Sigma tools release 0.10

Moved Sysmon schema XML from contrib directory into module
Added CAR tags
2019-03-16 01:02:48 +01:00 · 2019-03-16 00:59:29 +01:00 · 2019-03-16 00:37:09 +01:00 · 2019-03-16 00:03:27 +01:00 · 2019-03-15 23:47:24 +01:00 · 2019-03-15 23:46:38 +01:00
352 changed files with 11805 additions and 3118 deletions
@@ -1,12 +1,24 @@
 language: python
+dist: xenial
 python:
-  - 3.4
-  - 3.5
+  # - 3.5  # Deactivated because Travis CI tests failed randomly (Travis's problem)
  - 3.6
-  - pypy3
+  - 3.7
+sudo: true
+services:
+    - elasticsearch
 cache: pip
+before_install:
+    - curl -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.2.4.deb && sudo dpkg -i --force-confnew elasticsearch-6.2.4.deb && sudo service elasticsearch restart
 install:
  - pip install -r tools/requirements-devel.txt 
-
 script:
  - make test
+  - make test-backend-es-qs
+notifications:
+  email:
+    recipients:
+      - venom14@gmail.com
+      - thomas@patzke.org
+    on_success: change
+    on_failure: always
@@ -1,4 +1,12 @@
 ---
 # https://yamllint.readthedocs.io/en/latest/configuration.html
+extends: default
 rules:
+  comments: disable
+  comments-indentation: disable
  document-start: disable
+  empty-lines: {max: 2, max-start: 2, max-end: 2}
+  indentation: disable
+  line-length: disable
+  new-line-at-end-of-file: disable
+  trailing-spaces: disable
@@ -1,7 +1,7 @@
-.PHONY: test test-yaml test-sigmac
-TMPOUT = $(shell tempfile)
-COVSCOPE = tools/sigma/*.py,tools/sigmac,tools/merge_sigma
-test: clearcov test-yaml test-sigmac test-merge build finish
+.PHONY: test test-rules test-sigmac
+TMPOUT = $(shell tempfile||mktemp)
+COVSCOPE = tools/sigma/*.py,tools/sigma/backends/*.py,tools/sigmac,tools/merge_sigma
+test: clearcov test-rules test-sigmac test-merge build finish

 clearcov:
 	rm -f .coverage
@@ -10,35 +10,60 @@ finish:
 	coverage report --fail-under=90
 	rm -f $(TMPOUT)

-test-yaml:
+test-rules:
 	yamllint rules
+	tests/test_rules.py

 test-sigmac:
+	coverage run -a --include=$(COVSCOPE) tools/sigmac
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -h
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -l
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvd -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -O rulecomment -rvdI -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t graylog rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkxml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=stable,logsource=windows' rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t wdatp rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala --backend-config tests/backend_config.yml rules/windows/process_creation/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-dsl rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t powershell -c tools/config/powershell-windows-all.yml -Ocsv rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight -c tools/config/arcsight.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qradar -c tools/config/arcsight.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qualys -c tools/config/qualys.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t netwitness -c tools/config/netwitness.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sumologic -c tools/config/sumologic.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=stable,logsource=windows,tag=attack.execution' rules/ > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=xcritical,status=stable,logsource=windows' rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level=critical' rules/ > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level=xcritical' rules/ > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'foo=bar' rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t es-qs rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/generic/sysmon.yml -c tools/config/elk-windows.yml -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t kibana rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -Ooutput=curl -t kibana rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t kibana rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -Ooutput=curl -t kibana rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t xpack-watcher rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t xpack-watcher rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-defaultindex.yml -t xpack-watcher rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/splunk-windows-all.yml -t splunk rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/splunk-windows-all-index.yml -t splunk rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/generic/sysmon.yml -c tools/config/splunk-windows-all.yml -t splunk rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logpoint-windows-all.yml -t logpoint rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t grep rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t fieldlist rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -O output=plain -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -o $(TMPOUT) tests/collection_repeat.yml > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -t kibana -c tests/config-multiple_mapping.yml -c tests/config-multiple_mapping-2.yml tests/mapping-conditional-multi.yml > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -O output=json -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -o $(TMPOUT) - < tests/collection_repeat.yml > /dev/null
 	! coverage run -a --include=$(COVSCOPE)  tools/sigmac -t xpack-watcher -O output=foobar -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/not_existing.yml > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/invalid_yaml.yml > /dev/null
@@ -52,11 +77,14 @@ test-sigmac:
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c not_existing rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_yaml.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_config.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvI -c tools/config/elk-defaultindex.yml -t kibana rules/ > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rv -c tools/config/elk-defaultindex.yml -t kibana rules/ > /dev/null

 test-merge:
 	tests/test-merge.sh
-	! coverage run -a --include=$(COVSCOPE) tools/merge_sigma.py tests/not_existing.yml > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/merge_sigma tests/not_existing.yml > /dev/null
+
+test-backend-es-qs:
+	tests/test-backend-es-qs.py

 build: tools/sigmac tools/merge_sigma tools/sigma/*.py tools/setup.py tools/setup.cfg
 	cd tools && python3 setup.py bdist_wheel
@@ -3,9 +3,10 @@
 ![sigma_logo](./images/Sigma_0.3.png)

 # Sigma
+
 Generic Signature Format for SIEM Systems

-# What is Sigma?
+# What is Sigma

 Sigma is a generic and open signature format that allows you to describe relevant log events in a straight forward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others.

@@ -17,48 +18,31 @@ This repository contains:
 * Open repository for sigma signatures in the `./rules`subfolder
 * A converter that generate searches/queries for different SIEM systems [work in progress]

+![sigma_description](./images/Sigma-description.png)
+
 ## Hack.lu 2017 Talk

 [![Sigma - Generic Signatures for Log Events](https://preview.ibb.co/cMCigR/Screen_Shot_2017_10_18_at_15_47_15.png)](https://www.youtube.com/watch?v=OheVuE9Ifhs "Sigma - Generic Signatures for Log Events")

+## SANS Webcast on MITRE ATT&CK and Sigma
+
+The SANS webcast on Sigma contains a very good 20 min introduction to the project by John Hubbart from minute 39 onward. (SANS account required; registration is free)
+
+[MITRE ATT&CK and Sigma Alerting Webcast Recording](https://www.sans.org/webcasts/mitre-att-ck-sigma-alerting-110010 "MITRE ATT&CK and Sigma Alerting")
+
 # Use Cases

-* Describe your once discovered detection method in Sigma to make it sharable 
-* Share the signature in the appendix of your analysis along with file hashes and C2 servers
+* Describe your detection method in Sigma to make it sharable
+* Write and your SIEM searches in Sigma to avoid a vendor lock-in
+* Share the signature in the appendix of your analysis along with IOCs and YARA rules
 * Share the signature in threat intel communities - e.g. via MISP
-* Provide Sigma signatures for malicious behaviour in your own application (Error messages, access violations, manipulations) 
-* Integrate a new log into your SIEM and check the Sigma repository for available rules
-* Write a rule converter for your custom log analysis tool and process new Sigma rules automatically
-* Provide a free or commercial feed for Sigma signatures
-
-# Sigma Converter
-
-The converter is currently under development in the *devel-sigmac* branch of this project. It has currently the
-following capabilities:
-
-* Parsing of Sigma rule files
-* Conversion of searches into Elasticsearch and Splunk queries
-
-Planned main features are:
-
-* Conversion of aggregation expressions (after the pipe character)
-* Output of Kibana JSON configurations
-
-Support for further SIEM solutions can be added by developing an corresponsing output backend class.
-
-![sigma_description](./images/Sigma-description.png)
+* Provide Sigma signatures for malicious behaviour in your own application

 # Why Sigma

 Today, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and build their own searches and dashboard. Some of their searches and correlations are great and very useful but they lack a standardized format in which they can share their work with others. 

-Others provide excellent analyses for threat groups, sharing file indicators, C2 servers and YARA rules to detect the malicious files, but describe a certain malicious service install or remote thread injection in a separate paragraph. Security analysts, who read that paragraph then extract the necessary information and create rules in their SIEM system. The detection method never finds a way into a repository that is shared, structured and archived. 
-
-The lower layers of the OSI layer are well known and described. Every SIEM vendor has rules to detect port scans, ping sweeps and threats like the ['smurf attack'](https://en.wikipedia.org/wiki/Smurf_attack). But the higher layers contain numerous applications and protocols  with special characteristics that write their own custom log files. SIEM vendors consider the signatures and correlations as their intelectual property and do not tend to share details on the coverage. 
-
-Sigma is meant to be an open standard in which detection mechanisms can be defined, shared and collected in order to improve the detection capabilities on the application layers for everyone. 
-
-![sigma_why](./images/Problem_OSI_v01.png)
+Others provide excellent analyses, include IOCs and YARA rules to detect the malicious files and network connections, but have no way to describe a specific or generic detection method in log events. Sigma is meant to be an open standard in which such detection mechanisms can be defined, shared and collected in order to improve the detection capabilities for everyone. 

 ## Slides

@@ -72,6 +56,21 @@ The specifications can be found in the [Wiki](https://github.com/Neo23x0/sigma/w

 The current specification is a proposal. Feedback is requested.

+# Getting Started
+
+## Rule Creation
+
+Florian wrote a short [rule creation tutorial](https://www.nextron-systems.com/2018/02/10/write-sigma-rules/) that can help you getting started.
+
+## Rule Usage 
+
+1. Download or clone the respository
+2. Check the `./rules` sub directory for an overview on the rule base
+3. Run `python sigmac --help` in folder `./tools` to get a help on the rule converter
+4. Convert a rule of your choice with `sigmac` like `./sigmac -t splunk -c tools/config/generic/sysmon.yml ./rules/windows/process_creation/win_susp_whoami.yml`
+5. Convert a whole rule directory with `python sigmac -t splunk -r ../rules/proxy/`
+6. Check the `./tools/config` folder and the [wiki](https://github.com/Neo23x0/sigma/wiki/Converter-Tool-Sigmac) if you need custom field or log source mappings in your environment
+
 # Examples

 Windows 'Security' Eventlog: Access to LSASS Process with Certain Access Mask / Object Type (experimental)
@@ -89,49 +88,193 @@ Sysmon: Web Shell Detection
 Windows 'Security' Eventlog: Suspicious Number of Failed Logons from a Single Source Workstation
 ![sigma_rule example5](./images/Sigma_rule_example5.png)

-## Sigma Toolchain
+# Sigma Tools 
+
+## Sigmac 

 Sigmac converts sigma rules into queries or inputs of the supported targets listed below. It acts as a frontend to the
 Sigma library that may be used to integrate Sigma support in other projects. Further, there's `merge_sigma.py` which
 merges multiple YAML documents of a Sigma rule collection into simple Sigma rules.

-![sigmac_converter](./images/Sigmac-win_susp_rc4_kerberos.png)
+### Usage
+
+```
+usage: sigmac [-h] [--recurse] [--filter FILTER]
+              [--target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}]
+              [--target-list] [--config CONFIG] [--output OUTPUT]
+              [--backend-option BACKEND_OPTION] [--defer-abort]
+              [--ignore-backend-errors] [--verbose] [--debug]
+              [inputs [inputs ...]]
+
+Convert Sigma rules into SIEM signatures.
+
+positional arguments:
+  inputs                Sigma input files ('-' for stdin)
+
+optional arguments:
+  -h, --help            show this help message and exit
+  --recurse, -r         Use directory as input (recurse into subdirectories is
+                        not implemented yet)
+  --filter FILTER, -f FILTER
+                        Define comma-separated filters that must match (AND-
+                        linked) to rule to be processed. Valid filters:
+                        level<=x, level>=x, level=x, status=y, logsource=z,
+                        tag=t. x is one of: low, medium, high, critical. y is
+                        one of: experimental, testing, stable. z is a word
+                        appearing in an arbitrary log source attribute. t is a
+                        tag that must appear in the rules tag list, case-
+                        insensitive matching. Multiple log source
+                        specifications are AND linked.
+  --target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}, -t {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}
+                        Output target format
+  --target-list, -l     List available output target formats
+  --config CONFIG, -c CONFIG
+                        Configurations with field name and index mapping for
+                        target environment. Multiple configurations are merged
+                        into one. Last config is authorative in case of
+                        conflicts.
+  --output OUTPUT, -o OUTPUT
+                        Output file or filename prefix if multiple files are
+                        generated
+  --backend-option BACKEND_OPTION, -O BACKEND_OPTION
+                        Options and switches that are passed to the backend
+  --defer-abort, -d     Don't abort on parse or conversion errors, proceed
+                        with next rule. The exit code from the last error is
+                        returned
+  --ignore-backend-errors, -I
+                        Only return error codes for parse errors and ignore
+                        errors for rules that cause backend errors. Useful,
+                        when you want to get as much queries as possible.
+  --verbose, -v         Be verbose
+  --debug, -D           Debugging output
+```
+
+### Examples
+
+#### Single Rule Translation
+Translate a single rule
+```
+tools/sigmac -t splunk rules/windows/sysmon/sysmon_susp_image_load.yml
+```
+#### Rule Set Translation
+Translate a whole rule directory and ignore backend errors (`-I`) in rule conversion for the selected backend (`-t splunk`)
+```
+tools/sigmac -I -t splunk -r rules/windows/sysmon/
+```
+#### Rule Set Translation with Custom Config 
+Apply your own config file (`-c ~/my-elk-winlogbeat.yml`) during conversion, which can contain you custom field and source mappings
+```
+tools/sigmac -t es-qs -c ~/my-elk-winlogbeat.yml -r rules/windows/sysmon
+```
+#### Generic Rule Set Translation
+Use a config file for `process_creation` rules (`-r rules/windows/process_creation`) that instructs sigmac to create queries for a Sysmon log source (`-c tools/config/generic/sysmon.yml`) and the ElasticSearch target backend (`-t es-qs`) 
+```
+tools/sigmac -t es-qs -c tools/config/generic/sysmon.yml -r rules/windows/process_creation
+```
+#### Generic Rule Set Translation with Custom Config
+Use a config file for a single `process_creation` rule (`./rules/windows/process_creation/win_susp_outlook.yml`) that instructs sigmac to create queries for process creation events generated in the Windows Security Eventlog (`-c tools/config/generic/windows-audit.yml`) and a Splunk target backend (`-t splunk`)
+```
+tools/sigmac -t splunk -c ~/my-splunk-mapping.yml -c tools/config/generic/windows-audit.yml ./rules/windows/process_creation/win_susp_outlook.yml
+```
+(See @blubbfiction's [blog post](https://patzke.org/a-guide-to-generic-log-sources-in-sigma.html) for more information)

