Sigmatools release 0.18.1

ES and Readme from SOC Prime

CHANGELOG.md

@@ -6,6 +6,37 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html)
 from version 0.14.0.
 
+## 0.18.1 - 2020-08-25
+
+Release created for technical reasons (issues with extended README and PyPI), no real changes done.
+
+## 0.18.0 - 2020-08-25
+
+### Added
+
+* C# backend
+* STIX backend
+* Options to xpack-watcher backend (action_throttle_period, mail_from acaw, mail_profile and other)
+* More generic log sources
+* Windows Defender log sources
+* Generic DNS query log source
+* AppLocker log source
+
+### Changed
+
+* Improved backend and configuration descriptions
+* Microsoft Defender ATP mapping updated
+* Improved handling of wildcards in Elastic backends
+
+### Fixed
+
+* Powershell backend: key name was incorrectly added into regular expression
+* Grouping issue in Carbon Black backend
+* Handling of default field mapping in case field is referenced multiple from a rule
+* Code cleanup and various fixes
+* Log source mappings in configurations
+* Handling of conditional field mappings by Elastic backends
+
 ## 0.17.0 - 2020-06-12
 
 ### Added

Makefile

@@ -52,6 +52,7 @@ test-sigmac:
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight -c tools/config/arcsight.yml rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight-esm -c tools/config/arcsight.yml rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qradar -c tools/config/qradar.yml rules/ > /dev/null
+	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t stix -c tools/config/stix.yml -c tools/config/stix-qradar.yml -c tools/config/stix-windows.yml rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t limacharlie -c tools/config/limacharlie.yml rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t carbonblack -c tools/config/carbon-black.yml rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qualys -c tools/config/qualys.yml rules/ > /dev/null
@@ -61,6 +62,7 @@ test-sigmac:
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t crowdstrike -O rulecomment -c tools/config/crowdstrike.yml rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sql -c sysmon rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sqlite -c sysmon rules/ > /dev/null
+	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t csharp -c sysmon rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logiq -c sysmon rules/ > /dev/null
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=stable,logsource=windows,tag=attack.execution' rules/ > /dev/null
 	! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null

README.md

@@ -8,7 +8,7 @@ Generic Signature Format for SIEM Systems
 
 # What is Sigma
 
-Sigma is a generic and open signature format that allows you to describe relevant log events in a straight forward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others.
+Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others.
 
 Sigma is for log files what [Snort](https://www.snort.org/) is for network traffic and [YARA](https://github.com/VirusTotal/yara) is for files.
 
@@ -71,6 +71,12 @@ Florian wrote a short [rule creation tutorial](https://www.nextron-systems.com/2
 5. Convert a whole rule directory with `python sigmac -t splunk -r ../rules/proxy/`
 6. Check the `./tools/config` folder and the [wiki](https://github.com/Neo23x0/sigma/wiki/Converter-Tool-Sigmac) if you need custom field or log source mappings in your environment
 
+## Troubles / Troubleshooting / Help
+
+If you need help for a specific supported backend you can use e.g. `sigmac --backend-help elastalert-dsl`. More details on the usage of `sigmac` can be found in the dedicated [README.md](https://github.com/Neo23x0/sigma/blob/master/tools/README.md).
+
+Be sure to checkout the [guidance on backend specific settings](https://github.com/Neo23x0/sigma/blob/master/tools/README.md#choosing-the-right-sigmac) for `sigmac`.
+
 # Examples
 
 Windows 'Security' Eventlog: Access to LSASS Process with Certain Access Mask / Object Type (experimental)
@@ -202,6 +208,7 @@ tools/sigmac -t splunk -c ~/my-splunk-mapping.yml -c tools/config/generic/window
 * [Grep](https://www.gnu.org/software/grep/manual/grep.html) with Perl-compatible regular expression support
 * [LimaCharlie](https://limacharlie.io)
 * [ee-outliers](https://github.com/NVISO-BE/ee-outliers)
+* [Structured Threat Information Expression (STIX)](https://oasis-open.github.io/cti-documentation/stix/intro.html)
 
 Current work-in-progress
 * [Splunk Data Models](https://docs.splunk.com/Documentation/Splunk/7.1.0/Knowledge/Aboutdatamodels)

contrib/sigma2sumologic.py

@@ -124,7 +124,7 @@ def get_rule_as_sumologic(file):
     return "".join(output)
 
 if args.help:
-    parser_print_help()
+    parser.print_help()
 
 if args.conf:
     with open(args.conf, 'r') as ymlfile:

rules/cloud/aws_cloudtrail_disable_logging.yml

@@ -5,20 +5,22 @@ author: vitaliy0x1
 date: 2020/01/21
 description: Detects disabling, deleting and updating of a Trail
 references:
-  - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
+    - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
 logsource:
-  service: cloudtrail
+    service: cloudtrail
 detection:
-  selection_source:
-    - eventSource: cloudtrail.amazonaws.com
-  events:
-    - eventName:
-        - StopLogging
-        - UpdateTrail
-        - DeleteTrail
-  condition: selection_source AND events
+    selection_source:
+        - eventSource: cloudtrail.amazonaws.com
+    events:
+        - eventName:
+            - StopLogging
+            - UpdateTrail
+            - DeleteTrail
+    condition: selection_source AND events
 level: medium
 falsepositives:
     - Valid change in a Trail
 tags:
-  - attack.t1089
+    - attack.defense_evasion
+    - attack.t1089
+    - attack.t1562.001

rules/cloud/aws_config_disable_recording.yml

@@ -5,17 +5,19 @@ author: vitaliy0x1
 date: 2020/01/21
 description: Detects AWS Config Service disabling
 logsource:
-  service: cloudtrail
+    service: cloudtrail
 detection:
-  selection_source:
-    - eventSource: config.amazonaws.com
-  events:
-    - eventName:
-        - DeleteDeliveryChannel
-        - StopConfigurationRecorder
-  condition: selection_source AND events
+    selection_source:
+        - eventSource: config.amazonaws.com
+    events:
+        - eventName:
+            - DeleteDeliveryChannel
+            - StopConfigurationRecorder
+    condition: selection_source AND events
 level: high
 falsepositives:
     - Valid change in AWS Config Service
 tags:
-  - attack.t1089
+    - attack.defense_evasion
+    - attack.t1089
+    - attack.t1562.001

rules/cloud/aws_ec2_startup_script_change.yml

@@ -21,3 +21,4 @@ falsepositives:
     - Valid changes to the startup script
 tags:
     - attack.t1064
+    - attack.t1059

rules/cloud/aws_guardduty_disruption.yml

@@ -18,4 +18,6 @@ level: high
 falsepositives:
     - Valid change in the GuardDuty (e.g. to ignore internal scanners)
 tags:
+    - attack.defense_evasion
     - attack.t1089
+    - attack.t1562.001

rules/compliance/cleartext_protocols.yml

@@ -30,8 +30,6 @@ tags:
     - NIST CSF 1.1 PR.AC-7
     - NIST CSF 1.1 PR.DS-1
     - NIST CSF 1.1 PR.DS-2
-    - NIST CSF 1.1 PR.PT-3
-    - NIST CSF 1.1 PR.PT-3
     - ISO 27002-2013 A.9.2.1
     - ISO 27002-2013 A.9.2.2
     - ISO 27002-2013 A.9.2.3

rules/linux/auditd/lnx_auditd_alter_bash_profile.yml

@@ -9,6 +9,7 @@ tags:
     - attack.s0003
     - attack.t1156
     - attack.persistence
+    - attack.t1546.004
 author: Peter Matkovski
 logsource:
     product: linux

