Sigma tools release 0.4

* Various bug fixes in quoting of specific characters
* New backend es-dsl

.travis.yml

@@ -1,12 +1,15 @@
 language: python
 python:
-  - 3.4
   - 3.5
   - 3.6
   - pypy3
+services:
+    - elasticsearch
 cache: pip
+before_install:
+    - curl -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.2.4.deb && sudo dpkg -i --force-confnew elasticsearch-6.2.4.deb && sudo service elasticsearch restart
 install:
   - pip install -r tools/requirements-devel.txt 
-
 script:
   - make test
+  - make test-backend-es-qs

Makefile

@@ -16,10 +16,12 @@ test-yaml:
 test-sigmac:
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -l
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -O rulecomment -rvdI -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-dsl rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=stable,logsource=windows' rules/ > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=xcritical,status=stable,logsource=windows' rules/ > /dev/null
@@ -29,7 +31,9 @@ test-sigmac:
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t kibana rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -Ooutput=curl -t kibana rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t kibana rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -Ooutput=curl -t kibana rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t xpack-watcher rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t xpack-watcher rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-defaultindex.yml -t xpack-watcher rules/ > /dev/null
@@ -56,7 +60,10 @@ test-sigmac:
 
 test-merge:
 	tests/test-merge.sh
-	! coverage run -a --include=$(COVSCOPE) tools/merge_sigma.py tests/not_existing.yml > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/merge_sigma tests/not_existing.yml > /dev/null
+
+test-backend-es-qs:
+	tests/test-backend-es-qs.py
 
 build: tools/sigmac tools/merge_sigma tools/sigma/*.py tools/setup.py tools/setup.cfg
 	cd tools && python3 setup.py bdist_wheel

README.md

@@ -3,9 +3,10 @@
 ![sigma_logo](./images/Sigma_0.3.png)
 
 # Sigma
+
 Generic Signature Format for SIEM Systems
 
-# What is Sigma?
+# What is Sigma
 
 Sigma is a generic and open signature format that allows you to describe relevant log events in a straight forward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others.
 
@@ -17,6 +18,8 @@ This repository contains:
 * Open repository for sigma signatures in the `./rules`subfolder
 * A converter that generate searches/queries for different SIEM systems [work in progress]
 
+![sigma_description](./images/Sigma-description.png)
+
 ## Hack.lu 2017 Talk
 
 [![Sigma - Generic Signatures for Log Events](https://preview.ibb.co/cMCigR/Screen_Shot_2017_10_18_at_15_47_15.png)](https://www.youtube.com/watch?v=OheVuE9Ifhs "Sigma - Generic Signatures for Log Events")
@@ -31,22 +34,6 @@ This repository contains:
 * Write a rule converter for your custom log analysis tool and process new Sigma rules automatically
 * Provide a free or commercial feed for Sigma signatures
 
-# Sigma Converter
-
-The converter is currently under development in the *devel-sigmac* branch of this project. It has currently the
-following capabilities:
-
-* Parsing of Sigma rule files
-* Conversion of searches into Elasticsearch and Splunk queries
-
-Planned main features are:
-
-* Conversion of aggregation expressions (after the pipe character)
-* Output of Kibana JSON configurations
-
-Support for further SIEM solutions can be added by developing an corresponsing output backend class.
-
-![sigma_description](./images/Sigma-description.png)
 
 # Why Sigma
 
@@ -72,6 +59,10 @@ The specifications can be found in the [Wiki](https://github.com/Neo23x0/sigma/w
 
 The current specification is a proposal. Feedback is requested.
 
+# Getting Started
+
+Florian wrote a short [rule creation tutorial](https://www.nextron-systems.com/2018/02/10/write-sigma-rules/) that can help you getting started.
+
 # Examples
 
 Windows 'Security' Eventlog: Access to LSASS Process with Certain Access Mask / Object Type (experimental)
@@ -89,7 +80,7 @@ Sysmon: Web Shell Detection
 Windows 'Security' Eventlog: Suspicious Number of Failed Logons from a Single Source Workstation
 ![sigma_rule example5](./images/Sigma_rule_example5.png)
 
-## Sigma Toolchain
+## Sigma Tools
 
 Sigmac converts sigma rules into queries or inputs of the supported targets listed below. It acts as a frontend to the
 Sigma library that may be used to integrate Sigma support in other projects. Further, there's `merge_sigma.py` which
@@ -100,23 +91,48 @@ merges multiple YAML documents of a Sigma rule collection into simple Sigma rule
 ### Supported Targets
 
 * [Splunk](https://www.splunk.com/)
-* [ElasticSearch](https://www.elastic.co/)
+* [Elasticsearch](https://www.elastic.co/)
+* [Kibana](https://www.elastic.co/de/products/kibana)
 * [Elastic X-Pack Watcher](https://www.elastic.co/guide/en/x-pack/current/xpack-alerting.html)
 * [Logpoint](https://www.logpoint.com)
+* Grep with Perl-compatible regular expression support
+
+New targets are continuously developed. A current list can be obtained with `sigmac --target-list` or `sigmac -l`.
 
 ### Requirements
 
-The usage of Sigmac or the underlying library requires Python >= 3.4 and PyYAML.
+The usage of Sigmac or the underlying library requires Python >= 3.5 and PyYAML.
 
 ### Installation
 
 It's available on PyPI. Install with:
 
