+detection:
+    selection:
+        query:
+            - '*==.*'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium

rules/network/net_susp_dns_txt_exec_strings.yml

@@ -0,0 +1,23 @@
+title: DNS TXT Answer with possible execution strings    
+status: experimental
+description: Detects strings used in command execution in DNS TXT Answer 
+references:
+    - https://twitter.com/stvemillertime/status/1024707932447854592
+    - https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1
+tags:
+    - attack.t1071
+author: Markus Neis
+date: 2018/08/08
+logsource:
+    category: dns
+detection:
+    selection:
+            record_type: 'TXT'
+            answer:
+                - '*IEX*'
+                - '*Invoke-Expression*'
+                - '*cmd.exe*'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules/network/net_susp_telegram_api.yml

@@ -0,0 +1,20 @@
+title: Telegram Bot API Request
+status: experimental
+description: Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind
+references:
+    - https://core.telegram.org/bots/faq
+    - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
+    - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
+    - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
+author: Florian Roth
+date: 2018/06/05
+logsource:
+    category: dns
+detection:
+    selection:
+        query:
+            - 'api.telegram.org'   # Telegram Bot API Request https://core.telegram.org/bots/faq
+    condition: selection
+falsepositives:
+    - Legitimate use of Telegram bots in the company
+level: medium

rules/proxy/proxy_apt40.yml

@@ -0,0 +1,20 @@
+title: APT40 Dropbox Tool User Agent
+status: experimental
+description: Detects suspicious user agent string of APT40 Dropbox tool
+references:
+    - Internal research from Florian Roth
+author: Thomas Patzke
+logsource:
+    category: proxy
+detection:
+    selection:
+      UserAgent: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36'
+      r-dns: 'api.dropbox.com'
+    condition: selection
+fields:
+    - c-ip
+    - cs-uri
+falsepositives:
+    - Old browsers
+level: high
+

rules/proxy/proxy_chafer_malware.yml

@@ -0,0 +1,20 @@
+title: Chafer Malware URL Pattern
+status: experimental
+description: Detects HTTP requests used by Chafer malware
+references:
+    - https://securelist.com/chafer-used-remexi-malware/89538/
+author: Florian Roth
+date: 2019/01/31
+logsource:
+    category: proxy
+detection:
+    selection:
+        c-uri-query: '*/asp.asp?ui=*'
+    condition: selection
+fields:
+    - ClientIP
+    - URL
+    - UserAgent
+falsepositives:
+    - Unknown
+level: critical

rules/proxy/proxy_cobalt_amazon.yml

@@ -0,0 +1,27 @@
+title: CobaltStrike Malleable Amazon browsing traffic profile
+status: experimental
+description: Detects Malleable Amazon Profile 
+references:
+    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/amazon.profile
+    - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
+author: Markus Neis
+tags:
+    - attack.t1102
+logsource:
+    category: proxy
+detection:
+    selection1:
+      UserAgent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
+      HttpMethod: 'GET'
+      URL: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'
+      Host: 'www.amazon.com'
+      Cookie: '*=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'
+    selection2:
+      UserAgent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
+      HttpMethod: 'POST'
+      URL: '/N4215/adj/amzn.us.sr.aps'
+      Host: 'www.amazon.com'
+    condition: selection1 or selection2
+falsepositives:
+    - Unknown
+level: high

rules/proxy/proxy_cobalt_ocsp.yml

@@ -0,0 +1,19 @@
+title: CobaltStrike Malleable (OCSP) Profile
+status: experimental
+description: Detects Malleable (OCSP) Profile with Typo (OSCP) in URL
+references:
+    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/ocsp.profile
+author: Markus Neis
+tags:
+    - attack.t1102
+logsource:
+    category: proxy
+detection:
+    selection:
+      URL: '*/oscp/*'
+      Host: 'ocsp.verisign.com'
+     
+    condition: selection 
+falsepositives:
+    - Unknown
+level: high