rules/linux/auditd/lnx_auditd_auditing_config_change.yml

@@ -11,6 +11,7 @@ references:
 tags:
     - attack.defense_evasion
     - attack.t1054
+    - attack.t1562.006
 author: Mikhail Larin, oscd.community
 status: experimental
 date: 2019/10/25

rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml

@@ -6,11 +6,11 @@ author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.
 date: 2019/10/24
 modified: 2019/11/11
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.yaml
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.yaml
     - https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
 tags:
     - attack.defense_evasion
-    - attack.t1055
+    - attack.t1574.006
 logsource:
     product: linux
     service: auditd

rules/linux/auditd/lnx_auditd_logging_config_change.yml

@@ -10,6 +10,7 @@ references:
 tags:
     - attack.defense_evasion
     - attack.t1054
+    - attack.t1562.006
 author: Mikhail Larin, oscd.community
 status: experimental
 date: 2019/10/25

rules/linux/auditd/lnx_auditd_masquerading_crond.yml

@@ -6,7 +6,10 @@ description: Masquerading occurs when the name or location of an executable, leg
 author: Timur Zinniatullin, oscd.community
 date: 2019/10/21
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.yaml
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml
+tags:
+    - attack.defense_evasion
+    - attack.t1036.003
 logsource:
     product: linux
     service: auditd
@@ -19,6 +22,3 @@ detection:
         a3: '*/crond'
     condition: selection
 level: medium
-tags:
-    - attack.defense_evasion
-    - attack.t1036

rules/linux/auditd/lnx_auditd_susp_cmds.yml

@@ -4,6 +4,9 @@ status: experimental
 description: Detects relevant commands often related to malware or hacking activity
 references:
     - Internal Research - mostly derived from exploit code including code in MSF
+tags:
+    - attack.execution
+    - attack.t1059.004
 date: 2017/12/12
 author: Florian Roth
 logsource:

rules/linux/auditd/lnx_auditd_web_rce.yml

@@ -4,7 +4,7 @@ status: experimental
 description: Detects posible command execution by web application/web shell
 tags:
     - attack.persistence
-    - attack.t1100
+    - attack.t1505.003
 references:
     - personal experience
 author: Ilyas Ochkov, Beyu Denis, oscd.community

rules/linux/auditd/lnx_data_compressed.yml

@@ -1,13 +1,15 @@
 title: Data Compressed
 id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee
 status: experimental
-description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount
-    of data sent over the network
+description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
 author: Timur Zinniatullin, oscd.community
 date: 2019/10/21
 modified: 2019/11/04
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.yaml
+tags:
+    - attack.exfiltration
+    - attack.t1560.001
 logsource:
     product: linux
     service: auditd
@@ -27,6 +29,3 @@ detection:
 falsepositives:
     - Legitimate use of archiving tools by legitimate user
 level: low
-tags:
-    - attack.exfiltration
-    - attack.t1002

rules/linux/lnx_apt_equationgroup_lnx.yml

@@ -6,7 +6,7 @@ references:
 tags:
     - attack.execution
     - attack.g0020
-    - attack.t1059
+    - attack.t1059.004
 author: Florian Roth
 date: 2017/04/09
 logsource:

rules/linux/lnx_chattr_immutable_removal.yml

@@ -4,7 +4,7 @@ description: Detects removing immutable file attribute
 status: experimental
 tags:
     - attack.defense_evasion
-    - attack.t1222
+    - attack.t1222.002
 author: Jakob Weinzettl, oscd.community
 date: 2019/09/23
 logsource:
@@ -20,4 +20,4 @@ falsepositives:
     - Administrator interacting with immutable files (for instance backups)
 level: medium
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.yaml

rules/linux/lnx_file_copy.yml

@@ -0,0 +1,27 @@
+title: Remote File Copy
+id: 7a14080d-a048-4de8-ae58-604ce58a795b
+description: Detects the use of tools that copy files from or to remote systems
+references:
+    - https://attack.mitre.org/techniques/T1105/
+author: Ömer Günal
+date: 2020/06/18
+tags:
+    - attack.command_and_control
+    - attack.lateral_movement
+    - attack.t1105
+level: low
+logsource:
+    product: linux
+detection:
+    keywords:
+        - Scp|contains:
+          - 'scp * *@*:*'
+          - 'scp *@*:* *'
+        - Rsync|contains:
+          - 'rsync -r *@*:* *'
+          - 'rsync -r * *@*:*'
+        - Sftp|contains:
+          - 'sftp *@*:* *'
+    condition: keywords
+falsepositives:
+    - Legitimate administration activities

rules/linux/lnx_file_or_folder_permissions.yml

@@ -1,10 +1,10 @@
 title: File or Folder Permissions Change
-description: Detects 
+description: Detects
 id: 74c01ace-0152-4094-8ae2-6fd776dd43e5
 status: experimental
 tags:
     - attack.defense_evasion
-    - attack.t1222
+    - attack.t1222.002
 author: Jakob Weinzettl, oscd.community
 date: 2019/09/23
 logsource:
@@ -21,4 +21,4 @@ falsepositives:
     - User interracting with files permissions (normal/daily behaviour)
 level: low
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.yaml

rules/linux/lnx_pers_systemd_reload.yml

@@ -4,7 +4,7 @@ description: Detects a reload or a start of a service
 status: experimental
 tags:
     - attack.persistence
-    - attack.t1501
+    - attack.t1543.002
 author: Jakob Weinzettl, oscd.community
 date: 2019/09/23
 logsource:
@@ -23,5 +23,5 @@ falsepositives:
     - Legitimate reconfiguration of service
 level: low
 references:
-    - https://attack.mitre.org/techniques/T1501/
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1501/T1501.yaml
+    - https://attack.mitre.org/techniques/T1543/002/
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.yaml

rules/linux/lnx_shell_clear_cmd_history.yml

@@ -7,22 +7,22 @@ description: Clear command history in linux which is used for defense evasion.
     # It monitors the size of .bash_history and log the words "empty_bash_history" whenever a previously not empty bash_history becomes empty
     # We define an empty file as a document with 0 or 1 lines (it can be a line with only one space character for example)
     # It has two advantages over the version suggested by Patrick Bareiss  :
-    #   - it is not relative to the exact command used to clear .bash_history : for instance Caldera uses "> .bash_history" to clear the history and this is not one the commands listed here. We can't be exhaustive for all the possibilities ! 
-    #   - the method suggested by Patrick Bareiss logs all the commands entered directly in a bash shell. therefore it may miss some events (for instance it doesn't log the commands launched from a Caldera agent). Here if .bash_history is cleared, it will always be detected 
+    #   - it is not relative to the exact command used to clear .bash_history : for instance Caldera uses "> .bash_history" to clear the history and this is not one the commands listed here. We can't be exhaustive for all the possibilities !
+    #   - the method suggested by Patrick Bareiss logs all the commands entered directly in a bash shell. therefore it may miss some events (for instance it doesn't log the commands launched from a Caldera agent). Here if .bash_history is cleared, it will always be detected
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1146/T1146.yaml
-    - https://attack.mitre.org/techniques/T1146/
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.yaml
+    - https://attack.mitre.org/techniques/T1070/003/
     - https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics
 author: Patrick Bareiss
 date: 2019/03/24
-modified: 2020/05/28
+modified: 2020/07/13
 logsource:
     product: linux
 detection:
     keywords:
         - 'rm *bash_history'
         - 'echo "" > *bash_history'
-        - 'cat /dev/null > *bash_history' 
+        - 'cat /dev/null > *bash_history'
         - 'ln -sf /dev/null *bash_history'
         - 'truncate -s0 *bash_history'
         # - 'unset HISTFILE'  # prone to false positives
@@ -37,4 +37,4 @@ falsepositives:
 level: high
 tags:
     - attack.defense_evasion
-    - attack.t1146
+    - attack.t1070.003