-```
+```bash
 pip3 install sigmatools
 ```
 
-# Next Steps 
+Alternatively, if used from the Sigma Github repository, the Python dependencies can be installed with:
+
+```bash
+pip3 install -r tools/requirements.txt
+```
+
+For development (e.g. execution of integration tests with `make` and packaging), further dependencies are required and can be installed with:
+
+```bash
+pip3 install -r tools/requirements-devel.txt
+```
+
+## Contributed Scripts
+
+The directory `contrib` contains scripts that were contributed by the community:
+
+* `sigma2elastalert.py`i by David Routin: A script that converts Sigma rules to Elastalert configurations. This tool
+  uses *sigmac* and expects it in its path.
+
+These tools are not part of the main toolchain and maintained separately by their authors.
+
+# Next Steps
 
 * Integration of feedback into the rule specifications
 * Integration into Threat Intel Exchanges, e.g. [MISP](http://www.misp-project.org/)

contrib/sigma2elastalert.py

@@ -0,0 +1,173 @@
+#!/usr/bin/python
+# Copyright 2018 David Routin
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+"""
+Project: sigma2elastalert.py
+Date: 25 Feb 2018
+Author: David ROUTIN  (@Rewt_1)
+Version: 1.0
+Description: This script creates elastalert configuration files from Sigma SIEM rules.
+"""
+
+import re
+import os
+import glob
+import subprocess
+import argparse
+import yaml
+import traceback
+
+parser = argparse.ArgumentParser()
+parser.add_argument("--eshost", help="Elasticsearch host", type=str, required=True)
+parser.add_argument("--esport", help="Elasticsearch port", type=str, required=True)
+parser.add_argument("--ruledir", help="sigma rule directory path to convert", type=str, required=True)
+parser.add_argument("--index", help="Elasticsearch index name egs: \"winlogbeat-*\"", type=str, required=True)
+parser.add_argument("--email", help="email address to send mail alert", type=str, required=True)
+parser.add_argument("--outdir", help="output directory to create elastalert rules", type=str, required=True)
+parser.add_argument("--sigmac", help="Sigmac location", default="../tools/sigmac", type=str)
+parser.add_argument("--realerttime", help="Realert time (optional value, default 5 minutes)", type=str, default=5)
+parser.add_argument("--debug", help="Show debug output", type=bool, default=False)
+args = parser.parse_args()
+
+custom_query_keys = ["sensor", "Hostname", "EventID", "src_ip", "dst_ip"]
+
+
+template="""es_host: ESHOST
+es_port: ESPORT
+name: "TITLE"
+description: "DESCRIPTION"
+index: INDEX
+filter:
+- query:
+    query_string:
+      query: 'QUERY'
+realert:
+ minutes: MINUTES
+query_key: UNIQKEYS
+type: any
+include: UNIQKEYS
+alert:
+- "email"
+
+# (required, email specific)
+# a list of email addresses to send alerts to
+email:
+- "EMAIL"
+"""
+
+def return_json_obj(x,custom_query_keys):
+    """
+    Function used to filter all ES query object as unique value including predefined list from custom_query_keys
+    :param x: must contains ES query output
+    :param custom_query_keys: takes the list of predefined element to match in document
+    :return: a clean list (set) of all the query keys (EventID,TargetUserName...)
+    """
+    # type: (str, list) -> list
+    y = x.replace(" ", "\n").split()
+    out = set()
+    for i in y:
+        out.update(re.findall("([a-zA-Z]+)\:", i))
+
+    for qk in custom_query_keys:
+        try:
+            out.remove(qk)
+        except:
+            pass
+    out = list(out)
+    count = 0
+    for qk in custom_query_keys:
+        count += 1
+        out.insert(count-1, qk)
+    return out
+
+def rule_element(file_content, elements):
+    """
+    Function used to get specific element from yaml document and return content
+    :type file_content: str
+    :type elements: list
+    :param file_content:
+    :param elements: list of elements of the yaml document to get "title", "description"
+    :return: the value of the key in the yaml document
+    """
+    try:
+        yaml.load(file_content.replace("---",""))
+    except:
+        raise Exception('Unsupported')
+    element_output = ""
+    for e in elements:
+        try:
+            element_output = yaml.load(file_content.replace("---",""))[e]
+        except:
+            pass
+    if element_output is None:
+        return ""
+    return element_output
+
+def get_rule_as_esqs(file):
+    """
+    Function used to get Elastic query output from rule fome
+    :type file: str
+    :param file: rule filename
+    :return: string es query
+    """
+    if not os.path.exists(args.sigmac):
+        print("Cannot find sigmac rule coverter at '%s', please set a correct location via '--sigmac'")
+    cmd = [args.sigmac, file, "--target", "es-qs"]
+    output = subprocess.Popen(cmd,stdout=subprocess.PIPE, stderr=subprocess.STDOUT).stdout.read()
+    if "unsupported" in output:
+        raise Exception('Unsupported output at this time')
+    output = output.split("\n")
+    # Remove empty string from \n
+    output = [a for a in output if a]
+    # Handle case of multiple queries returned
+    if len(output) > 1:
+        return " OR ".join(output)
+    return "".join(output)
+
+# Dictionary that contains args set at launch time
+convert_args = {
+    "ESHOST": args.eshost,
+    "ESPORT": args.esport,
+    "INDEX": args.index,
+    "EMAIL": args.email,
+    "MINUTES": args.realerttime
+}
+
+for file in glob.glob(args.ruledir + "/*"):
+    output_elast_config = template
+    try:
+        print("Processing %s ..." % file)
+        with open(file, "rb") as f:
+            file_content = f.read()
+
+        # Dictionary that contains args with values returned by functions
+        translate_func = {'QUERY': get_rule_as_esqs(file),
+                        'TITLE': rule_element(file_content, ["title", "name"]),
+                        'DESCRIPTION': rule_element(file_content, ["description"]),
+                        'UNIQKEYS': str(return_json_obj(get_rule_as_esqs(file), custom_query_keys))
+                        }
+        for entry in convert_args:
+            output_elast_config = re.sub(entry, str(convert_args[entry]), output_elast_config)
+        for entry in translate_func:
+            output_elast_config = re.sub(entry, translate_func[entry], output_elast_config)
+        print "Converting file " + file
+        with open(os.path.join(args.outdir, "sigma-" + file.split("/")[-1]), "w") as f:
+                f.write(output_elast_config)
+    except Exception as e:
+        if args.debug:
+            traceback.print_exc()
+        print "error " + str(file) + "----" + str(e)
+        pass
+

rules/application/app_python_sql_exceptions.yml

@@ -1,7 +1,7 @@
 title: Python SQL Exceptions
 description: Generic rule for SQL exceptions in Python according to PEP 249
 author: Thomas Patzke
-reference:
+references:
     - https://www.python.org/dev/peps/pep-0249/#exceptions
 logsource:
     category: application

rules/application/app_sqlinjection_errors.yml

@@ -2,7 +2,8 @@ title: Suspicious SQL Error Messages
 status: experimental
 description: Detects SQL error messages that indicate probing for an injection attack
 author: Bjoern Kimminich
-reference: http://www.sqlinjection.net/errors
+references:
+    - http://www.sqlinjection.net/errors
 logsource:
     category: application
     product: sql
@@ -15,7 +16,7 @@ detection:
         # SQL Server
         - Unclosed quotation mark
         # SQLite
-        - near "*": syntax error
+        - 'near "*": syntax error'
         - SELECTs to the left and right of UNION do not have the same number of result columns
     condition: keywords
 falsepositives:

rules/application/appframework_django_exceptions.yml

@@ -1,7 +1,7 @@
 title: Django framework exceptions
 description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
-reference:
+references:
     - https://docs.djangoproject.com/en/1.11/ref/exceptions/
     - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
 logsource:

rules/application/appframework_ruby_on_rails_exceptions.yml

@@ -1,7 +1,7 @@
 title: Ruby on Rails framework exceptions
 description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
 author: Thomas Patzke
-reference:
+references:
     - http://edgeguides.rubyonrails.org/security.html
     - http://guides.rubyonrails.org/action_controller_overview.html
     - https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception

rules/application/appframework_spring_exceptions.yml

@@ -1,7 +1,7 @@
 title: Spring framework exceptions
 description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
-reference:
+references:
     - https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html
 logsource:
     category: application

rules/apt/apt_apt29_tor.yml

@@ -1,7 +1,9 @@
+---
 action: global
 title: APT29 Google Update Service Install