rules/proxy/proxy_cobalt_onedrive.yml

@@ -0,0 +1,21 @@
+title: CobaltStrike Malleable OneDrive browsing traffic profile
+status: experimental
+description: Detects Malleable OneDrive Profile 
+references:
+    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile    
+author: Markus Neis
+tags:
+    - attack.t1102
+logsource:
+    category: proxy
+detection:
+    selection:
+      HttpMethod: 'GET'
+      URL: '*?manifest=wac'
+      Host: 'onedrive.live.com'
+    filter:
+      URL: 'http*://onedrive.live.com/*'     
+    condition: selection and not filter
+falsepositives:
+    - Unknown
+level: high

rules/proxy/proxy_download_susp_dyndns.yml

@@ -1,7 +1,8 @@
 title: Download from Suspicious Dyndns Hosts
 status: experimental
 description: Detects download of certain file types from hosts with dynamic DNS names (selected list)
-reference: https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
+references:
+    - https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
 author: Florian Roth
 date: 2017/11/08
 logsource:
@@ -55,7 +56,6 @@ detection:
             - '*.mooo.com'
             - '*.dns-dns.com'
             - '*.strangled.net'
-            - '*.ddns.info'
             - '*.adultdns.net'
             - '*.craftx.biz'
             - '*.ddns01.com'

rules/proxy/proxy_download_susp_tlds_blacklist.yml

@@ -1,12 +1,13 @@
 title: Download from Suspicious TLD
 status: experimental
 description: Detects download of certain file types from hosts in suspicious TLDs 
-reference: 
+references:
     - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap
     - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf
     - https://www.spamhaus.org/statistics/tlds/
+    - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
 author: Florian Roth
-date: 2017/11/07
+date: 2018/06/13
 logsource:
     category: proxy
 detection:
@@ -52,15 +53,13 @@ detection:
             - '*.vip'
             - '*.party'
             - '*.tech'
-            - '*.tech'
             - '*.xyz'
             - '*.date'
             - '*.faith'
             - '*.zip'
             - '*.cricket'
             - '*.space'
-            - '*.top'
-            # McAfee report
+            # McAfee report 
             - '*.info'
             - '*.vn'
             - '*.cm'
@@ -83,7 +82,6 @@ detection:
             - '*.tt'
             - '*.name'
             - '*.tv'
-            - '*.tv'
             - '*.kz'
             - '*.tc'
             - '*.mobi'
@@ -93,10 +91,17 @@ detection:
             - '*.link'
             - '*.trade'
             - '*.accountant'
+            # Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
+            - '*.cf'
+            - '*.gq'
+            - '*.ml'
+            - '*.ga'
+            # Custom 
+            - '*.pw'
     condition: selection
 fields:
     - ClientIP
     - URL
 falsepositives:
-    - All kind of software downloads
+    - All kinds of software downloads
 level: low

rules/proxy/proxy_download_susp_tlds_whitelist.yml

@@ -1,4 +1,4 @@
-title: Download from Suspicious TLD
+title: Download EXE from Suspicious TLD
 status: experimental
 description: Detects executable downloads from suspicious remote systems
 author: Florian Roth

rules/proxy/proxy_downloadcradle_webdav.yml

@@ -0,0 +1,24 @@
+title: Windows WebDAV User Agent
+status: experimental
+description: Detects WebDav DownloadCradle
+references:
+    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
+author: Florian Roth
+date: 2018/04/06
+logsource:
+    category: proxy
+detection:
+    selection:
+      UserAgent: 'Microsoft-WebDAV-MiniRedir/*'
+      HttpMethod: 'GET'
+    condition: selection
+fields:
+    - ClientIP
+    - URL
+    - UserAgent
+    - HttpMethod
+falsepositives:
+    - Administrative scripts that download files from the Internet
+    - Administrative scripts that retrieve certain website contents
+    - Legitimate WebDAV administration
+level: high

rules/proxy/proxy_empty_ua.yml

@@ -1,16 +1,15 @@
 title: Empty User Agent
 status: experimental
 description: Detects suspicious empty user agent strings in proxy logs
-reference:
+references:
     - https://twitter.com/Carlos_Perez/status/883455096645931008
 author: Florian Roth
 logsource:
     category: proxy
 detection:
     selection:
-      UserAgent:
-        # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString 
-        - ''
+      # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString 
+      UserAgent: ''
     condition: selection
 fields:
     - ClientIP