rules/linux/lnx_shell_priv_esc_prep.yml

@@ -8,8 +8,8 @@ references:
 author: Patrick Bareiss
 date: 2019/04/05
 tags:
-    - attack.privilege_escalation
-    - attack.t1068
+    - attack.execution
+    - attack.t1059.004
 level: medium
 logsource:
     product: linux

rules/linux/lnx_shell_susp_commands.yml

@@ -6,6 +6,9 @@ references:
     - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121
     - http://pastebin.com/FtygZ1cg
     - https://artkond.com/2017/03/23/pivoting-guide/
+tags:
+    - attack.execution
+    - attack.t1059.004
 author: Florian Roth
 date: 2017/08/21
 modified: 2019/02/05
@@ -24,11 +27,11 @@ detection:
         - 'socat -O /tmp/*'
         - 'socat tcp-connect*'
         - '*echo binary >>*'
-        # Malware 
+        # Malware
         - '*wget *; chmod +x*'
         - '*wget *; chmod 777 *'
         - '*cd /tmp || cd /var/run || cd /mnt*'
-        # Apache Struts in-the-wild exploit codes  
+        # Apache Struts in-the-wild exploit codes
         - '*stop;service iptables stop;*'
         - '*stop;SuSEfirewall2 stop;*'
         - 'chmod 777 2020*'

rules/linux/lnx_shell_susp_rev_shells.yml

@@ -4,6 +4,9 @@ status: experimental
 description: Detects suspicious shell commands or program code that may be exected or used in command line to establish a reverse shell
 references:
     - https://alamot.github.io/reverse_shells/
+tags:
+    - attack.execution
+    - attack.t1059.004
 author: Florian Roth
 date: 2019/04/02
 logsource:

rules/linux/lnx_susp_guacamole.yml

@@ -0,0 +1,19 @@
+title: Guacamole Two Users Sharing Session Anomaly
+status: experimental
+id: 1edd77db-0669-4fef-9598-165bda82826d
+description: Detects suspicious session with two users present
+references:
+    - https://research.checkpoint.com/2020/apache-guacamole-rce/
+author: Florian Roth
+date: 2020/07/03
+logsource:
+    product: linux
+    service: guacamole
+detection:
+    selection:
+        - '(2 users now present)'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
+

rules/linux/lnx_susp_jexboss.yml

@@ -3,12 +3,15 @@ id: 8ec2c8b4-557a-4121-b87c-5dfb3a602fae
 description: Detects suspicious command sequence that JexBoss
 references:
     - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
+tags:
+    - attack.execution
+    - attack.t1059.004
 author: Florian Roth
 date: 2017/08/24
 logsource:
     product: linux
 detection:
-    selection1: 
+    selection1:
         - 'bash -c /bin/bash'
     selection2:
         - '&/dev/tcp/'

rules/network/cisco/aaa/cisco_cli_clear_logs.yml

@@ -11,6 +11,7 @@ tags:
     - attack.defense_evasion
     - attack.t1146
     - attack.t1070
+    - attack.t1070.003
 logsource:
     product: cisco
     service: aaa

rules/network/cisco/aaa/cisco_cli_collect_data.yml

@@ -17,6 +17,7 @@ tags:
     - attack.t1003
     - attack.t1081
     - attack.t1005
+    - attack.t1552.001
 logsource:
     product: cisco
     service: aaa

rules/network/cisco/aaa/cisco_cli_crypto_actions.yml

@@ -12,6 +12,8 @@ tags:
     - attack.defense_evasion
     - attack.t1130
     - attack.t1145
+    - attack.t1553.004
+    - attack.t1552.004
 logsource:
     product: cisco
     service: aaa

rules/network/cisco/aaa/cisco_cli_disable_logging.yml

@@ -9,6 +9,7 @@ date: 2019/08/11
 tags:
     - attack.defense_evasion
     - attack.t1089
+    - attack.t1562.001
 logsource:
     product: cisco
     service: aaa

rules/network/cisco/aaa/cisco_cli_file_deletion.yml

@@ -14,6 +14,9 @@ tags:
     - attack.t1107
     - attack.t1488
     - attack.t1487
+    - attack.t1561.002
+    - attack.t1070.004
+    - attack.t1561.001
 logsource:
     product: cisco
     service: aaa

rules/network/cisco/aaa/cisco_cli_input_capture.yml

@@ -12,6 +12,7 @@ tags:
     - attack.credential_access
     - attack.t1139
     - attack.t1056
+    - attack.t1552.003
 logsource:
     product: cisco
     service: aaa

rules/network/cisco/aaa/cisco_cli_modify_config.yml

@@ -16,6 +16,9 @@ tags:
     - attack.t1100
     - attack.t1168
     - attack.t1490
+    - attack.t1565.002
+    - attack.t1505
+    - attack.t1053
 logsource:
     product: cisco
     service: aaa

rules/network/cisco/aaa/cisco_cli_moving_data.yml

@@ -19,6 +19,8 @@ tags:
     - attack.t1105
     - attack.t1492
     - attack.t1002
+    - attack.t1560
+    - attack.t1565.001
 logsource:
     product: cisco
     service: aaa

rules/network/net_susp_dns_txt_exec_strings.yml

@@ -7,17 +7,18 @@ references:
     - https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1
 tags:
     - attack.t1071
+    - attack.t1071.004
 author: Markus Neis
 date: 2018/08/08
 logsource:
     category: dns
 detection:
     selection:
-            record_type: 'TXT'
-            answer:
-                - '*IEX*'
-                - '*Invoke-Expression*'
-                - '*cmd.exe*'
+        record_type: 'TXT'
+        answer:
+            - '*IEX*'
+            - '*Invoke-Expression*'
+            - '*cmd.exe*'
     condition: selection
 falsepositives:
     - Unknown

rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml

@@ -6,46 +6,48 @@ date: 2020/03/19
 references:
     - https://github.com/mitre-attack/bzar#indicators-for-attck-execution
 tags:
-  - attack.execution
-  - attack.t1035
-  - attack.t1047
-  - attack.t1053
+    - attack.execution
+    - attack.t1035
+    - attack.t1047
+    - attack.t1053
+    - attack.t1053.002
+    - attack.t1569.002
 logsource:
-  product: zeek
-  service: dce_rpc
+    product: zeek
+    service: dce_rpc
 detection:
-  op1:
-    endpoint: 'JobAdd'
-    operation: 'atsvc'
-  op2:
-    endpoint: 'ITaskSchedulerService'
-    operation: 'SchRpcEnableTask'
-  op3:
-    endpoint: 'ITaskSchedulerService'
-    operation: 'SchRpcRegisterTask'
-  op4:
-    endpoint: 'ITaskSchedulerService'
-    operation: 'SchRpcRun'
-  op5:
-    endpoint: 'IWbemServices'
-    operation: 'ExecMethod'
-  op6:
-    endpoint: 'IWbemServices'
-    operation: 'ExecMethodAsync'
-  op7:
-    endpoint: 'svcctl'
-    operation: 'CreateServiceA'
-  op8:
-    endpoint: 'svcctl'
-    operation: 'CreateServiceW'
-  op9:
-    endpoint: 'svcctl'
-    operation: 'StartServiceA'
-  op10:
-    endpoint: 'svcctl'
-    operation: 'StartServiceW'
-  condition: 1 of them
+    op1:
+        endpoint: 'JobAdd'
+        operation: 'atsvc'
+    op2:
+        endpoint: 'ITaskSchedulerService'
+        operation: 'SchRpcEnableTask'
+    op3:
+        endpoint: 'ITaskSchedulerService'
+        operation: 'SchRpcRegisterTask'
+    op4:
+        endpoint: 'ITaskSchedulerService'
+        operation: 'SchRpcRun'
+    op5:
+        endpoint: 'IWbemServices'
+        operation: 'ExecMethod'
+    op6:
+        endpoint: 'IWbemServices'
+        operation: 'ExecMethodAsync'
+    op7:
+        endpoint: 'svcctl'
+        operation: 'CreateServiceA'
+    op8:
+        endpoint: 'svcctl'
+        operation: 'CreateServiceW'
+    op9:
+        endpoint: 'svcctl'
+        operation: 'StartServiceA'
+    op10:
+        endpoint: 'svcctl'
+        operation: 'StartServiceW'
+    condition: 1 of them
 falsepositives:
     - 'Windows administrator tasks or troubleshooting'
     - 'Windows management scripts or software'
-level: medium
+level: medium

rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml

@@ -8,30 +8,31 @@ references:
 tags:
     - attack.persistence
     - attack.t1004
+    - attack.t1547.004
 logsource:
-  product: zeek
-  service: dce_rpc
+    product: zeek
+    service: dce_rpc
 detection:
-  op1:
-    endpoint: 'spoolss'
-    operation: 'RpcAddMonitor'
-  op2:
-    endpoint: 'spoolss'
-    operation: 'RpcAddPrintProcessor'
-  op3:
-    endpoint: 'IRemoteWinspool'
-    operation: 'RpcAsyncAddMonitor'
-  op4:
-    endpoint: 'IRemoteWinspool'
-    operation: 'RpcAsyncAddPrintProcessor'
-  op5:
-    endpoint: 'ISecLogon'
-    operation: 'SeclCreateProcessWithLogonW'
-  op6:
-    endpoint: 'ISecLogon'
-    operation: 'SeclCreateProcessWithLogonExW'
-  condition: 1 of them
+    op1:
+        endpoint: 'spoolss'
+        operation: 'RpcAddMonitor'
+    op2:
+        endpoint: 'spoolss'
+        operation: 'RpcAddPrintProcessor'
+    op3:
+        endpoint: 'IRemoteWinspool'
+        operation: 'RpcAsyncAddMonitor'
+    op4:
+        endpoint: 'IRemoteWinspool'
+        operation: 'RpcAsyncAddPrintProcessor'
+    op5:
+        endpoint: 'ISecLogon'
+        operation: 'SeclCreateProcessWithLogonW'
+    op6:
+        endpoint: 'ISecLogon'
+        operation: 'SeclCreateProcessWithLogonExW'
+    condition: 1 of them
 falsepositives:
     - 'Windows administrator tasks or troubleshooting'
     - 'Windows management scripts or software'
-level: medium
+level: medium

rules/network/zeek/zeek_http_executable_download_from_webdav.yml

@@ -8,9 +8,10 @@ references:
 tags:
     - attack.command_and_control
     - attack.t1043
+    - attack.t1571
 logsource:
-  product: zeek
-  service: http
+    product: zeek
+    service: http
 date: 2020/05/01
 detection:
     selection_webdav:
@@ -23,4 +24,4 @@ detection:
 falsepositives:
     - unknown
 level: medium
-status: experimental
+status: experimental

rules/network/zeek/zeek_rdp_public_listener.yml

@@ -0,0 +1,45 @@
+title: Publicly Accessible RDP Service
+id: 1fc0809e-06bf-4de3-ad52-25e5263b7623
+status: experimental
+description: Detects connections from routable IPs to an RDP listener - which is indicative of a publicly-accessible RDP service.
+references:
+    - https://attack.mitre.org/techniques/T1021/001/
+tags:
+    - attack.t1021
+    - attack.t1021.001
+author: 'Josh Brower @DefensiveDepth'
+date: 2020/08/22 
+logsource:
+    product: zeek
+    service: rdp
+detection:
+    selection:
+      src_ip|startswith:
+        - '192.168.'
+        - '10.'
+        - '172.16.'
+        - '172.17.'
+        - '172.18.'
+        - '172.19.'
+        - '172.20.'
+        - '172.21.'
+        - '172.22.'
+        - '172.23.'
+        - '172.24.'
+        - '172.25.'
+        - '172.26.'
+        - '172.27.'
+        - '172.28.'
+        - '172.29.'
+        - '172.30.'
+        - '172.31.'
+    #approved_rdp:
+      #dst_ip:
+        #- x.x.x.x
+    condition: not selection #and not approved_rdp
+fields:
+    - src_ip
+    - dst_ip
+falsepositives:
+    - none
+level: high

rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml

@@ -1,5 +1,5 @@
 title: Remote Task Creation via ATSVC Named Pipe - Zeek
-id: f6de6525-4509-495a-8a82-1f8b0ed73a00
+id: dde85b37-40cd-4a94-b00c-0b8794f956b5
 description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
 author: 'Samir Bousseaden, @neu5rn'
 date: 2020/04/03
@@ -11,6 +11,7 @@ tags:
     - attack.t1053
     - car.2013-05-004
     - car.2015-04-001
+    - attack.t1053.002
 logsource:
     product: zeek
     service: smb_files

rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml

@@ -8,14 +8,17 @@ references:
 tags:
     - attack.credential_access
     - attack.t1003
+    - attack.t1003.002
+    - attack.t1003.004
+    - attack.t1003.003
 logsource:
     product: zeek
     service: smb_files
 detection:
-  selection:
-    path: '\\*ADMIN$'
-    name: '*SYSTEM32\\*.tmp'
-  condition: selection
+    selection:
+        path: '\\*ADMIN$'
+        name: '*SYSTEM32\\*.tmp'
+    condition: selection
 falsepositives:
     - 'unknown'
 level: high

rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml

@@ -1,14 +1,14 @@
 title: First Time Seen Remote Named Pipe - Zeek
-id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
-description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec
-    using named pipes
+id: 021310d9-30a6-480a-84b7-eaa69aeb92bb
+description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
 author: 'Samir Bousseaden, @neu5ron'
 date: 2020/04/02
 references:
     - https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_lm_namedpipe.yml
-tags: 
+tags:
     - attack.lateral_movement
     - attack.t1077
+    - attack.t1021.002
 logsource:
     product: zeek
     service: smb_files
@@ -18,23 +18,23 @@ detection:
     selection2:
         path: \\*\IPC$
         name:
-         - 'atsvc'
-         - 'samr'
-         - 'lsarpc'
-         - 'winreg'
-         - 'netlogon'
-         - 'srvsvc'
-         - 'protected_storage'
-         - 'wkssvc'
-         - 'browser'
-         - 'netdfs'
-         - 'svcctl'
-         - 'spoolss'
-         - 'ntsvcs'
-         - 'LSM_API_service'
-         - 'HydraLsPipe'
-         - 'TermSrv_API_service'
-         - 'MsFteWds'
+            - 'atsvc'
+            - 'samr'
+            - 'lsarpc'
+            - 'winreg'
+            - 'netlogon'
+            - 'srvsvc'
+            - 'protected_storage'
+            - 'wkssvc'
+            - 'browser'
+            - 'netdfs'
+            - 'svcctl'
+            - 'spoolss'
+            - 'ntsvcs'
+            - 'LSM_API_service'
+            - 'HydraLsPipe'
+            - 'TermSrv_API_service'
+            - 'MsFteWds'
     condition: selection1 and not selection2
 falsepositives:
     - update the excluded named pipe to filter out any newly observed legit named pipe

rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml

@@ -8,6 +8,7 @@ references:
 tags:
     - attack.lateral_movement
     - attack.t1077
+    - attack.t1021.002
 logsource:
     product: zeek
     service: smb_files
@@ -15,9 +16,9 @@ detection:
     selection1:
         path: \\*\IPC$
         name:
-         - '*-stdin'
-         - '*-stdout'
-         - '*-stderr'
+            - '*-stdin'
+            - '*-stdout'
+            - '*-stderr'
     selection2:
         name: \\*\IPC$
         path: 'PSEXESVC*'

rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml

@@ -3,7 +3,8 @@ id: 286b47ed-f6fe-40b3-b3a8-35129acd43bc
 description: Detects known sensitive file extensions via Zeek
 author: 'Samir Bousseaden, @neu5ron'
 date: 2020/04/02
-references: https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
+references: 
+  - https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml
 tags:
   - attack.collection
 logsource:

rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml

@@ -4,26 +4,29 @@ description: Transferring files with well-known filenames (sensitive files with
 author: '@neu5ron, Teymur Kheirkhabarov, oscd.community'
 date: 2020/04/02
 references:
-  - https://github.com/neo23x0/sigma/blob/373424f14574facf9e261d5c822345a282b91479/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml
+    - https://github.com/neo23x0/sigma/blob/373424f14574facf9e261d5c822345a282b91479/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml
 tags:
-  - attack.credential_access
-  - attack.t1003
+    - attack.credential_access
+    - attack.t1003
+    - attack.t1003.002
+    - attack.t1003.001
+    - attack.t1003.003
 logsource:
-  product: zeek
-  service: smb_files
+    product: zeek
+    service: smb_files
 detection:
-  selection:
-    name:
-      - '\mimidrv'
-      - '\lsass'
-      - '\windows\minidump\'
-      - '\hiberfil'
-      - '\sqldmpr'
-      - '\sam'
-      - '\ntds.dit'
-      - '\security'      
-  condition: selection
+    selection:
+        name:
+            - '\mimidrv'
+            - '\lsass'
+            - '\windows\minidump\'
+            - '\hiberfil'
+            - '\sqldmpr'
+            - '\sam'
+            - '\ntds.dit'
+            - '\security'
+    condition: selection
 falsepositives:
     - Transferring sensitive files for legitimate administration work by legitimate administrator
 level: medium
-status: experimental
+status: experimental

rules/network/zeek/zeek_susp_kerberos_rc4.yml

@@ -8,6 +8,7 @@ references:
 tags:
     - attack.credential_access
     - attack.t1208
+    - attack.t1558.003
 logsource:
     product: zeek
     service: kerberos

rules/proxy/proxy_empire_ua_uri_combos.yml

@@ -0,0 +1,25 @@
+title: Empire UserAgent URI Combo
+id: b923f7d6-ac89-4a50-a71a-89fb846b4aa8
+status: experimental
+description: Detects user agent and URI paths used by empire agents
+references:
+    - https://github.com/BC-SECURITY/Empire
+author: Florian Roth
+date: 2020/07/13
+logsource:
+    category: proxy
+detection:
+    selection:
+        c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
+        cs-uri-query:
+            - '/admin/get.php'
+            - '/news.php'
+            - '/login/process.php'
+        cs-method: 'POST'
+    condition: selection
+fields:
+    - c-uri
+    - c-ip
+falsepositives:
+    - Valid requests with this exact user agent to server scripts of the defined names
+level: high

rules/proxy/proxy_pwndrop.yml

@@ -0,0 +1,21 @@
+title: PwnDrp Access
+id: 2b1ee7e4-89b6-4739-b7bb-b811b6607e5e
+status: experimental
+description: Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
+references:
+    - https://breakdev.org/pwndrop/
+author: Florian Roth
+date: 2020/04/15
+logsource:
+    category: proxy
+detection:
+    selection:
+        c-uri|contains: '/pwndrop/'
+    condition: selection
+fields:
+    - ClientIP
+    - c-uri
+    - c-useragent
+falsepositives:
+    - Unknown
+level: critical

rules/web/web_citrix_cve_2019_19781_exploit.yml

@@ -13,7 +13,7 @@ date: 2020/01/02
 modified: 2020/03/14
 logsource:
     category: webserver
-    description: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt). The directory traversal with ../ might not be needed on certain cloud instances or for authenticated users, so we also check for direct paths. All scripts in portal/scripts are exploitable except logout.pl.'
+    definition: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt). The directory traversal with ../ might not be needed on certain cloud instances or for authenticated users, so we also check for direct paths. All scripts in portal/scripts are exploitable except logout.pl.'
 detection:
     selection:
         c-uri: 

rules/web/web_citrix_cve_2020_8193_8195_exploit.yml

@@ -0,0 +1,34 @@
+title: Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195
+description: Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195
+id: 0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7
+references:
+    - https://support.citrix.com/article/CTX276688
+    - https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/
+    - https://dmaasland.github.io/posts/citrix.html
+author: Florian Roth
+status: experimental
+date: 2020/07/10
+tags:
+    - attack.initial_access
+    - attack.t1190
+logsource:
+    category: webserver
+detection:
+    selection1:
+        c-uri|contains: 
+            - '/rapi/filedownload?filter=path:%2F'
+    selection2:
+        c-uri|contains|all:
+            - '/pcidss/report'
+            - 'type=all_signatures'
+            - 'sig_name=_default_signature_'
+    condition: 1 of them
+fields:
+    - client_ip
+    - vhost
+    - url
+    - response
+falsepositives:
+    - Unknown
+level: critical
+

rules/web/web_cve_2018_2894_weblogic_exploit.yml

@@ -13,7 +13,7 @@ logsource:
     category: webserver
 detection:
     selection:
-        c-uri: 
+        c-uri:
             - '*/config/keystore/*.js*'
     condition: selection
 fields:
@@ -28,5 +28,6 @@ tags:
     - attack.persistence
     - attack.privilege_escalation
     - cve.2018-2894
+    - attack.t1505
 level: critical
 

rules/web/web_cve_2020_5902_f5_bigip.yml

@@ -0,0 +1,34 @@
+title: CVE-2020-5902 F5 BIG-IP Exploitation Attempt
+id: 44b53b1c-e60f-4a7b-948e-3435a7918478
+status: experimental
+description: Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902
+references:
+    - https://support.f5.com/csp/article/K52145254
+    - https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/
+    - https://twitter.com/yorickkoster/status/1279709009151434754
+    - https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/
+author: Florian Roth
+date: 2020/07/05
+modified: 2020/07/07
+logsource:
+    category: webserver
+detection:
+    selection_base:
+        c-uri|contains: 
+            - '/tmui/'
+            - '/hsqldb'
+    selection_traversal:
+        c-uri|contains:
+            - '..;/'
+            - '.jsp/..'
+    condition: selection_base and selection_traversal
+fields:
+    - c-ip
+    - c-dns
+falsepositives:
+    - Unknown
+tags:
+    - attack.initial_access
+    - attack.t1190
+level: critical
+