 description: 'This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files.' 
-reference: https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
+references:
+    - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
 logsource:
     product: windows
 detection:

rules/apt/apt_carbonpaper_turla.yml

@@ -1,6 +1,7 @@
 title: Turla Service Install
 description: 'This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET' 
-reference: https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
+references:
+    - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
 logsource:
     product: windows
     service: system

rules/apt/apt_chafer_mar18.yml

@@ -0,0 +1,53 @@
+---
+action: global
+title: Chafer Activity
+description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018 
+references:
+    - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
+date: 2018/03/23
+author: Florian Roth, Markus Neis
+detection:
+    condition: 1 of them
+falsepositives:
+    - Unknown
+level: critical
+---
+logsource:
+    product: windows
+    service: system
+detection:
+    selection_service:
+        EventID: 7045
+        ServiceName:
+            - 'SC Scheduled Scan'
+            - 'UpdatMachine'
+---
+logsource:
+   product: windows
+   service: sysmon
+detection:
+    selection_reg1:
+        EventID: 13 
+        TargetObject: 
+            - '*SOFTWARE\Microsoft\Windows\CurrentVersion\UMe'
+            - '*SOFTWARE\Microsoft\Windows\CurrentVersion\UT'
+        EventType: 'SetValue'
+    selection_reg2:
+        EventID: 13 
+        TargetObject: '*\Control\SecurityProviders\WDigest\UseLogonCredential'
+        EventType: 'SetValue'
+        Details: 'DWORD (0x00000001)'
+    selection_process1:
+        EventID: 1 
+        CommandLine: 
+            - '*\Service.exe i'
+            - '*\Service.exe u'
+            - '*\microsoft\Taskbar\autoit3.exe'
+            - 'C:\wsc.exe*'
+    selection_process2:
+        EventID: 1
+        Image: '*\Windows\Temp\DB\*.exe'
+    selection_process3:
+        EventID: 1
+        CommandLine: '*\nslookup.exe -q=TXT*'
+        ParentImage: '*\Autoit*'

rules/apt/apt_cloudhopper.yml

@@ -1,7 +1,8 @@
-title: Detects an Execution of WMIExec VBS Script
+title: WMIExec VBS Script
 description: Detects suspicious file execution by wscript and cscript
 author: Florian Roth
-reference: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+references:
+    - https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
 logsource:
     product: windows
     service: sysmon

rules/apt/apt_dragonfly.yml

@@ -0,0 +1,36 @@
+---
+action: global
+title: CrackMapExecWin 
+description: Detects CrackMapExecWin Activity as Described by NCSC
+status: experimental
+references:
+    - https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control 
+author: Markus Neis
+detection:
+    condition: 1 of them
+falsepositives: 
+    - None 
+level: critical
+---
+# Windows Audit Log
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection1:
+        # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
+        EventID: 4688
+        NewProcessName:
+            - '*\crackmapexec.exe'
+---
+# Sysmon
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
+        EventID: 1
+        Image:
+            - '*\crackmapexec.exe'

rules/apt/apt_elise.yml

@@ -0,0 +1,22 @@
+title: Elise Backdoor
+status: experimental
+description: Detects Elise backdoor acitivty as used by APT32 
+references: 
+    - https://community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting
+author: Florian Roth
+date: 2018/01/31
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        EventID: 1
+        Image: 'C:\Windows\SysWOW64\cmd.exe'
+        CommandLine: '*\Windows\Caches\NavShExt.dll *'
+    selection2:
+        EventID: 1
+        CommandLine: '*\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'
+    condition: 1 of them
+falsepositives:
+    - Unknown
+level: critical

rules/apt/apt_equationgroup_c2.yml

@@ -1,6 +1,6 @@
 title: Equation Group C2 Communication
 description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
-reference:
+references:
     - 'https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation'
     - 'https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195'
 author: Florian Roth
@@ -15,7 +15,7 @@ detection:
         src:
             - '69.42.98.86'
             - '89.185.234.145'
-    condition: outgoing or incoming
+    condition: 1 of them
 falsepositives:
     - Unknown
 level: high

rules/apt/apt_equationgroup_dll_u_load.yml

@@ -0,0 +1,39 @@
+---
+action: global
+title: Equation Group DLL_U Load
+description: Detects a specific tool and export used by EquationGroup
+references:
+    - https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
+    - https://securelist.com/apt-slingshot/84312/
+    - https://twitter.com/cyb3rops/status/972186477512839170
+author: Florian Roth
+date: 2018/03/10 
+detection:
+    selection1:
+        Image: '*\rundll32.exe'
+        CommandLine: '*,dll_u'
+    selection2:
+        CommandLine: '* -export dll_u *'
+    condition: 1 of them
+falsepositives:
+    - Unknown
+level: critical
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        EventID: 1
+    selection2:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection1:
+        EventID: 4688
+    selection2:
+        EventID: 4688

rules/apt/apt_equationgroup_lnx.yml

@@ -1,6 +1,7 @@
 title: Equation Group Indicators
 description: Detects suspicious shell commands used in various Equation Group scripts and tools
-reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
+references:
+    - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
 author: Florian Roth
 logsource:
     product: linux

rules/apt/apt_hurricane_panda.yml

@@ -0,0 +1,35 @@
+---
+action: global
+title: Hurricane Panda Activity
+status: experimental
+description: Detects Hurricane Panda Activity 
+references: 
+    - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
+author: Florian Roth
+date: 2018/02/25
+detection:
+    selection:
+        CommandLine: 
+            - '* localgroup administrators admin /add'
+            - '*\Win64.exe*'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+
+

rules/apt/apt_pandemic.yml

@@ -1,7 +1,7 @@
 title: Pandemic Registry Key
 status: experimental
 description: Detects Pandemic Windows Implant
-reference: 
+references:
     - https://wikileaks.org/vault7/#Pandemic
     - https://twitter.com/MalwareJake/status/870349480356454401
 author: Florian Roth
@@ -18,7 +18,7 @@ detection:
     selection2:
         EventID: 1
         Command: 'loaddll -a *'
-    condition: selection1 or selection2
+    condition: 1 of them
 fields:
     - EventID
     - CommandLine

rules/apt/apt_slingshot.yml

@@ -0,0 +1,35 @@
+---
+action: global
+title: Defrag Deactivation
+description: Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group
+references:
+    - https://securelist.com/apt-slingshot/84312/
+author: Florian Roth
+date: 2018/03/10
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'       
+detection:
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        CommandLine: 
+            - '*schtasks* /delete *Defrag\ScheduledDefrag*'
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'       
+detection:
+    selection:
+        EventID: 4701
+        TaskName: '\Microsoft\Windows\Defrag\ScheduledDefrag'

rules/apt/apt_sofacy.yml

@@ -0,0 +1,36 @@
+
+---
+action: global
+title: Sofacy Trojan Loader Activity
+status: experimental
+description: Detects Trojan loader acitivty as used by APT28 
+references: 
+    - https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
+    - https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100
+    - https://twitter.com/ClearskySec/status/960924755355369472
+author: Florian Roth
+date: 2018/03/01
+detection:
+    selection:
+        CommandLine: 
+            - 'rundll32.exe %APPDATA%\*.dat",*'
+            - 'rundll32.exe %APPDATA%\*.dll",#1'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688

rules/apt/apt_stonedrill.yml

@@ -1,7 +1,8 @@
 title: StoneDrill Service Install
 description: 'This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky'   
 author: Florian Roth
-reference: https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
+references:
+    - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
 logsource:
     product: windows
     service: system

rules/apt/apt_ta17_293a_ps.yml

@@ -1,6 +1,7 @@
 title: Ps.exe Renamed SysInternals Tool
 description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A report
-reference: https://www.us-cert.gov/ncas/alerts/TA17-293A
+references:
+    - https://www.us-cert.gov/ncas/alerts/TA17-293A
 author: Florian Roth
 date: 2017/10/22
 logsource:

rules/apt/apt_turla_commands.yml

@@ -3,7 +3,8 @@ action: global