rules/proxy/proxy_powershell_ua.yml

@@ -1,7 +1,8 @@
 title: Windows PowerShell User Agent
 status: experimental
 description: Detects Windows PowerShell Web Access
-reference: https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
+references:
+    - https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
 author: Florian Roth
 logsource:
     category: proxy

rules/proxy/proxy_susp_flash_download_loc.yml

@@ -1,7 +1,8 @@
 title: Flash Player Update from Suspicious Location
 status: experimental
 description: Detects a flashplayer update from an unofficial location
-reference: https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
+references:
+    - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
 author: Florian Roth
 logsource:
     category: proxy
@@ -11,7 +12,7 @@ detection:
             - '*/install_flash_player.exe'
             - '*/flash_install.php*'
     filter:
-        cs-uri-query: '*.adobe.com/*'
+        cs-uri-stem: '*.adobe.com/*'
     condition: selection and not filter
 falsepositives:
     - Unknown flash download locations

rules/proxy/proxy_telegram_api.yml

@@ -0,0 +1,29 @@
+title: Telegram API Access
+status: experimental
+description: Detects suspicious requests to Telegram API without the usual Telegram User-Agent
+references:
+    - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
+    - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
+    - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
+author: Florian Roth
+date: 2018/06/05
+logsource:
+    category: proxy
+detection:
+    selection:
+        r-dns: 
+            - 'api.telegram.org'  # Often used by Bots
+    filter:
+        UserAgent: 
+            # Used https://core.telegram.org/bots/samples for this list
+            - '*Telegram*'
+            - '*Bot*'
+    condition: selection and not filter
+fields:
+    - ClientIP
+    - URL
+    - UserAgent
+falsepositives:
+    - Legitimate use of Telegram bots in the company
+level: medium
+

rules/proxy/proxy_ua_apt.yml

@@ -1,38 +1,52 @@
-title: APT User Agent
-status: experimental
-description: Detects suspicious user agent strings used in APT malware in proxy logs
-reference: Internal Research
-author: Florian Roth
-logsource:
-    category: proxy
-detection:
-    selection:
-      UserAgent:
-         # APT Related
-        - 'SJZJ (compatible; MSIE 6.0; Win32)'  # APT Backspace
-        - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0'  # APT GrizzlySteppe - ChopStick - US CERT https://goo.gl/1DTHwi
-        - 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC'  # Comment Crew Miniasp
-        - 'Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)'  # Comment Crew Miniasp
-        - 'webclient'  # Naikon APT
-        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200'  # Naikon APT
-        - 'Mozilla/4.0 (compatible; MSI 6.0;'  # SnowGlobe Babar - yes, it is cut
-        - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0'  # Sofacy - Xtunnel
-        - 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/'  # Sofacy - Xtunnel
-        - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2'  # Sofacy - Xtunnel
-        - 'Mozilla/4.0'  # Derusbi backdoor ELF https://github.com/fideliscyber/indicators/tree/master/FTA-1021
-        - 'Netscape'  # Unit78020 Malware 
-        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7'  # Unit78020 Malware
-        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1'  # Winnti related
-        - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)'  # Winnti related
-        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)'  # APT17
-        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)'  # Bronze Butler - Daserf
-        - 'Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)'  # Bronze Butler - Daserf
-    condition: selection
-fields:
-    - ClientIP
-    - URL
-    - UserAgent
-falsepositives:
-    - Old browsers
-level: high
-
+title: APT User Agent
+status: experimental
+description: Detects suspicious user agent strings used in APT malware in proxy logs
+references:
+    - Internal Research
+author: Florian Roth, Markus Neis
+logsource:
+    category: proxy
+detection:
+    selection:
+      UserAgent:
+         # APT Related
+        - 'SJZJ (compatible; MSIE 6.0; Win32)'  # APT Backspace
+        - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0'  # APT GrizzlySteppe - ChopStick - US CERT https://goo.gl/1DTHwi
+        - 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC'  # Comment Crew Miniasp
+        - 'Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)'  # Comment Crew Miniasp
+        - 'webclient'  # Naikon APT
+        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200'  # Naikon APT
+        - 'Mozilla/4.0 (compatible; MSI 6.0;'  # SnowGlobe Babar - yes, it is cut
+        - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0'  # Sofacy - Xtunnel
+        - 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/'  # Sofacy - Xtunnel
+        - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2'  # Sofacy - Xtunnel
+        - 'Mozilla/4.0'  # Derusbi backdoor ELF https://github.com/fideliscyber/indicators/tree/master/FTA-1021
+        - 'Netscape'  # Unit78020 Malware 
+        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7'  # Unit78020 Malware
+        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1'  # Winnti related
+        - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)'  # Winnti related
+        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)'  # APT17
+        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)'  # Bronze Butler - Daserf
+        - 'Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)'  # Bronze Butler - Daserf
+        - 'Mozilla/4.0 (compatible; MSIE 8.0; Win32)'  # TSCookie https://app.any.run/tasks/0996b314-5133-491b-8d23-d431ffdec597
+        - 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1'  # Delphi downloader https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
+        - 'Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)'  # VPNFilter https://blog.talosintelligence.com/2018/05/VPNFilter.html
+        - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)'  # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
+        - 'Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko'  # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
+        - 'Mozilla v5.1 *'  # Sofacy Zebrocy samples 
+        - 'MSIE 8.0'  # Sofacy Azzy Backdoor  from https://www.hybrid-analysis.com/sample/a80e29c0757bee05338fd5c22a542d852ad86c477068e3eb4aacc1c3e59e2eef?environmentId=100
+        - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)'  # https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html
+        - 'Mozilla/4.0 (compatible; RMS)'  # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw
+        - 'Mozilla/4.0 (compatible; MSIE 6.0; DynGate)'  # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw
+        - 'O/9.27 (W; U; Z)' # Cmstar https://www.virustotal.com/#/file/e4328011bb2b04abc856ccd04404c9f95d67167f6c291d343e8ffa8aa2aa2099/details
+        - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0;  Trident/5.0*'  # KerrDown UA https://goo.gl/s2WU6o
+        - 'Mozilla/5.0 (Windows NT 9; *'  # Suspicious 'Windows NT 9' user agent - used by APT33 malware in 2018
+    condition: selection
+fields:
+    - ClientIP
+    - URL
+    - UserAgent
+falsepositives:
+    - Old browsers
+level: high
+