rules/web/win_webshell_regeorg.yml

@@ -0,0 +1,37 @@
+title: Webshell ReGeorg Detection Via Web Logs
+id: 2ea44a60-cfda-11ea-87d0-0242ac130003
+status: experimental
+description: Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.
+author: Cian Heasley
+reference:
+    - https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3
+    - https://github.com/sensepost/reGeorg
+date: 2020/08/04
+tags:
+    - attack.privilege_escalation
+    - attack.persistence
+    - attack.t1100
+    - attack.t1505.003
+logsource:
+    category: webserver
+detection:
+    selection:
+        uri_query|contains:
+            - '*cmd=read*'
+            - '*connect&target*'
+            - '*cmd=connect*'
+            - '*cmd=disconnect*'
+            - '*cmd=forward*'
+    filter:
+        referer: null
+        useragent: null
+        method: POST
+    condition: selection and filter
+fields:
+    - uri_query
+    - referer
+    - method
+    - useragent
+falsepositives:
+    - web applications that use the same URL parameters as ReGeorg
+level: high

rules/windows/builtin/win_GPO_scheduledtasks.yml

@@ -10,10 +10,11 @@ tags:
     - attack.persistence
     - attack.lateral_movement
     - attack.t1053
+    - attack.t1053.005
 logsource:
     product: windows
     service: security
-    description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
+    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
 detection:
     selection:
         EventID: 5145

rules/windows/builtin/win_ad_object_writedac_access.yml

@@ -16,7 +16,7 @@ detection:
     selection: 
         EventID: 4662
         ObjectServer: 'DS'
-        AccessMask: 0x40000
+        AccessMask: '0x40000'
         ObjectType:
             - '19195a5b-6da0-11d0-afd3-00c04fd930c9'
             - 'domainDNS'

rules/windows/builtin/win_admin_share_access.yml

@@ -4,6 +4,7 @@ description: Detects access to $ADMIN share
 tags:
     - attack.lateral_movement
     - attack.t1077
+    - attack.t1021.002
 status: experimental
 author: Florian Roth
 date: 2017/03/04

rules/windows/builtin/win_alert_ad_user_backdoors.yml

@@ -14,8 +14,8 @@ tags:
 logsource:
     product: windows
     service: security
-    definition1: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'
-    definition2: 'Requirements: Audit Policy : DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes'
+    definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management, 
+        DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes'
 detection:
     selection1:
         EventID: 4738

rules/windows/builtin/win_alert_enable_weak_encryption.yml

@@ -9,6 +9,7 @@ date: 2017/07/30
 tags:
     - attack.defense_evasion
     - attack.t1089
+    - attack.t1562.001
 logsource:
     product: windows
     service: security
@@ -18,9 +19,9 @@ detection:
         EventID: 4738
     keywords:
         Message:
-        - '*DES*'
-        - '*Preauth*'
-        - '*Encrypted*'
+            - '*DES*'
+            - '*Preauth*'
+            - '*Encrypted*'
     filters:
         Message:
             - '*Enabled*'

rules/windows/builtin/win_alert_lsass_access.yml

@@ -10,6 +10,7 @@ tags:
     - attack.credential_access
     - attack.t1003
 # Defender Attack Surface Reduction
+    - attack.t1003.001
 logsource:
     product: windows_defender
     definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'

rules/windows/builtin/win_alert_mimikatz_keywords.yml

@@ -1,7 +1,6 @@
 title: Mimikatz Use
 id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
-description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different
-    threat groups)
+description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
 author: Florian Roth
 date: 2017/01/10
 modified: 2019/10/11
@@ -12,21 +11,25 @@ tags:
     - attack.credential_access
     - car.2013-07-001
     - car.2019-04-004
+    - attack.t1003.002
+    - attack.t1003.004
+    - attack.t1003.001
+    - attack.t1003.006
 logsource:
     product: windows
 detection:
     keywords:
         Message:
-        - "* mimikatz *"
-        - "* mimilib *"
-        - "* <3 eo.oe *"
-        - "* eo.oe.kiwi *"
-        - "* privilege::debug *"
-        - "* sekurlsa::logonpasswords *"
-        - "* lsadump::sam *"
-        - "* mimidrv.sys *"
-        - "* p::d *"
-        - "* s::l *"
+            - "* mimikatz *"
+            - "* mimilib *"
+            - "* <3 eo.oe *"
+            - "* eo.oe.kiwi *"
+            - "* privilege::debug *"
+            - "* sekurlsa::logonpasswords *"
+            - "* lsadump::sam *"
+            - "* mimidrv.sys *"
+            - "* p::d *"
+            - "* s::l *"
     condition: keywords
 falsepositives:
     - Naughty administrators

rules/windows/builtin/win_alert_ruler.yml

@@ -17,18 +17,19 @@ tags:
     - attack.t1075
     - attack.t1114
     - attack.t1059
+    - attack.t1550.002
 logsource:
     product: windows
     service: security
 detection:
     selection1:
-        EventID: 
-          - 4776
+        EventID:
+            - 4776
         Workstation: 'RULER'
     selection2:
         EventID:
-          - 4624
-          - 4625
+            - 4624
+            - 4625
         WorkstationName: 'RULER'
     condition: (1 of selection*)
 falsepositives:

rules/windows/builtin/win_applocker_file_was_not_allowed_to_run.yml

@@ -0,0 +1,37 @@
+title: File Was Not Allowed To Run 
+id: 401e5d00-b944-11ea-8f9a-00163ecd60ae
+description: Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.
+status: experimental
+tags:
+    - attack.execution
+    - attack.t1204
+    - attack.t1086
+    - attack.t1064
+    - attack.t1035
+references:
+    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker
+    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker
+    - https://nxlog.co/documentation/nxlog-user-guide/applocker.html
+author: Pushkarev Dmitry
+date: 2020/06/28
+logsource:
+    product: windows
+    service: applocker
+detection:
+    selection:
+        EventID:
+          - 8004
+          - 8007
+    condition: selection
+fields:
+    - PolicyName
+    - RuleId
+    - RuleName
+    - TargetUser
+    - TargetProcessId
+    - FilePath
+    - FileHash
+    - Fqbn
+falsepositives:
+    - need tuning applocker or add exceptions in SIEM
+level: medium

rules/windows/builtin/win_apt_carbonpaper_turla.yml

@@ -7,6 +7,7 @@ tags:
     - attack.persistence
     - attack.g0010
     - attack.t1050
+    - attack.t1543.003
 date: 2017/03/31
 author: Florian Roth
 logsource:

rules/windows/builtin/win_apt_stonedrill.yml

@@ -9,6 +9,7 @@ tags:
     - attack.persistence
     - attack.g0064
     - attack.t1050
+    - attack.t1543.003
 logsource:
     product: windows
     service: system

rules/windows/builtin/win_apt_turla_service_png.yml

@@ -9,6 +9,7 @@ tags:
     - attack.persistence
     - attack.g0010
     - attack.t1050
+    - attack.t1543.003
 logsource:
     product: windows
     service: system

rules/windows/builtin/win_atsvc_task.yml

@@ -11,10 +11,11 @@ tags:
     - attack.t1053
     - car.2013-05-004
     - car.2015-04-001
+    - attack.t1053.002
 logsource:
     product: windows
     service: security
-    description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
+    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
 detection:
     selection:
         EventID: 5145

rules/windows/builtin/win_dcsync.yml

@@ -12,18 +12,19 @@ tags:
     - attack.credential_access
     - attack.s0002
     - attack.t1003
+    - attack.t1003.006
 logsource:
     product: windows
     service: security
 detection:
     selection:
         EventID: 4662
-        Properties: 
+        Properties:
             - '*Replicating Directory Changes All*'
             - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
     filter1:
         SubjectDomainName: 'Window Manager'
-    filter2: 
+    filter2:
         SubjectUserName:
             - 'NT AUTHORITY*'
             - '*$'