 title: Turla Group Lateral Movement 
 status: experimental
 description: Detects automated lateral movement by Turla group 
-reference: https://securelist.com/the-epic-turla-operation/65545/
+references:
+    - https://securelist.com/the-epic-turla-operation/65545/
 author: Markus Neis
 date: 2017/11/07
 logsource:

rules/apt/apt_turla_namedpipes.yml

@@ -1,7 +1,8 @@
 title: Turla Group Named Pipes 
 status: experimental
 description: Detects a named pipe used by Turla group samples
-reference: Internal Research
+references:
+    - Internal Research
 date: 2017/11/06
 author: Markus Neis
 logsource:

rules/apt/apt_zxshell.yml

@@ -1,7 +1,8 @@
 title: ZxShell Malware
 description: Detects a ZxShell start by the called and well-known function name   
 author: Florian Roth
-reference: https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
+references:
+    - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
 logsource:
     product: windows
     service: sysmon

rules/apt/crime_fireball.yml

@@ -1,9 +1,9 @@
-title: Detects Fireball - Archer Install
+title: Fireball Archer Install
 status: experimental
 description: Detects Archer malware invocation via rundll32
 author: Florian Roth
 date: 2017/06/03
-reference: 
+references:
     - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
     - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
 logsource:

rules/linux/auditd/lnx_auditd_susp_cmds.yml

@@ -0,0 +1,28 @@
+title: Detects Suspicious Commands on Linux systems
+status: experimental
+description: Detects relevant commands often related to malware or hacking activity
+references:
+    - 'Internal Research - mostly derived from exploit code including code in MSF'
+date: 2017/12/12
+author: Florian Roth
+logsource:
+    product: linux
+    service: auditd
+detection:
+    cmds:
+        - type: 'EXECVE'
+          a0: 'chmod'
+          a1: '777'
+        - type: 'EXECVE'
+          a0: 'chmod'
+          a1: 'u+s'
+        - type: 'EXECVE'
+          a0: 'cp'
+          a1: '/bin/ksh'
+        - type: 'EXECVE'
+          a0: 'cp'
+          a1: '/bin/sh'
+    condition: 1 of cmds
+falsepositives:
+    - Admin activity
+level: medium

rules/linux/auditd/lnx_auditd_susp_exe_folders.yml

@@ -0,0 +1,39 @@
+title: Program Executions in Suspicious Folders
+status: experimental
+description: Detects program executions in suspicious non-program folders related to malware or hacking activity
+references:
+    - 'Internal Research'
+date: 2018/01/23
+author: Florian Roth
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'SYSCALL'
+        exe:
+            # Temporary folder
+            - '/tmp/*'
+            # Web server 
+            - '/var/www/*'            # Standard
+            - '/usr/local/apache2/*'  # Classical Apache
+            - '/usr/local/httpd/*'    # Old SuSE Linux 6.*
+            - '/var/apache/*'         # Solaris
+            - '/srv/www/*'            # SuSE Linux 9.*
+            - '/home/httpd/html/*'    # Redhat 6 or older
+            # Data dirs of typically exploited services (incomplete list)
+            - '/var/lib/pgsql/data/*'
+            - '/usr/local/mysql/data/*'
+            - '/var/lib/mysql/*'
+            - '/var/vsftpd/*'
+            - '/etc/bind/*'
+            - '/var/named/*'
+            # Others
+            - '*/public_html/*'
+    condition: selection
+falsepositives:
+    - Admin activity (especially in /tmp folders)
+    - Crazy web applications
+level: medium
+
+

rules/linux/lnx_buffer_overflows.yml

@@ -1,6 +1,7 @@
 title: Buffer Overflow Attempts
 description: Detects buffer overflow attempts in Linux system log files
-reference: https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
+references:
+    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
 logsource:
     product: linux
 detection:

rules/linux/lnx_clamav.yml

@@ -1,6 +1,7 @@
 title: Relevant ClamAV Message
 description: Detects relevant ClamAV messages
-reference: https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml
+references:
+    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml
 logsource:
     product: linux
     service: clamav

rules/linux/lnx_shell_susp_commands.yml

@@ -1,6 +1,6 @@
 title: Suspicious Activity in Shell Commands
 description: Detects suspicious shell commands used in various exploit codes (see references)
-reference: 
+references:
     - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html
     - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121
     - http://pastebin.com/FtygZ1cg

rules/linux/lnx_shellshock.yml

@@ -1,6 +1,7 @@
 title: Shellshock Expression
 description: Detects shellshock expressions in log files
-reference: http://rubular.com/r/zxBfjWfFYs
+references:
+    - http://rubular.com/r/zxBfjWfFYs
 logsource:
     product: linux
 detection:

rules/linux/lnx_susp_failed_logons_single_source.yml

@@ -5,7 +5,7 @@ logsource:
     service: auth
 detection:
     selection:
-        log: auth
+        pam_message: "authentication failure"
         pam_user: not null
         pam_rhost: not null
     timeframe: 24h 

rules/linux/lnx_susp_named.yml

@@ -0,0 +1,20 @@
+title: Suspicious Named Error
+status: experimental
+description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 
+references:
+    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml
+author: Florian Roth
+date: 2018/02/20
+logsource:
+    product: linux
+    service: syslog
+detection:
+    keywords:
+        - '* dropping source port zero packet from *'
+        - '* denied AXFR from *'
+        - '* exiting (due to fatal error)*'
+    condition: keywords
+falsepositives:
+    - Unknown
+level: high
+

rules/linux/lnx_susp_ssh.yml

@@ -1,6 +1,8 @@
-title: Suspicious SSHD error
+title: Suspicious SSHD Error
 description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 
-reference: https://github.com/openssh/openssh-portable/blob/master/ssherr.c
+references:
+    - https://github.com/openssh/openssh-portable/blob/master/ssherr.c
+    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml
 author: Florian Roth
 date: 2017/06/30
 logsource:
@@ -8,13 +10,17 @@ logsource:
     service: sshd
 detection:
     keywords:
-        - 'unexpected internal error'
-        - 'unknown or unsupported key type'
-        - 'invalid certificate signing key'
-        - 'invalid elliptic curve value'
-        - 'incorrect signature'
-        - 'error in libcrypto'
-        - 'unexpected bytes remain after decoding'
+        - '*unexpected internal error*'
+        - '*unknown or unsupported key type*'
+        - '*invalid certificate signing key*'
+        - '*invalid elliptic curve value*'
+        - '*incorrect signature*'
+        - '*error in libcrypto*'
+        - '*unexpected bytes remain after decoding*'
+        - '*fatal: buffer_get_string: bad string*'
+        - '*Local: crc32 compensation attack*'
+        - '*bad client public DH value*'
+        - '*Corrupted MAC on input*'
     condition: keywords
 falsepositives:
     - Unknown

rules/linux/lnx_susp_vsftp.yml

@@ -1,6 +1,7 @@
-title: Suspicious VSFTPD error messages
+title: Suspicious VSFTPD Error Messages
 description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 
-reference: https://github.com/dagwieers/vsftpd/
+references:
+    - https://github.com/dagwieers/vsftpd/
 author: Florian Roth
 date: 2017/07/05
 logsource:

rules/proxy/proxy_download_susp_dyndns.yml

@@ -1,7 +1,8 @@
 title: Download from Suspicious Dyndns Hosts
 status: experimental
 description: Detects download of certain file types from hosts with dynamic DNS names (selected list)
-reference: https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
+references:
+    - https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
 author: Florian Roth
 date: 2017/11/08
 logsource:

rules/proxy/proxy_download_susp_tlds_blacklist.yml

@@ -1,7 +1,7 @@
 title: Download from Suspicious TLD
 status: experimental
 description: Detects download of certain file types from hosts in suspicious TLDs 
-reference: 
+references:
     - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap
     - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf
     - https://www.spamhaus.org/statistics/tlds/

rules/proxy/proxy_download_susp_tlds_whitelist.yml

@@ -1,4 +1,4 @@
-title: Download from Suspicious TLD
+title: Download EXE from Suspicious TLD
 status: experimental
 description: Detects executable downloads from suspicious remote systems
 author: Florian Roth

rules/proxy/proxy_empty_ua.yml

@@ -1,7 +1,7 @@
 title: Empty User Agent
 status: experimental
 description: Detects suspicious empty user agent strings in proxy logs
-reference:
+references:
     - https://twitter.com/Carlos_Perez/status/883455096645931008
 author: Florian Roth
 logsource:

rules/proxy/proxy_powershell_download_webdav.yml

@@ -0,0 +1,21 @@
+title: Windows PowerShell WebDav User Agent
+status: experimental
+description: Detects Windows PowerShell Web Access
+references:
+    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
+author: Florian Roth
+date: 2018/04/06
+logsource:
+    category: proxy
+detection:
+    selection:
+      UserAgent: 'Microsoft-WebDAV-MiniRedir/*'
+    condition: selection
+fields:
+    - ClientIP
+    - URL
+    - UserAgent
+falsepositives:
+    - Administrative scripts that download files from the Internet
+    - Administrative scripts that retrieve certain website contents
+level: high

rules/proxy/proxy_powershell_ua.yml

@@ -1,7 +1,8 @@
 title: Windows PowerShell User Agent
 status: experimental
 description: Detects Windows PowerShell Web Access
-reference: https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
+references:
+    - https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
 author: Florian Roth
 logsource:
     category: proxy

rules/proxy/proxy_susp_flash_download_loc.yml

@@ -1,7 +1,8 @@
 title: Flash Player Update from Suspicious Location
 status: experimental
 description: Detects a flashplayer update from an unofficial location
-reference: https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
+references:
+    - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
 author: Florian Roth
 logsource:
     category: proxy

rules/proxy/proxy_ua_apt.yml

@@ -1,7 +1,8 @@
 title: APT User Agent
 status: experimental
 description: Detects suspicious user agent strings used in APT malware in proxy logs
-reference: Internal Research
+references:
+    - Internal Research
 author: Florian Roth
 logsource:
     category: proxy
@@ -27,6 +28,8 @@ detection:
         - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)'  # APT17
         - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)'  # Bronze Butler - Daserf
         - 'Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)'  # Bronze Butler - Daserf
+        - 'Mozilla/4.0 (compatible; MSIE 8.0; Win32)'  # TSCookie https://app.any.run/tasks/0996b314-5133-491b-8d23-d431ffdec597
+        - 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1'  # Delphi downloader https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
     condition: selection
 fields:
     - ClientIP

rules/proxy/proxy_ua_frameworks.yml

@@ -1,7 +1,7 @@
 title: Exploit Framework User Agent
 status: experimental
 description: Detects suspicious user agent strings used by exploit / pentest framworks like Metasploit in proxy logs
-reference:
+references:
     - https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
 author: Florian Roth
 logsource:

rules/proxy/proxy_ua_hacktool.yml

@@ -1,7 +1,7 @@
 title: Hack Tool User Agent
 status: experimental
 description: Detects suspicious user agent strings user by hack tools in proxy logs
-reference:
+references:
     - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
     - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
 author: Florian Roth

rules/proxy/proxy_ua_malware.yml

@@ -1,7 +1,7 @@
 title: Malware User Agent
 status: experimental
 description: Detects suspicious user agent strings used by malware in proxy logs
-reference:
+references:
     - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
     - http://www.botopedia.org/search?searchword=scan&searchphrase=all
     - https://networkraptor.blogspot.com/2015/01/user-agent-strings.html
@@ -22,6 +22,8 @@ detection:
         - '*<|>*'  # Houdini / Iniduoh / njRAT
         - 'nsis_inetc (mozilla)'  # ZeroAccess
         - 'Wget/1.9+cvs-stable (Red Hat modified)'  # Dyre / Upatre
+        # Ghost419 https://goo.gl/rW1yvZ
+        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)'
 
         # Malware
         - '*zeroup*'  # W32/Renos.Downloader
@@ -44,6 +46,8 @@ detection:
         - 'Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)'  # Fareit
         - 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)'  # Webshell's back connect
         - 'MSIE'  # Toby web shell
+        - '*(Charon; Inferno)'  # Loki Bot
+        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)'  # Fareit / Pony
 
         # Others 
         - '* pxyscand*'

rules/proxy/proxy_ua_suspicious.yml

@@ -1,7 +1,7 @@
 title: Suspicious User Agent
 status: experimental
 description: Detects suspicious malformed user agent strings in proxy logs
-reference:
+references:
     - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
 author: Florian Roth
 logsource:

rules/web/web_apache_segfault.yml

@@ -1,7 +1,8 @@
 title: Apache Segmentation Fault
 description: Detects a segmentation fault error message caused by a creashing apacke worker process 
 author: Florian Roth
-reference: http://www.securityfocus.com/infocus/1633
+references:
+    - http://www.securityfocus.com/infocus/1633
 logsource:
     product: apache
 detection:

rules/windows/builtin/win_admin_rdp_login.yml

@@ -1,6 +1,6 @@
-title: Admin user remote login
+title: Admin User Remote Logon
 description: Detect remote login by Administrator user depending on internal pattern
-reference:
+references:
   - https://car.mitre.org/wiki/CAR-2016-04-005
 status: experimental
 author: juju4
@@ -13,7 +13,6 @@ detection:
         EventID: 4624
         LogonType: 10
         AuthenticationPackageName: Negotiate
-        Severity: Information
         AccountName: 'Admin-*'
     condition: selection
 falsepositives: 

rules/windows/builtin/win_admin_share_access.yml

@@ -11,7 +11,7 @@ detection:
         EventID: 5140
         ShareName: Admin$
     filter:
-        SubjectAccountName: '*$'
+        SubjectUserName: '*$'
     condition: selection and not filter
 falsepositives: 
     - Legitimate administrative activity

rules/windows/builtin/win_alert_active_directory_user_control.yml

@@ -1,6 +1,6 @@
-title: Detects Enabling of a User Right in AD to Control User Objects
+title: Enabled User Right in AD to Control User Objects
 description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
-reference: 
+references:
     - https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
 author: '@neu5ron'
 logsource:
@@ -12,7 +12,7 @@ detection:
         EventID: 4707
     keywords:
         - 'SeEnableDelegationPrivilege'
-    condition: selection and keywords
+    condition: all of them
 falsepositives: 
     - Unknown
 level: high

rules/windows/builtin/win_alert_ad_user_backdoors.yml

@@ -1,6 +1,6 @@
 title: Active Directory User Backdoors
 description: Detects scenarios where one can control another users account without having to use their credentials via msDS-AllowedToDelegateTo and or service principal names (SPN).
-reference:
+references:
     - https://msdn.microsoft.com/en-us/library/cc220234.aspx
     - https://adsecurity.org/?p=3466
 author: '@neu5ron'
@@ -20,7 +20,7 @@ detection:
         EventID: 5136
         ObjectClass: 'user'
         AttributeLDAPDisplayName: 'servicePrincipalName'
-    condition: selection1 or selection2 or selection3
+    condition: 1 of them
 falsepositives: 
     - Unknown
 level: high

rules/windows/builtin/win_alert_enable_weak_encryption.yml

@@ -1,6 +1,6 @@
-title: Detects Enabling of Weak Encryption and Kerberoast
+title: Weak Encryption Enabled and Kerberoast
 description: Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
-reference: 
+references:
     - https://adsecurity.org/?p=2053
     - https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
 author: '@neu5ron'

rules/windows/builtin/win_alert_mimikatz_keywords.yml

@@ -1,4 +1,4 @@
-title: Mimikatz Usage
+title: Mimikatz Use
 description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
 author: Florian Roth
 logsource:

rules/windows/builtin/win_disable_event_logging.yml

@@ -6,7 +6,7 @@ description: >
     that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc".
     Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off
     specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.
-reference:
+references:
     - https://bit.ly/WinLogsZero2Hero
 author: '@neu5ron'
 logsource:
@@ -16,7 +16,7 @@ logsource:
 detection:
     selection:
         EventID: 4719
-        Message: 'removed'
+        AuditPolicyChanges: 'removed'
     condition: selection
 falsepositives: 
     - Unknown

rules/windows/builtin/win_eventlog_cleared.yml

@@ -3,7 +3,8 @@ status: experimental
 description: Detects a cleared Windows Eventlog as e.g. caused by "wevtutil cl" command execution  
 author: Florian Roth
 date: 2017/06/27
-reference: https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
+references:
+    - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
 logsource:
     product: windows
     service: system

rules/windows/builtin/win_hack_smbexec.yml

@@ -0,0 +1,21 @@
+title: smbexec.py Service Installation
+description: Detects the use of smbexec.py tool by detecting a specific service installation
+author: Omer Faruk Celik
+date: 2018/03/20
+references:
+    - https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/
+logsource:
+    product: windows
+detection:
+    service_installation:
+        EventID: 7045
+        ServiceName: 'BTOBTO'
+        ServiceFileName: '*\execute.bat'
+    condition: service_installation
+fields:
+    - ServiceName
+    - ServiceFileName
+falsepositives:
+    - Penetration Test
+    - Unknown
+level: critical

rules/windows/builtin/win_mal_service_installs.yml

@@ -1,4 +1,4 @@
-title: Malicious Service Installs
+title: Malicious Service Installations
 description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping and other suspicious activity
 author: Florian Roth
 logsource:
@@ -7,26 +7,26 @@ logsource:
 detection:
     selection:
         EventID: 7045
-    wce:
+    malsvc_wce:
         ServiceName: 
             - 'WCESERVICE'
             - 'WCE SERVICE'
-    paexec:
+    malsvc_paexec:
         ServiceFileName: '*\PAExec*'
-    winexe:
+    malsvc_winexe:
         ServiceFileName: 'winexesvc.exe*'
-    pwdumpx:
+    malsvc_pwdumpx:
         ServiceFileName: '*\DumpSvc.exe'
-    wannacry:
+    malsvc_wannacry:
         ServiceName: 'mssecsvc2.0'
-    persistence:
+    malsvc_persistence:
         ServiceFileName: '* net user *'
-    others:
+    malsvc_others:
         ServiceName:
             - 'pwdump*'
             - 'gsecdump*'
             - 'cachedump*'
-    condition: selection and ( wce or paexec or winexe or pwdumpx or wannacry or persistence or others )
+    condition: selection and 1 of malsvc_*
 falsepositives: 
     - Penetration testing
 level: critical

rules/windows/builtin/win_mal_wceaux_dll.yml

@@ -1,8 +1,10 @@
-title: WCE wceaux.dll access
+title: WCE wceaux.dll Access
 status: experimental
 description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
 author: Thomas Patzke
-reference: https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+references:
+    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+    - https://jpcertcc.github.io/ToolAnalysisResultSheet
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_multiple_suspicious_cli.yml

@@ -1,8 +1,8 @@
 action: global
-title: Detects Quick execution of a series of suspicious commands
+title: Quick Execution of a Series of Suspicious Commands
 description: Detects multiple suspicious process in a limited timeframe
 status: experimental
-reference: 
+references:
     - https://car.mitre.org/wiki/CAR-2013-04-002
 author: juju4
 detection:

rules/windows/builtin/win_net_ntlm_downgrade.yml

@@ -0,0 +1,40 @@
+--- 
+action: global
+title: NetNTLM Downgrade Attack
+description: Detects post exploitation using NetNTLM downgrade attacks
+reference: 
+    - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
+author: Florian Roth
+date: 2018/03/20
+detection:
+    condition: 1 of them
+falsepositives:
+    - Unknown
+level: critical
+--- 
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        EventID: 13
+        TargetObject: 
+            - '*SYSTEM\*ControlSet*\Control\Lsa\lmcompatibilitylevel'
+            - '*SYSTEM\*ControlSet*\Control\Lsa\NtlmMinClientSec'
+            - '*SYSTEM\*ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic'
+        EventType: 'SetValue'
+---
+# Windows Security Eventlog: Process Creation with Full Command Line
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
+detection:
+    selection2:
+        EventID: 4657
+        OperationType: 'Existing registry value modified'
+        ObjectName: '\REGISTRY\MACHINE\SYSTEM\*ControlSet*\Control\Lsa'
+        ObjectValueName: 
+            - 'LmCompatibilityLevel'
+            - 'NtlmMinClientSec'
+            - 'RestrictSendingNTLMTraffic'

rules/windows/builtin/win_overpass_the_hash.yml

@@ -0,0 +1,20 @@
+title: Successful Overpass the Hash Attempt
+status: experimental
+description: Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.
+references: 
+    - https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html
+author: Roberto Rodriguez (source), Dominik Schaudel (rule)
+date: 2018/02/12
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 4624
+        LogonType: 9
+        LogonProcessName: seclogo
+        AuthenticationPackageName: Negotiate
+    condition: selection
+falsepositives:
+    - Runas command-line tool using /netonly parameter
+level: high

rules/windows/builtin/win_pass_the_hash.yml

@@ -1,7 +1,8 @@
-title: Detects Pass the Hash Activity
+title: Pass the Hash Activity
 status: experimental
 description: 'Detects the attack technique pass the hash which is used to move laterally inside the network'
-reference: https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
+references:
+    - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
 author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
 logsource:
     product: windows
@@ -11,12 +12,12 @@ detection:
     selection:
         - EventID: 4624
           LogonType: '3'
-          LogonProcess: 'NtLmSsp'
+          LogonProcessName: 'NtLmSsp'
           WorkstationName: '%Workstations%'
           ComputerName: '%Workstations%'
         - EventID: 4625
           LogonType: '3'
-          LogonProcess: 'NtLmSsp'
+          LogonProcessName: 'NtLmSsp'
           WorkstationName: '%Workstations%'
           ComputerName: '%Workstations%'
     filter:

rules/windows/builtin/win_plugx_susp_exe_locations.yml

@@ -1,7 +1,7 @@
 title: Executable used by PlugX in Uncommon Location
 status: experimental
 description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
-reference: 
+references:
     - 'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/'
     - 'https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/'
 author: Florian Roth
@@ -14,50 +14,50 @@ detection:
     # CamMute
     selection_cammute:
         EventID: 4688
-        ProcessCommandLine: '*\CamMute.exe'
+        CommandLine: '*\CamMute.exe'
     filter_cammute:
         EventID: 4688
-        ProcessCommandLine: '*\Lenovo\Communication Utility\*'
+        CommandLine: '*\Lenovo\Communication Utility\*'
 
     # Chrome Frame Helper
     selection_chrome_frame:
         EventID: 4688
-        ProcessCommandLine: '*\chrome_frame_helper.exe'
+        CommandLine: '*\chrome_frame_helper.exe'
     filter_chrome_frame:
         EventID: 4688
-        ProcessCommandLine: '*\Google\Chrome\application\*'    
+        CommandLine: '*\Google\Chrome\application\*'    
 
     # Microsoft Device Emulator
     selection_devemu:
         EventID: 4688
-        ProcessCommandLine: '*\dvcemumanager.exe'
+        CommandLine: '*\dvcemumanager.exe'
     filter_devemu:
         EventID: 4688
-        ProcessCommandLine: '*\Microsoft Device Emulator\*'   
+        CommandLine: '*\Microsoft Device Emulator\*'   
 
     # Windows Media Player Gadget
     selection_gadget:
         EventID: 4688
-        ProcessCommandLine: '*\Gadget.exe'
+        CommandLine: '*\Gadget.exe'
     filter_gadget:
         EventID: 4688
-        ProcessCommandLine: '*\Windows Media Player\*'
+        CommandLine: '*\Windows Media Player\*'
 
     # HTML Help Workshop
     selection_hcc:
         EventID: 4688
-        ProcessCommandLine: '*\hcc.exe'
+        CommandLine: '*\hcc.exe'
     filter_hcc:
         EventID: 4688
-        ProcessCommandLine: '*\HTML Help Workshop\*'
+        CommandLine: '*\HTML Help Workshop\*'
 
     # Hotkey Command Module for Intel Graphics Contollers
     selection_hkcmd:
         EventID: 4688
-        ProcessCommandLine: '*\hkcmd.exe'
+        CommandLine: '*\hkcmd.exe'
     filter_hkcmd:
         EventID: 4688
-        ProcessCommandLine: 
+        CommandLine: 
             - '*\System32\*'
             - '*\SysNative\*'
             - '*\SysWowo64\*'
@@ -65,10 +65,10 @@ detection:
     # McAfee component
     selection_mc:
         EventID: 4688
-        ProcessCommandLine: '*\Mc.exe'
+        CommandLine: '*\Mc.exe'
     filter_mc:
         EventID: 4688
-        ProcessCommandLine: 
+        CommandLine: 
             - '*\Microsoft Visual Studio*'
             - '*\Microsoft SDK*'
             - '*\Windows Kit*'
@@ -76,10 +76,10 @@ detection:
     # MsMpEng - Microsoft Malware Protection Engine
     selection_msmpeng:
         EventID: 4688
-        ProcessCommandLine: '*\MsMpEng.exe'
+        CommandLine: '*\MsMpEng.exe'
     filter_msmpeng:
         EventID: 4688
-        ProcessCommandLine: 
+        CommandLine: 
             - '*\Microsoft Security Client\*'
             - '*\Windows Defender\*'
             - '*\AntiMalware\*'
@@ -87,26 +87,26 @@ detection:
     # Microsoft Security Center
     selection_msseces:
         EventID: 4688
-        ProcessCommandLine: '*\msseces.exe'
+        CommandLine: '*\msseces.exe'
     filter_msseces:
         EventID: 4688
-        ProcessCommandLine: '*\Microsoft Security Center\*'
+        CommandLine: '*\Microsoft Security Center\*'
 
     # Microsoft Office 2003 OInfo
     selection_oinfo:
         EventID: 4688
-        ProcessCommandLine: '*\OInfoP11.exe'
+        CommandLine: '*\OInfoP11.exe'
     filter_oinfo:
         EventID: 4688
-        ProcessCommandLine: '*\Common Files\Microsoft Shared\*'      
+        CommandLine: '*\Common Files\Microsoft Shared\*'      
 
     # OLE View
     selection_oleview:
         EventID: 4688
-        ProcessCommandLine: '*\OleView.exe'
+        CommandLine: '*\OleView.exe'
     filter_oleview:
         EventID: 4688
-        ProcessCommandLine: 
+        CommandLine: 
             - '*\Microsoft Visual Studio*'
             - '*\Microsoft SDK*'
             - '*\Windows Kit*'   
@@ -115,10 +115,10 @@ detection:
     # RC
     selection_rc:
         EventID: 4688
-        ProcessCommandLine: '*\OleView.exe'
+        CommandLine: '*\OleView.exe'
     filter_rc:
         EventID: 4688
-        ProcessCommandLine: 
+        CommandLine: 
             - '*\Microsoft Visual Studio*'
             - '*\Microsoft SDK*'
             - '*\Windows Kit*'   

rules/windows/builtin/win_possible_applocker_bypass.yml

@@ -1,8 +1,8 @@
 action: global
-title: Detects Possible Applocker Bypass
+title: Possible Applocker Bypass
 description: Detects execution of executables that can be used to bypass Applocker whitelisting
 status: experimental
-reference:
+references:
     - https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt
     - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
 author: juju4

rules/windows/builtin/win_psexesvc_start.yml

@@ -0,0 +1,16 @@
+title: PsExec Service Start
+description: Detects a PsExec service start
+author: Florian Roth
+date: 2018/03/13
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+        CommandLine: 'C:\Windows\PSEXESVC.exe'
+    condition: 1 of them
+falsepositives:
+    - Administrative activity
+level: low

rules/windows/builtin/win_rare_schtasks_creations.yml

@@ -1,4 +1,4 @@
-title: Rare SchTasks Creations
+title: Rare Schtasks Creations
 description: Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code
 status: experimental
 author: Florian Roth

rules/windows/builtin/win_susp_add_sid_history.yml

@@ -1,7 +1,8 @@
 title: Addition of SID History to Active Directory Object
 status: stable
 description: An attacker can use the SID history attribute to gain additional privileges.
-reference: https://adsecurity.org/?p=1772
+references:
+    - https://adsecurity.org/?p=1772
 author: Thomas Patzke
 logsource:
     product: windows

rules/windows/builtin/win_susp_backup_delete.yml

@@ -1,7 +1,7 @@
 title: Backup Catalog Deleted
 status: experimental
 description: Detects backup catalog deletions
-reference: 
+references:
     - https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx
     - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
 author: Florian Roth (rule), Tom U. @c_APT_ure (collection) 

rules/windows/builtin/win_susp_cli_escape.yml

@@ -1,8 +1,8 @@
 action: global
-title: Detects Suspicious Commandline escape
+title: Suspicious Commandline Escape
 description: Detects suspicious process that use escape characters
 status: experimental
-reference: 
+references:
     - https://twitter.com/vysecurity/status/885545634958385153
     - https://twitter.com/Hexacorn/status/885553465417756673
     - https://twitter.com/Hexacorn/status/885570278637678592

rules/windows/builtin/win_susp_commands_recon_activity.yml

@@ -1,9 +1,9 @@
 ---
 action: global
-title: Detects Reconnaissance Activity with Net Command
+title: Reconnaissance Activity with Net Command
 status: experimental
 description: 'Detects a set of commands often used in recon stages by different attack groups' 
-reference: 
+references:
     - https://twitter.com/haroonmeer/status/939099379834658817
     - https://twitter.com/c_APT_ure/status/939475433711722497
 author: Florian Roth

rules/windows/builtin/win_susp_dhcp_config.yml

@@ -1,7 +1,7 @@
-title: DHCP Server loaded the CallOut DLL
+title: DHCP Server Loaded the CallOut DLL
 status: experimental
 description: This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
-reference:
+references:
     - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
     - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
     - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
@@ -12,7 +12,6 @@ logsource:
     service: system
 detection:
     selection:
-        EventLog: System
         EventID: 1033
     condition: selection
 falsepositives: 

rules/windows/builtin/win_susp_dhcp_config_failed.yml

@@ -1,7 +1,7 @@
 title: DHCP Server Error Failed Loading the CallOut DLL
 description: This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded
 status: experimental
-reference:
+references:
     - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
     - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
     - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
@@ -12,7 +12,6 @@ logsource:
     service: system
 detection:
     selection:
-        - EventLog: System
           EventID: 
             - 1031
             - 1032

rules/windows/builtin/win_susp_dns_config.yml

@@ -2,7 +2,7 @@ title: DNS Server Error Failed Loading the ServerLevelPluginDLL
 description: This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
 status: experimental
 date: 2017/05/08
-reference: 
+references:
     - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
     - https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx
     - https://twitter.com/gentilkiwi/status/861641945944391680

rules/windows/builtin/win_susp_dsrm_password_change.yml

@@ -1,7 +1,8 @@
 title: Password Change on Directory Service Restore Mode (DSRM) Account
 status: stable
 description: The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.
-reference: https://adsecurity.org/?p=1714
+references:
+    - https://adsecurity.org/?p=1714
 author: Thomas Patzke
 logsource:
     product: windows

rules/windows/builtin/win_susp_eventlog_cleared.yml

@@ -1,6 +1,7 @@
 title: Eventlog Cleared
 description: One of the Windows Eventlogs has been cleared
-reference: https://twitter.com/deviouspolack/status/832535435960209408
+references:
+    - https://twitter.com/deviouspolack/status/832535435960209408
 author: Florian Roth
 logsource:
     product: windows

rules/windows/builtin/win_susp_failed_logons_single_source.yml

@@ -5,15 +5,20 @@ logsource:
     product: windows
     service: security
 detection:
-    selection:
+    selection1:
         EventID:
             - 529
             - 4625
-            - 4776
         UserName: not null
-        SourceWorkstation: not null
+        WorkstationName: not null
+    selection2:
+        EventID: 4776
+        UserName: not null
+        Workstation: not null
     timeframe: 24h 
-    condition: selection | count(UserName) by SourceWorkstation > 3
+    condition:
+        - selection1 | count(UserName) by WorkstationName > 3
+        - selection2 | count(UserName) by Workstation > 3
 falsepositives:
     - Terminal servers
     - Jump servers

rules/windows/builtin/win_susp_iss_module_install.yml

@@ -0,0 +1,31 @@
+---
+action: global
+title: IIS Native-Code Module Command Line Installation
+description: Detects suspicious IIS native-code module installations via command line
+status: experimental
+references:
+    - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
+author: Florian Roth
+detection:
+    selection:
+        CommandLine: 
+            - '*\APPCMD.EXE install module /name:*'
+    condition: selection
+falsepositives: 
+    - Unknown as it may vary from organisation to arganisation how admins use to install IIS modules
+level: medium
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688

rules/windows/builtin/win_susp_lsass_dump.yml

@@ -1,7 +1,8 @@
 title: Password Dumper Activity on LSASS
 description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN 
 status: experimental
-reference: https://twitter.com/jackcr/status/807385668833968128
+references:
+    - https://twitter.com/jackcr/status/807385668833968128
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_susp_msiexec_web_install.yml

@@ -0,0 +1,32 @@
+---
+action: global
+title: MsiExec Web Install
+status: experimental
+description: Detects suspicious msiexec proess starts with web addreses as parameter
+references:
+    - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
+author: Florian Roth
+date: 2018/02/09
+detection:
+    selection:
+        CommandLine: 
+            - '* msiexec*:\/\/*'
+    condition: selection
+falsepositives: 
+    - False positives depend on scripts and administrative tools used in the monitored environment
+level: medium
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688

rules/windows/builtin/win_susp_msmpeng_crash.yml

@@ -2,7 +2,7 @@ title: Microsoft Malware Protection Engine Crash
 description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
 status: experimental
 date: 2017/05/09
-reference: 
+references:
     - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
     - https://technet.microsoft.com/en-us/library/security/4022344
 author: Florian Roth
@@ -16,11 +16,10 @@ detection:
     selection2:
         Source: 'Windows Error Reporting'
         EventID: 1001
-    keyword1:
+    keywords:
         - 'MsMpEng.exe'
-    keyword2:
         - 'mpengine.dll'
-    condition: (selection1 or selection2) and keyword1 and keyword2
+    condition: 1 of selection* and all of keywords
 falsepositives: 
     - Unknown
 level: high

rules/windows/builtin/win_susp_net_recon_activity.yml

@@ -1,7 +1,8 @@
-title: Detects Reconnaissance Activity
+title: Reconnaissance Activity
 status: experimental
 description: 'Detects activity as "net user administrator /domain" and "net group domain admins /domain"' 
-reference: https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
+references:
+    - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
 author: Florian Roth (rule), Jack Croock (method)
 logsource:
     product: windows

rules/windows/builtin/win_susp_ntdsutil.yml

@@ -0,0 +1,31 @@
+---
+action: global
+title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
+description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
+status: experimental
+references:
+    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
+author: Thomas Patzke
+detection:
+    selection:
+        CommandLine: '*\ntdsutil.exe *'
+    condition: selection
+falsepositives: 
+    - NTDS maintenance
+level: high
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+

rules/windows/builtin/win_susp_phantom_dll.yml

@@ -1,8 +1,8 @@
 action: global
-title: Detects Phantom DLLs usage
+title: Phantom DLLs Usage
 description: Detects Phantom DLLs usage and matching executable
 status: experimental
-reference: 
+references:
     - http://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
     - http://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/
 author: juju4

rules/windows/builtin/win_susp_process_creations.yml

@@ -1,9 +1,9 @@
 ---
 action: global
-title: Detects Suspicious Process Creations
+title: Suspicious Process Creation
 description: Detects suspicious process starts on Windows systems bsed on keywords
 status: experimental
-reference: 
+references:
     - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
     - https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s
     - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
@@ -43,6 +43,7 @@ detection:
             - '*\certutil.exe -ping *'
             - 'icacls * /grant Everyone:F /T /C /Q'
             - '* wmic shadowcopy delete *'
+            - '* wbadmin.exe delete catalog -quiet*'  # http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
             # Scripts
             - '*\wscript.exe *.jse'
             - '*\wscript.exe *.js'

rules/windows/builtin/win_susp_rasdial_activity.yml

@@ -1,8 +1,8 @@
 action: global
-title: Detects Suspicious rasdial activity
+title: Suspicious RASdial Activity
 description: Detects suspicious process related to rasdial.exe
 status: experimental
-reference: 
+references:
     - https://twitter.com/subTee/status/891298217907830785
 author: juju4
 detection:

rules/windows/builtin/win_susp_rc4_kerberos.yml

@@ -1,7 +1,9 @@
 title: Suspicious Kerberos RC4 Ticket Encryption
 status: experimental
-reference: https://adsecurity.org/?p=3458
-description: Detects logons using RC4 encryption type
+references:
+    - https://adsecurity.org/?p=3458
+    - https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity
+description: Detects service ticket requests using RC4 encryption type
 logsource:
     product: windows
     service: security
@@ -9,10 +11,9 @@ detection:
     selection:
         EventID: 4769
         TicketOptions: '0x40810000'
-        TicketEncryption: '0x17'
+        TicketEncryptionType: '0x17'
     reduction:
         - ServiceName: '$*'
-        - Type: 'Success Audit'
     condition: selection and not reduction
 falsepositives:
     - Service accounts used on legacy systems (e.g. NetApp)

rules/windows/builtin/win_susp_run_locations.yml

@@ -1,8 +1,8 @@
 action: global
-title: Detects Suspicious Run Locations
+title: Suspicious Process Start Locations
 description: Detects suspicious process run from unusual locations
 status: experimental
-reference: 
+references:
     - https://car.mitre.org/wiki/CAR-2013-05-002
 author: juju4
 detection:

rules/windows/builtin/win_susp_rundll32_activity.yml

@@ -1,8 +1,8 @@
 action: global
-title: Detects Suspicious Rundll32 activity
+title: Suspicious Rundll32 Activity
 description: Detects suspicious process related to rundll32 based on arguments
 status: experimental
-reference: 
+references:
     - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
     - https://twitter.com/Hexacorn/status/885258886428725250
     - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52

rules/windows/builtin/win_susp_sam_dump.yml

@@ -1,4 +1,4 @@
-title: Suspicious SAM Dumps to AppData
+title: SAM Dump to AppData
 status: experimental
 description: Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers
 author: Florian Roth
@@ -11,7 +11,7 @@ detection:
         EventID: 16
     keywords:
         - '*\AppData\Local\Temp\SAM-*.dmp *'
-    condition: selection and keywords
+    condition: all of them
 falsepositives: 
     - Penetration testing
 level: high

rules/windows/builtin/win_susp_samr_pwset.yml

@@ -1,4 +1,4 @@
-title: Possible remote password change (NTLM hash only) through SAMR 
+title: Possible Remote Password Change Through SAMR 
 description: Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser(). "Audit User Account Management" in "Advanced Audit Policy Configuration" has to be enabled in your local security policy / GPO to see this events.
 author: Dimitrios Slamaris
 logsource:
@@ -6,11 +6,9 @@ logsource:
     service: security
 detection:
     samrpipe:
-            - EventLog: Security
               EventID: 5145
               RelativeTargetName: samr
     passwordchanged:
-            - EventLog: Security
               EventID: 4738
               PasswordLastSet: (any) 
     timeframe: 15s 

rules/windows/builtin/win_susp_sdelete.yml

@@ -1,8 +1,9 @@
-title: Secure deletion with SDelete
+title: Secure Deletion with SDelete
 status: experimental
 description: Detects renaming of file while deletion with SDelete tool
 author: Thomas Patzke
-reference:
+references:
+    - https://jpcertcc.github.io/ToolAnalysisResultSheet
     - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
     - https://technet.microsoft.com/en-us/en-en/sysinternals/sdelete.aspx
 logsource:

rules/windows/builtin/win_usb_device_plugged.yml

@@ -1,6 +1,6 @@
 title: USB Device Plugged
 description: Detects plugged USB devices
-reference:
+references:
     - https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/
     - https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/
 status: experimental

rules/windows/builtin/win_user_added_to_local_administrators.yml

@@ -10,7 +10,7 @@ detection:
         EventID: 4732
         GroupName: Administrators
     filter:
-        SubjectAccountName: '*$'
+        SubjectUserName: '*$'
     condition: selection and not filter
 falsepositives: 
     - Legitimate administrative activity

rules/windows/builtin/win_wmi_persistence_script_event_consumer.yml

@@ -0,0 +1,32 @@
+---
+action: global
+title: WMI Persistence - Script Event Consumer
+status: experimental
+description: Detects WMI script event consumers
+references:
+    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+author: Thomas Patzke
+date: 2018/03/07
+detection:
+    selection:
+        Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
+        ParentImage: 'C:\Windows\System32\svchost.exe'
+    condition: selection
+falsepositives: 
+    - Legitimate event consumers
+level: high
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688

rules/windows/malware/sysmon_malware_notpetya.yml

@@ -2,7 +2,7 @@ title: NotPetya Ransomware Activity
 status: experimental
 description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil
 author: Florian Roth, Tom Ueltschi
-reference: 
+references:
     - https://securelist.com/schroedingers-petya/78870/
     - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
 logsource:
@@ -26,7 +26,7 @@ detection:
         CommandLine: '*.dat,#1'       
     perfc_keyword:
         - '*\perfc.dat*'
-    condition: fsutil_clean_journal or pipe_com or event_clean or rundll32_dash1 or perfc_keyword
+    condition: 1 of them
 fields:
     - CommandLine
     - ParentCommandLine