rules/proxy/proxy_ua_bitsadmin_susp_tld.yml

@@ -0,0 +1,26 @@
+title: Bitsadmin to Uncommon TLD
+status: experimental
+description: Detects Bitsadmin connections to domains with uncommon TLDs 
+    - https://twitter.com/jhencinski/status/1102695118455349248
+    - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
+author: Florian Roth
+date: 2019/03/07
+logsource:
+    category: proxy
+detection:
+    selection:
+        UserAgent:
+            - 'Microsoft BITS/*'
+    falsepositives:
+        r-dns:
+            - '*.com' 
+            - '*.net' 
+            - '*.org' 
+    condition: selection and not falsepositives
+fields:
+    - ClientIP
+    - URL
+    - UserAgent
+falsepositives:
+    - Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca
+level: high

rules/proxy/proxy_ua_frameworks.yml

@@ -1,7 +1,7 @@
 title: Exploit Framework User Agent
 status: experimental
 description: Detects suspicious user agent strings used by exploit / pentest framworks like Metasploit in proxy logs
-reference:
+references:
     - https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
 author: Florian Roth
 logsource:
@@ -22,6 +22,7 @@ detection:
         - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N'
         - 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'  # only use in proxy logs - not for detection in web server logs
         - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13'
+        - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)'  # Payloads
 
         # Metasploit Update by Florian Roth 08.07.2017
         - 'Mozilla/5.0'
@@ -33,6 +34,7 @@ detection:
         - 'X-FORWARDED-FOR'
         - 'DotDotPwn v2.1'
         - 'SIPDROID'
+        - 'Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)'  # CobaltStrike https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
 
         # Exploits
         - '*wordpress hash grabber*'

rules/proxy/proxy_ua_hacktool.yml

@@ -1,7 +1,7 @@
 title: Hack Tool User Agent
 status: experimental
 description: Detects suspicious user agent strings user by hack tools in proxy logs
-reference:
+references:
     - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
     - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
 author: Florian Roth
@@ -60,6 +60,7 @@ detection:
 
