Sigma tools release 0.3

* Any definition: 1 of them
* All definitions: all of them
* Any of selected definitions: 1 of def* (wildcard)
* All of selected definitions: all of def* (wildcard)

.travis.yml

@@ -1,6 +1,5 @@
 language: python
 python:
-  - 3.4
   - 3.5
   - 3.6
   - pypy3

Makefile

@@ -16,6 +16,7 @@ test-yaml:
 test-sigmac:
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -l
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -O rulecomment -rvdI -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null

README.md

@@ -3,9 +3,10 @@
 ![sigma_logo](./images/Sigma_0.3.png)
 
 # Sigma
+
 Generic Signature Format for SIEM Systems
 
-# What is Sigma?
+# What is Sigma
 
 Sigma is a generic and open signature format that allows you to describe relevant log events in a straight forward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others.
 
@@ -72,6 +73,10 @@ The specifications can be found in the [Wiki](https://github.com/Neo23x0/sigma/w
 
 The current specification is a proposal. Feedback is requested.
 
+# Getting Started
+
+Florian wrote a short [rule creation tutorial](https://www.nextron-systems.com/2018/02/10/write-sigma-rules/) that can help you getting started.
+
 # Examples
 
 Windows 'Security' Eventlog: Access to LSASS Process with Certain Access Mask / Object Type (experimental)
@@ -106,17 +111,26 @@ merges multiple YAML documents of a Sigma rule collection into simple Sigma rule
 
 ### Requirements
 
-The usage of Sigmac or the underlying library requires Python >= 3.4 and PyYAML.
+The usage of Sigmac or the underlying library requires Python >= 3.5 and PyYAML.
 
 ### Installation
 
 It's available on PyPI. Install with:
 