 ### Supported Targets

-* [Splunk](https://www.splunk.com/)
-* [ElasticSearch](https://www.elastic.co/)
+* [Splunk](https://www.splunk.com/) (plainqueries and dashboards)
+* [ElasticSearch Query Strings](https://www.elastic.co/)
+* [ElasticSearch Query DSL](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl.html)
+* [Kibana](https://www.elastic.co/de/products/kibana)
 * [Elastic X-Pack Watcher](https://www.elastic.co/guide/en/x-pack/current/xpack-alerting.html)
 * [Logpoint](https://www.logpoint.com)
+* [Windows Defender Advanced Threat Protection (WDATP)](https://www.microsoft.com/en-us/windowsforbusiness/windows-atp)
+* [ArcSight](https://software.microfocus.com/en-us/products/siem-security-information-event-management/overview)
+* [QRadar](https://www.ibm.com/de-de/marketplace/ibm-qradar-siem)
+* [Qualys](https://www.qualys.com/apps/threat-protection/)
+* [RSA NetWitness](https://www.rsa.com/en-us/products/threat-detection-response)
+* [PowerShell](https://docs.microsoft.com/en-us/powershell/scripting/getting-started/getting-started-with-windows-powershell?view=powershell-6)
+* [Grep](https://www.gnu.org/software/grep/manual/grep.html) with Perl-compatible regular expression support
+
+Current work-in-progress
+* [Splunk Data Models](https://docs.splunk.com/Documentation/Splunk/7.1.0/Knowledge/Aboutdatamodels)
+
+New targets are continuously developed. You can get a list of supported targets with `sigmac --target-list` or `sigmac -l`.

 ### Requirements

-The usage of Sigmac or the underlying library requires Python >= 3.4 and PyYAML.
+The usage of Sigmac (the Sigma Rule Converter) or the underlying library requires Python >= 3.5 and PyYAML.

 ### Installation

 It's available on PyPI. Install with:

-```
+```bash
 pip3 install sigmatools
 ```

-# Next Steps 
+Alternatively, if used from the Sigma Github repository, the Python dependencies can be installed with:

-* Integration of feedback into the rule specifications
-* Integration into Threat Intel Exchanges, e.g. [MISP](http://www.misp-project.org/)
+```bash
+pip3 install -r tools/requirements.txt
+```
+
+For development (e.g. execution of integration tests with `make` and packaging), further dependencies are required and can be installed with:
+
+```bash
+pip3 install -r tools/requirements-devel.txt
+```
+
+## Sigma2MISP
+
+Import Sigma rules to MISP events. Depends on PyMISP.
+
+Parameters that aren't changed frequently (`--url`, `--key`) can be put without the prefixing dashes `--` into a file
+and included with `@filename` as parameter on the command line.
+
+Example:
+*misp.conf*:
+```
+url https://host
+key foobarfoobarfoobarfoobarfoobarfoobarfoo 
+```
+
+Load Sigma rule into MISP event 1234:
+```
+sigma2misp @misp.conf --event 1234 sigma_rule.py
+```
+
+Load Sigma rules in directory sigma_rules/ into one newly created MISP event with info set to *Test Event*:
+```
+sigma2misp @misp.conf --same-event --info "Test Event" -r sigma_rules/
+```
+
+## Evt2Sigma
+
+[Evt2Sigma](https://github.com/Neo23x0/evt2sigma) helps you with the rule creation. It generates a Sigma rule from a log entry. 
+
+## Contributed Scripts
+
+The directory `contrib` contains scripts that were contributed by the community:
+
+* `sigma2elastalert.py`i by David Routin: A script that converts Sigma rules to Elastalert configurations. This tool
+  uses *sigmac* and expects it in its path.
+
+These tools are not part of the main toolchain and maintained separately by their authors.
+
+# Next Steps
+
+* Integration of MITRE ATT&CK framework identifier to the rule set
+* Integration into Threat Intel Exchanges
 * Attempts to convince others to use the rule format in their reports, threat feeds, blog posts, threat sharing platforms

-# Projects that use Sigma
+# Projects or Products that use Sigma

-* [Augmentd](https://augmentd.co/)
+* [MISP](http://www.misp-project.org/2017/03/26/MISP.2.4.70.released.html) (since version 2.4.70, March 2017)
 * [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches) (Splunk App)
-
-# Credits
-
-This is a private project mainly developed by Florian Roth and Thomas Patzke with feedback from many fellow analysts and friends. Rules are our own or have been drived from blog posts, tweets or other public sources that are referenced in the rules.
-
-Copyright for Tree Image: [studiobarcelona / 123RF Stock Photo](http://www.123rf.com/profile_studiobarcelona)
+* [SOC Prime - Sigma Rule Editor](https://tdm.socprime.com/sigma/)
+* [ypsilon](https://github.com/P4T12ICK/ypsilon) - Automated Use Case Testing 
+* [uncoder.io](https://uncoder.io/) - Online Translator for SIEM Searches
+* [SPARK](https://www.nextron-systems.com/2018/06/28/spark-applies-sigma-rules-in-eventlog-scan/) - Scan with Sigma rules on endpoints
+* [RANK VASA](https://globenewswire.com/news-release/2019/03/04/1745907/0/en/RANK-Software-to-Help-MSSPs-Scale-Cybersecurity-Offerings.html)

 # Licenses

@@ -140,3 +283,11 @@ The content of this repository is released under the following licenses:
 * The toolchain (everything under `tools/`) is licensed under the [GNU Lesser General Public License](https://www.gnu.org/licenses/lgpl-3.0.en.html).
 * The [Sigma specification](https://github.com/Neo23x0/sigma/wiki) is public domain.
 * Everything else, especially the rules contained in the `rules/` directory is released under the [GNU General Public License](https://www.gnu.org/licenses/gpl-3.0.en.html).
+
+# Credits
+
+This is a private project mainly developed by Florian Roth and Thomas Patzke with feedback from many fellow analysts and friends. Rules are our own or have been drived from blog posts, tweets or other public sources that are referenced in the rules.
+
+# Info Graphic
+
+![sigmac_info_graphic](./images/sigma_infographic_lq.png)
@@ -0,0 +1,173 @@
+#!/usr/bin/python
+# Copyright 2018 David Routin
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+"""
+Project: sigma2elastalert.py
+Date: 25 Feb 2018
+Author: David ROUTIN  (@Rewt_1)
+Version: 1.0
+Description: This script creates elastalert configuration files from Sigma SIEM rules.
+"""
+
+import re
+import os
+import glob
+import subprocess
+import argparse
+import yaml
+import traceback
+
+parser = argparse.ArgumentParser()
+parser.add_argument("--eshost", help="Elasticsearch host", type=str, required=True)
+parser.add_argument("--esport", help="Elasticsearch port", type=str, required=True)
+parser.add_argument("--ruledir", help="sigma rule directory path to convert", type=str, required=True)
+parser.add_argument("--index", help="Elasticsearch index name egs: \"winlogbeat-*\"", type=str, required=True)
+parser.add_argument("--email", help="email address to send mail alert", type=str, required=True)
+parser.add_argument("--outdir", help="output directory to create elastalert rules", type=str, required=True)
+parser.add_argument("--sigmac", help="Sigmac location", default="../tools/sigmac", type=str)
+parser.add_argument("--realerttime", help="Realert time (optional value, default 5 minutes)", type=str, default=5)
+parser.add_argument("--debug", help="Show debug output", type=bool, default=False)
+args = parser.parse_args()
+
+custom_query_keys = ["sensor", "Hostname", "EventID", "src_ip", "dst_ip"]
+
+
+template="""es_host: ESHOST
+es_port: ESPORT
+name: "TITLE"
+description: "DESCRIPTION"
+index: INDEX
+filter:
+- query:
+    query_string:
+      query: 'QUERY'
+realert:
+ minutes: MINUTES
+query_key: UNIQKEYS
+type: any
+include: UNIQKEYS
+alert:
+- "email"
+
+# (required, email specific)
+# a list of email addresses to send alerts to
+email:
+- "EMAIL"
+"""
+
+def return_json_obj(x,custom_query_keys):
+    """
+    Function used to filter all ES query object as unique value including predefined list from custom_query_keys
+    :param x: must contains ES query output
+    :param custom_query_keys: takes the list of predefined element to match in document
+    :return: a clean list (set) of all the query keys (EventID,TargetUserName...)
+    """
+    # type: (str, list) -> list
+    y = x.replace(" ", "\n").split()
+    out = set()
+    for i in y:
+        out.update(re.findall("([a-zA-Z]+)\:", i))
+
+    for qk in custom_query_keys:
+        try:
+            out.remove(qk)
+        except:
+            pass
+    out = list(out)
+    count = 0
+    for qk in custom_query_keys:
+        count += 1
+        out.insert(count-1, qk)
+    return out
+
+def rule_element(file_content, elements):
+    """
+    Function used to get specific element from yaml document and return content
+    :type file_content: str
+    :type elements: list
+    :param file_content:
+    :param elements: list of elements of the yaml document to get "title", "description"
+    :return: the value of the key in the yaml document
+    """
+    try:
+        yaml.safe_load(file_content.replace("---",""))
+    except:
+        raise Exception('Unsupported')
+    element_output = ""
+    for e in elements:
+        try:
+            element_output = yaml.safe_load(file_content.replace("---",""))[e]
+        except:
+            pass
+    if element_output is None:
+        return ""
+    return element_output
+
+def get_rule_as_esqs(file):
+    """
+    Function used to get Elastic query output from rule fome
+    :type file: str
+    :param file: rule filename
+    :return: string es query
+    """
+    if not os.path.exists(args.sigmac):
+        print("Cannot find sigmac rule coverter at '%s', please set a correct location via '--sigmac'")
+    cmd = [args.sigmac, file, "--target", "es-qs"]
+    output = subprocess.Popen(cmd,stdout=subprocess.PIPE, stderr=subprocess.STDOUT).stdout.read()
+    if "unsupported" in output:
+        raise Exception('Unsupported output at this time')
+    output = output.split("\n")
+    # Remove empty string from \n
+    output = [a for a in output if a]
+    # Handle case of multiple queries returned
+    if len(output) > 1:
+        return " OR ".join(output)
+    return "".join(output)
+
+# Dictionary that contains args set at launch time
+convert_args = {
+    "ESHOST": args.eshost,
+    "ESPORT": args.esport,
+    "INDEX": args.index,
+    "EMAIL": args.email,
+    "MINUTES": args.realerttime
+}
+
+for file in glob.glob(args.ruledir + "/*"):
+    output_elast_config = template
+    try:
+        print("Processing %s ..." % file)
+        with open(file, "rb") as f:
+            file_content = f.read()
+
+        # Dictionary that contains args with values returned by functions
+        translate_func = {'QUERY': get_rule_as_esqs(file),
+                        'TITLE': rule_element(file_content, ["title", "name"]),
+                        'DESCRIPTION': rule_element(file_content, ["description"]),
+                        'UNIQKEYS': str(return_json_obj(get_rule_as_esqs(file), custom_query_keys))
+                        }
+        for entry in convert_args:
+            output_elast_config = re.sub(entry, str(convert_args[entry]), output_elast_config)
+        for entry in translate_func:
+            output_elast_config = re.sub(entry, translate_func[entry], output_elast_config)
+        print "Converting file " + file
+        with open(os.path.join(args.outdir, "sigma-" + file.split("/")[-1]), "w") as f:
+                f.write(output_elast_config)
+    except Exception as e:
+        if args.debug:
+            traceback.print_exc()
+        print "error " + str(file) + "----" + str(e)
+        pass
+
@@ -0,0 +1,247 @@
+#!/usr/bin/python
+# Copyright 2018 juju4
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+"""
+Project: sigma2sumologic.py
+Date: 11 Jan 2019
+Author: juju4
+Version: 1.0
+Description: This script executes sumologic search queries from Sigma SIEM rules.
+Workflow:
+    1. Convert rules with sigmac
+    2. Enrich: add ignore+local custom rules, priority
+    3. Format
+    4. Get results and save to txt/xlsx files
+Requirements:
+    $ pip install sumologic-sdk pyyaml pandas
+"""
+
+import re
+import os, sys, stat
+import glob
+import subprocess
+import argparse
+import yaml
+import traceback
+import logging
+from sumologic import SumoLogic
+import time
+import datetime
+import json
+import pandas
+
+logging.basicConfig(level=logging.DEBUG)
+logger = logging.getLogger(__name__)
+formatter = logging.Formatter('%(asctime)s - %(name)s - p%(process)s {%(pathname)s:%(lineno)d} - %(levelname)s - %(message)s')
+handler = logging.FileHandler('sigma2sumo.log')
+handler.setFormatter(formatter)
+logger.addHandler(handler)
+
+parser = argparse.ArgumentParser(description='Execute sigma rules in sumologic')
+parser.add_argument("--conf", help="script yaml config file", type=str, required=True)
+parser.add_argument("--accessid", help="Sumologic Access ID", type=str, required=False)
+parser.add_argument("--accesskey", help="Sumologic Access Key", type=str, required=False)
+parser.add_argument("--endpoint", help="Sumologic url endpoint", type=str, required=False)
+parser.add_argument("--ruledir", help="sigma rule directory path to convert", type=str, required=False)
+parser.add_argument("--outdir", help="output directory to create rules", type=str, required=False)
+parser.add_argument("--sigmac", help="Sigmac location", default="../tools/sigmac", type=str)
+parser.add_argument("--realerttime", help="Realert time (optional value, default 5 minutes)", type=str, default=5)
+parser.add_argument("--debug", help="Show debug output", type=bool, default=False)
+args = parser.parse_args()
+
+LIMIT = 100
+delay = 5
+
+def rule_element(file_content, elements):
+    """
+    Function used to get specific element from yaml document and return content
+    :type file_content: str
+    :type elements: list
+    :param file_content:
+    :param elements: list of elements of the yaml document to get "title", "description"
+    :return: the value of the key in the yaml document
+    """
+    try:
+        logger.debug("file_content: %s" % file_content)
+        yaml.safe_load(file_content.replace("---",""))
+    except:
+        raise Exception('Unsupported')
+    element_output = ""
+    for e in elements:
+        try:
+            element_output = yaml.safe_load(file_content.replace("---",""))[e]
+        except:
+            pass
+    if element_output is None:
+        return ""
+    return element_output
+
+def get_rule_as_sumologic(file):
+    """
+    Function used to get sumologic query output from rule file
+    :type file: str
+    :param file: rule filename
+    :return: string query
+    """
+    if not os.path.exists(args.sigmac):
+        logger.error("Cannot find sigmac rule coverter at '%s', please set a correct location via '--sigmac'")
+    cmd = [args.sigmac, file, "--target", "sumologic"]
+    logger.info('get_rule_as_sumologic cmd: %s' % cmd)
+    process = subprocess.Popen(cmd,stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    output, err = process.communicate()
+
+    # output is byte-string...
+    output = output.decode("utf-8")
+    err = err.decode("utf-8")
+
+    logger.info('get_rule_as_sumologic output: %s' % output)
+    logger.info('get_rule_as_sumologic stderr: %s' % err)
+    if err or "unsupported" in err:
+        logger.error('Unsupported output at this time')
+        raise Exception('Unsupported output at this time')
+    output = output.split("\n")
+    # Remove empty string from \n
+    output = [a for a in output if a]
+    # Handle case of multiple queries returned
+    if len(output) > 1:
+        return " OR ".join(output)
+    return "".join(output)
+
+if args.help:
+    parser_print_help()
+
+if args.conf:
+    with open(args.conf, 'r') as ymlfile:
+        cfg = yaml.load(ymlfile)
+    args.accessid = cfg['accessid']
+    args.accesskey = cfg['accesskey']
+    args.endpoint = cfg['endpoint']
+    args.ruledir = cfg['ruledir']
+    args.outdir = cfg['outdir']
+    args.sigmac = cfg['sigmac']
+    try:
+        args.recursive = cfg['recursive']
+    except:
+        args.recursive = False
+    if args.recursive:
+        globpath = args.ruledir + "/**/*.yml"
+    else:
+        globpath = args.ruledir + "/*.yml"
+    logger.debug("args: %s" % args)
+    logger.debug("globpath: %s" % globpath)
+
+if args.outdir and not os.path.isdir(args.outdir):
+    os.mkdir(args.outdir, stat.S_IRWXU)
+
+# recursive
+for file in glob.iglob(globpath):
+# non-recursive (above, not working...)
+#for file in glob.iglob(args.ruledir + "/*.yml"):
+
+    file_basename = os.path.basename(os.path.splitext(file)[0])
+    file_basenamepath = os.path.splitext(file)[0]
+    file_ext = os.path.splitext(file)[1]
+    try:
+        if file_ext != '.yml':
+            continue
+
+        logger.info("Processing %s ..." % file_basename)
+        with open(file, "rb") as f:
+            file_content = f.read()
+
+        logger.info("Rule file: %s" % file)
+
+        sumo_query = get_rule_as_sumologic(file)
+
+        logger.info("  Checking if custom query file: %s" % file_basenamepath + '.custom')
+        if os.path.isfile(file_basenamepath + '.custom'):
+            # FIXME! want to add something in the middle for parsing for example...
+            logger.info("  Adding custom part to end query from: %s" % file_basenamepath + '.custom')
+            with open(file_basenamepath + '.custom', "rb") as f:
+                sumo_query += " " + f.read().decode('utf-8')
+        elif 'count ' not in sumo_query and ('EventID=' in sumo_query):
+                sumo_query += " | count _sourceCategory, hostname, EventID, msg_summary, _raw"
+        elif 'count ' not in sumo_query:
+                sumo_query += " | count _sourceCategory, hostname, _raw"
+
+        logger.info("Final sumo query: %s" % sumo_query)
+
+    except Exception as e:
+        if args.debug:
+            traceback.print_exc()
+        logger.exception("error generating sumo query " + str(file) + "----" + str(e))
+        pass
+
+    try:
+        # Run query
+        # https://github.com/SumoLogic/sumologic-python-sdk/blob/master/scripts/search-job.py
+        sumo = SumoLogic(args.accessid, args.accesskey, args.endpoint)
+        toTime = datetime.datetime.now().strftime("%Y-%m-%dT%H:%M:%S")
+        fromTime = datetime.datetime.strptime(toTime, "%Y-%m-%dT%H:%M:%S") - datetime.timedelta(hours = 24)
+        fromTime = fromTime.strftime("%Y-%m-%dT%H:%M:%S")
+        timeZone = 'UTC'
+        byReceiptTime = True
+
+        sj = sumo.search_job(sumo_query, fromTime, toTime, timeZone, byReceiptTime)
+
+        status = sumo.search_job_status(sj)
+        while status['state'] != 'DONE GATHERING RESULTS':
+            if status['state'] == 'CANCELLED':
+                break
+            time.sleep(delay)
+            status = sumo.search_job_status(sj)
+
+    except Exception as e:
+        if args.debug:
+            traceback.print_exc()
+        logger.exception("error seaching sumo  " + str(file) + "----" + str(e))
+        with open(os.path.join(args.outdir, "sigma-" + file_basename + '-error.txt'), "w") as f:
+            f.write(json.dumps(r, indent=4, sort_keys=True) + " ERROR: %s\n\nQUERY: %s" % (e, sumo_query))
+        pass
+
+    logger.info("Sumo search job status: %s" % status['state'])
+
+    try:
+        if status['state'] == 'DONE GATHERING RESULTS':
+            count = status['recordCount']
+            limit = count if count < LIMIT and count != 0 else LIMIT # compensate bad limit check
+            r = sumo.search_job_records(sj, limit=limit)
+            logger.info("Sumo search results: %s" % r)
+
+        logger.info("Saving final sumo query for %s to %s" % (file, os.path.join(args.outdir, "sigma-" + file_basename + '.sumo')))
+        with open(os.path.join(args.outdir, "sigma-" + file_basename + '.sumo'), "w") as f:
+            f.write(sumo_query)
+        if r and r['records'] != []:
+            logger.info("Saving results")
+            # as json text file
+            with open(os.path.join(args.outdir, "sigma-" + file_basename + '.txt'), "w") as f:
+                f.write(json.dumps(r, indent=4, sort_keys=True))
+            # as excel file
+            df = pandas.io.json.json_normalize(r['records'])
+            with pandas.ExcelWriter(os.path.join(args.outdir, "sigma-" + file_basename + ".xlsx")) as writer:
+                df.to_excel(writer, 'data')
+                pandas.DataFrame({'References': [
+                    "timeframe: from %s to %s" % (fromTime, toTime),
+                    "Sumo endpoint: %s" % args.endpoint,
+                    "Sumo query: %s" % sumo_query
+                    ]}).to_excel(writer, 'comments')
+
+        # and do whatever you want, email alert, report, ticket...
+
+    except Exception as e:
+        if args.debug:
+            traceback.print_exc()
+        logger.exception("error saving results " + str(file) + "----" + str(e))
+        pass
@@ -1,7 +1,7 @@
 title: Python SQL Exceptions
 description: Generic rule for SQL exceptions in Python according to PEP 249
 author: Thomas Patzke
-reference:
+references:
    - https://www.python.org/dev/peps/pep-0249/#exceptions
 logsource:
    category: application
@@ -2,7 +2,8 @@ title: Suspicious SQL Error Messages
 status: experimental
 description: Detects SQL error messages that indicate probing for an injection attack
 author: Bjoern Kimminich
-reference: http://www.sqlinjection.net/errors
+references:
+    - http://www.sqlinjection.net/errors
 logsource:
    category: application
    product: sql
@@ -15,7 +16,7 @@ detection:
        # SQL Server
        - Unclosed quotation mark
        # SQLite
-        - near "*": syntax error
+        - 'near "*": syntax error'
        - SELECTs to the left and right of UNION do not have the same number of result columns
    condition: keywords
 falsepositives:
@@ -1,7 +1,7 @@
 title: Django framework exceptions
 description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
-reference:
+references:
    - https://docs.djangoproject.com/en/1.11/ref/exceptions/
    - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
 logsource:
@@ -1,7 +1,7 @@
 title: Ruby on Rails framework exceptions
 description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
 author: Thomas Patzke
-reference:
+references:
    - http://edgeguides.rubyonrails.org/security.html
    - http://guides.rubyonrails.org/action_controller_overview.html
    - https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception
@@ -1,7 +1,7 @@
 title: Spring framework exceptions
 description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
-reference:
+references:
    - https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html
 logsource:
    category: application
@@ -0,0 +1,20 @@
+title: APT29 
+description: 'This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks' 
+references:
+    - https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
+tags:
+    - attack.execution
+    - attack.g0016
+    - attack.t1086
+author: Florian Roth
+date: 2018/12/04 
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine: '*-noni -ep bypass $*'
+    condition: selection
+falsepositives:
+    - unknown
+level: critical
@@ -1,31 +1,32 @@
+---
 action: global
 title: APT29 Google Update Service Install
 description: 'This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files.' 
-reference: https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
+references:
+    - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
+tags:
+    - attack.persistence
+    - attack.g0016
+    - attack.t1050
 logsource:
    product: windows
+    service: system
 detection:
-    service:
+    service_install:
        EventID: 7045
        ServiceName: 'Google Update'
    timeframe: 5m
-    condition: service | near process
+    condition: service_install | near process
 falsepositives:
    - Unknown
 level: high
+
 ---
-# Windows Audit Log
+logsource:
+    category: process_creation
+    product: windows
 detection:
    process:
-        EventID: 4688 
-        NewProcessName: 
-            - 'C:\Program Files(x86)\Google\GoogleService.exe'
-            - 'C:\Program Files(x86)\Google\GoogleUpdate.exe'
---
-# Sysmon
-detection:
-    process:
-        EventID: 1 
        Image: 
            - 'C:\Program Files(x86)\Google\GoogleService.exe'
            - 'C:\Program Files(x86)\Google\GoogleUpdate.exe'
@@ -0,0 +1,28 @@
+title: Baby Shark Activity
+status: experimental
+description: Detects activity that could be related to Baby Shark malware
+references:
+    - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
+tags:
+    - attack.execution
+    - attack.t1059
+    - attack.t1086
+    - attack.discovery
+    - attack.t1012
+    - attack.defense_evasion
+    - attack.t1170
+logsource:
+    category: process_creation
+    product: windows
+author: Florian Roth
+date: 2019/02/24
+detection:
+    selection:
+        CommandLine:
+            - reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
+            - powershell.exe mshta.exe http*
+            - cmd.exe /c taskkill /im cmd.exe
+    condition: selection
+falsepositives:
+    - unknown
+level: high
@@ -0,0 +1,24 @@
+title: Judgement Panda Exfil Activity
+description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
+references:
+    - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
+author: Florian Roth
+date: 2019/02/21
+tags:
+    - attack.credential_access
+    - attack.t1081
+    - attack.t1003
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        Image: '*\xcopy.exe'
+        CommandLine: '* /S /E /C /Q /H \\*'
+    selection2:
+        Image: '*\adexplorer.exe'
+        CommandLine: '* -snapshot "" c:\users\\*'
+    condition: selection1 or selection2
+falsepositives:
+    - unknown
+level: critical
@@ -1,6 +1,11 @@
 title: Turla Service Install
 description: 'This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET' 
-reference: https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
+references:
+    - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
+tags:
+    - attack.persistence
+    - attack.g0010
+    - attack.t1050
 logsource:
    product: windows
    service: system
@@ -0,0 +1,73 @@
+---
+action: global
+title: Chafer Activity
+description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018 
+references:
+    - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
+tags:
+    - attack.persistence
+    - attack.g0049
+    - attack.t1053
+    - attack.s0111
+    - attack.defense_evasion
+    - attack.t1112
+date: 2018/03/23
+modified: 2019/03/01
+author: Florian Roth, Markus Neis
+detection:
+    condition: 1 of them
+falsepositives:
+    - Unknown
+level: critical
+---
+logsource:
+    product: windows
+    service: system
+detection:
+    selection_service:
+        EventID: 7045
+        ServiceName:
+            - 'SC Scheduled Scan'
+            - 'UpdatMachine'
+---
+logsource:
+    product: windows
+    service: security
+detection:
+    selection_service:
+        EventID: 4698
+        TaskName:
+            - 'SC Scheduled Scan'
+            - 'UpdatMachine'
+---
+logsource:
+   product: windows
+   service: sysmon
+detection:
+    selection_reg1:
+        EventID: 13 
+        TargetObject: 
+            - '*SOFTWARE\Microsoft\Windows\CurrentVersion\UMe'
+            - '*SOFTWARE\Microsoft\Windows\CurrentVersion\UT'
+        EventType: 'SetValue'
+    selection_reg2:
+        EventID: 13 
+        TargetObject: '*\Control\SecurityProviders\WDigest\UseLogonCredential'
+        EventType: 'SetValue'
+        Details: 'DWORD (0x00000001)'
+---
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_process1:
+        CommandLine: 
+            - '*\Service.exe i'
+            - '*\Service.exe u'
+            - '*\microsoft\Taskbar\autoit3.exe'
+            - 'C:\wsc.exe*'
+    selection_process2:
+        Image: '*\Windows\Temp\DB\\*.exe'
+    selection_process3:
+        CommandLine: '*\nslookup.exe -q=TXT*'
+        ParentImage: '*\Autoit*'
@@ -1,13 +1,17 @@
-title: Detects an Execution of WMIExec VBS Script
+title: WMIExec VBS Script
 description: Detects suspicious file execution by wscript and cscript
 author: Florian Roth
-reference: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+references:
+    - https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+tags:
+    - attack.execution
+    - attack.g0045
+    - attack.t1064
 logsource:
+    category: process_creation
    product: windows
-    service: sysmon
 detection:
    selection:
-        EventID: 1
        Image: '*\cscript.exe'
        CommandLine: '*.vbs /shell *'
    condition: selection
@@ -0,0 +1,19 @@
+title: CrackMapExecWin 
+description: Detects CrackMapExecWin Activity as Described by NCSC
+status: experimental
+references:
+    - https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control 
+tags:
+    - attack.g0035
+author: Markus Neis
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image:
+            - '*\crackmapexec.exe'
+    condition: selection
+falsepositives: 
+    - None 
+level: critical
@@ -0,0 +1,24 @@
+title: Elise Backdoor
+status: experimental
+description: Detects Elise backdoor acitivty as used by APT32 
+references: 
+    - https://community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting
+tags:
+    - attack.g0030
+    - attack.g0050
+    - attack.s0081
+author: Florian Roth
+date: 2018/01/31
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        Image: 'C:\Windows\SysWOW64\cmd.exe'
+        CommandLine: '*\Windows\Caches\NavShExt.dll *'
+    selection2:
+        CommandLine: '*\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'
+    condition: 1 of them
+falsepositives:
+    - Unknown
+level: critical
@@ -1,21 +1,24 @@
 title: Equation Group C2 Communication
 description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
-reference:
+references:
    - 'https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation'
    - 'https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195'
+tags:
+    - attack.command_and_control
+    - attack.g0020
 author: Florian Roth
 logsource:
-    product: firewall
+    category: firewall
 detection:
    outgoing:
-        dst:
+        dst_ip:
            - '69.42.98.86'
            - '89.185.234.145'
    incoming:
-        src:
+        src_ip:
            - '69.42.98.86'
            - '89.185.234.145'
-    condition: outgoing or incoming
+    condition: 1 of them
 falsepositives:
    - Unknown
 level: high
@@ -0,0 +1,26 @@
+title: Equation Group DLL_U Load
+author: Florian Roth
+description: Detects a specific tool and export used by EquationGroup
+references:
+    - https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
+    - https://securelist.com/apt-slingshot/84312/
+    - https://twitter.com/cyb3rops/status/972186477512839170
+tags:
+    - attack.execution
+    - attack.g0020
+    - attack.t1059
+    - attack.defense_evasion
+    - attack.t1085
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        Image: '*\rundll32.exe'
+        CommandLine: '*,dll_u'
+    selection2:
+        CommandLine: '* -export dll_u *'
+    condition: 1 of them
+falsepositives:
+    - Unknown
+level: critical
@@ -1,6 +1,11 @@
 title: Equation Group Indicators
 description: Detects suspicious shell commands used in various Equation Group scripts and tools
-reference: https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
+references:
+    - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
+tags:
+    - attack.execution
+    - attack.g0020
+    - attack.t1059
 author: Florian Roth
 logsource:
    product: linux
@@ -63,7 +68,6 @@ detection:
        - 'chmod 755 /usr/vmsys/bin/pipe'
        - 'chmod -R 755 /usr/vmsys'
        - 'chmod 755 $opbin/*tunnel'
-        - '< /dev/console | uudecode && uncompress'
        - 'chmod 700 sendmail'
        - 'chmod 0700 sendmail'
        - '/usr/bin/wget http*sendmail;chmod +x sendmail;'
@@ -0,0 +1,23 @@
+title: Hurricane Panda Activity
+author: Florian Roth
+status: experimental
+description: Detects Hurricane Panda Activity 
+references: 
+    - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
+tags:
+    - attack.privilege_escalation
+    - attack.g0009
+    - attack.t1068
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine: 
+            - '* localgroup administrators admin /add'
+            - '*\Win64.exe*'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
+
@@ -0,0 +1,33 @@
+title: Judgement Panda Exfil Activity
+description: Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike
+references:
+    - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
+author: Florian Roth
+date: 2019/02/21
+tags:
+    - attack.lateral_movement
+    - attack.g0010
+    - attack.credential_access
+    - attack.t1098
+    - attack.exfiltration
+    - attack.t1002
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        CommandLine:
+            - '*\ldifde.exe -f -n *'
+            - '*\7za.exe a 1.7z *'
+            - '* eprod.ldf'
+            - '*\aaaa\procdump64.exe*'
+            - '*\aaaa\netsess.exe*'
+            - '*\aaaa\7za.exe*'
+            - '*copy .\1.7z \\*'
+            - '*copy \\client\c$\aaaa\*'
+    selection2:
+        Image: C:\Users\Public\7za.exe
+    condition: selection1 or selection2
+falsepositives:
+    - unknown
+level: critical
@@ -1,24 +1,17 @@
+---
+action: global
 title: Pandemic Registry Key
 status: experimental
 description: Detects Pandemic Windows Implant
-reference: 
+references:
    - https://wikileaks.org/vault7/#Pandemic
    - https://twitter.com/MalwareJake/status/870349480356454401
+tags:
+    - attack.lateral_movement
+    - attack.t1105
 author: Florian Roth
-logsource:
-    product: windows
-    service: sysmon
 detection:
-    selection1:
-        EventID: 13
-        TargetObject: 
-            - '\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\null\Instance*'
-            - '\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\null\Instance*'
-            - '\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\null\Instance*'
-    selection2:
-        EventID: 1
-        Command: 'loaddll -a *'
-    condition: selection1 or selection2
+    condition: 1 of them
 fields:
    - EventID
    - CommandLine
@@ -29,4 +22,22 @@ fields:
 falsepositives:
    - unknown
 level: critical
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        EventID: 13
+        TargetObject: 
+            - '\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\null\Instance*'
+            - '\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\null\Instance*'
+            - '\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\null\Instance*'
+---
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection2:
+        Command: 'loaddll -a *'

@@ -0,0 +1,33 @@
+---
+action: global
+title: Defrag Deactivation
+author: Florian Roth
+description: Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group
+references:
+    - https://securelist.com/apt-slingshot/84312/
+tags:
+    - attack.persistence
+    - attack.t1053
+    - attack.s0111
+detection:
+    condition: 1 of them
+falsepositives:
+    - Unknown
+level: medium
+---
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        CommandLine: 
+            - '*schtasks* /delete *Defrag\ScheduledDefrag*'
+---
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'       
+detection:
+    selection2:
+        EventID: 4701
+        TaskName: '\Microsoft\Windows\Defrag\ScheduledDefrag'
@@ -0,0 +1,26 @@
+title: Sofacy Trojan Loader Activity
+author: Florian Roth
+status: experimental
+description: Detects Trojan loader acitivty as used by APT28 
+references: 
+    - https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
+    - https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100
+    - https://twitter.com/ClearskySec/status/960924755355369472
+tags:
+    - attack.g0007
+    - attack.execution
+    - attack.t1059
+    - attack.defense_evasion
+    - attack.t1085
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine: 
+            - 'rundll32.exe %APPDATA%\\*.dat",*'
+            - 'rundll32.exe %APPDATA%\\*.dll",#1'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical
@@ -0,0 +1,19 @@
+title: Sofacy Zebrocy
+author: Florian Roth
+description: Detects Sofacy's Zebrocy malware execution
+references:
+    - https://app.any.run/tasks/54acca9a-394e-4384-a0c8-91a96d36c81d
+tags:
+    - attack.execution
+    - attack.g0020
+    - attack.t1059
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine: '*cmd.exe /c SYSTEMINFO & TASKLIST'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical
@@ -1,7 +1,12 @@
 title: StoneDrill Service Install
 description: 'This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky'   
 author: Florian Roth
-reference: https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
+references:
+    - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
+tags:
+    - attack.persistence
+    - attack.g0064
+    - attack.t1050
 logsource:
    product: windows
    service: system
@@ -1,14 +1,18 @@
 title: Ps.exe Renamed SysInternals Tool
 description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A report
-reference: https://www.us-cert.gov/ncas/alerts/TA17-293A
+references:
+    - https://www.us-cert.gov/ncas/alerts/TA17-293A
+tags:
+    - attack.defense_evasion
+    - attack.g0035
+    - attack.t1036
 author: Florian Roth
 date: 2017/10/22
 logsource:
+    category: process_creation
    product: windows
-    service: sysmon
 detection:
    selection:
-        EventID: 1
        CommandLine: 'ps.exe -accepteula'
    condition: selection
 falsepositives:
@@ -0,0 +1,17 @@
+title: TropicTrooper Campaign November 2018
+author: "@41thexplorer, Windows Defender ATP"
+status: stable
+description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
+references:
+    - https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
+tags:
+    - attack.execution
+    - attack.t1085
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
+    condition: selection
+level: high
@@ -3,35 +3,41 @@ action: global
 title: Turla Group Lateral Movement 
 status: experimental
 description: Detects automated lateral movement by Turla group 
-reference: https://securelist.com/the-epic-turla-operation/65545/
+references:
+    - https://securelist.com/the-epic-turla-operation/65545/
+tags:
+    - attack.g0010
+    - attack.execution
+    - attack.t1059
+    - attack.lateral_movement
+    - attack.t1077
+    - attack.discovery
+    - attack.t1083
+    - attack.t1135
 author: Markus Neis
 date: 2017/11/07
 logsource:
-   product: windows
-   service: sysmon
+    category: process_creation
+    product: windows
 falsepositives:
   - Unknown
 ---
 detection:
   selection:
-      EventID: 1
      CommandLine: 
         - 'net use \\%DomainController%\C$ "P@ssw0rd" *'
-         - 'dir c:\*.doc* /s'
-         - 'dir %TEMP%\*.exe'
+         - 'dir c:\\*.doc* /s'
+         - 'dir %TEMP%\\*.exe'
   condition: selection
 level: critical
 ---
 detection:
   netCommand1:
-      EventID: 1
      CommandLine: 'net view /DOMAIN'
   netCommand2:
-      EventID: 1
      CommandLine: 'net session'
   netCommand3:
-      EventID: 1
      CommandLine: 'net share'
   timeframe: 1m
-   condition: netCommand1 | near netCommand1 and netCommand1 
+   condition: netCommand1 | near netCommand2 and netCommand3 
 level: medium
@@ -1,13 +1,16 @@
 title: Turla Group Named Pipes 
 status: experimental
 description: Detects a named pipe used by Turla group samples
-reference: Internal Research
+references:
+    - Internal Research
 date: 2017/11/06
+tags:
+    - attack.g0010
 author: Markus Neis
 logsource:
    product: windows
    service: sysmon
-    description: 'Note that you have to configure logging for PipeEvents in Symson config'
+    definition: 'Note that you have to configure logging for PipeEvents in Symson config'
 detection:
    selection:
        EventID: 
@@ -0,0 +1,21 @@
+title: Turla PNG Dropper Service
+description: 'This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018' 
+references:
+    - https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
+author: Florian Roth
+date: 2018/11/23
+tags:
+    - attack.persistence
+    - attack.g0010
+    - attack.t1050
+logsource:
+    product: windows
+    service: system
+detection:
+    selection:
+        EventID: 7045
+        ServiceName: 'WerFaultSvc'
+    condition: selection
+falsepositives:
+    - unlikely
+level: critical
@@ -0,0 +1,33 @@
+---
+action: global
+title: Unidentified Attacker November 2018
+status: stable
+description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.
+references:
+    - https://twitter.com/DrunkBinary/status/1063075530180886529
+author: "@41thexplorer, Windows Defender ATP"
+date: 2018/11/20
+modified: 2018/12/11
+tags:
+    - attack.execution
+    - attack.t1085
+detection:
+    condition: 1 of them
+level: high
+---
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        CommandLine: '*cyzfc.dat, PointFunctionCall'
+---
+# Sysmon: File Creation (ID 11)
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection2:
+        EventID: 11
+        TargetFilename: 
+            - '*ds7002.lnk*' 
@@ -1,13 +1,19 @@
 title: ZxShell Malware
 description: Detects a ZxShell start by the called and well-known function name   
 author: Florian Roth
-reference: https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
+references:
+    - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
+tags:
+    - attack.g0001
+    - attack.execution
+    - attack.t1059
+    - attack.defense_evasion
+    - attack.t1085
 logsource:
+    category: process_creation
    product: windows
-    service: sysmon
 detection:
    selection:
-        EventID: 1
        Command: 
            - 'rundll32.exe *,zxFunction*'
            - 'rundll32.exe *,RemoteDiskXXXXX'
@@ -1,17 +1,21 @@
-title: Detects Fireball - Archer Install
+title: Fireball Archer Install
 status: experimental
 description: Detects Archer malware invocation via rundll32
 author: Florian Roth
 date: 2017/06/03
-reference: 
+references:
    - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
    - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
+tags:
+    - attack.execution
+    - attack.t1059
+    - attack.defense_evasion
+    - attack.t1085
 logsource:
+    category: process_creation
    product: windows
-    service: sysmon
 detection:
    selection:
-        EventID: 1
        CommandLine: '*\rundll32.exe *,InstallArcherSvc'
    condition: selection
 fields:
@@ -0,0 +1,28 @@
+title: Detects Suspicious Commands on Linux systems
+status: experimental
+description: Detects relevant commands often related to malware or hacking activity
+references:
+    - 'Internal Research - mostly derived from exploit code including code in MSF'
+date: 2017/12/12
+author: Florian Roth
+logsource:
+    product: linux
+    service: auditd
+detection:
+    cmds:
+        - type: 'EXECVE'
+          a0: 'chmod'
+          a1: '777'
+        - type: 'EXECVE'
+          a0: 'chmod'
+          a1: 'u+s'
+        - type: 'EXECVE'
+          a0: 'cp'
+          a1: '/bin/ksh'
+        - type: 'EXECVE'
+          a0: 'cp'
+          a1: '/bin/sh'
+    condition: 1 of cmds
+falsepositives:
+    - Admin activity
+level: medium
@@ -0,0 +1,40 @@
+title: Program Executions in Suspicious Folders
+status: experimental
+description: Detects program executions in suspicious non-program folders related to malware or hacking activity
+references:
+    - 'Internal Research'
+date: 2018/01/23
+author: Florian Roth
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'SYSCALL'
+        exe:
+            # Temporary folder
+            - '/tmp/*'
+            # Web server 
+            - '/var/www/*'              # Standard
+            - '/home/*/public_html/*'   # Per-user
+            - '/usr/local/apache2/*'    # Classical Apache
+            - '/usr/local/httpd/*'      # Old SuSE Linux 6.* Apache
+            - '/var/apache/*'           # Solaris Apache
+            - '/srv/www/*'              # SuSE Linux 9.*
+            - '/home/httpd/html/*'      # Redhat 6 or older Apache
+            - '/srv/http/*'             # ArchLinux standard
+            - '/usr/share/nginx/html/*' # ArchLinux nginx
+            # Data dirs of typically exploited services (incomplete list)
+            - '/var/lib/pgsql/data/*'
+            - '/usr/local/mysql/data/*'
+            - '/var/lib/mysql/*'
+            - '/var/vsftpd/*'
+            - '/etc/bind/*'
+            - '/var/named/*'
+    condition: selection
+falsepositives:
+    - Admin activity (especially in /tmp folders)
+    - Crazy web applications
+level: medium
+
+
@@ -1,8 +1,9 @@
 title: Buffer Overflow Attempts
-description: Detects buffer overflow attempts in Linux system log files
-reference: https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
+description: Detects buffer overflow attempts in Unix system log files
+references:
+    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
 logsource:
-    product: linux
+    product: unix
 detection:
    keywords:
        - 'attempt to execute code on stack by'
@@ -1,6 +1,7 @@
 title: Relevant ClamAV Message
 description: Detects relevant ClamAV messages
-reference: https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml
+references:
+    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml
 logsource:
    product: linux
    service: clamav
@@ -1,11 +1,13 @@
 title: Suspicious Activity in Shell Commands
 description: Detects suspicious shell commands used in various exploit codes (see references)
-reference: 
+references:
    - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html
    - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121
    - http://pastebin.com/FtygZ1cg
    - https://artkond.com/2017/03/23/pivoting-guide/
 author: Florian Roth
+date: 2017/08/21
+modified: 2019/02/05
 logsource:
    product: linux
 detection:
@@ -15,30 +17,37 @@ detection:
        - 'wget * - http* | sh'
        - 'wget * - http* | bash'
        - 'python -m SimpleHTTPServer'
-        - 'import pty; pty.spawn'
+        - '-m http.server'  # Python 3
+        - 'import pty; pty.spawn*'
+        - 'socat exec:*'
+        - 'socat -O /tmp/*'
+        - 'socat tcp-connect*'
+        - '*echo binary >>*'
        # Malware 
        - '*wget *; chmod +x*'
        - '*wget *; chmod 777 *'
        - '*cd /tmp || cd /var/run || cd /mnt*'
        # Apache Struts in-the-wild exploit codes  
-        - 'stop;service iptables stop;'
-        - 'stop;SuSEfirewall2 stop;'
-        - 'chmod 777 2020'
-        - '">>/etc/rc.local;'
-        - 'wget -c *;chmod 777'
+        - '*stop;service iptables stop;*'
+        - '*stop;SuSEfirewall2 stop;*'
+        - 'chmod 777 2020*'
+        - '*>>/etc/rc.local'
        # Metasploit framework exploit codes
-        - 'base64 -d /tmp/'
-        - ' | base64 -d'
-        - '/bin/chmod u+s'
-        - 'chmod +s /tmp/'
-        - 'chmod u+s /tmp/'
-        - '/tmp/haxhax'
-        - '/tmp/ns_sploit'
-        - 'nc -l -p '
-        - 'cp /bin/ksh '
-        - 'cp /bin/sh '
-        - ' /tmp/*.b64 '
-        - '/tmp/ysocereal.jar'
+        - '*base64 -d /tmp/*'
+        - '* | base64 -d *'
+        - '*/chmod u+s *'
+        - '*chmod +s /tmp/*'
+        - '*chmod u+s /tmp/*'
+        - '* /tmp/haxhax*'
+        - '* /tmp/ns_sploit*'
+        - 'nc -l -p *'
+        - 'cp /bin/ksh *'
+        - 'cp /bin/sh *'
+        - '* /tmp/*.b64 *'
+        - '*/tmp/ysocereal.jar*'
+        - '*/tmp/x *'
+        - '*; chmod +x /tmp/*'
+        - '*;chmod +x /tmp/*'
    condition: keywords
 falsepositives:
    - Unknown
@@ -1,6 +1,7 @@
 title: Shellshock Expression
 description: Detects shellshock expressions in log files
-reference: http://rubular.com/r/zxBfjWfFYs
+references:
+    - http://rubular.com/r/zxBfjWfFYs
 logsource:
    product: linux
 detection:
@@ -0,0 +1,16 @@
+title: SSHD Error Message CVE-2018-15473
+description: Detects exploitation attempt using public exploit code for CVE-2018-15473