         # Hack tool
         - 'ruler'  # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
+        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)'  # SQLi Dumper
     condition: selection
 fields:
     - ClientIP

rules/proxy/proxy_ua_malware.yml

@@ -1,7 +1,7 @@
 title: Malware User Agent
 status: experimental
 description: Detects suspicious user agent strings used by malware in proxy logs
-reference:
+references:
     - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
     - http://www.botopedia.org/search?searchword=scan&searchphrase=all
     - https://networkraptor.blogspot.com/2015/01/user-agent-strings.html
@@ -22,6 +22,8 @@ detection:
         - '*<|>*'  # Houdini / Iniduoh / njRAT
         - 'nsis_inetc (mozilla)'  # ZeroAccess
         - 'Wget/1.9+cvs-stable (Red Hat modified)'  # Dyre / Upatre
+        # Ghost419 https://goo.gl/rW1yvZ
+        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)'
 
         # Malware
         - '*zeroup*'  # W32/Renos.Downloader
@@ -44,6 +46,10 @@ detection:
         - 'Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)'  # Fareit
         - 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)'  # Webshell's back connect
         - 'MSIE'  # Toby web shell
+        - '*(Charon; Inferno)'  # Loki Bot
+        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)'  # Fareit / Pony
+        - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'  # https://goo.gl/g43qjs
+        - 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)'  # MacControl malware https://goo.gl/sqY3Ja https://www.symantec.com/connect/blogs/osxmacontrol-back-it-again
 
         # Others 
         - '* pxyscand*'

rules/proxy/proxy_ua_suspicious.yml

@@ -1,7 +1,7 @@
 title: Suspicious User Agent
 status: experimental
 description: Detects suspicious malformed user agent strings in proxy logs
-reference:
+references:
     - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
 author: Florian Roth
 logsource:
@@ -20,7 +20,12 @@ detection:
         - ' Mozilla/*'  # leading space 
         - 'Mozila/*'  # single 'l'
         - '_'
-    condition: selection
+        - 'CertUtil URL Agent'  # https://twitter.com/stvemillertime/status/985150675527974912
+        - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)'  # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
+    falsepositives:
+        UserAgent:
+            - 'Mozilla/3.0 * Acrobat *'  # Acrobat with linked content
+    condition: selection and not falsepositives
 fields:
     - ClientIP
     - URL

rules/web/web_apache_segfault.yml

@@ -1,7 +1,8 @@
 title: Apache Segmentation Fault
 description: Detects a segmentation fault error message caused by a creashing apacke worker process 
 author: Florian Roth
-reference: http://www.securityfocus.com/infocus/1633
+references:
+    - http://www.securityfocus.com/infocus/1633
 logsource:
     product: apache
 detection:

rules/web/web_apache_threading_error.yml

@@ -0,0 +1,16 @@
+title: Apache Threading Error
+status: experimental
+description: Detects an issue in apache logs that reports threading related errors
+author: Florian Roth
+date: 2019/01/22
+references:
+    - https://github.com/hannob/apache-uaf/blob/master/README.md
+logsource:
+    product: apache
+detection:
+    keywords:
+        - '__pthread_tpp_change_priority: Assertion `new_prio == -1 || (new_prio >= fifo_min_prio && new_prio <= fifo_max_prio)'
+    condition: keywords
+falsepositives:
+    - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185
+level: medium

rules/web/web_cve_2018_2894_weblogic_exploit.yml

@@ -0,0 +1,30 @@
+title: Oracle WebLogic Exploit
+description: Detects access to a webshell droped into a keytore folder on the WebLogic server
+author: Florian Roth
+date: 2018/07/22
+status: experimental
+references: 
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2894
+    - https://twitter.com/pyn3rd/status/1020620932967223296
+    - https://github.com/LandGrey/CVE-2018-2894
+logsource:
+    category: webserver
+detection:
+    selection:
+        c-uri-path: 
+            - '*/config/keystore/*.js*'
+    condition: selection
+fields:
+    - c-ip
+    - c-dns
+falsepositives:
+    - Unknown
+tags:
+    - attack.t1100
+    - attack.t1190
+    - attack.initial_access
+    - attack.persistence
+    - attack.privilege_escalation
+    - cve.2018-2894
+level: critical
+