-```
+```bash
 pip3 install sigmatools
 ```
 
-# Next Steps 
+## Contributed Scripts
+
+The directory `contrib` contains scripts that were contributed by the community:
+
+* `sigma2elastalert.py`i by David Routin: A script that converts Sigma rules to Elastalert configurations. This tool
+  uses *sigmac* and expects it in its path.
+
+These tools are not part of the main toolchain and maintained separately by their authors.
+
+# Next Steps
 
 * Integration of feedback into the rule specifications
 * Integration into Threat Intel Exchanges, e.g. [MISP](http://www.misp-project.org/)

contrib/sigma2elastalert.py

@@ -0,0 +1,173 @@
+#!/usr/bin/python
+# Copyright 2018 David Routin
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+"""
+Project: sigma2elastalert.py
+Date: 25 Feb 2018
+Author: David ROUTIN  (@Rewt_1)
+Version: 1.0
+Description: This script creates elastalert configuration files from Sigma SIEM rules.
+"""
+
+import re
+import os
+import glob
+import subprocess
+import argparse
+import yaml
+import traceback
+
+parser = argparse.ArgumentParser()
+parser.add_argument("--eshost", help="Elasticsearch host", type=str, required=True)
+parser.add_argument("--esport", help="Elasticsearch port", type=str, required=True)
+parser.add_argument("--ruledir", help="sigma rule directory path to convert", type=str, required=True)
+parser.add_argument("--index", help="Elasticsearch index name egs: \"winlogbeat-*\"", type=str, required=True)
+parser.add_argument("--email", help="email address to send mail alert", type=str, required=True)
+parser.add_argument("--outdir", help="output directory to create elastalert rules", type=str, required=True)
+parser.add_argument("--sigmac", help="Sigmac location", default="../tools/sigmac", type=str)
+parser.add_argument("--realerttime", help="Realert time (optional value, default 5 minutes)", type=str, default=5)
+parser.add_argument("--debug", help="Show debug output", type=bool, default=False)
+args = parser.parse_args()
+
+custom_query_keys = ["sensor", "Hostname", "EventID", "src_ip", "dst_ip"]
+
+
+template="""es_host: ESHOST
+es_port: ESPORT
+name: "TITLE"
+description: "DESCRIPTION"
+index: INDEX
+filter:
+- query:
+    query_string:
+      query: 'QUERY'
+realert:
+ minutes: MINUTES
+query_key: UNIQKEYS
+type: any
+include: UNIQKEYS
+alert:
+- "email"
+
+# (required, email specific)
+# a list of email addresses to send alerts to
+email:
+- "EMAIL"
+"""
+
+def return_json_obj(x,custom_query_keys):
+    """
+    Function used to filter all ES query object as unique value including predefined list from custom_query_keys
+    :param x: must contains ES query output
+    :param custom_query_keys: takes the list of predefined element to match in document
+    :return: a clean list (set) of all the query keys (EventID,TargetUserName...)
+    """
+    # type: (str, list) -> list
+    y = x.replace(" ", "\n").split()
+    out = set()
+    for i in y:
+        out.update(re.findall("([a-zA-Z]+)\:", i))
+
+    for qk in custom_query_keys:
+        try:
+            out.remove(qk)
+        except:
+            pass
+    out = list(out)
+    count = 0
+    for qk in custom_query_keys:
+        count += 1
+        out.insert(count-1, qk)
+    return out
+
+def rule_element(file_content, elements):
+    """
+    Function used to get specific element from yaml document and return content
+    :type file_content: str
+    :type elements: list
+    :param file_content:
+    :param elements: list of elements of the yaml document to get "title", "description"
+    :return: the value of the key in the yaml document
+    """
+    try:
+        yaml.load(file_content.replace("---",""))
+    except:
+        raise Exception('Unsupported')
+    element_output = ""
+    for e in elements:
+        try:
+            element_output = yaml.load(file_content.replace("---",""))[e]
+        except:
+            pass
+    if element_output is None:
+        return ""
+    return element_output
+
+def get_rule_as_esqs(file):
+    """
+    Function used to get Elastic query output from rule fome
+    :type file: str
+    :param file: rule filename
+    :return: string es query
+    """
+    if not os.path.exists(args.sigmac):
+        print("Cannot find sigmac rule coverter at '%s', please set a correct location via '--sigmac'")
+    cmd = [args.sigmac, file, "--target", "es-qs"]
+    output = subprocess.Popen(cmd,stdout=subprocess.PIPE, stderr=subprocess.STDOUT).stdout.read()
+    if "unsupported" in output:
+        raise Exception('Unsupported output at this time')
+    output = output.split("\n")
+    # Remove empty string from \n
+    output = [a for a in output if a]
+    # Handle case of multiple queries returned
+    if len(output) > 1:
+        return " OR ".join(output)
+    return "".join(output)
+
+# Dictionary that contains args set at launch time
+convert_args = {
+    "ESHOST": args.eshost,
+    "ESPORT": args.esport,
+    "INDEX": args.index,
+    "EMAIL": args.email,
+    "MINUTES": args.realerttime
+}
+
+for file in glob.glob(args.ruledir + "/*"):
+    output_elast_config = template
+    try:
+        print("Processing %s ..." % file)
+        with open(file, "rb") as f:
+            file_content = f.read()
+
+        # Dictionary that contains args with values returned by functions
+        translate_func = {'QUERY': get_rule_as_esqs(file),
+                        'TITLE': rule_element(file_content, ["title", "name"]),
+                        'DESCRIPTION': rule_element(file_content, ["description"]),
+                        'UNIQKEYS': str(return_json_obj(get_rule_as_esqs(file), custom_query_keys))
+                        }
+        for entry in convert_args:
+            output_elast_config = re.sub(entry, str(convert_args[entry]), output_elast_config)
+        for entry in translate_func:
+            output_elast_config = re.sub(entry, translate_func[entry], output_elast_config)
+        print "Converting file " + file
+        with open(os.path.join(args.outdir, "sigma-" + file.split("/")[-1]), "w") as f:
+                f.write(output_elast_config)
+    except Exception as e:
+        if args.debug:
+            traceback.print_exc()
+        print "error " + str(file) + "----" + str(e)
+        pass
+

rules/application/app_python_sql_exceptions.yml

@@ -1,7 +1,7 @@
 title: Python SQL Exceptions
 description: Generic rule for SQL exceptions in Python according to PEP 249
 author: Thomas Patzke
-reference:
+references:
     - https://www.python.org/dev/peps/pep-0249/#exceptions
 logsource:
     category: application

rules/application/app_sqlinjection_errors.yml

@@ -2,7 +2,8 @@ title: Suspicious SQL Error Messages
 status: experimental
 description: Detects SQL error messages that indicate probing for an injection attack
 author: Bjoern Kimminich
-reference: http://www.sqlinjection.net/errors
+references:
+    - http://www.sqlinjection.net/errors
 logsource:
     category: application
     product: sql

rules/application/appframework_django_exceptions.yml

@@ -1,7 +1,7 @@
 title: Django framework exceptions
 description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
-reference:
+references:
     - https://docs.djangoproject.com/en/1.11/ref/exceptions/
     - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
 logsource:

rules/application/appframework_ruby_on_rails_exceptions.yml

@@ -1,7 +1,7 @@