+references:
+    - https://github.com/Rhynorater/CVE-2018-15473-Exploit
+author: Florian Roth
+date: 2017/08/24
+logsource:
+    product: linux
+    service: sshd
+detection:
+    keywords:
+        - 'error: buffer_get_ret: trying to get more bytes 1907 than in buffer 308 [preauth]'
+    condition: keywords
+falsepositives:
+    - Unknown
+level: medium
@@ -5,9 +5,9 @@ logsource:
    service: auth
 detection:
    selection:
-        log: auth
-        pam_user: not null
-        pam_rhost: not null
+        pam_message: "authentication failure"
+        pam_user: '*'
+        pam_rhost: '*'
    timeframe: 24h 
    condition: selection | count(pam_user) by pam_rhost > 3
 falsepositives:
@@ -0,0 +1,17 @@
+title: JexBoss Command Sequence
+description: Detects suspicious command sequence that JexBoss
+references:
+    - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
+author: Florian Roth
+date: 2017/08/24
+logsource:
+    product: linux
+detection:
+    selection1: 
+        - 'bash -c /bin/bash'
+    selection2:
+        - '&/dev/tcp/'
+    condition: selection1 and selection2
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,20 @@
+title: Suspicious Named Error
+status: experimental
+description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 
+references:
+    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml
+author: Florian Roth
+date: 2018/02/20
+logsource:
+    product: linux
+    service: syslog
+detection:
+    keywords:
+        - '* dropping source port zero packet from *'
+        - '* denied AXFR from *'
+        - '* exiting (due to fatal error)*'
+    condition: keywords
+falsepositives:
+    - Unknown
+level: high
+
@@ -1,6 +1,8 @@
-title: Suspicious SSHD error
+title: Suspicious SSHD Error
 description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 
-reference: https://github.com/openssh/openssh-portable/blob/master/ssherr.c
+references:
+    - https://github.com/openssh/openssh-portable/blob/master/ssherr.c
+    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml
 author: Florian Roth
 date: 2017/06/30
 logsource:
@@ -8,13 +10,17 @@ logsource:
    service: sshd
 detection:
    keywords:
-        - 'unexpected internal error'
-        - 'unknown or unsupported key type'
-        - 'invalid certificate signing key'
-        - 'invalid elliptic curve value'
-        - 'incorrect signature'
-        - 'error in libcrypto'
-        - 'unexpected bytes remain after decoding'
+        - '*unexpected internal error*'
+        - '*unknown or unsupported key type*'
+        - '*invalid certificate signing key*'
+        - '*invalid elliptic curve value*'
+        - '*incorrect signature*'
+        - '*error in libcrypto*'
+        - '*unexpected bytes remain after decoding*'
+        - '*fatal: buffer_get_string: bad string*'
+        - '*Local: crc32 compensation attack*'
+        - '*bad client public DH value*'
+        - '*Corrupted MAC on input*'
    condition: keywords
 falsepositives:
    - Unknown
@@ -1,6 +1,7 @@
-title: Suspicious VSFTPD error messages
+title: Suspicious VSFTPD Error Messages
 description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 
-reference: https://github.com/dagwieers/vsftpd/
+references:
+    - https://github.com/dagwieers/vsftpd/
 author: Florian Roth
 date: 2017/07/05
 logsource:
@@ -0,0 +1,19 @@
+title: Cobalt Strike DNS Beaconing
+status: experimental
+description: Detects suspicious DNS queries known from Cobalt Strike beacons
+references:
+    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
+author: Florian Roth
+date: 2018/05/10
+logsource:
+    category: dns
+detection:
+    selection:
+        query:
+            - 'aaa.stage.*' 
+            - 'post.1*'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
+
@@ -0,0 +1,17 @@
+title: Suspicious DNS Query with B64 Encoded String   
+status: experimental
+description: Detects suspicious DNS queries using base64 encoding
+references:
+    - https://github.com/krmaxwell/dns-exfiltration
+author: Florian Roth
+date: 2018/05/10
+logsource:
+    category: dns
+detection:
+    selection:
+        query:
+            - '*==.*'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,22 @@
+title: DNS TXT Answer with possible execution strings    
+status: experimental
+description: Detects strings used in command execution in DNS TXT Answer 
+references:
+    - https://twitter.com/stvemillertime/status/1024707932447854592
+    - https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1
+tags:
+    - attack.t1071
+author: Markus Neis
+date: 2018/08/08
+logsource:
+    category: dns
+detection:
+    selection:
+        answer:
+            - '*IEX*'
+            - '*Invoke-Expression*'
+            - '*cmd.exe*'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,20 @@
+title: Telegram Bot API Request
+status: experimental
+description: Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind
+references:
+    - https://core.telegram.org/bots/faq
+    - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
+    - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
+    - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
+author: Florian Roth
+date: 2018/06/05
+logsource:
+    category: dns
+detection:
+    selection:
+        query:
+            - 'api.telegram.org'   # Telegram Bot API Request https://core.telegram.org/bots/faq
+    condition: selection
+falsepositives:
+    - Legitimate use of Telegram bots in the company
+level: medium
@@ -0,0 +1,20 @@
+title: Chafer Malware URL Pattern
+status: experimental
+description: Detects HTTP requests used by Chafer malware
+references:
+    - https://securelist.com/chafer-used-remexi-malware/89538/
+author: Florian Roth
+date: 2019/01/31
+logsource:
+    category: proxy
+detection:
+    selection:
+        c-uri-query: '*/asp.asp?ui=*'
+    condition: selection
+fields:
+    - ClientIP
+    - URL
+    - UserAgent
+falsepositives:
+    - Unknown
+level: critical
@@ -0,0 +1,27 @@
+title: CobaltStrike Malleable Amazon browsing traffic profile
+status: experimental
+description: Detects Malleable Amazon Profile 
+references:
+    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/amazon.profile
+    - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
+author: Markus Neis
+tags:
+    - attack.t1102
+logsource:
+    category: proxy
+detection:
+    selection1:
+      UserAgent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
+      HttpMethod: 'GET'
+      URL: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'
+      Host: 'www.amazon.com'
+      Cookie: '*=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'
+    selection2:
+      UserAgent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
+      HttpMethod: 'POST'
+      URL: '/N4215/adj/amzn.us.sr.aps'
+      Host: 'www.amazon.com'
+    condition: selection1 or selection2
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,19 @@
+title: CobaltStrike Malleable (OCSP) Profile
+status: experimental
+description: Detects Malleable (OCSP) Profile with Typo (OSCP) in URL
+references:
+    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/ocsp.profile
+author: Markus Neis
+tags:
+    - attack.t1102
+logsource:
+    category: proxy
+detection:
+    selection:
+      URL: '*/oscp/*'
+      Host: 'ocsp.verisign.com'
+     
+    condition: selection 
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,21 @@
+title: CobaltStrike Malleable OneDrive browsing traffic profile
+status: experimental
+description: Detects Malleable OneDrive Profile 
+references:
+    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile    
+author: Markus Neis
+tags:
+    - attack.t1102
+logsource:
+    category: proxy
+detection:
+    selection:
+      HttpMethod: 'GET'
+      URL: '*?manifest=wac'
+      Host: 'onedrive.live.com'
+    filter:
+      URL: 'http*://onedrive.live.com/*'     
+    condition: selection and not filter
+falsepositives:
+    - Unknown
+level: high
@@ -1,7 +1,8 @@
 title: Download from Suspicious Dyndns Hosts
 status: experimental
 description: Detects download of certain file types from hosts with dynamic DNS names (selected list)
-reference: https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
+references:
+    - https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
 author: Florian Roth
 date: 2017/11/08
 logsource:
@@ -55,7 +56,6 @@ detection:
            - '*.mooo.com'
            - '*.dns-dns.com'
            - '*.strangled.net'
-            - '*.ddns.info'
            - '*.adultdns.net'
            - '*.craftx.biz'
            - '*.ddns01.com'
@@ -1,12 +1,13 @@
 title: Download from Suspicious TLD
 status: experimental
 description: Detects download of certain file types from hosts in suspicious TLDs 
-reference: 
+references:
    - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap
    - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf
    - https://www.spamhaus.org/statistics/tlds/
+    - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
 author: Florian Roth
-date: 2017/11/07
+date: 2018/06/13
 logsource:
    category: proxy
 detection:
@@ -52,15 +53,13 @@ detection:
            - '*.vip'
            - '*.party'
            - '*.tech'
-            - '*.tech'
            - '*.xyz'
            - '*.date'
            - '*.faith'
            - '*.zip'
            - '*.cricket'
            - '*.space'
-            - '*.top'
-            # McAfee report
+            # McAfee report 
            - '*.info'
            - '*.vn'
            - '*.cm'
@@ -83,7 +82,6 @@ detection:
            - '*.tt'
            - '*.name'
            - '*.tv'
-            - '*.tv'
            - '*.kz'
            - '*.tc'
            - '*.mobi'
@@ -93,10 +91,17 @@ detection:
            - '*.link'
            - '*.trade'
            - '*.accountant'
+            # Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
+            - '*.cf'
+            - '*.gq'
+            - '*.ml'
+            - '*.ga'
+            # Custom 
+            - '*.pw'
    condition: selection
 fields:
    - ClientIP
    - URL
 falsepositives:
-    - All kind of software downloads
+    - All kinds of software downloads
 level: low
@@ -1,4 +1,4 @@
-title: Download from Suspicious TLD
+title: Download EXE from Suspicious TLD
 status: experimental
 description: Detects executable downloads from suspicious remote systems
 author: Florian Roth
@@ -0,0 +1,24 @@
+title: Windows WebDAV User Agent
+status: experimental
+description: Detects WebDav DownloadCradle
+references:
+    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
+author: Florian Roth
+date: 2018/04/06
+logsource:
+    category: proxy
+detection:
+    selection:
+      UserAgent: 'Microsoft-WebDAV-MiniRedir/*'
+      HttpMethod: 'GET'
+    condition: selection
+fields:
+    - ClientIP
+    - URL
+    - UserAgent
+    - HttpMethod
+falsepositives:
+    - Administrative scripts that download files from the Internet
+    - Administrative scripts that retrieve certain website contents
+    - Legitimate WebDAV administration
+level: high
@@ -1,16 +1,15 @@
 title: Empty User Agent
 status: experimental
 description: Detects suspicious empty user agent strings in proxy logs
-reference:
+references:
    - https://twitter.com/Carlos_Perez/status/883455096645931008
 author: Florian Roth
 logsource:
    category: proxy
 detection:
    selection:
-      UserAgent:
-        # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString 
-        - ''
+      # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString 
+      UserAgent: ''
    condition: selection
 fields:
    - ClientIP
@@ -1,7 +1,8 @@
 title: Windows PowerShell User Agent
 status: experimental
 description: Detects Windows PowerShell Web Access
-reference: https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
+references:
+    - https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
 author: Florian Roth
 logsource:
    category: proxy
@@ -1,7 +1,8 @@
 title: Flash Player Update from Suspicious Location
 status: experimental
 description: Detects a flashplayer update from an unofficial location
-reference: https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
+references:
+    - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
 author: Florian Roth
 logsource:
    category: proxy
@@ -11,7 +12,7 @@ detection:
            - '*/install_flash_player.exe'
            - '*/flash_install.php*'
    filter:
-        cs-uri-query: '*.adobe.com/*'
+        cs-uri-stem: '*.adobe.com/*'
    condition: selection and not filter
 falsepositives:
    - Unknown flash download locations
@@ -0,0 +1,29 @@
+title: Telegram API Access
+status: experimental
+description: Detects suspicious requests to Telegram API without the usual Telegram User-Agent
+references:
+    - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
+    - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
+    - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
+author: Florian Roth
+date: 2018/06/05
+logsource:
+    category: proxy
+detection:
+    selection:
+        r-dns: 
+            - 'api.telegram.org'  # Often used by Bots
+    filter:
+        UserAgent: 
+            # Used https://core.telegram.org/bots/samples for this list
+            - '*Telegram*'
+            - '*Bot*'
+    condition: selection and not filter
+fields:
+    - ClientIP
+    - URL
+    - UserAgent
+falsepositives:
+    - Legitimate use of Telegram bots in the company
+level: medium
+
@@ -1,38 +1,52 @@
-title: APT User Agent
-status: experimental
-description: Detects suspicious user agent strings used in APT malware in proxy logs
-reference: Internal Research
-author: Florian Roth
-logsource:
-    category: proxy
-detection:
-    selection:
-      UserAgent:
-         # APT Related
-        - 'SJZJ (compatible; MSIE 6.0; Win32)'  # APT Backspace
-        - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0'  # APT GrizzlySteppe - ChopStick - US CERT https://goo.gl/1DTHwi
-        - 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC'  # Comment Crew Miniasp
-        - 'Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)'  # Comment Crew Miniasp
-        - 'webclient'  # Naikon APT
-        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200'  # Naikon APT
-        - 'Mozilla/4.0 (compatible; MSI 6.0;'  # SnowGlobe Babar - yes, it is cut
-        - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0'  # Sofacy - Xtunnel
-        - 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/'  # Sofacy - Xtunnel
-        - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2'  # Sofacy - Xtunnel
-        - 'Mozilla/4.0'  # Derusbi backdoor ELF https://github.com/fideliscyber/indicators/tree/master/FTA-1021
-        - 'Netscape'  # Unit78020 Malware 
-        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7'  # Unit78020 Malware
-        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1'  # Winnti related
-        - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)'  # Winnti related
-        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)'  # APT17
-        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)'  # Bronze Butler - Daserf
-        - 'Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)'  # Bronze Butler - Daserf
-    condition: selection
-fields:
-    - ClientIP
-    - URL
-    - UserAgent
-falsepositives:
-    - Old browsers
-level: high
-
+title: APT User Agent
+status: experimental
+description: Detects suspicious user agent strings used in APT malware in proxy logs
+references:
+    - Internal Research
+author: Florian Roth, Markus Neis
+logsource:
+    category: proxy
+detection:
+    selection:
+      UserAgent:
+         # APT Related
+        - 'SJZJ (compatible; MSIE 6.0; Win32)'  # APT Backspace
+        - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0'  # APT GrizzlySteppe - ChopStick - US CERT https://goo.gl/1DTHwi
+        - 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC'  # Comment Crew Miniasp
+        - 'Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)'  # Comment Crew Miniasp
+        - 'webclient'  # Naikon APT
+        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200'  # Naikon APT
+        - 'Mozilla/4.0 (compatible; MSI 6.0;'  # SnowGlobe Babar - yes, it is cut
+        - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0'  # Sofacy - Xtunnel
+        - 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/'  # Sofacy - Xtunnel
+        - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2'  # Sofacy - Xtunnel
+        - 'Mozilla/4.0'  # Derusbi backdoor ELF https://github.com/fideliscyber/indicators/tree/master/FTA-1021
+        - 'Netscape'  # Unit78020 Malware 
+        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7'  # Unit78020 Malware
+        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1'  # Winnti related
+        - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)'  # Winnti related
+        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)'  # APT17
+        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)'  # Bronze Butler - Daserf
+        - 'Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)'  # Bronze Butler - Daserf
+        - 'Mozilla/4.0 (compatible; MSIE 8.0; Win32)'  # TSCookie https://app.any.run/tasks/0996b314-5133-491b-8d23-d431ffdec597
+        - 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1'  # Delphi downloader https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
+        - 'Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)'  # VPNFilter https://blog.talosintelligence.com/2018/05/VPNFilter.html
+        - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)'  # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
+        - 'Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko'  # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
+        - 'Mozilla v5.1 *'  # Sofacy Zebrocy samples 
+        - 'MSIE 8.0'  # Sofacy Azzy Backdoor  from https://www.hybrid-analysis.com/sample/a80e29c0757bee05338fd5c22a542d852ad86c477068e3eb4aacc1c3e59e2eef?environmentId=100
+        - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)'  # https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html
+        - 'Mozilla/4.0 (compatible; RMS)'  # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw
+        - 'Mozilla/4.0 (compatible; MSIE 6.0; DynGate)'  # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw
+        - 'O/9.27 (W; U; Z)' # Cmstar https://www.virustotal.com/#/file/e4328011bb2b04abc856ccd04404c9f95d67167f6c291d343e8ffa8aa2aa2099/details
+        - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0;  Trident/5.0*'  # KerrDown UA https://goo.gl/s2WU6o
+        - 'Mozilla/5.0 (Windows NT 9; *'  # Suspicious 'Windows NT 9' user agent - used by APT33 malware in 2018
+    condition: selection
+fields:
+    - ClientIP
+    - URL
+    - UserAgent
+falsepositives:
+    - Old browsers
+level: high
+
@@ -0,0 +1,26 @@
+title: Bitsadmin to Uncommon TLD
+status: experimental
+description: Detects Bitsadmin connections to domains with uncommon TLDs 
+    - https://twitter.com/jhencinski/status/1102695118455349248
+    - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
+author: Florian Roth
+date: 2019/03/07
+logsource:
+    category: proxy
+detection:
+    selection:
+        UserAgent:
+            - 'Microsoft BITS/*'
+    falsepositives:
+        r-dns:
+            - '*.com' 
+            - '*.net' 
+            - '*.org' 
+    condition: selection and not falsepositives
+fields:
+    - ClientIP
+    - URL
+    - UserAgent
+falsepositives:
+    - Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca
+level: high
@@ -1,7 +1,7 @@
 title: Exploit Framework User Agent
 status: experimental
 description: Detects suspicious user agent strings used by exploit / pentest framworks like Metasploit in proxy logs
-reference:
+references:
    - https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
 author: Florian Roth
 logsource:
@@ -33,6 +33,7 @@ detection:
        - 'X-FORWARDED-FOR'
        - 'DotDotPwn v2.1'
        - 'SIPDROID'
+        - 'Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)'  # CobaltStrike https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/

        # Exploits
        - '*wordpress hash grabber*'
@@ -1,7 +1,7 @@
 title: Hack Tool User Agent
 status: experimental
 description: Detects suspicious user agent strings user by hack tools in proxy logs
-reference:
+references:
    - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
    - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
 author: Florian Roth
@@ -60,6 +60,7 @@ detection:

        # Hack tool
        - 'ruler'  # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
+        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)'  # SQLi Dumper
    condition: selection
 fields:
    - ClientIP
@@ -1,7 +1,7 @@
 title: Malware User Agent
 status: experimental
 description: Detects suspicious user agent strings used by malware in proxy logs
-reference:
+references:
    - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
    - http://www.botopedia.org/search?searchword=scan&searchphrase=all
    - https://networkraptor.blogspot.com/2015/01/user-agent-strings.html
@@ -22,6 +22,8 @@ detection:
        - '*<|>*'  # Houdini / Iniduoh / njRAT
        - 'nsis_inetc (mozilla)'  # ZeroAccess
        - 'Wget/1.9+cvs-stable (Red Hat modified)'  # Dyre / Upatre
+        # Ghost419 https://goo.gl/rW1yvZ
+        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)'

        # Malware
        - '*zeroup*'  # W32/Renos.Downloader
@@ -44,6 +46,10 @@ detection:
        - 'Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)'  # Fareit
        - 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)'  # Webshell's back connect
        - 'MSIE'  # Toby web shell
+        - '*(Charon; Inferno)'  # Loki Bot
+        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)'  # Fareit / Pony
+        - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'  # https://goo.gl/g43qjs
+        - 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)'  # MacControl malware https://goo.gl/sqY3Ja https://www.symantec.com/connect/blogs/osxmacontrol-back-it-again

        # Others 
        - '* pxyscand*'
@@ -1,7 +1,7 @@
 title: Suspicious User Agent
 status: experimental
 description: Detects suspicious malformed user agent strings in proxy logs
-reference:
+references:
    - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
 author: Florian Roth
 logsource:
@@ -20,7 +20,12 @@ detection:
        - ' Mozilla/*'  # leading space 
        - 'Mozila/*'  # single 'l'
        - '_'
-    condition: selection
+        - 'CertUtil URL Agent'  # https://twitter.com/stvemillertime/status/985150675527974912
+        - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)'  # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
+    falsepositives:
+        UserAgent:
+            - 'Mozilla/3.0 * Acrobat *'  # Acrobat with linked content
+    condition: selection and not falsepositives
 fields:
    - ClientIP
    - URL
@@ -1,7 +1,8 @@
 title: Apache Segmentation Fault
 description: Detects a segmentation fault error message caused by a creashing apacke worker process 
 author: Florian Roth
-reference: http://www.securityfocus.com/infocus/1633
+references:
+    - http://www.securityfocus.com/infocus/1633
 logsource:
    product: apache
 detection:
@@ -0,0 +1,16 @@
+title: Apache Threading Error
+status: experimental
+description: Detects an issue in apache logs that reports threading related errors
+author: Florian Roth
+date: 2019/01/22
+references:
+    - https://github.com/hannob/apache-uaf/blob/master/README.md
+logsource:
+    product: apache
+detection:
+    keywords:
+        - '__pthread_tpp_change_priority: Assertion `new_prio == -1 || (new_prio >= fifo_min_prio && new_prio <= fifo_max_prio)'
+    condition: keywords
+falsepositives:
+    - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185
+level: medium
@@ -0,0 +1,30 @@
+title: Oracle WebLogic Exploit
+description: Detects access to a webshell droped into a keytore folder on the WebLogic server
+author: Florian Roth
+date: 2018/07/22
+status: experimental
+references: 
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2894
+    - https://twitter.com/pyn3rd/status/1020620932967223296
+    - https://github.com/LandGrey/CVE-2018-2894
+logsource:
+    category: webserver
+detection:
+    selection:
+        c-uri-path: 
+            - '*/config/keystore/*.js*'
+    condition: selection
+fields:
+    - c-ip
+    - c-dns
+falsepositives:
+    - Unknown
+tags:
+    - attack.t1100
+    - attack.t1190
+    - attack.initial_access
+    - attack.persistence
+    - attack.privilege_escalation
+    - cve.2018-2894
+level: critical
+
@@ -1,5 +1,5 @@
 title: Webshell Detection by Keyword
-description: Detects webshells that use GET requests by keyword sarches in URL strings
+description: Detects webshells that use GET requests by keyword searches in URL strings
 author: Florian Roth
 logsource:
    category: webserver
@@ -1,21 +1,24 @@
-title: Admin user remote login
+title: Admin User Remote Logon
 description: Detect remote login by Administrator user depending on internal pattern
-reference:
-  - https://car.mitre.org/wiki/CAR-2016-04-005
+references:
+    - https://car.mitre.org/wiki/CAR-2016-04-005
+tags:
+    - attack.lateral_movement
+    - attack.t1078
+    - car.2016-04-005
 status: experimental
 author: juju4
 logsource:
    product: windows
    service: security
-    description: 'Requirements: Identifiable administrators usernames (pattern or special unique character. ex: "Admin-*"), internal policy mandating use only as secondary account'
+    definition: 'Requirements: Identifiable administrators usernames (pattern or special unique character. ex: "Admin-*"), internal policy mandating use only as secondary account'
 detection:
    selection:
        EventID: 4624
        LogonType: 10
        AuthenticationPackageName: Negotiate
-        Severity: Information
        AccountName: 'Admin-*'
    condition: selection
-falsepositives: 
+falsepositives:
    - Legitimate administrative activity
 level: low
@@ -1,17 +1,20 @@
 title: Access to ADMIN$ Share
-description: 
+description: Detects access to $ADMIN share
+tags:
+    - attack.lateral_movement
+    - attack.t1077
 status: experimental
 author: Florian Roth
 logsource:
    product: windows
    service: security
-    description: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
+    definition: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
 detection:
    selection:
        EventID: 5140
        ShareName: Admin$
    filter:
-        SubjectAccountName: '*$'
+        SubjectUserName: '*$'
    condition: selection and not filter
 falsepositives: 
    - Legitimate administrative activity
@@ -1,18 +1,21 @@
-title: Detects Enabling of a User Right in AD to Control User Objects
+title: Enabled User Right in AD to Control User Objects
 description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
-reference: 
+tags:
+    - attack.privilege_escalation
+    - attack.t1078
+references:
    - https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
 author: '@neu5ron'
 logsource:
    product: windows
    service: security
-    description: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'
+    definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'
 detection:
    selection:
-        EventID: 4707
+        EventID: 4704
    keywords:
        - 'SeEnableDelegationPrivilege'
-    condition: selection and keywords
+    condition: all of them
 falsepositives: 
    - Unknown
 level: high
@@ -1,18 +1,24 @@
 title: Active Directory User Backdoors
-description: Detects scenarios where one can control another users account without having to use their credentials via msDS-AllowedToDelegateTo and or service principal names (SPN).
-reference:
+description: Detects scenarios where one can control another users or computers account without having to use their credentials.
+references:
    - https://msdn.microsoft.com/en-us/library/cc220234.aspx
    - https://adsecurity.org/?p=3466
+    - https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
 author: '@neu5ron'
+tags:
+    - attack.t1098
+    - attack.credential_access
+    - attack.persistence
 logsource:
    product: windows
    service: security
-    description1: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'
-    description2: 'Requirements: Audit Policy : DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes'
+    definition1: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'
+    definition2: 'Requirements: Audit Policy : DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes'
 detection:
    selection1:
        EventID: 4738
-        AllowedToDelegateTo: '*'
+    filter1:
+        AllowedToDelegateTo: null
    selection2:
        EventID: 5136
        AttributeLDAPDisplayName: 'msDS-AllowedToDelegateTo'
@@ -20,7 +26,10 @@ detection:
        EventID: 5136
        ObjectClass: 'user'
        AttributeLDAPDisplayName: 'servicePrincipalName'
-    condition: selection1 or selection2 or selection3
+    selection4:
+        EventID: 5136
+        AttributeLDAPDisplayName: 'msDS-AllowedToActOnBehalfOfOtherIdentity'        
+    condition: (selection1 and not filter1) or selection2 or selection3 or selection4
 falsepositives: 
    - Unknown
 level: high
@@ -1,13 +1,16 @@
-title: Detects Enabling of Weak Encryption and Kerberoast
+title: Weak Encryption Enabled and Kerberoast
 description: Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
-reference: 
+references:
    - https://adsecurity.org/?p=2053
    - https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
 author: '@neu5ron'
+tags:
+    - attack.defense_evasion
+    - attack.t1089
 logsource:
    product: windows
    service: security
-    description: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'
+    definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'
 detection:
    selection:
        EventID: 4738
@@ -1,9 +1,16 @@
 title: Hacktool Use
 description: This method detects well-known keywords, certain field combination that appear in Windows Eventlog when certain hack tools are used
 author: Florian Roth
+tags:
+    - attack.discovery
+    - attack.execution
+    - attack.t1087
+    - attack.t1075
+    - attack.t1114
+    - attack.t1059
 logsource:
    product: windows
-    service: system
+    service: security
 detection:
    # Ruler https://github.com/sensepost/ruler
    selection1:
@@ -0,0 +1,23 @@
+title: LSASS Access Detected via Attack Surface Reduction
+description: Detects Access to LSASS Process
+status: experimental
+references:
+    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter
+author: Markus Neis
+date: 2018/08/26
+tags:
+    - attack.credential_access
+    - attack.t1003
+# Defender Attack Surface Reduction
+logsource:
+    product: windows_defender
+    definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'
+detection:
+    selection:
+        EventID: 1121
+        Path: '*\lsass.exe'
+    condition: selection
+falsepositives:
+    - Google Chrome GoogleUpdate.exe
+    - Some Taskmgr.exe related activity
+level: high
@@ -1,6 +1,11 @@
-title: Mimikatz Usage
+title: Mimikatz Use
 description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
 author: Florian Roth
+tags:
+    - attack.s0002
+    - attack.t1003
+    - attack.lateral_movement
+    - attack.credential_access
 logsource:
    product: windows
 detection:
@@ -0,0 +1,26 @@
+title: Mimikatz DC Sync
+description: Detects Mimikatz DC sync security events
+status: experimental
+date: 2018/06/03
+author: Benjamin Delpy, Florian Roth
+references:
+    - https://twitter.com/gentilkiwi/status/1003236624925413376
+    - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
+tags:
+    - attack.credential_access
+    - attack.s0002
+    - attack.t1003
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 4662
+        Properties: 
+            - '*Replicating Directory Changes All*'
+            - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
+    condition: selection
+falsepositives:
+    - Unkown
+level: critical
+
@@ -1,22 +1,24 @@
 title: Disabling Windows Event Auditing
-description: >
-    Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario
+description: 'Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario
    where an entity would want to bypass local logging to evade detection when windows event logging is enabled and
    reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure
    that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc".
    Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off
-    specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.
-reference:
+    specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.'
+references:
    - https://bit.ly/WinLogsZero2Hero
+tags:
+    - attack.defense_evasion
+    - attack.t1054
 author: '@neu5ron'
 logsource:
    product: windows
    service: security
-    description: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Audit Policy Change'
+    definition: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Audit Policy Change'
 detection:
    selection:
        EventID: 4719
-        Message: 'removed'
+        AuditPolicyChanges: 'removed'
    condition: selection
 falsepositives: 
    - Unknown
@@ -1,17 +0,0 @@
-title: Eventlog Cleared
-status: experimental
-description: Detects a cleared Windows Eventlog as e.g. caused by "wevtutil cl" command execution  
-author: Florian Roth
-date: 2017/06/27
-reference: https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
-logsource:
-    product: windows
-    service: system
-detection:
-    selection:
-        EventID: 104
-        Source: Eventlog
-    condition: selection
-falsepositives:
-    - unknown
-level: high
@@ -0,0 +1,27 @@
+title: smbexec.py Service Installation
+description: Detects the use of smbexec.py tool by detecting a specific service installation
+author: Omer Faruk Celik
+date: 2018/03/20
+references:
+    - https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/
+tags:
+    - attack.lateral_movement
+    - attack.execution
+    - attack.t1077
+    - attack.t1035
+logsource:
+    product: windows
+    service: system
+detection:
+    service_installation:
+        EventID: 7045
+        ServiceName: 'BTOBTO'
+        ServiceFileName: '*\execute.bat'
+    condition: service_installation
+fields:
+    - ServiceName
+    - ServiceFileName
+falsepositives:
+    - Penetration Test
+    - Unknown
+level: critical
@@ -1,14 +1,19 @@
+---
+action: global
 title: Malicious Service Install
 description: This method detects well-known keywords of malicious services in the Windows System Eventlog 
 author: Florian Roth
+tags:
+    - attack.credential_access
+    - attack.t1003
+    - attack.s0005
 logsource:
    product: windows
    service: system
 detection:
-    selection:
+    selection1:
        EventID: 
          - 7045
-          - 4697
    keywords:
      - 'WCE SERVICE'
      - 'WCESERVICE'
@@ -16,7 +21,14 @@ detection:
    quarkspwdump:
        EventID: 16
        HiveName: '*\AppData\Local\Temp\SAM*.dmp'
-    condition: ( selection and keywords ) or quarkspwdump
+    condition: ( selection1 and keywords ) or ( selection2 and keywords ) or quarkspwdump
 falsepositives:
    - Unlikely
 level: high
+---
+logsource:
+    product: windows
+    service: security
+detection:
+    selection2:
+        EventID: 4697
@@ -1,32 +1,36 @@
-title: Malicious Service Installs
+title: Malicious Service Installations
 description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping and other suspicious activity
 author: Florian Roth
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1050
 logsource:
    product: windows
    service: system
 detection:
    selection:
        EventID: 7045
-    wce:
+    malsvc_wce:
        ServiceName: 
            - 'WCESERVICE'
            - 'WCE SERVICE'
-    paexec:
+    malsvc_paexec:
        ServiceFileName: '*\PAExec*'
-    winexe:
+    malsvc_winexe:
        ServiceFileName: 'winexesvc.exe*'
-    pwdumpx:
+    malsvc_pwdumpx:
        ServiceFileName: '*\DumpSvc.exe'
-    wannacry:
+    malsvc_wannacry:
        ServiceName: 'mssecsvc2.0'
-    persistence:
+    malsvc_persistence:
        ServiceFileName: '* net user *'
-    others:
+    malsvc_others:
        ServiceName:
            - 'pwdump*'
            - 'gsecdump*'
            - 'cachedump*'
-    condition: selection and ( wce or paexec or winexe or pwdumpx or wannacry or persistence or others )
+    condition: selection and 1 of malsvc_*
 falsepositives: 
    - Penetration testing
 level: critical
@@ -1,8 +1,14 @@
-title: WCE wceaux.dll access
+title: WCE wceaux.dll Access
 status: experimental
 description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
 author: Thomas Patzke
-reference: https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+references:
+    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+    - https://jpcertcc.github.io/ToolAnalysisResultSheet
+tags:
+    - attack.credential_access
+    - attack.t1003
+    - attack.s0005
 logsource:
    product: windows
    service: security
@@ -0,0 +1,41 @@
+--- 
+action: global
+title: NetNTLM Downgrade Attack
+description: Detects post exploitation using NetNTLM downgrade attacks
+references: 
+    - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
+author: Florian Roth
+date: 2018/03/20
+tags:
+    - attack.credential_access
+    - attack.t1212
+detection:
+    condition: 1 of them
+falsepositives:
+    - Unknown
+level: critical
+--- 
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        EventID: 13
+        TargetObject: 
+            - '*SYSTEM\\*ControlSet*\Control\Lsa\lmcompatibilitylevel'
+            - '*SYSTEM\\*ControlSet*\Control\Lsa\NtlmMinClientSec'
+            - '*SYSTEM\\*ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic'
+---
+# Windows Security Eventlog: Process Creation with Full Command Line
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
+detection:
+    selection2:
+        EventID: 4657
+        ObjectName: '\REGISTRY\MACHINE\SYSTEM\\*ControlSet*\Control\Lsa'
+        ObjectValueName: 
+            - 'LmCompatibilityLevel'
+            - 'NtlmMinClientSec'
+            - 'RestrictSendingNTLMTraffic'
@@ -0,0 +1,24 @@
+title: Successful Overpass the Hash Attempt
+status: experimental
+description: Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.
+references: 
+    - https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html
+author: Roberto Rodriguez (source), Dominik Schaudel (rule)
+date: 2018/02/12
+tags:
+    - attack.lateral_movement
+    - attack.t1075
+    - attack.s0002
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 4624
+        LogonType: 9
+        LogonProcessName: seclogo
+        AuthenticationPackageName: Negotiate
+    condition: selection
+falsepositives:
+    - Runas command-line tool using /netonly parameter
+level: high
@@ -1,22 +1,26 @@
-title: Detects Pass the Hash Activity
+title: Pass the Hash Activity
 status: experimental
 description: 'Detects the attack technique pass the hash which is used to move laterally inside the network'
-reference: https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
+references:
+    - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
 author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
+tags:
+    - attack.lateral_movement
+    - attack.t1075
 logsource:
    product: windows
    service: security
-    description: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625
+    definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625
 detection:
    selection:
        - EventID: 4624
          LogonType: '3'
-          LogonProcess: 'NtLmSsp'
+          LogonProcessName: 'NtLmSsp'
          WorkstationName: '%Workstations%'
          ComputerName: '%Workstations%'
        - EventID: 4625
          LogonType: '3'
-          LogonProcess: 'NtLmSsp'
+          LogonProcessName: 'NtLmSsp'
          WorkstationName: '%Workstations%'
          ComputerName: '%Workstations%'
    filter:
@@ -1,144 +0,0 @@
-title: Executable used by PlugX in Uncommon Location
-status: experimental
-description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
-reference: 
-    - 'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/'
-    - 'https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/'
-author: Florian Roth
-date: 2017/06/12
-logsource:
-    product: windows
-    service: security
-detection:
-
-    # CamMute
-    selection_cammute:
-        EventID: 4688
-        ProcessCommandLine: '*\CamMute.exe'
-    filter_cammute:
-        EventID: 4688
-        ProcessCommandLine: '*\Lenovo\Communication Utility\*'
-
-    # Chrome Frame Helper
-    selection_chrome_frame:
-        EventID: 4688
-        ProcessCommandLine: '*\chrome_frame_helper.exe'
-    filter_chrome_frame:
-        EventID: 4688
-        ProcessCommandLine: '*\Google\Chrome\application\*'    
-
-    # Microsoft Device Emulator
-    selection_devemu:
-        EventID: 4688
-        ProcessCommandLine: '*\dvcemumanager.exe'
-    filter_devemu:
-        EventID: 4688
-        ProcessCommandLine: '*\Microsoft Device Emulator\*'   
-
-    # Windows Media Player Gadget
-    selection_gadget:
-        EventID: 4688
-        ProcessCommandLine: '*\Gadget.exe'
-    filter_gadget:
-        EventID: 4688
-        ProcessCommandLine: '*\Windows Media Player\*'
-
-    # HTML Help Workshop
-    selection_hcc:
-        EventID: 4688
-        ProcessCommandLine: '*\hcc.exe'
-    filter_hcc:
-        EventID: 4688
-        ProcessCommandLine: '*\HTML Help Workshop\*'
-
-    # Hotkey Command Module for Intel Graphics Contollers
-    selection_hkcmd:
-        EventID: 4688
-        ProcessCommandLine: '*\hkcmd.exe'
-    filter_hkcmd:
-        EventID: 4688
-        ProcessCommandLine: 
-            - '*\System32\*'
-            - '*\SysNative\*'
-            - '*\SysWowo64\*'
-
-    # McAfee component
-    selection_mc:
-        EventID: 4688
-        ProcessCommandLine: '*\Mc.exe'
-    filter_mc:
-        EventID: 4688
-        ProcessCommandLine: 
-            - '*\Microsoft Visual Studio*'
-            - '*\Microsoft SDK*'
-            - '*\Windows Kit*'
-
-    # MsMpEng - Microsoft Malware Protection Engine
-    selection_msmpeng:
-        EventID: 4688
-        ProcessCommandLine: '*\MsMpEng.exe'
-    filter_msmpeng:
-        EventID: 4688
-        ProcessCommandLine: 
-            - '*\Microsoft Security Client\*'
-            - '*\Windows Defender\*'
-            - '*\AntiMalware\*'
-
-    # Microsoft Security Center
-    selection_msseces:
-        EventID: 4688
-        ProcessCommandLine: '*\msseces.exe'
-    filter_msseces:
-        EventID: 4688
-        ProcessCommandLine: '*\Microsoft Security Center\*'
-
-    # Microsoft Office 2003 OInfo
-    selection_oinfo:
-        EventID: 4688
-        ProcessCommandLine: '*\OInfoP11.exe'
-    filter_oinfo:
-        EventID: 4688
-        ProcessCommandLine: '*\Common Files\Microsoft Shared\*'      
-
-    # OLE View
-    selection_oleview:
-        EventID: 4688
-        ProcessCommandLine: '*\OleView.exe'
-    filter_oleview:
-        EventID: 4688
-        ProcessCommandLine: 
-            - '*\Microsoft Visual Studio*'
-            - '*\Microsoft SDK*'
-            - '*\Windows Kit*'   
-            - '*\Windows Resource Kit\*'
-
-    # RC
-    selection_rc:
-        EventID: 4688
-        ProcessCommandLine: '*\OleView.exe'
-    filter_rc:
-        EventID: 4688
-        ProcessCommandLine: 
-            - '*\Microsoft Visual Studio*'
-            - '*\Microsoft SDK*'
-            - '*\Windows Kit*'   
-            - '*\Windows Resource Kit\*'
-            - '*\Microsoft.NET\*'  
-
-    condition: ( selection_cammute and not filter_cammute ) or  
-                ( selection_chrome_frame and not filter_chrome_frame ) or
-                ( selection_devemu and not filter_devemu ) or
-                ( selection_gadget and not filter_gadget ) or 
-                ( selection_hcc and not filter_hcc ) or 
-                ( selection_hkcmd and not filter_hkcmd ) or 
-                ( selection_mc and not filter_mc ) or
-                ( selection_msmpeng and not filter_msmpeng ) or
-                ( selection_msseces and not filter_msseces ) or
-                ( selection_oinfo and not filter_oinfo ) or 
-                ( selection_oleview and not filter_oleview ) or 
-                ( selection_rc and not filter_rc ) 
-falsepositives:
-    - Unknown
-level: high
-
-
@@ -1,16 +1,21 @@
-title: Rare SchTasks Creations
+title: Rare Schtasks Creations
 description: Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code
 status: experimental
 author: Florian Roth
+tags:
+    - attack.execution
+    - attack.privilege_escalation
+    - attack.persistence
+    - attack.t1053
 logsource:
    product: windows
    service: security
-    description: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft). We also recommend extracting the Command field from the embedded XML in the event data.'
+    definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft). We also recommend extracting the Command field from the embedded XML in the event data.'
 detection:
    selection:
        EventID: 4698
    timeframe: 7d
-    condition: selection | count(TaskName) < 5 
+    condition: selection | count() by TaskName < 5 
 falsepositives: 
    - Software installation
    - Software updates
@@ -2,6 +2,10 @@ title: Rare Service Installs
 description: Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services 
 status: experimental
 author: Florian Roth
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1050
 logsource:
    product: windows
    service: system
@@ -9,8 +13,8 @@ detection:
    selection:
        EventID: 7045
    timeframe: 7d
-    condition: selection | count(ServiceFileName) < 5 
+    condition: selection | count() by ServiceFileName < 5 
 falsepositives: 
    - Software installation
    - Software updates
-level: low
+level: low
--- a/Show More
+++ b/Show More