rules/web/web_source_code_enumeration.yml

@@ -0,0 +1,20 @@
+title: Source Code Enumeration Detection by Keyword
+description: Detects source code enumeration that use GET requests by keyword searches in URL strings
+author: James Ahearn
+references: 
+    - 'https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html'
+    - 'https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1'
+logsource:
+    category: webserver
+detection:
+    keywords:
+        - '*.git/*'
+    condition: keywords
+fields:
+    - client_ip
+    - vhost
+    - url
+    - response
+falsepositives:
+    - unknown
+level: medium

rules/web/web_webshell_keyword.yml

@@ -1,5 +1,5 @@
 title: Webshell Detection by Keyword
-description: Detects webshells that use GET requests by keyword sarches in URL strings
+description: Detects webshells that use GET requests by keyword searches in URL strings
 author: Florian Roth
 logsource:
     category: webserver

rules/windows/builtin/win_GPO_scheduledtasks.yml

@@ -0,0 +1,23 @@
+title: Persistence and Execution at scale via GPO scheduled task
+description: Detect lateral movement using GPO scheduled task, ususally used to deploy ransomware at scale
+author: Samir Bousseaden
+references:
+    - https://twitter.com/menasec1/status/1106899890377052160
+tags:
+    - attack.persistence
+    - attack.lateral_movement
+    - attack.t1053
+logsource:
+    product: windows
+    service: security
+    description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
+detection:
+    selection:
+        EventID: 5145
+        ShareName: \\*\SYSVOL
+        RelativeTargetName: '*ScheduledTasks.xml'
+        Accesses: '*WriteData*'
+    condition: selection
+falsepositives: 
+    - if the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks
+level: high

rules/windows/builtin/win_account_backdoor_dcsync_rights.yml

@@ -0,0 +1,25 @@
+title: Powerview Add-DomainObjectAcl DCSync AD Extend Right
+description: backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
+status: experimental
+date: 2019/04/03
+author: Samir Bousseaden
+references:
+    - https://twitter.com/menasec1/status/1111556090137903104
+    - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
+tags:
+    - attack.credential_access
+    - attack.persistence
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 5136
+        LDAPDisplayName: 'ntSecurityDescriptor'
+        Value: 
+         - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
+         - '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*'
+    condition: selection
+falsepositives:
+    - New Domain Controller computer account, check user SIDs witin the value attribute of event 5136 and verify if it's a regular user or DC computer account.
+level: critical

rules/windows/builtin/win_account_discovery.yml

@@ -0,0 +1,34 @@
+title: AD Privileged Users or Groups Reconnaissance
+description: Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs
+references:
+    - https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
+tags:
+    - attack.discovery
+    - attack.t1087
+status: experimental
+author: Samir Bousseaden
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: enable Object Access SAM on your Domain Controllers'
+detection:
+    selection:
+        EventID: 4661
+        ObjectType:
+        - 'SAM_USER'
+        - 'SAM_GROUP'
+        ObjectName:
+         - '*-512'
+         - '*-502'
+         - '*-500'
+         - '*-505'
+         - '*-519'
+         - '*-520'
+         - '*-544'
+         - '*-551'
+         - '*-555'
+         - '*admin*'
+    condition: selection
+falsepositives:
+    - if source account name is not an admin then its super suspicious
+level: high

rules/windows/builtin/win_admin_rdp_login.yml

@@ -1,21 +1,24 @@
-title: Admin user remote login
+title: Admin User Remote Logon
 description: Detect remote login by Administrator user depending on internal pattern
-reference:
-  - https://car.mitre.org/wiki/CAR-2016-04-005
+references:
+    - https://car.mitre.org/wiki/CAR-2016-04-005
+tags:
+    - attack.lateral_movement
+    - attack.t1078
+    - car.2016-04-005
 status: experimental
 author: juju4
 logsource:
     product: windows
     service: security
-    description: 'Requirements: Identifiable administrators usernames (pattern or special unique character. ex: "Admin-*"), internal policy mandating use only as secondary account'
+    definition: 'Requirements: Identifiable administrators usernames (pattern or special unique character. ex: "Admin-*"), internal policy mandating use only as secondary account'
 detection:
     selection:
         EventID: 4624
         LogonType: 10
         AuthenticationPackageName: Negotiate
-        Severity: Information
         AccountName: 'Admin-*'
     condition: selection
-falsepositives: 
+falsepositives:
     - Legitimate administrative activity
 level: low