 title: Ruby on Rails framework exceptions
 description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
 author: Thomas Patzke
-reference:
+references:
     - http://edgeguides.rubyonrails.org/security.html
     - http://guides.rubyonrails.org/action_controller_overview.html
     - https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception

rules/application/appframework_spring_exceptions.yml

@@ -1,7 +1,7 @@
 title: Spring framework exceptions
 description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
-reference:
+references:
     - https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html
 logsource:
     category: application

rules/apt/apt_apt29_tor.yml

@@ -1,7 +1,9 @@
+---
 action: global
 title: APT29 Google Update Service Install
 description: 'This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files.' 
-reference: https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
+references:
+    - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
 logsource:
     product: windows
 detection:

rules/apt/apt_carbonpaper_turla.yml

@@ -1,6 +1,7 @@
 title: Turla Service Install
 description: 'This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET' 
-reference: https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
+references:
+    - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
 logsource:
     product: windows
     service: system

rules/apt/apt_cloudhopper.yml

@@ -1,7 +1,8 @@
-title: Detects an Execution of WMIExec VBS Script
+title: WMIExec VBS Script
 description: Detects suspicious file execution by wscript and cscript
 author: Florian Roth
-reference: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+references:
+    - https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
 logsource:
     product: windows
     service: sysmon

rules/apt/apt_elise.yml

@@ -0,0 +1,22 @@
+title: Elise Backdoor
+status: experimental
+description: Detects Elise backdoor acitivty as used by APT32 
+references: 
+    - https://community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting
+author: Florian Roth
+date: 2018/01/31
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        EventID: 1
+        Image: 'C:\Windows\SysWOW64\cmd.exe'
+        CommandLine: '*\Windows\Caches\NavShExt.dll *'
+    selection2:
+        EventID: 1
+        CommandLine: '*\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'
+    condition: 1 of them
+falsepositives:
+    - Unknown
+level: critical

rules/apt/apt_equationgroup_c2.yml

@@ -1,6 +1,6 @@
 title: Equation Group C2 Communication
 description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
-reference:
+references:
     - 'https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation'
     - 'https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195'
 author: Florian Roth
@@ -15,7 +15,7 @@ detection:
         src:
             - '69.42.98.86'
             - '89.185.234.145'
-    condition: outgoing or incoming
+    condition: 1 of them
 falsepositives:
     - Unknown
 level: high

rules/apt/apt_equationgroup_lnx.yml

@@ -1,6 +1,7 @@
 title: Equation Group Indicators
 description: Detects suspicious shell commands used in various Equation Group scripts and tools
-reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
+references:
+    - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
 author: Florian Roth
 logsource:
     product: linux

rules/apt/apt_hurricane_panda.yml

@@ -0,0 +1,35 @@
+---
+action: global
+title: Hurricane Panda Activity
+status: experimental
+description: Detects Hurricane Panda Activity 
+references: 
+    - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
+author: Florian Roth
+date: 2018/02/25
+detection:
+    selection:
+        CommandLine: 
+            - '* localgroup administrators admin /add'
+            - '*\Win64.exe*'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+
+

rules/apt/apt_pandemic.yml

@@ -1,7 +1,7 @@
 title: Pandemic Registry Key
 status: experimental
 description: Detects Pandemic Windows Implant
-reference: 
+references:
     - https://wikileaks.org/vault7/#Pandemic
     - https://twitter.com/MalwareJake/status/870349480356454401
 author: Florian Roth
@@ -18,7 +18,7 @@ detection:
     selection2:
         EventID: 1
         Command: 'loaddll -a *'
-    condition: selection1 or selection2
+    condition: 1 of them
 fields:
     - EventID
     - CommandLine

rules/apt/apt_sofacy.yml

@@ -0,0 +1,36 @@
+
+---
+action: global
+title: Sofacy Trojan Loader Activity
+status: experimental
+description: Detects Trojan loader acitivty as used by APT28 
+references: 
+    - https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
+    - https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100
+    - https://twitter.com/ClearskySec/status/960924755355369472
+author: Florian Roth
+date: 2018/03/01
+detection:
+    selection:
+        CommandLine: 
+            - 'rundll32.exe %APPDATA%\*.dat",*'
+            - 'rundll32.exe %APPDATA%\*.dll",#1'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688

rules/apt/apt_stonedrill.yml

@@ -1,7 +1,8 @@
 title: StoneDrill Service Install
 description: 'This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky'   
 author: Florian Roth
-reference: https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
+references:
+    - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
 logsource:
     product: windows
     service: system

rules/apt/apt_ta17_293a_ps.yml

@@ -1,6 +1,7 @@
 title: Ps.exe Renamed SysInternals Tool
 description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A report
-reference: https://www.us-cert.gov/ncas/alerts/TA17-293A
+references:
+    - https://www.us-cert.gov/ncas/alerts/TA17-293A
 author: Florian Roth
 date: 2017/10/22
 logsource:

rules/apt/apt_turla_commands.yml

@@ -3,7 +3,8 @@ action: global
 title: Turla Group Lateral Movement 
 status: experimental
 description: Detects automated lateral movement by Turla group 
-reference: https://securelist.com/the-epic-turla-operation/65545/
+references:
+    - https://securelist.com/the-epic-turla-operation/65545/
 author: Markus Neis
 date: 2017/11/07
 logsource:

rules/apt/apt_turla_namedpipes.yml

@@ -1,7 +1,8 @@
 title: Turla Group Named Pipes 
 status: experimental
 description: Detects a named pipe used by Turla group samples
-reference: Internal Research
+references:
+    - Internal Research
 date: 2017/11/06
 author: Markus Neis
 logsource:

rules/apt/apt_zxshell.yml

@@ -1,7 +1,8 @@
 title: ZxShell Malware
 description: Detects a ZxShell start by the called and well-known function name   
 author: Florian Roth
-reference: https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
+references:
+    - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
 logsource:
     product: windows
     service: sysmon

rules/apt/crime_fireball.yml

@@ -1,9 +1,9 @@
-title: Detects Fireball - Archer Install
+title: Fireball Archer Install
 status: experimental
 description: Detects Archer malware invocation via rundll32
 author: Florian Roth
 date: 2017/06/03
-reference: 
+references:
     - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
     - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
 logsource:

rules/linux/auditd/lnx_auditd_susp_cmds.yml

@@ -0,0 +1,28 @@
+title: Detects Suspicious Commands on Linux systems
+status: experimental