rules/windows/builtin/win_disable_event_logging.yml

@@ -1,15 +1,12 @@
 title: Disabling Windows Event Auditing
 id: 69aeb277-f15f-4d2d-b32a-55e883609563
-description: 'Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass
-    local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing"
-    via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note,
-    that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform
-    these modifications in Active Directory anyways.'
+description: 'Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.'
 references:
     - https://bit.ly/WinLogsZero2Hero
 tags:
     - attack.defense_evasion
     - attack.t1054
+    - attack.t1562.006
 author: '@neu5ron'
 date: 2017/11/19
 logsource:

rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml

@@ -9,11 +9,12 @@ references:
 tags:
     - attack.credential_access
     - attack.t1003
+    - attack.t1003.004
 logsource:
     product: windows
     service: security
 detection:
-    selection: 
+    selection:
         EventID: 4662
         ObjectType: 'SecretObject'
         AccessMask: '0x2'
@@ -21,4 +22,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: critical
+level: critical

rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml

@@ -9,11 +9,12 @@ references:
 tags:
     - attack.credential_access
     - attack.t1003
+    - attack.t1003.004
 logsource:
     product: windows
     service: security
 detection:
-    selection: 
+    selection:
         EventID: 4692
     condition: selection
 fields:

rules/windows/builtin/win_global_catalog_enumeration.yml

@@ -0,0 +1,23 @@
+title: Enumeration via the Global Catalog 
+description: Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). Adjust Treshhold according to domain width.
+author: Chakib Gzenayi (@Chak092), Hosni Mribah
+id: 619b020f-0fd7-4f23-87db-3f51ef837a34
+date: 2020/05/11
+tags:
+    - attack.discovery
+    - attack.t1087
+logsource:
+    product: windows
+    service: system
+    definition: 'The advanced audit policy setting "Windows Filtering Platform > Filtering Platform Connection" must be configured for Success'
+detection:
+    selection:
+        EventID: 5156
+        DestinationPort:
+        - 3268
+        - 3269
+    timeframe: 1h
+    condition: selection | count() by SourceAddress > 2000
+falsepositives:
+    - Exclude known DCs.
+level: medium

rules/windows/builtin/win_hack_smbexec.yml

@@ -10,6 +10,8 @@ tags:
     - attack.execution
     - attack.t1077
     - attack.t1035
+    - attack.t1021
+    - attack.t1569.002
 logsource:
     product: windows
     service: system
@@ -25,4 +27,4 @@ fields:
 falsepositives:
     - Penetration Test
     - Unknown
-level: critical
+level: critical

rules/windows/builtin/win_impacket_secretdump.yml

@@ -8,10 +8,13 @@ references:
 tags:
     - attack.credential_access
     - attack.t1003
+    - attack.t1003.002
+    - attack.t1003.004
+    - attack.t1003.003
 logsource:
     product: windows
     service: security
-    description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
+    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
 detection:
     selection:
         EventID: 5145

rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml

@@ -12,7 +12,7 @@ falsepositives:
     - Unknown
 level: high
 detection:
-    selection:
+    selection_1:
         - ImagePath|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
         - ImagePath|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
         - ImagePath|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
@@ -20,7 +20,7 @@ detection:
         - ImagePath|re: '\*mdr\*\W\s*\)\.Name'
         - ImagePath|re: '\$VerbosePreference\.ToString\('
         - ImagePath|re: '\String\]\s*\$VerbosePreference'
-    condition: selection
+    condition: selection and selection_1
 ---
 logsource:
     product: windows

rules/windows/builtin/win_lm_namedpipe.yml

@@ -1,7 +1,6 @@
 title: First Time Seen Remote Named Pipe
 id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
-description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec
-    using named pipes
+description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
 author: Samir Bousseaden
 date: 2019/04/03
 references:
@@ -9,10 +8,11 @@ references:
 tags:
     - attack.lateral_movement
     - attack.t1077
+    - attack.t1021.002
 logsource:
     product: windows
     service: security
-    description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
+    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
 detection:
     selection1:
         EventID: 5145
@@ -21,23 +21,23 @@ detection:
         EventID: 5145
         ShareName: \\*\IPC$
         RelativeTargetName:
-         - 'atsvc'
-         - 'samr'
-         - 'lsarpc'
-         - 'winreg'
-         - 'netlogon'
-         - 'srvsvc'
-         - 'protected_storage'
-         - 'wkssvc'
-         - 'browser'
-         - 'netdfs'
-         - 'svcctl'
-         - 'spoolss'
-         - 'ntsvcs'
-         - 'LSM_API_service'
-         - 'HydraLsPipe'
-         - 'TermSrv_API_service'
-         - 'MsFteWds'
+            - 'atsvc'
+            - 'samr'
+            - 'lsarpc'
+            - 'winreg'
+            - 'netlogon'
+            - 'srvsvc'
+            - 'protected_storage'
+            - 'wkssvc'
+            - 'browser'
+            - 'netdfs'
+            - 'svcctl'
+            - 'spoolss'
+            - 'ntsvcs'
+            - 'LSM_API_service'
+            - 'HydraLsPipe'
+            - 'TermSrv_API_service'
+            - 'MsFteWds'
     condition: selection1 and not selection2
 falsepositives:
     - update the excluded named pipe to filter out any newly observed legit named pipe

rules/windows/builtin/win_lsass_access_non_system_account.yml

@@ -10,11 +10,12 @@ references:
 tags:
     - attack.credential_access
     - attack.t1003
+    - attack.t1003.001
 logsource:
     product: windows
     service: security
 detection:
-    selection: 
+    selection:
         EventID:
             - 4663
             - 4656

rules/windows/builtin/win_mal_service_installs.yml

@@ -11,6 +11,8 @@ tags:
     - attack.t1035
     - attack.t1050
     - car.2013-09-005
+    - attack.t1543.003
+    - attack.t1569.002
 logsource:
     product: windows
     service: system
@@ -24,6 +26,6 @@ detection:
     malsvc_persistence:
         ServiceFileName|contains: 'net user'
     condition: selection and 1 of malsvc_*
-falsepositives: 
+falsepositives:
     - Penetration testing
 level: critical

rules/windows/builtin/win_metasploit_authentication.yml

@@ -0,0 +1,29 @@
+title: Metasploit SMB Authentication
+description: Alerts on Metasploit host's authentications on the domain.
+id: 72124974-a68b-4366-b990-d30e0b2a190d
+author: Chakib Gzenayi (@Chak092), Hosni Mribah
+date: 2020/05/06
+references: 
+    - https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/smb/client.rb
+tags:
+    - attack.credential_access
+    - attack.t1110
+logsource:
+    product: windows
+    service: security
+detection:
+    selection1:
+        EventID:
+        - 4625
+        - 4624
+        LogonType: 3
+        AuthenticationPackage: 'NTLM'
+        WorkstationName|re: '^[A-Za-z0-9]{16}$'
+    selection2:
+        ProcessName:
+        EventID: 4776
+        SourceWorkstation|re: '^[A-Za-z0-9]{16}$'
+    condition: selection1 OR selection2
+falsepositives:
+    - Linux hostnames composed of 16 characters.
+level: high

rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml

@@ -12,7 +12,7 @@ tags:
     - attack.privilege_escalation
     - attack.t1134
 detection:
-    selection:
+    selection_1:
         # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
         - ServiceFileName|contains|all:
             - 'cmd'
@@ -30,7 +30,7 @@ detection:
             - 'rundll32'
             - '.dll,a'
             - '/p:'
-    condition: selection
+    condition: selection and selection_1
 fields:
     - ComputerName
     - SubjectDomainName

rules/windows/builtin/win_mmc20_lateral_movement.yml

@@ -1,23 +1,25 @@
 title: MMC20 Lateral Movement
 id: f1f3bf22-deb2-418d-8cce-e1a45e46a5bd
-description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe 
+description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
 author: '@2xxeformyshirt (Security Risk Advisors)'
 date: 2020/03/04
 references:
-  - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
-  - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing 
+    - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
+    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing
 tags:
-  - attack.execution
-  - attack.t1175
+    - attack.execution
+    - attack.t1175
+    - attack.t1021.003
+    - attack.t1559.001
 logsource:
-  category: process_creation
-  product: windows
+    category: process_creation
+    product: windows
 detection:
-  selection:
-    ParentImage: '*\svchost.exe'
-    Image: '*\mmc.exe'
-    CommandLine: '*-Embedding*'
-  condition: selection
+    selection:
+        ParentImage: '*\svchost.exe'
+        Image: '*\mmc.exe'
+        CommandLine: '*-Embedding*'
+    condition: selection
 falsepositives:
-  - Unlikely
+    - Unlikely
 level: high

rules/windows/builtin/win_not_allowed_rdp_access.yml

@@ -0,0 +1,27 @@
+title: Denied Access To Remote Desktop
+id: 8e5c03fa-b7f0-11ea-b242-07e0576828d9
+description: This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.
+    Often, this event can be generated by attackers when searching for available windows servers in the network.
+status: experimental
+tags:
+    - attack.lateral_movement
+    - attack.t1076
+    - attack.t1021.001
+references:
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
+author: Pushkarev Dmitry
+date: 2020/06/27
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 4825
+    condition: selection
+fields:
+    - EventCode
+    - AccountName
+    - ClientAddress
+falsepositives:
+    - Valid user was not added to RDP group
+level: medium

rules/windows/builtin/win_overpass_the_hash.yml

@@ -10,6 +10,7 @@ tags:
     - attack.lateral_movement
     - attack.t1075
     - attack.s0002
+    - attack.t1550.002
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_pass_the_hash.yml

@@ -10,6 +10,7 @@ tags:
     - attack.lateral_movement
     - attack.t1075
     - car.2016-04-004
+    - attack.t1550.002
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_pass_the_hash_2.yml

@@ -1,6 +1,6 @@
 title: Pass the Hash Activity 2
 id: 8eef149c-bd26-49f2-9e5a-9b00e3af499b
-status: production
+status: stable
 description: Detects the attack technique pass the hash which is used to move laterally inside the network
 references:
     - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
@@ -11,6 +11,7 @@ date: 2019/06/14
 tags:
     - attack.lateral_movement
     - attack.t1075
+    - attack.t1550.002
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_quarkspwdump_clearing_hive_access_history.yml

@@ -8,6 +8,7 @@ modified: 2019/11/13
 tags:
     - attack.credential_access
     - attack.t1003
+    - attack.t1003.002
 level: critical
 logsource:
     product: windows

rules/windows/builtin/win_rare_schtasks_creations.yml

@@ -10,6 +10,7 @@ tags:
     - attack.persistence
     - attack.t1053
     - car.2013-08-001
+    - attack.t1053.005
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_rare_service_installs.yml

@@ -9,6 +9,7 @@ tags:
     - attack.privilege_escalation
     - attack.t1050
     - car.2013-09-005
+    - attack.t1543.003
 logsource:
     product: windows
     service: system

rules/windows/builtin/win_rdp_localhost_login.yml

@@ -9,6 +9,7 @@ tags:
     - attack.lateral_movement
     - attack.t1076
     - car.2013-07-002
+    - attack.t1021.001
 status: experimental
 author: Thomas Patzke
 logsource:

rules/windows/builtin/win_rdp_reverse_tunnel.yml

@@ -14,6 +14,7 @@ tags:
     - attack.t1076
     - attack.t1090
     - car.2013-07-002
+    - attack.t1021
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml

@@ -8,6 +8,7 @@ tags:
     - attack.lateral_movement
     - attack.privilege_escalation
     - attack.t1208
+    - attack.t1558.003
 author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
 date: 2019/10/24
 logsource:

rules/windows/builtin/win_remote_powershell_session.yml

@@ -9,11 +9,12 @@ references:
 tags:
     - attack.execution
     - attack.t1086
+    - attack.t1059.001
 logsource:
     product: windows
     service: security
 detection:
-    selection: 
+    selection:
         EventID: 5156
         DestPort:
             - 5985

rules/windows/builtin/win_susp_add_sid_history.yml

@@ -10,6 +10,7 @@ tags:
     - attack.persistence
     - attack.privilege_escalation
     - attack.t1178
+    - attack.t1134.005
 logsource:
     product: windows
     service: security
@@ -25,7 +26,7 @@ detection:
             - '-'
             - '%%1793'
     filter_null:
-        SidHistory: null
+        SidHistory:
     condition: selection1 or (selection2 and not selection3 and not filter_null)
 falsepositives:
     - Migration of an account into a new domain

rules/windows/builtin/win_susp_backup_delete.yml

@@ -10,6 +10,7 @@ date: 2017/05/12
 tags:
     - attack.defense_evasion
     - attack.t1107
+    - attack.t1070.004
 logsource:
     product: windows
     service: application

rules/windows/builtin/win_susp_codeintegrity_check_failure.yml

@@ -7,6 +7,7 @@ date: 2019/12/03
 tags:
     - attack.defense_evasion
     - attack.t1009
+    - attack.t1027
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_susp_dhcp_config.yml

@@ -11,6 +11,7 @@ author: Dimitrios Slamaris
 tags:
     - attack.defense_evasion
     - attack.t1073
+    - attack.t1574.002
 logsource:
     product: windows
     service: system
@@ -19,6 +20,6 @@ detection:
         EventID: 1033
         Source: Microsoft-Windows-DHCP-Server
     condition: selection
-falsepositives: 
+falsepositives:
     - Unknown
 level: critical

rules/windows/builtin/win_susp_dhcp_config_failed.yml

@@ -11,18 +11,19 @@ modified: 2019/07/17
 tags:
     - attack.defense_evasion
     - attack.t1073
+    - attack.t1574.002
 author: "Dimitrios Slamaris, @atc_project (fix)"
 logsource:
     product: windows
     service: system
 detection:
     selection:
-        EventID: 
+        EventID:
             - 1031
             - 1032
             - 1034
-        Source: Microsoft-Windows-DHCP-Server            
+        Source: Microsoft-Windows-DHCP-Server
     condition: selection
-falsepositives: 
+falsepositives:
     - Unknown
 level: critical

rules/windows/builtin/win_susp_dns_config.yml

@@ -10,17 +10,18 @@ references:
 tags:
     - attack.defense_evasion
     - attack.t1073
+    - attack.t1574.002
 author: Florian Roth
 logsource:
     product: windows
     service: dns-server
 detection:
     selection:
-        EventID: 
+        EventID:
             - 150
             - 770
     condition: selection
-falsepositives: 
+falsepositives:
     - Unknown
 level: critical
 

rules/windows/builtin/win_susp_lsass_dump.yml

@@ -8,6 +8,7 @@ references:
 tags:
     - attack.credential_access
     - attack.t1003
+    - attack.t1003.001
 logsource:
     product: windows
     service: security