+description: Detects relevant commands often related to malware or hacking activity
+references:
+    - 'Internal Research - mostly derived from exploit code including code in MSF'
+date: 2017/12/12
+author: Florian Roth
+logsource:
+    product: linux
+    service: auditd
+detection:
+    cmds:
+        - type: 'EXECVE'
+          a0: 'chmod'
+          a1: '777'
+        - type: 'EXECVE'
+          a0: 'chmod'
+          a1: 'u+s'
+        - type: 'EXECVE'
+          a0: 'cp'
+          a1: '/bin/ksh'
+        - type: 'EXECVE'
+          a0: 'cp'
+          a1: '/bin/sh'
+    condition: 1 of cmds
+falsepositives:
+    - Admin activity
+level: medium

rules/linux/auditd/lnx_auditd_susp_exe_folders.yml

@@ -0,0 +1,39 @@
+title: Program Executions in Suspicious Folders
+status: experimental
+description: Detects program executions in suspicious non-program folders related to malware or hacking activity
+references:
+    - 'Internal Research'
+date: 2018/01/23
+author: Florian Roth
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'SYSCALL'
+        exe:
+            # Temporary folder
+            - '/tmp/*'
+            # Web server 
+            - '/var/www/*'            # Standard
+            - '/usr/local/apache2/*'  # Classical Apache
+            - '/usr/local/httpd/*'    # Old SuSE Linux 6.*
+            - '/var/apache/*'         # Solaris
+            - '/srv/www/*'            # SuSE Linux 9.*
+            - '/home/httpd/html/*'    # Redhat 6 or older
+            # Data dirs of typically exploited services (incomplete list)
+            - '/var/lib/pgsql/data/*'
+            - '/usr/local/mysql/data/*'
+            - '/var/lib/mysql/*'
+            - '/var/vsftpd/*'
+            - '/etc/bind/*'
+            - '/var/named/*'
+            # Others
+            - '*/public_html/*'
+    condition: selection
+falsepositives:
+    - Admin activity (especially in /tmp folders)
+    - Crazy web applications
+level: medium
+
+

rules/linux/lnx_buffer_overflows.yml

@@ -1,6 +1,7 @@
 title: Buffer Overflow Attempts
 description: Detects buffer overflow attempts in Linux system log files
-reference: https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
+references:
+    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
 logsource:
     product: linux
 detection:

rules/linux/lnx_clamav.yml

@@ -1,6 +1,7 @@
 title: Relevant ClamAV Message
 description: Detects relevant ClamAV messages
-reference: https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml
+references:
+    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml
 logsource:
     product: linux
     service: clamav

rules/linux/lnx_shell_susp_commands.yml

@@ -1,6 +1,6 @@
 title: Suspicious Activity in Shell Commands
 description: Detects suspicious shell commands used in various exploit codes (see references)
-reference: 
+references:
     - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html
     - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121
     - http://pastebin.com/FtygZ1cg

rules/linux/lnx_shellshock.yml

@@ -1,6 +1,7 @@
 title: Shellshock Expression
 description: Detects shellshock expressions in log files
-reference: http://rubular.com/r/zxBfjWfFYs
+references:
+    - http://rubular.com/r/zxBfjWfFYs
 logsource:
     product: linux
 detection:

rules/linux/lnx_susp_failed_logons_single_source.yml

@@ -5,7 +5,7 @@ logsource:
     service: auth
 detection:
     selection:
-        log: auth
+        pam_message: "authentication failure"
         pam_user: not null
         pam_rhost: not null
     timeframe: 24h 

rules/linux/lnx_susp_named.yml

@@ -0,0 +1,20 @@
+title: Suspicious Named Error
+status: experimental
+description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 
+references:
+    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml
+author: Florian Roth
+date: 2018/02/20
+logsource:
+    product: linux
+    service: syslog
+detection:
+    keywords:
+        - '* dropping source port zero packet from *'
+        - '* denied AXFR from *'
+        - '* exiting (due to fatal error)*'
+    condition: keywords
+falsepositives:
+    - Unknown
+level: high
+

rules/linux/lnx_susp_ssh.yml

@@ -1,6 +1,8 @@
-title: Suspicious SSHD error
+title: Suspicious SSHD Error
 description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 
-reference: https://github.com/openssh/openssh-portable/blob/master/ssherr.c
+references:
+    - https://github.com/openssh/openssh-portable/blob/master/ssherr.c
+    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml
 author: Florian Roth
 date: 2017/06/30
 logsource:
@@ -8,13 +10,17 @@ logsource:
     service: sshd
 detection:
     keywords:
-        - 'unexpected internal error'
-        - 'unknown or unsupported key type'
-        - 'invalid certificate signing key'
-        - 'invalid elliptic curve value'
-        - 'incorrect signature'
-        - 'error in libcrypto'
-        - 'unexpected bytes remain after decoding'
+        - '*unexpected internal error*'
+        - '*unknown or unsupported key type*'
+        - '*invalid certificate signing key*'
+        - '*invalid elliptic curve value*'
+        - '*incorrect signature*'
+        - '*error in libcrypto*'
+        - '*unexpected bytes remain after decoding*'
+        - '*fatal: buffer_get_string: bad string*'
+        - '*Local: crc32 compensation attack*'
+        - '*bad client public DH value*'
+        - '*Corrupted MAC on input*'
     condition: keywords
 falsepositives:
     - Unknown

rules/linux/lnx_susp_vsftp.yml

@@ -1,6 +1,7 @@
-title: Suspicious VSFTPD error messages
+title: Suspicious VSFTPD Error Messages
 description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 
-reference: https://github.com/dagwieers/vsftpd/
+references:
+    - https://github.com/dagwieers/vsftpd/
 author: Florian Roth
 date: 2017/07/05
 logsource:

rules/proxy/proxy_download_susp_dyndns.yml

@@ -1,7 +1,8 @@
 title: Download from Suspicious Dyndns Hosts
 status: experimental
 description: Detects download of certain file types from hosts with dynamic DNS names (selected list)
-reference: https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
+references:
+    - https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
 author: Florian Roth
 date: 2017/11/08
 logsource:

rules/proxy/proxy_download_susp_tlds_blacklist.yml

@@ -1,7 +1,7 @@
 title: Download from Suspicious TLD
 status: experimental
 description: Detects download of certain file types from hosts in suspicious TLDs 
-reference: 
+references:
     - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap
     - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf
     - https://www.spamhaus.org/statistics/tlds/

rules/proxy/proxy_download_susp_tlds_whitelist.yml

@@ -1,4 +1,4 @@
-title: Download from Suspicious TLD
+title: Download EXE from Suspicious TLD
 status: experimental
 description: Detects executable downloads from suspicious remote systems
 author: Florian Roth

rules/proxy/proxy_empty_ua.yml

@@ -1,7 +1,7 @@
 title: Empty User Agent
 status: experimental
 description: Detects suspicious empty user agent strings in proxy logs
-reference:
+references:
     - https://twitter.com/Carlos_Perez/status/883455096645931008
 author: Florian Roth
 logsource:

rules/proxy/proxy_powershell_ua.yml

@@ -1,7 +1,8 @@
 title: Windows PowerShell User Agent
 status: experimental
 description: Detects Windows PowerShell Web Access
-reference: https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
+references:
+    - https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
 author: Florian Roth
 logsource:
     category: proxy

rules/proxy/proxy_susp_flash_download_loc.yml

@@ -1,7 +1,8 @@
 title: Flash Player Update from Suspicious Location
 status: experimental
 description: Detects a flashplayer update from an unofficial location
-reference: https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
+references:
+    - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
 author: Florian Roth
 logsource:
     category: proxy

rules/proxy/proxy_ua_apt.yml

@@ -1,7 +1,8 @@
 title: APT User Agent
 status: experimental
 description: Detects suspicious user agent strings used in APT malware in proxy logs
-reference: Internal Research
+references:
+    - Internal Research
 author: Florian Roth
 logsource:
     category: proxy

rules/proxy/proxy_ua_frameworks.yml

@@ -1,7 +1,7 @@
 title: Exploit Framework User Agent
 status: experimental
 description: Detects suspicious user agent strings used by exploit / pentest framworks like Metasploit in proxy logs
-reference:
+references:
     - https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
 author: Florian Roth
 logsource:

rules/proxy/proxy_ua_hacktool.yml

@@ -1,7 +1,7 @@
 title: Hack Tool User Agent
 status: experimental
 description: Detects suspicious user agent strings user by hack tools in proxy logs
-reference:
+references:
     - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
     - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
 author: Florian Roth

rules/proxy/proxy_ua_malware.yml

@@ -1,7 +1,7 @@
 title: Malware User Agent
 status: experimental
 description: Detects suspicious user agent strings used by malware in proxy logs
-reference:
+references:
     - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
     - http://www.botopedia.org/search?searchword=scan&searchphrase=all
     - https://networkraptor.blogspot.com/2015/01/user-agent-strings.html
@@ -22,6 +22,8 @@ detection:
         - '*<|>*'  # Houdini / Iniduoh / njRAT
         - 'nsis_inetc (mozilla)'  # ZeroAccess
         - 'Wget/1.9+cvs-stable (Red Hat modified)'  # Dyre / Upatre
+        # Ghost419 https://goo.gl/rW1yvZ
+        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)'
 
         # Malware
         - '*zeroup*'  # W32/Renos.Downloader
@@ -44,6 +46,8 @@ detection:
         - 'Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)'  # Fareit
         - 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)'  # Webshell's back connect
         - 'MSIE'  # Toby web shell
+        - '*(Charon; Inferno)'  # Loki Bot
+        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)'  # Fareit / Pony
 
         # Others 
         - '* pxyscand*'

rules/proxy/proxy_ua_suspicious.yml

@@ -1,7 +1,7 @@
 title: Suspicious User Agent
 status: experimental
 description: Detects suspicious malformed user agent strings in proxy logs
-reference:
+references:
     - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
 author: Florian Roth
 logsource:

rules/web/web_apache_segfault.yml

@@ -1,7 +1,8 @@
 title: Apache Segmentation Fault
 description: Detects a segmentation fault error message caused by a creashing apacke worker process 
 author: Florian Roth
-reference: http://www.securityfocus.com/infocus/1633
+references:
+    - http://www.securityfocus.com/infocus/1633
 logsource:
     product: apache
 detection:

rules/windows/builtin/win_admin_rdp_login.yml

@@ -1,6 +1,6 @@
-title: Admin user remote login
+title: Admin User Remote Logon
 description: Detect remote login by Administrator user depending on internal pattern
-reference:
+references:
   - https://car.mitre.org/wiki/CAR-2016-04-005
 status: experimental
 author: juju4

rules/windows/builtin/win_alert_active_directory_user_control.yml

@@ -1,6 +1,6 @@
-title: Detects Enabling of a User Right in AD to Control User Objects
+title: Enabled User Right in AD to Control User Objects
 description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
-reference: 
+references:
     - https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
 author: '@neu5ron'
 logsource:
@@ -12,7 +12,7 @@ detection:
         EventID: 4707
     keywords:
         - 'SeEnableDelegationPrivilege'
-    condition: selection and keywords
+    condition: all of them
 falsepositives: 
     - Unknown
 level: high

rules/windows/builtin/win_alert_ad_user_backdoors.yml

@@ -1,6 +1,6 @@
 title: Active Directory User Backdoors
 description: Detects scenarios where one can control another users account without having to use their credentials via msDS-AllowedToDelegateTo and or service principal names (SPN).
-reference:
+references:
     - https://msdn.microsoft.com/en-us/library/cc220234.aspx
     - https://adsecurity.org/?p=3466
 author: '@neu5ron'
@@ -20,7 +20,7 @@ detection:
         EventID: 5136
         ObjectClass: 'user'
         AttributeLDAPDisplayName: 'servicePrincipalName'
-    condition: selection1 or selection2 or selection3
+    condition: 1 of them
 falsepositives: 
     - Unknown
 level: high

rules/windows/builtin/win_alert_enable_weak_encryption.yml

@@ -1,6 +1,6 @@
-title: Detects Enabling of Weak Encryption and Kerberoast
+title: Weak Encryption Enabled and Kerberoast
 description: Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
-reference: 
+references:
     - https://adsecurity.org/?p=2053
     - https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
 author: '@neu5ron'

rules/windows/builtin/win_alert_mimikatz_keywords.yml

@@ -1,4 +1,4 @@
-title: Mimikatz Usage
+title: Mimikatz Use
 description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
 author: Florian Roth
 logsource:

rules/windows/builtin/win_disable_event_logging.yml

@@ -6,7 +6,7 @@ description: >
     that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc".
     Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off
     specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.
-reference:
+references:
     - https://bit.ly/WinLogsZero2Hero
 author: '@neu5ron'
 logsource:

rules/windows/builtin/win_eventlog_cleared.yml

@@ -3,7 +3,8 @@ status: experimental
 description: Detects a cleared Windows Eventlog as e.g. caused by "wevtutil cl" command execution  
 author: Florian Roth
 date: 2017/06/27
-reference: https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
+references:
+    - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
 logsource:
     product: windows
     service: system

rules/windows/builtin/win_mal_service_installs.yml

@@ -1,4 +1,4 @@
-title: Malicious Service Installs
+title: Malicious Service Installations
 description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping and other suspicious activity
 author: Florian Roth
 logsource:
@@ -7,26 +7,26 @@ logsource:
 detection:
     selection:
         EventID: 7045
-    wce:
+    malsvc_wce:
         ServiceName: 
             - 'WCESERVICE'
             - 'WCE SERVICE'
-    paexec:
+    malsvc_paexec:
         ServiceFileName: '*\PAExec*'
-    winexe:
+    malsvc_winexe:
         ServiceFileName: 'winexesvc.exe*'
-    pwdumpx:
+    malsvc_pwdumpx:
         ServiceFileName: '*\DumpSvc.exe'
-    wannacry:
+    malsvc_wannacry:
         ServiceName: 'mssecsvc2.0'
-    persistence:
+    malsvc_persistence:
         ServiceFileName: '* net user *'
-    others:
+    malsvc_others:
         ServiceName:
             - 'pwdump*'
             - 'gsecdump*'
             - 'cachedump*'
-    condition: selection and ( wce or paexec or winexe or pwdumpx or wannacry or persistence or others )
+    condition: selection and 1 of malsvc_*
 falsepositives: 
     - Penetration testing
 level: critical

rules/windows/builtin/win_mal_wceaux_dll.yml

@@ -1,8 +1,9 @@
-title: WCE wceaux.dll access
+title: WCE wceaux.dll Access
 status: experimental
 description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
 author: Thomas Patzke
-reference: https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+references:
+    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_multiple_suspicious_cli.yml

@@ -1,8 +1,8 @@
 action: global
-title: Detects Quick execution of a series of suspicious commands
+title: Quick Execution of a Series of Suspicious Commands
 description: Detects multiple suspicious process in a limited timeframe
 status: experimental
-reference: 
+references:
     - https://car.mitre.org/wiki/CAR-2013-04-002
 author: juju4
 detection:

rules/windows/builtin/win_overpass_the_hash.yml

@@ -0,0 +1,20 @@
+title: Successful Overpass the Hash Attempt
+status: experimental
+description: Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.
+references: 
+    - https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html
+author: Roberto Rodriguez (source), Dominik Schaudel (rule)
+date: 2018/02/12
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 4624
+        LogonType: 9
+        LogonProcessName: seclogo
+        AuthenticationPackageName: Negotiate
+    condition: selection
+falsepositives:
+    - Runas command-line tool using /netonly parameter
+level: high

rules/windows/builtin/win_pass_the_hash.yml

@@ -1,7 +1,8 @@
-title: Detects Pass the Hash Activity
+title: Pass the Hash Activity
 status: experimental
 description: 'Detects the attack technique pass the hash which is used to move laterally inside the network'
-reference: https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
+references:
+    - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
 author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
 logsource:
     product: windows

rules/windows/builtin/win_plugx_susp_exe_locations.yml

@@ -1,7 +1,7 @@
 title: Executable used by PlugX in Uncommon Location
 status: experimental
 description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
-reference: 
+references:
     - 'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/'
     - 'https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/'
 author: Florian Roth

rules/windows/builtin/win_possible_applocker_bypass.yml

@@ -1,8 +1,8 @@
 action: global
-title: Detects Possible Applocker Bypass
+title: Possible Applocker Bypass
 description: Detects execution of executables that can be used to bypass Applocker whitelisting
 status: experimental
-reference:
+references:
     - https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt
     - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
 author: juju4

rules/windows/builtin/win_rare_schtasks_creations.yml

@@ -1,4 +1,4 @@
-title: Rare SchTasks Creations
+title: Rare Schtasks Creations
 description: Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code
 status: experimental
 author: Florian Roth

rules/windows/builtin/win_susp_add_sid_history.yml

@@ -1,7 +1,8 @@
 title: Addition of SID History to Active Directory Object
 status: stable
 description: An attacker can use the SID history attribute to gain additional privileges.
-reference: https://adsecurity.org/?p=1772
+references:
+    - https://adsecurity.org/?p=1772
 author: Thomas Patzke
 logsource:
     product: windows

rules/windows/builtin/win_susp_backup_delete.yml

@@ -1,7 +1,7 @@
 title: Backup Catalog Deleted
 status: experimental
 description: Detects backup catalog deletions
-reference: 
+references:
     - https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx
     - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
 author: Florian Roth (rule), Tom U. @c_APT_ure (collection) 

rules/windows/builtin/win_susp_cli_escape.yml

@@ -1,8 +1,8 @@
 action: global
-title: Detects Suspicious Commandline escape
+title: Suspicious Commandline Escape
 description: Detects suspicious process that use escape characters
 status: experimental
-reference: 
+references:
     - https://twitter.com/vysecurity/status/885545634958385153
     - https://twitter.com/Hexacorn/status/885553465417756673
     - https://twitter.com/Hexacorn/status/885570278637678592

rules/windows/builtin/win_susp_commands_recon_activity.yml

@@ -1,9 +1,9 @@
 ---
 action: global
-title: Detects Reconnaissance Activity with Net Command
+title: Reconnaissance Activity with Net Command
 status: experimental
 description: 'Detects a set of commands often used in recon stages by different attack groups' 
-reference: 
+references:
     - https://twitter.com/haroonmeer/status/939099379834658817
     - https://twitter.com/c_APT_ure/status/939475433711722497
 author: Florian Roth

rules/windows/builtin/win_susp_dhcp_config.yml

@@ -1,7 +1,7 @@
-title: DHCP Server loaded the CallOut DLL
+title: DHCP Server Loaded the CallOut DLL
 status: experimental
 description: This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
-reference:
+references:
     - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
     - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
     - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx

rules/windows/builtin/win_susp_dhcp_config_failed.yml

@@ -1,7 +1,7 @@
 title: DHCP Server Error Failed Loading the CallOut DLL
 description: This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded
 status: experimental
-reference:
+references:
     - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
     - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
     - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx

rules/windows/builtin/win_susp_dns_config.yml

@@ -2,7 +2,7 @@ title: DNS Server Error Failed Loading the ServerLevelPluginDLL
 description: This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
 status: experimental
 date: 2017/05/08
-reference: 
+references:
     - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
     - https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx
     - https://twitter.com/gentilkiwi/status/861641945944391680

rules/windows/builtin/win_susp_dsrm_password_change.yml

@@ -1,7 +1,8 @@
 title: Password Change on Directory Service Restore Mode (DSRM) Account
 status: stable
 description: The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.
-reference: https://adsecurity.org/?p=1714
+references:
+    - https://adsecurity.org/?p=1714
 author: Thomas Patzke
 logsource:
     product: windows

rules/windows/builtin/win_susp_eventlog_cleared.yml

@@ -1,6 +1,7 @@
 title: Eventlog Cleared
 description: One of the Windows Eventlogs has been cleared
-reference: https://twitter.com/deviouspolack/status/832535435960209408
+references:
+    - https://twitter.com/deviouspolack/status/832535435960209408
 author: Florian Roth
 logsource:
     product: windows

rules/windows/builtin/win_susp_iss_module_install.yml

@@ -0,0 +1,31 @@
+---
+action: global
+title: IIS Native-Code Module Command Line Installation
+description: Detects suspicious IIS native-code module installations via command line
+status: experimental
+references:
+    - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
+author: Florian Roth
+detection:
+    selection:
+        CommandLine: 
+            - '*\APPCMD.EXE install module /name:*'
+    condition: selection
+falsepositives: 
+    - Unknown as it may vary from organisation to arganisation how admins use to install IIS modules
+level: medium
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688

rules/windows/builtin/win_susp_lsass_dump.yml

@@ -1,7 +1,8 @@
 title: Password Dumper Activity on LSASS
 description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN 
 status: experimental
-reference: https://twitter.com/jackcr/status/807385668833968128
+references:
+    - https://twitter.com/jackcr/status/807385668833968128
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_susp_msiexec_web_install.yml

@@ -0,0 +1,32 @@
+---
+action: global
+title: MsiExec Web Install
+status: experimental
+description: Detects suspicious msiexec proess starts with web addreses as parameter
+references:
+    - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
+author: Florian Roth
+date: 2018/02/09
+detection:
+    selection:
+        CommandLine: 
+            - '* msiexec*:\/\/*'
+    condition: selection
+falsepositives: 
+    - False positives depend on scripts and administrative tools used in the monitored environment
+level: medium
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688

rules/windows/builtin/win_susp_msmpeng_crash.yml

@@ -2,7 +2,7 @@ title: Microsoft Malware Protection Engine Crash
 description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
 status: experimental
 date: 2017/05/09
-reference: 
+references:
     - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
     - https://technet.microsoft.com/en-us/library/security/4022344
 author: Florian Roth
@@ -16,11 +16,10 @@ detection:
     selection2:
         Source: 'Windows Error Reporting'
         EventID: 1001
-    keyword1:
+    keywords:
         - 'MsMpEng.exe'
-    keyword2:
         - 'mpengine.dll'
-    condition: (selection1 or selection2) and keyword1 and keyword2
+    condition: 1 of selection* and all of keywords
 falsepositives: 
     - Unknown
 level: high

rules/windows/builtin/win_susp_net_recon_activity.yml

@@ -1,7 +1,8 @@
-title: Detects Reconnaissance Activity
+title: Reconnaissance Activity
 status: experimental
 description: 'Detects activity as "net user administrator /domain" and "net group domain admins /domain"' 
-reference: https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
+references:
+    - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
 author: Florian Roth (rule), Jack Croock (method)
 logsource:
     product: windows

rules/windows/builtin/win_susp_phantom_dll.yml

@@ -1,8 +1,8 @@
 action: global
-title: Detects Phantom DLLs usage
+title: Phantom DLLs Usage
 description: Detects Phantom DLLs usage and matching executable
 status: experimental
-reference: 
+references:
     - http://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
     - http://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/
 author: juju4

rules/windows/builtin/win_susp_process_creations.yml

@@ -1,9 +1,9 @@
 ---
 action: global
-title: Detects Suspicious Process Creations
+title: Suspicious Process Creation
 description: Detects suspicious process starts on Windows systems bsed on keywords
 status: experimental
-reference: 
+references:
     - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
     - https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s
     - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
@@ -43,6 +43,7 @@ detection:
             - '*\certutil.exe -ping *'
             - 'icacls * /grant Everyone:F /T /C /Q'
             - '* wmic shadowcopy delete *'
+            - '* wbadmin.exe delete catalog -quiet*'  # http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
             # Scripts
             - '*\wscript.exe *.jse'
             - '*\wscript.exe *.js'

rules/windows/builtin/win_susp_rasdial_activity.yml

@@ -1,8 +1,8 @@
 action: global
-title: Detects Suspicious rasdial activity
+title: Suspicious RASdial Activity
 description: Detects suspicious process related to rasdial.exe
 status: experimental
-reference: 
+references:
     - https://twitter.com/subTee/status/891298217907830785
 author: juju4
 detection:

rules/windows/builtin/win_susp_rc4_kerberos.yml

@@ -1,6 +1,7 @@
 title: Suspicious Kerberos RC4 Ticket Encryption
 status: experimental
-reference: https://adsecurity.org/?p=3458
+references:
+    - https://adsecurity.org/?p=3458
 description: Detects logons using RC4 encryption type
 logsource:
     product: windows

rules/windows/builtin/win_susp_run_locations.yml

@@ -1,8 +1,8 @@
 action: global
-title: Detects Suspicious Run Locations
+title: Suspicious Process Start Locations
 description: Detects suspicious process run from unusual locations
 status: experimental
-reference: 
+references:
     - https://car.mitre.org/wiki/CAR-2013-05-002
 author: juju4
 detection:

rules/windows/builtin/win_susp_rundll32_activity.yml

@@ -1,8 +1,8 @@
 action: global
-title: Detects Suspicious Rundll32 activity
+title: Suspicious Rundll32 Activity
 description: Detects suspicious process related to rundll32 based on arguments
 status: experimental
-reference: 
+references:
     - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
     - https://twitter.com/Hexacorn/status/885258886428725250
     - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52

rules/windows/builtin/win_susp_sam_dump.yml

@@ -1,4 +1,4 @@
-title: Suspicious SAM Dumps to AppData
+title: SAM Dump to AppData
 status: experimental
 description: Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers
 author: Florian Roth
@@ -11,7 +11,7 @@ detection:
         EventID: 16
     keywords:
         - '*\AppData\Local\Temp\SAM-*.dmp *'
-    condition: selection and keywords
+    condition: all of them
 falsepositives: 
     - Penetration testing
 level: high

rules/windows/builtin/win_susp_samr_pwset.yml

@@ -1,4 +1,4 @@
-title: Possible remote password change (NTLM hash only) through SAMR 
+title: Possible Remote Password Change Through SAMR 
 description: Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser(). "Audit User Account Management" in "Advanced Audit Policy Configuration" has to be enabled in your local security policy / GPO to see this events.
 author: Dimitrios Slamaris
 logsource:

rules/windows/builtin/win_susp_sdelete.yml

@@ -1,8 +1,8 @@
-title: Secure deletion with SDelete
+title: Secure Deletion with SDelete
 status: experimental
 description: Detects renaming of file while deletion with SDelete tool
 author: Thomas Patzke
-reference:
+references:
     - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
     - https://technet.microsoft.com/en-us/en-en/sysinternals/sdelete.aspx
 logsource:

rules/windows/builtin/win_usb_device_plugged.yml

@@ -1,6 +1,6 @@
 title: USB Device Plugged
 description: Detects plugged USB devices
-reference:
+references:
     - https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/
     - https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/
 status: experimental

rules/windows/malware/sysmon_malware_notpetya.yml

@@ -2,7 +2,7 @@ title: NotPetya Ransomware Activity
 status: experimental
 description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil
 author: Florian Roth, Tom Ueltschi
-reference: 
+references:
     - https://securelist.com/schroedingers-petya/78870/
     - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
 logsource:
@@ -26,7 +26,7 @@ detection:
         CommandLine: '*.dat,#1'       
     perfc_keyword:
         - '*\perfc.dat*'
-    condition: fsutil_clean_journal or pipe_com or event_clean or rundll32_dash1 or perfc_keyword
+    condition: 1 of them
 fields:
     - CommandLine
     - ParentCommandLine

rules/windows/malware/sysmon_malware_wannacry.yml

@@ -1,7 +1,8 @@
 title: WannaCry Ransomware via Sysmon
 status: experimental
 description: Detects WannaCry ransomware activity via Sysmon
-reference: https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
+references:
+    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
 author: Florian Roth (rule), Tom U. @c_APT_ure (collection) 
 logsource:
     product: windows
@@ -29,7 +30,7 @@ detection:
             - '*bcdedit /set {default} recoveryenabled no*'
             - '*wbadmin delete catalog -quiet*'
             - '*@Please_Read_Me@.txt*'
-    condition: selection1 or selection2
+    condition: 1 of them
 fields:
     - CommandLine
     - ParentCommandLine

rules/windows/malware/win_mal_adwind.yml

@@ -3,7 +3,7 @@ action: global
 title: Adwind RAT / JRAT
 status: experimental
 description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
-reference:
+references:
     - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
     - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
 author: Florian Roth, Tom Ueltschi

rules/windows/malware/win_mal_wannacry.yml

@@ -2,7 +2,7 @@ action: global
 title: WannaCry Ransomware 
 description: Detects WannaCry Ransomware Activity
 status: experimental
-reference: 
+references:
     - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
 author: Florian Roth
 detection:
@@ -12,7 +12,7 @@ detection:
             - '*icacls * /grant Everyone:F /T /C /Q*'
             - '*bcdedit /set {default} recoveryenabled no*'
             - '*wbadmin delete catalog -quiet*'
-    condition: selection1 or selection2
+    condition: 1 of them
 falsepositives: 
     - Unknown
 level: critical

rules/windows/other/win_tool_psexec.yml

@@ -1,8 +1,9 @@
-title: PsExec tool execution on destination host
+title: PsExec Tool Execution
 status: experimental
 description: Detects PsExec service installation and execution events (service and Sysmon)
 author: Thomas Patzke
-reference: https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+references:
+    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
 logsource:
     product: windows
 detection:
@@ -17,7 +18,7 @@ detection:
         EventID: 1
         Image: '*\PSEXESVC.exe'
         User: 'NT AUTHORITY\SYSTEM'
-    condition: service_installation or service_execution or sysmon_processcreation
+    condition: 1 of them
 fields:
     - EventID
     - CommandLine

rules/windows/other/win_wmi_persistence.yml

@@ -2,7 +2,8 @@ title: WMI Persistence
 status: experimental
 description: Detects suspicious WMI event filter and command line event consumer based on event id 5861 (Windows 10, 2012 and higher)
 author: Florian Roth
-reference: https://twitter.com/mattifestation/status/899646620148539397
+references:
+    - https://twitter.com/mattifestation/status/899646620148539397
 logsource:
     product: windows
     service: wmi

rules/windows/powershell/powershell_downgrade_attack.yml

@@ -1,7 +1,8 @@
 title: PowerShell Downgrade Attack
 status: experimental
 description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
-reference: http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
+references:
+    - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
 author: Florian Roth (rule), Lee Holmes (idea)
 logsource:
     product: windows

rules/windows/powershell/powershell_exe_calling_ps.yml

@@ -1,7 +1,8 @@
 title: PowerShell called from an Executable Version Mismatch
 status: experimental
 description: Detects PowerShell called from an executable by the version mismatch method
-reference: https://adsecurity.org/?p=2921
+references:
+    - https://adsecurity.org/?p=2921
 author: Sean Metcalf (source), Florian Roth (rule)
 logsource:
     product: windows

rules/windows/powershell/powershell_malicious_commandlets.yml

@@ -1,7 +1,8 @@
 title: Malicious PowerShell Commandlets
 status: experimental
 description: Detects Commandlet names from well-known PowerShell exploitation frameworks
-reference: https://adsecurity.org/?p=2921
+references:
+    - https://adsecurity.org/?p=2921
 author: Sean Metcalf (source), Florian Roth (rule)
 logsource:
     product: windows

rules/windows/powershell/powershell_malicious_keywords.yml

@@ -1,7 +1,8 @@
 title: Malicious PowerShell Commandlets
 status: experimental
 description: Detects Commandlet names from well-known PowerShell exploitation frameworks
-reference: https://adsecurity.org/?p=2921
+references:
+    - https://adsecurity.org/?p=2921
 author: Sean Metcalf (source), Florian Roth (rule)
 logsource:
     product: windows

rules/windows/powershell/powershell_prompt_credentials.yml

@@ -1,7 +1,7 @@
 title: PowerShell Credential Prompt
 status: experimental
 description: Detects PowerShell calling a credential prompt
-reference: 
+references:
     - https://twitter.com/JohnLaTwC/status/850381440629981184
     - https://t.co/ezOTGy1a1G
 author: John Lambert (idea), Florian Roth (rule)
@@ -14,7 +14,7 @@ detection:
         EventID: 4104
     keyword:
         - 'PromptForCredential'
-    condition: selection and keyword
+    condition: all of them
 falsepositives:
     - Unknown
 level: high

rules/windows/powershell/powershell_psattack.yml

@@ -1,7 +1,8 @@
 title: PowerShell PSAttack 
 status: experimental
 description: Detects the use of PSAttack PowerShell hack tool
-reference: https://adsecurity.org/?p=2921
+references:
+    - https://adsecurity.org/?p=2921
 author: Sean Metcalf (source), Florian Roth (rule)
 logsource:
     product: windows
@@ -10,9 +11,9 @@ logsource:
 detection:
     selection:
         EventID: 4103
-    keywords: 
+    keyword: 
         - 'PS ATTACK!!!'
-    condition: selection and keywords
+    condition: all of them
 falsepositives:
     - Pentesters
 level: high

rules/windows/powershell/powershell_suspicious_invocation_generic.yml

@@ -16,8 +16,9 @@ detection:
     noninteractive:
         - ' -noni '
         - ' -noninteractive '
-    condition: encoded and hidden and noninteractive
+    condition: all of them
 falsepositives:
     - Penetration tests
+    - Very special / sneaky PowerShell scripts
 level: high
 

rules/windows/sysmon/sysmon_bitsadmin_download.yml

@@ -1,7 +1,7 @@
-title: Bitsadmin download
+title: Bitsadmin Download
 status: experimental
 description: Detects usage of bitsadmin downloading a file
-reference: 
+references:
     - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
     - https://isc.sans.edu/diary/22264
 author: Michael Haag

rules/windows/sysmon/sysmon_dhcp_calloutdll.yml

@@ -1,7 +1,7 @@
 title: DHCP Callout DLL installation
 status: experimental
 description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
-reference: 
+references:
     - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
     - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
     - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx