Sigma tools release 0.6

Merge of SOC Prime QRadar backend
Added QRadar backend to CI testing
2018-07-17 23:12:23 +02:00 · 2018-07-17 22:57:54 +02:00 · 2018-07-17 22:56:31 +02:00 · 2018-07-17 22:45:21 +02:00 · 2018-07-17 14:39:56 -06:00 · 2018-07-17 15:25:27 +03:00
121 changed files with 3044 additions and 345 deletions
@@ -2,10 +2,13 @@ language: python
 python:
  - 3.5
  - 3.6
-  - pypy3
+services:
+    - elasticsearch
 cache: pip
+before_install:
+    - curl -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.2.4.deb && sudo dpkg -i --force-confnew elasticsearch-6.2.4.deb && sudo service elasticsearch restart
 install:
  - pip install -r tools/requirements-devel.txt 
-
 script:
  - make test
+  - make test-backend-es-qs
@@ -18,9 +18,16 @@ test-sigmac:
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -O rulecomment -rvdI -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t graylog rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkxml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t wdatp rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-dsl rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight -c tools/config/arcsight.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qradar -c tools/config/arcsight.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qualys -c tools/config/qualys.yml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=stable,logsource=windows' rules/ > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=xcritical,status=stable,logsource=windows' rules/ > /dev/null
@@ -30,7 +37,9 @@ test-sigmac:
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t kibana rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -Ooutput=curl -t kibana rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t kibana rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -Ooutput=curl -t kibana rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t xpack-watcher rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t xpack-watcher rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-defaultindex.yml -t xpack-watcher rules/ > /dev/null
@@ -53,11 +62,14 @@ test-sigmac:
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c not_existing rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_yaml.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_config.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvI -c tools/config/elk-defaultindex.yml -t kibana rules/ > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rv -c tools/config/elk-defaultindex.yml -t kibana rules/ > /dev/null

 test-merge:
 	tests/test-merge.sh
-	! coverage run -a --include=$(COVSCOPE) tools/merge_sigma.py tests/not_existing.yml > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/merge_sigma tests/not_existing.yml > /dev/null
+
+test-backend-es-qs:
+	tests/test-backend-es-qs.py

 build: tools/sigmac tools/merge_sigma tools/sigma/*.py tools/setup.py tools/setup.cfg
 	cd tools && python3 setup.py bdist_wheel
@@ -18,48 +18,25 @@ This repository contains:
 * Open repository for sigma signatures in the `./rules`subfolder
 * A converter that generate searches/queries for different SIEM systems [work in progress]

+![sigma_description](./images/Sigma-description.png)
+
 ## Hack.lu 2017 Talk

 [![Sigma - Generic Signatures for Log Events](https://preview.ibb.co/cMCigR/Screen_Shot_2017_10_18_at_15_47_15.png)](https://www.youtube.com/watch?v=OheVuE9Ifhs "Sigma - Generic Signatures for Log Events")

 # Use Cases

-* Describe your once discovered detection method in Sigma to make it sharable 
-* Share the signature in the appendix of your analysis along with file hashes and C2 servers
+* Describe your detection method in Sigma to make it sharable
+* Write and your SIEM searches in Sigma to avoid a vendor lock-in
+* Share the signature in the appendix of your analysis along with IOCs and YARA rules
 * Share the signature in threat intel communities - e.g. via MISP
-* Provide Sigma signatures for malicious behaviour in your own application (Error messages, access violations, manipulations) 
-* Integrate a new log into your SIEM and check the Sigma repository for available rules
-* Write a rule converter for your custom log analysis tool and process new Sigma rules automatically
-* Provide a free or commercial feed for Sigma signatures
-
-# Sigma Converter
-
-The converter is currently under development in the *devel-sigmac* branch of this project. It has currently the
-following capabilities:
-
-* Parsing of Sigma rule files
-* Conversion of searches into Elasticsearch and Splunk queries
-
-Planned main features are:
-
-* Conversion of aggregation expressions (after the pipe character)
-* Output of Kibana JSON configurations
-
-Support for further SIEM solutions can be added by developing an corresponsing output backend class.
-
-![sigma_description](./images/Sigma-description.png)
+* Provide Sigma signatures for malicious behaviour in your own application

 # Why Sigma

 Today, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and build their own searches and dashboard. Some of their searches and correlations are great and very useful but they lack a standardized format in which they can share their work with others. 

-Others provide excellent analyses for threat groups, sharing file indicators, C2 servers and YARA rules to detect the malicious files, but describe a certain malicious service install or remote thread injection in a separate paragraph. Security analysts, who read that paragraph then extract the necessary information and create rules in their SIEM system. The detection method never finds a way into a repository that is shared, structured and archived. 
-
-The lower layers of the OSI layer are well known and described. Every SIEM vendor has rules to detect port scans, ping sweeps and threats like the ['smurf attack'](https://en.wikipedia.org/wiki/Smurf_attack). But the higher layers contain numerous applications and protocols  with special characteristics that write their own custom log files. SIEM vendors consider the signatures and correlations as their intelectual property and do not tend to share details on the coverage. 
-
-Sigma is meant to be an open standard in which detection mechanisms can be defined, shared and collected in order to improve the detection capabilities on the application layers for everyone. 
-
-![sigma_why](./images/Problem_OSI_v01.png)
+Others provide excellent analyses, include IOCs and YARA rules to detect the malicious files and network connections, but have no way to describe a specific or generic detection method in log events. Sigma is meant to be an open standard in which such detection mechanisms can be defined, shared and collected in order to improve the detection capabilities for everyone. 

 ## Slides

@@ -75,8 +52,19 @@ The current specification is a proposal. Feedback is requested.

 # Getting Started

+## Rule Creation
+
 Florian wrote a short [rule creation tutorial](https://www.nextron-systems.com/2018/02/10/write-sigma-rules/) that can help you getting started.

+## Rule Usage 
+
+1. Download or clone the respository
+2. Check the `./rules` sub directory for an overview on the rule base
+3. Run `python sigmac --help` in folder `./tools` to get a help on the rule converter
+4. Convert a rule of your choice with `sigmac` like `python sigmac -t splunk ../rules/windows/builtin/win_susp_process_creations.yml`
+5. Convert a whole rule directory with `python sigmac -t splunk -r ../rules/proxy/`
+6. Check the `./tools/config` folder and the [wiki](https://github.com/Neo23x0/sigma/wiki/Converter-Tool-Sigmac) if you need custom field or log source mappings in your environment
+
 # Examples

 Windows 'Security' Eventlog: Access to LSASS Process with Certain Access Mask / Object Type (experimental)
@@ -94,7 +82,9 @@ Sysmon: Web Shell Detection
 Windows 'Security' Eventlog: Suspicious Number of Failed Logons from a Single Source Workstation
 ![sigma_rule example5](./images/Sigma_rule_example5.png)

-## Sigma Toolchain
+# Sigma Tools 
+
+## Sigmac 

 Sigmac converts sigma rules into queries or inputs of the supported targets listed below. It acts as a frontend to the
 Sigma library that may be used to integrate Sigma support in other projects. Further, there's `merge_sigma.py` which
@@ -106,12 +96,21 @@ merges multiple YAML documents of a Sigma rule collection into simple Sigma rule

 * [Splunk](https://www.splunk.com/)
 * [ElasticSearch](https://www.elastic.co/)
+* [ElasticSearch Query DSL](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl.html)
+* [Kibana](https://www.elastic.co/de/products/kibana)
 * [Elastic X-Pack Watcher](https://www.elastic.co/guide/en/x-pack/current/xpack-alerting.html)
 * [Logpoint](https://www.logpoint.com)
+* [Windows Defender Advanced Threat Protection (WDATP)](https://www.microsoft.com/en-us/windowsforbusiness/windows-atp)
+* Grep with Perl-compatible regular expression support
+
+Current work-in-progress
+* [Splunk Data Models](https://docs.splunk.com/Documentation/Splunk/7.1.0/Knowledge/Aboutdatamodels)
+
+New targets are continuously developed. You can get a list of supported targets with `sigmac --target-list` or `sigmac -l`.

 ### Requirements

-The usage of Sigmac or the underlying library requires Python >= 3.5 and PyYAML.
+The usage of Sigmac (the Sigma Rule Converter) or the underlying library requires Python >= 3.5 and PyYAML.

 ### Installation

@@ -121,22 +120,44 @@ It's available on PyPI. Install with:
 pip3 install sigmatools
 ```

+Alternatively, if used from the Sigma Github repository, the Python dependencies can be installed with:
+
+```bash
+pip3 install -r tools/requirements.txt
+```
+
+For development (e.g. execution of integration tests with `make` and packaging), further dependencies are required and can be installed with:
+
+```bash
+pip3 install -r tools/requirements-devel.txt
+```
+
+## Evt2Sigma
+
+[Evt2Sigma](https://github.com/Neo23x0/evt2sigma) helps you with the rule creation. It generates a Sigma rule from a log entry. 
+
+## Contributed Scripts
+
+The directory `contrib` contains scripts that were contributed by the community:
+
+* `sigma2elastalert.py`i by David Routin: A script that converts Sigma rules to Elastalert configurations. This tool
+  uses *sigmac* and expects it in its path.
+
+These tools are not part of the main toolchain and maintained separately by their authors.
+
 # Next Steps

-* Integration of feedback into the rule specifications
-* Integration into Threat Intel Exchanges, e.g. [MISP](http://www.misp-project.org/)
+* Integration of MITRE ATT&CK framework identifier to the rule set
+* Integration into Threat Intel Exchanges
 * Attempts to convince others to use the rule format in their reports, threat feeds, blog posts, threat sharing platforms

 # Projects that use Sigma

-* [Augmentd](https://augmentd.co/)
+* [MISP](http://www.misp-project.org/2017/03/26/MISP.2.4.70.released.html) (since version 2.4.70, March 2017)
 * [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches) (Splunk App)
-
-# Credits
-
-This is a private project mainly developed by Florian Roth and Thomas Patzke with feedback from many fellow analysts and friends. Rules are our own or have been drived from blog posts, tweets or other public sources that are referenced in the rules.
-
-Copyright for Tree Image: [studiobarcelona / 123RF Stock Photo](http://www.123rf.com/profile_studiobarcelona)
+* [SOC Prime - Sigma Rule Editor](https://tdm.socprime.com/sigma/)
+* [ypsilon](https://github.com/P4T12ICK/ypsilon) - Automated Use Case Testing 
+* [SPARK](https://www.nextron-systems.com/2018/06/28/spark-applies-sigma-rules-in-eventlog-scan/) - Scan with Sigma rules on endpoints

 # Licenses

@@ -145,3 +166,9 @@ The content of this repository is released under the following licenses:
 * The toolchain (everything under `tools/`) is licensed under the [GNU Lesser General Public License](https://www.gnu.org/licenses/lgpl-3.0.en.html).
 * The [Sigma specification](https://github.com/Neo23x0/sigma/wiki) is public domain.
 * Everything else, especially the rules contained in the `rules/` directory is released under the [GNU General Public License](https://www.gnu.org/licenses/gpl-3.0.en.html).
+
+# Credits
+
+This is a private project mainly developed by Florian Roth and Thomas Patzke with feedback from many fellow analysts and friends. Rules are our own or have been drived from blog posts, tweets or other public sources that are referenced in the rules.
+
+Copyright for Tree Image: [studiobarcelona / 123RF Stock Photo](http://www.123rf.com/profile_studiobarcelona)
@@ -0,0 +1,173 @@
+#!/usr/bin/python
+# Copyright 2018 David Routin
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+"""
+Project: sigma2elastalert.py
+Date: 25 Feb 2018
+Author: David ROUTIN  (@Rewt_1)
+Version: 1.0
+Description: This script creates elastalert configuration files from Sigma SIEM rules.
+"""
+
+import re
+import os
+import glob
+import subprocess
+import argparse
+import yaml
+import traceback
+
+parser = argparse.ArgumentParser()
+parser.add_argument("--eshost", help="Elasticsearch host", type=str, required=True)
+parser.add_argument("--esport", help="Elasticsearch port", type=str, required=True)
+parser.add_argument("--ruledir", help="sigma rule directory path to convert", type=str, required=True)
+parser.add_argument("--index", help="Elasticsearch index name egs: \"winlogbeat-*\"", type=str, required=True)
+parser.add_argument("--email", help="email address to send mail alert", type=str, required=True)
+parser.add_argument("--outdir", help="output directory to create elastalert rules", type=str, required=True)
+parser.add_argument("--sigmac", help="Sigmac location", default="../tools/sigmac", type=str)
+parser.add_argument("--realerttime", help="Realert time (optional value, default 5 minutes)", type=str, default=5)
+parser.add_argument("--debug", help="Show debug output", type=bool, default=False)
+args = parser.parse_args()
+
+custom_query_keys = ["sensor", "Hostname", "EventID", "src_ip", "dst_ip"]
+
+
+template="""es_host: ESHOST
+es_port: ESPORT
+name: "TITLE"
+description: "DESCRIPTION"
+index: INDEX
+filter:
+- query:
+    query_string:
+      query: 'QUERY'
+realert:
+ minutes: MINUTES
+query_key: UNIQKEYS
+type: any
+include: UNIQKEYS
+alert:
+- "email"
+
+# (required, email specific)
+# a list of email addresses to send alerts to
+email:
+- "EMAIL"
+"""
+
+def return_json_obj(x,custom_query_keys):
+    """
+    Function used to filter all ES query object as unique value including predefined list from custom_query_keys
+    :param x: must contains ES query output
+    :param custom_query_keys: takes the list of predefined element to match in document
+    :return: a clean list (set) of all the query keys (EventID,TargetUserName...)
+    """
+    # type: (str, list) -> list
+    y = x.replace(" ", "\n").split()
+    out = set()
+    for i in y:
+        out.update(re.findall("([a-zA-Z]+)\:", i))
+
+    for qk in custom_query_keys:
+        try:
+            out.remove(qk)
+        except:
+            pass
+    out = list(out)
+    count = 0
+    for qk in custom_query_keys:
+        count += 1
+        out.insert(count-1, qk)
+    return out
+
+def rule_element(file_content, elements):
+    """
+    Function used to get specific element from yaml document and return content
+    :type file_content: str
+    :type elements: list
+    :param file_content:
+    :param elements: list of elements of the yaml document to get "title", "description"
+    :return: the value of the key in the yaml document
+    """
+    try:
+        yaml.load(file_content.replace("---",""))
+    except:
+        raise Exception('Unsupported')
+    element_output = ""
+    for e in elements:
+        try:
+            element_output = yaml.load(file_content.replace("---",""))[e]
+        except:
+            pass
+    if element_output is None:
+        return ""
+    return element_output
+
+def get_rule_as_esqs(file):
+    """
+    Function used to get Elastic query output from rule fome
+    :type file: str
+    :param file: rule filename
+    :return: string es query
+    """
+    if not os.path.exists(args.sigmac):
+        print("Cannot find sigmac rule coverter at '%s', please set a correct location via '--sigmac'")
+    cmd = [args.sigmac, file, "--target", "es-qs"]
+    output = subprocess.Popen(cmd,stdout=subprocess.PIPE, stderr=subprocess.STDOUT).stdout.read()
+    if "unsupported" in output:
+        raise Exception('Unsupported output at this time')
+    output = output.split("\n")
+    # Remove empty string from \n
+    output = [a for a in output if a]
+    # Handle case of multiple queries returned
+    if len(output) > 1:
+        return " OR ".join(output)
+    return "".join(output)
+
+# Dictionary that contains args set at launch time
+convert_args = {
+    "ESHOST": args.eshost,
+    "ESPORT": args.esport,
+    "INDEX": args.index,
+    "EMAIL": args.email,
+    "MINUTES": args.realerttime
+}
+
+for file in glob.glob(args.ruledir + "/*"):
+    output_elast_config = template
+    try:
+        print("Processing %s ..." % file)
+        with open(file, "rb") as f:
+            file_content = f.read()
+
+        # Dictionary that contains args with values returned by functions
+        translate_func = {'QUERY': get_rule_as_esqs(file),
+                        'TITLE': rule_element(file_content, ["title", "name"]),
+                        'DESCRIPTION': rule_element(file_content, ["description"]),
+                        'UNIQKEYS': str(return_json_obj(get_rule_as_esqs(file), custom_query_keys))
+                        }
+        for entry in convert_args:
+            output_elast_config = re.sub(entry, str(convert_args[entry]), output_elast_config)
+        for entry in translate_func:
+            output_elast_config = re.sub(entry, translate_func[entry], output_elast_config)
+        print "Converting file " + file
+        with open(os.path.join(args.outdir, "sigma-" + file.split("/")[-1]), "w") as f:
+                f.write(output_elast_config)
+    except Exception as e:
+        if args.debug:
+            traceback.print_exc()
+        print "error " + str(file) + "----" + str(e)
+        pass
+
@@ -16,7 +16,7 @@ detection:
        # SQL Server
        - Unclosed quotation mark
        # SQLite
-        - near "*": syntax error
+        - 'near "*": syntax error'
        - SELECTs to the left and right of UNION do not have the same number of result columns
    condition: keywords
 falsepositives:
@@ -1,3 +1,4 @@
+---
 action: global
 title: APT29 Google Update Service Install
 description: 'This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files.' 
@@ -0,0 +1,53 @@
+---
+action: global
+title: Chafer Activity
+description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018 
+references:
+    - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
+date: 2018/03/23
+author: Florian Roth, Markus Neis
+detection:
+    condition: 1 of them
+falsepositives:
+    - Unknown
+level: critical
+---
+logsource:
+    product: windows
+    service: system
+detection:
+    selection_service:
+        EventID: 7045
+        ServiceName:
+            - 'SC Scheduled Scan'
+            - 'UpdatMachine'
+---
+logsource:
+   product: windows
+   service: sysmon
+detection:
+    selection_reg1:
+        EventID: 13 
+        TargetObject: 
+            - '*SOFTWARE\Microsoft\Windows\CurrentVersion\UMe'
+            - '*SOFTWARE\Microsoft\Windows\CurrentVersion\UT'
+        EventType: 'SetValue'
+    selection_reg2:
+        EventID: 13 
+        TargetObject: '*\Control\SecurityProviders\WDigest\UseLogonCredential'
+        EventType: 'SetValue'
+        Details: 'DWORD (0x00000001)'
+    selection_process1:
+        EventID: 1 
+        CommandLine: 
+            - '*\Service.exe i'
+            - '*\Service.exe u'
+            - '*\microsoft\Taskbar\autoit3.exe'
+            - 'C:\wsc.exe*'
+    selection_process2:
+        EventID: 1
+        Image: '*\Windows\Temp\DB\*.exe'
+    selection_process3:
+        EventID: 1
+        CommandLine: '*\nslookup.exe -q=TXT*'
+        ParentImage: '*\Autoit*'
@@ -0,0 +1,36 @@
+---
+action: global
+title: CrackMapExecWin 
+description: Detects CrackMapExecWin Activity as Described by NCSC
+status: experimental
+references:
+    - https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control 
+author: Markus Neis
+detection:
+    condition: 1 of them
+falsepositives: 
+    - None 
+level: critical
+---
+# Windows Audit Log
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection1:
+        # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
+        EventID: 4688
+        NewProcessName:
+            - '*\crackmapexec.exe'
+---
+# Sysmon
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
+        EventID: 1
+        Image:
+            - '*\crackmapexec.exe'
@@ -16,7 +16,7 @@ detection:
    selection2:
        EventID: 1
        CommandLine: '*\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'
-    condition: selection1 or selection2
+    condition: 1 of them
 falsepositives:
    - Unknown
 level: critical
@@ -15,7 +15,7 @@ detection:
        src:
            - '69.42.98.86'
            - '89.185.234.145'
-    condition: outgoing or incoming
+    condition: 1 of them
 falsepositives:
    - Unknown
 level: high
@@ -0,0 +1,39 @@
+---
+action: global
+title: Equation Group DLL_U Load
+description: Detects a specific tool and export used by EquationGroup
+references:
+    - https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
+    - https://securelist.com/apt-slingshot/84312/
+    - https://twitter.com/cyb3rops/status/972186477512839170
+author: Florian Roth
+date: 2018/03/10 
+detection:
+    selection1:
+        Image: '*\rundll32.exe'
+        CommandLine: '*,dll_u'
+    selection2:
+        CommandLine: '* -export dll_u *'
+    condition: 1 of them
+falsepositives:
+    - Unknown
+level: critical
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        EventID: 1
+    selection2:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection1:
+        EventID: 4688
+    selection2:
+        EventID: 4688
@@ -18,7 +18,7 @@ detection:
    selection2:
        EventID: 1
        Command: 'loaddll -a *'
-    condition: selection1 or selection2
+    condition: 1 of them
 fields:
    - EventID
    - CommandLine
@@ -0,0 +1,35 @@
+---
+action: global
+title: Defrag Deactivation
+description: Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group
+references:
+    - https://securelist.com/apt-slingshot/84312/
+author: Florian Roth
+date: 2018/03/10
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'       
+detection:
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        CommandLine: 
+            - '*schtasks* /delete *Defrag\ScheduledDefrag*'
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'       
+detection:
+    selection:
+        EventID: 4701
+        TaskName: '\Microsoft\Windows\Defrag\ScheduledDefrag'
@@ -15,12 +15,15 @@ detection:
            # Temporary folder
            - '/tmp/*'
            # Web server 
-            - '/var/www/*'            # Standard
-            - '/usr/local/apache2/*'  # Classical Apache
-            - '/usr/local/httpd/*'    # Old SuSE Linux 6.*
-            - '/var/apache/*'         # Solaris
-            - '/srv/www/*'            # SuSE Linux 9.*
-            - '/home/httpd/html/*'    # Redhat 6 or older
+            - '/var/www/*'              # Standard
+            - '/home/*/public_html/*'   # Per-user
+            - '/usr/local/apache2/*'    # Classical Apache
+            - '/usr/local/httpd/*'      # Old SuSE Linux 6.* Apache
+            - '/var/apache/*'           # Solaris Apache
+            - '/srv/www/*'              # SuSE Linux 9.*
+            - '/home/httpd/html/*'      # Redhat 6 or older Apache
+            - '/srv/http/*'             # ArchLinux standard
+            - '/usr/share/nginx/html/*' # ArchLinux nginx
            # Data dirs of typically exploited services (incomplete list)
            - '/var/lib/pgsql/data/*'
            - '/usr/local/mysql/data/*'
@@ -28,8 +31,6 @@ detection:
            - '/var/vsftpd/*'
            - '/etc/bind/*'
            - '/var/named/*'
-            # Others
-            - '*/public_html/*'
    condition: selection
 falsepositives:
    - Admin activity (especially in /tmp folders)
@@ -6,8 +6,8 @@ logsource:
 detection:
    selection:
        pam_message: "authentication failure"
-        pam_user: not null
-        pam_rhost: not null
+        pam_user: '*'
+        pam_rhost: '*'
    timeframe: 24h 
    condition: selection | count(pam_user) by pam_rhost > 3
 falsepositives:
@@ -0,0 +1,19 @@
+title: Cobalt Strike DNS Beaconing
+status: experimental
+description: Detects suspicious DNS queries known from Cobalt Strike beacons
+references:
+    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
+author: Florian Roth
+date: 2018/05/10
+logsource:
+    category: dns
+detection:
+    selection:
+        query:
+            - 'aaa.stage.*' 
+            - 'post.1*'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
+
@@ -0,0 +1,17 @@
+title: Suspicious DNS Query with B64 Encoded String   
+status: experimental
+description: Detects suspicious DNS queries using base64 encoding
+references:
+    - https://github.com/krmaxwell/dns-exfiltration
+author: Florian Roth
+date: 2018/05/10
+logsource:
+    category: dns
+detection:
+    selection:
+        query:
+            - '*==.*'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,20 @@
+title: Telegram Bot API Request
+status: experimental
+description: Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind
+references:
+    - https://core.telegram.org/bots/faq
+    - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
+    - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
+    - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
+author: Florian Roth
+date: 2018/06/05
+logsource:
+    category: dns
+detection:
+    selection:
+        query:
+            - 'api.telegram.org'   # Telegram Bot API Request https://core.telegram.org/bots/faq
+    condition: selection
+falsepositives:
+    - Legitimate use of Telegram bots in the company
+level: medium
@@ -5,8 +5,9 @@ references:
    - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap
    - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf
    - https://www.spamhaus.org/statistics/tlds/
+    - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
 author: Florian Roth
-date: 2017/11/07
+date: 2018/06/13
 logsource:
    category: proxy
 detection:
@@ -60,7 +61,7 @@ detection:
            - '*.cricket'
            - '*.space'
            - '*.top'
-            # McAfee report
+            # McAfee report 
            - '*.info'
            - '*.vn'
            - '*.cm'
@@ -83,7 +84,6 @@ detection:
            - '*.tt'
            - '*.name'
            - '*.tv'
-            - '*.tv'
            - '*.kz'
            - '*.tc'
            - '*.mobi'
@@ -93,10 +93,16 @@ detection:
            - '*.link'
            - '*.trade'
            - '*.accountant'
+            # Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
+            - '*.click'
+            - '*.cf'
+            - '*.gq'
+            - '*.ml'
+            - '*.ga'
    condition: selection
 fields:
    - ClientIP
    - URL
 falsepositives:
-    - All kind of software downloads
+    - All kinds of software downloads
 level: low
@@ -0,0 +1,24 @@
+title: Windows WebDAV User Agent
+status: experimental
+description: Detects WebDav DownloadCradle
+references:
+    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
+author: Florian Roth
+date: 2018/04/06
+logsource:
+    category: proxy
+detection:
+    selection:
+      UserAgent: 'Microsoft-WebDAV-MiniRedir/*'
+      HttpMethod: 'GET'
+    condition: selection
+fields:
+    - ClientIP
+    - URL
+    - UserAgent
+    - HttpMethod
+falsepositives:
+    - Administrative scripts that download files from the Internet
+    - Administrative scripts that retrieve certain website contents
+    - Legitimate WebDAV administration
+level: high
@@ -12,7 +12,7 @@ detection:
            - '*/install_flash_player.exe'
            - '*/flash_install.php*'
    filter:
-        cs-uri-query: '*.adobe.com/*'
+        cs-uri-stem: '*.adobe.com/*'
    condition: selection and not filter
 falsepositives:
    - Unknown flash download locations
@@ -0,0 +1,29 @@
+title: Telegram API Access
+status: experimental
+description: Detects suspicious requests to Telegram API without the usual Telegram User-Agent
+references:
+    - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
+    - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
+    - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
+author: Florian Roth
+date: 2018/06/05
+logsource:
+    category: proxy
+detection:
+    selection:
+        r-dns: 
+            - 'api.telegram.org'  # Often used by Bots
+    filter:
+        UserAgent: 
+            # Used https://core.telegram.org/bots/samples for this list
+            - '*Telegram*'
+            - '*Bot*'
+    condition: selection and not filter
+fields:
+    - ClientIP
+    - URL
+    - UserAgent
+falsepositives:
+    - Legitimate use of Telegram bots in the company
+level: medium
+
@@ -28,6 +28,13 @@ detection:
        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)'  # APT17
        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)'  # Bronze Butler - Daserf
        - 'Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)'  # Bronze Butler - Daserf
+        - 'Mozilla/4.0 (compatible; MSIE 8.0; Win32)'  # TSCookie https://app.any.run/tasks/0996b314-5133-491b-8d23-d431ffdec597
+        - 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1'  # Delphi downloader https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
+        - 'Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)'  # VPNFilter https://blog.talosintelligence.com/2018/05/VPNFilter.html
+        - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)'  # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
+        - 'Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko'  # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
+        - 'Mozilla v5.1 *'  # Sofacy Zebrocy samples 
+        - 'MSIE 8.0'  # Sofacy Azzy Backdoor  from https://www.hybrid-analysis.com/sample/a80e29c0757bee05338fd5c22a542d852ad86c477068e3eb4aacc1c3e59e2eef?environmentId=100
    condition: selection
 fields:
    - ClientIP
@@ -13,7 +13,6 @@ detection:
        EventID: 4624
        LogonType: 10
        AuthenticationPackageName: Negotiate
-        Severity: Information
        AccountName: 'Admin-*'
    condition: selection
 falsepositives: 
@@ -1,5 +1,5 @@
 title: Access to ADMIN$ Share
-description: 
+description: Detects access to $ADMIN share
 status: experimental
 author: Florian Roth
 logsource:
@@ -11,7 +11,7 @@ detection:
        EventID: 5140
        ShareName: Admin$
    filter:
-        SubjectAccountName: '*$'
+        SubjectUserName: '*$'
    condition: selection and not filter
 falsepositives: 
    - Legitimate administrative activity
@@ -9,10 +9,10 @@ logsource:
    description: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'
 detection:
    selection:
-        EventID: 4707
+        EventID: 4704
    keywords:
        - 'SeEnableDelegationPrivilege'
-    condition: selection and keywords
+    condition: all of them
 falsepositives: 
    - Unknown
 level: high
@@ -12,7 +12,8 @@ logsource:
 detection:
    selection1:
        EventID: 4738
-        AllowedToDelegateTo: '*'
+    filter1:
+        AllowedToDelegateTo: null
    selection2:
        EventID: 5136
        AttributeLDAPDisplayName: 'msDS-AllowedToDelegateTo'
@@ -20,7 +21,7 @@ detection:
        EventID: 5136
        ObjectClass: 'user'
        AttributeLDAPDisplayName: 'servicePrincipalName'
-    condition: selection1 or selection2 or selection3
+    condition: (selection1 and not filter1) or selection2 or selection3
 falsepositives: 
    - Unknown
 level: high
@@ -3,7 +3,7 @@ description: This method detects well-known keywords, certain field combination
 author: Florian Roth
 logsource:
    product: windows
-    service: system
+    service: security
 detection:
    # Ruler https://github.com/sensepost/ruler
    selection1:
@@ -0,0 +1,22 @@
+title: Mimikatz DC Sync
+description: Detects Mimikatz DC sync security events
+status: experimental
+date: 2018/06/03
+author: Benjamin Delpy, Florian Roth
+references:
+    - https://twitter.com/gentilkiwi/status/1003236624925413376
+    - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 4662
+        Properties: 
+            - '*Replicating Directory Changes All*'
+            - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
+    condition: selection
+falsepositives:
+    - Unkown
+level: critical
+
@@ -16,7 +16,7 @@ logsource:
 detection:
    selection:
        EventID: 4719
-        Message: 'removed'
+        AuditPolicyChanges: 'removed'
    condition: selection
 falsepositives: 
    - Unknown
@@ -0,0 +1,21 @@
+title: smbexec.py Service Installation
+description: Detects the use of smbexec.py tool by detecting a specific service installation
+author: Omer Faruk Celik
+date: 2018/03/20
+references:
+    - https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/
+logsource:
+    product: windows
+detection:
+    service_installation:
+        EventID: 7045
+        ServiceName: 'BTOBTO'
+        ServiceFileName: '*\execute.bat'
+    condition: service_installation
+fields:
+    - ServiceName
+    - ServiceFileName
+falsepositives:
+    - Penetration Test
+    - Unknown
+level: critical
@@ -7,26 +7,26 @@ logsource:
 detection:
    selection:
        EventID: 7045
-    wce:
+    malsvc_wce:
        ServiceName: 
            - 'WCESERVICE'
            - 'WCE SERVICE'
-    paexec:
+    malsvc_paexec:
        ServiceFileName: '*\PAExec*'
-    winexe:
+    malsvc_winexe:
        ServiceFileName: 'winexesvc.exe*'
-    pwdumpx:
+    malsvc_pwdumpx:
        ServiceFileName: '*\DumpSvc.exe'
-    wannacry:
+    malsvc_wannacry:
        ServiceName: 'mssecsvc2.0'
-    persistence:
+    malsvc_persistence:
        ServiceFileName: '* net user *'
-    others:
+    malsvc_others:
        ServiceName:
            - 'pwdump*'
            - 'gsecdump*'
            - 'cachedump*'
-    condition: selection and ( wce or paexec or winexe or pwdumpx or wannacry or persistence or others )
+    condition: selection and 1 of malsvc_*
 falsepositives: 
    - Penetration testing
 level: critical
@@ -4,6 +4,7 @@ description: Detects wceaux.dll access while WCE pass-the-hash remote command ex
 author: Thomas Patzke
 references:
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+    - https://jpcertcc.github.io/ToolAnalysisResultSheet
 logsource:
    product: windows
    service: security
@@ -0,0 +1,38 @@
+--- 
+action: global
+title: NetNTLM Downgrade Attack
+description: Detects post exploitation using NetNTLM downgrade attacks
+reference: 
+    - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
+author: Florian Roth
+date: 2018/03/20
+detection:
+    condition: 1 of them
+falsepositives:
+    - Unknown
+level: critical
+--- 
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        EventID: 13
+        TargetObject: 
+            - '*SYSTEM\*ControlSet*\Control\Lsa\lmcompatibilitylevel'
+            - '*SYSTEM\*ControlSet*\Control\Lsa\NtlmMinClientSec'
+            - '*SYSTEM\*ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic'
+---
+# Windows Security Eventlog: Process Creation with Full Command Line
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
+detection:
+    selection2:
+        EventID: 4657
+        ObjectName: '\REGISTRY\MACHINE\SYSTEM\*ControlSet*\Control\Lsa'
+        ObjectValueName: 
+            - 'LmCompatibilityLevel'
+            - 'NtlmMinClientSec'
+            - 'RestrictSendingNTLMTraffic'
@@ -12,12 +12,12 @@ detection:
    selection:
        - EventID: 4624
          LogonType: '3'
-          LogonProcess: 'NtLmSsp'
+          LogonProcessName: 'NtLmSsp'
          WorkstationName: '%Workstations%'
          ComputerName: '%Workstations%'
        - EventID: 4625
          LogonType: '3'
-          LogonProcess: 'NtLmSsp'
+          LogonProcessName: 'NtLmSsp'
          WorkstationName: '%Workstations%'
          ComputerName: '%Workstations%'
    filter:
@@ -14,50 +14,50 @@ detection:
    # CamMute
    selection_cammute:
        EventID: 4688
-        ProcessCommandLine: '*\CamMute.exe'
+        CommandLine: '*\CamMute.exe'
    filter_cammute:
        EventID: 4688
-        ProcessCommandLine: '*\Lenovo\Communication Utility\*'
+        CommandLine: '*\Lenovo\Communication Utility\*'

    # Chrome Frame Helper
    selection_chrome_frame:
        EventID: 4688
-        ProcessCommandLine: '*\chrome_frame_helper.exe'
+        CommandLine: '*\chrome_frame_helper.exe'
    filter_chrome_frame:
        EventID: 4688
-        ProcessCommandLine: '*\Google\Chrome\application\*'    
+        CommandLine: '*\Google\Chrome\application\*'    

    # Microsoft Device Emulator
    selection_devemu:
        EventID: 4688
-        ProcessCommandLine: '*\dvcemumanager.exe'
+        CommandLine: '*\dvcemumanager.exe'
    filter_devemu:
        EventID: 4688
-        ProcessCommandLine: '*\Microsoft Device Emulator\*'   
+        CommandLine: '*\Microsoft Device Emulator\*'   

    # Windows Media Player Gadget
    selection_gadget:
        EventID: 4688
-        ProcessCommandLine: '*\Gadget.exe'
+        CommandLine: '*\Gadget.exe'
    filter_gadget:
        EventID: 4688
-        ProcessCommandLine: '*\Windows Media Player\*'
+        CommandLine: '*\Windows Media Player\*'

    # HTML Help Workshop
    selection_hcc:
        EventID: 4688
-        ProcessCommandLine: '*\hcc.exe'
+        CommandLine: '*\hcc.exe'
    filter_hcc:
        EventID: 4688
-        ProcessCommandLine: '*\HTML Help Workshop\*'
+        CommandLine: '*\HTML Help Workshop\*'

    # Hotkey Command Module for Intel Graphics Contollers
    selection_hkcmd:
        EventID: 4688
-        ProcessCommandLine: '*\hkcmd.exe'
+        CommandLine: '*\hkcmd.exe'
    filter_hkcmd:
        EventID: 4688
-        ProcessCommandLine: 
+        CommandLine: 
            - '*\System32\*'
            - '*\SysNative\*'
            - '*\SysWowo64\*'
@@ -65,10 +65,10 @@ detection:
    # McAfee component
    selection_mc:
        EventID: 4688
-        ProcessCommandLine: '*\Mc.exe'
+        CommandLine: '*\Mc.exe'
    filter_mc:
        EventID: 4688
-        ProcessCommandLine: 
+        CommandLine: 
            - '*\Microsoft Visual Studio*'
            - '*\Microsoft SDK*'
            - '*\Windows Kit*'
@@ -76,10 +76,10 @@ detection:
    # MsMpEng - Microsoft Malware Protection Engine
    selection_msmpeng:
        EventID: 4688
-        ProcessCommandLine: '*\MsMpEng.exe'
+        CommandLine: '*\MsMpEng.exe'
    filter_msmpeng:
        EventID: 4688
-        ProcessCommandLine: 
+        CommandLine: 
            - '*\Microsoft Security Client\*'
            - '*\Windows Defender\*'
            - '*\AntiMalware\*'
@@ -87,26 +87,26 @@ detection:
    # Microsoft Security Center
    selection_msseces:
        EventID: 4688
-        ProcessCommandLine: '*\msseces.exe'
+        CommandLine: '*\msseces.exe'
    filter_msseces:
        EventID: 4688
-        ProcessCommandLine: '*\Microsoft Security Center\*'
+        CommandLine: '*\Microsoft Security Center\*'

    # Microsoft Office 2003 OInfo
    selection_oinfo:
        EventID: 4688
-        ProcessCommandLine: '*\OInfoP11.exe'
+        CommandLine: '*\OInfoP11.exe'
    filter_oinfo:
        EventID: 4688
-        ProcessCommandLine: '*\Common Files\Microsoft Shared\*'      
+        CommandLine: '*\Common Files\Microsoft Shared\*'      

    # OLE View
    selection_oleview:
        EventID: 4688
-        ProcessCommandLine: '*\OleView.exe'
+        CommandLine: '*\OleView.exe'
    filter_oleview:
        EventID: 4688
-        ProcessCommandLine: 
+        CommandLine: 
            - '*\Microsoft Visual Studio*'
            - '*\Microsoft SDK*'
            - '*\Windows Kit*'   
@@ -115,10 +115,10 @@ detection:
    # RC
    selection_rc:
        EventID: 4688
-        ProcessCommandLine: '*\OleView.exe'
+        CommandLine: '*\OleView.exe'
    filter_rc:
        EventID: 4688
-        ProcessCommandLine: 
+        CommandLine: 
            - '*\Microsoft Visual Studio*'
            - '*\Microsoft SDK*'
            - '*\Windows Kit*'   
@@ -22,7 +22,7 @@ detection:
    condition: selection
 falsepositives: 
    - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
+level: low
 ---
 # Windows Audit Log
 logsource:
@@ -0,0 +1,16 @@
+title: PsExec Service Start
+description: Detects a PsExec service start
+author: Florian Roth
+date: 2018/03/13
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+        CommandLine: 'C:\Windows\PSEXESVC.exe'
+    condition: 1 of them
+falsepositives:
+    - Administrative activity
+level: low
@@ -12,19 +12,19 @@ author: juju4
 detection:
    selection:
        CommandLine: 
-            - '^'
-            - '@'
+            #- '^'
+            #- '@'
 # 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form?
-            - '-'
-            - '―'
-            - 'c:/'
+            # - '-'
+            # - '―'
+            #- 'c:/'
            - '<TAB>'
            - '^h^t^t^p'
            - 'h"t"t"p'
    condition: selection
 falsepositives: 
    - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
+level: low
 ---
 # Windows Audit Log
 logsource:
@@ -12,7 +12,6 @@ logsource:
    service: system
 detection:
    selection:
-        EventLog: System
        EventID: 1033
    condition: selection
 falsepositives: 
@@ -12,7 +12,6 @@ logsource:
    service: system
 detection:
    selection:
-        - EventLog: System
          EventID: 
            - 1031
            - 1032
@@ -10,11 +10,11 @@ detection:
            - 4625
            - 4776
        Status:
-            - 0xC0000072
-            - 0xC000006F
-            - 0xC0000070
-            - 0xC0000413
-            - 0xC000018C
+            - '0xC0000072'
+            - '0xC000006F'
+            - '0xC0000070'
+            - '0xC0000413'
+            - '0xC000018C'
    condition: selection
 falsepositives:
    - User using a disabled account
@@ -5,15 +5,20 @@ logsource:
    product: windows
    service: security
 detection:
-    selection:
+    selection1:
        EventID:
            - 529
            - 4625
-            - 4776
-        UserName: not null
-        SourceWorkstation: not null
+        UserName: '*'
+        WorkstationName: '*'
+    selection2:
+        EventID: 4776
+        UserName: '*'
+        Workstation: '*'
    timeframe: 24h 
-    condition: selection | count(UserName) by SourceWorkstation > 3
+    condition:
+        - selection1 | count(UserName) by WorkstationName > 3
+        - selection2 | count(UserName) by Workstation > 3
 falsepositives:
    - Terminal servers
    - Jump servers
@@ -16,12 +16,11 @@ detection:
    selection2:
        Source: 'Windows Error Reporting'
        EventID: 1001
-    keyword1:
+    keywords:
        - 'MsMpEng.exe'
-    keyword2:
        - 'mpengine.dll'
-    condition: (selection1 or selection2) and keyword1 and keyword2
+    condition: 1 of selection* and all of keywords
 falsepositives: 
-    - Unknown
+    - MsMpEng.exe can crash when C:\ is full
 level: high

@@ -7,7 +7,7 @@ author: Florian Roth (rule), Jack Croock (method)
 logsource:
    product: windows
    service: security
-    description: The volume of Event ID 4661 ist high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommandations for server systems
+    description: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommandations for server systems
 detection:
    selection:
        - EventID: 4661
@@ -0,0 +1,31 @@
+---
+action: global
+title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
+description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
+status: experimental
+references:
+    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
+author: Thomas Patzke
+detection:
+    selection:
+        CommandLine: '*\ntdsutil.exe *'
+    condition: selection
+falsepositives: 
+    - NTDS maintenance
+level: high
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+
@@ -0,0 +1,20 @@
+title: NTLM Logon
+status: experimental
+description: Detects logons using NTLM, which could be caused by a legacy source or attackers
+references:
+    - https://twitter.com/JohnLaTwC/status/1004895028995477505
+    - https://goo.gl/PsqrhT
+author: Florian Roth
+date: 2018/06/08
+logsource:
+    product: windows
+    service: ntlm
+    description: Reqiures events from Microsoft-Windows-NTLM/Operational
+detection:
+    selection:
+        EventID: 8002
+        CallingProcessName: '*'  # We use this to avoid false positives with ID 8002 on other log sources if the logsource isn't set correctly
+    condition: selection
+falsepositives:
+    - Legacy hosts
+level: low
@@ -1,83 +0,0 @@
-action: global
-title: Phantom DLLs Usage
-description: Detects Phantom DLLs usage and matching executable
-status: experimental
-references:
-    - http://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
-    - http://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/
-author: juju4
-detection:
-    selection:
-        CommandLine: 
-            - '*ntbackup*'
-            - '*\edbbcli.dll*'
-            - '*\esebcli2.dll*'
-#            - '*mrt*'
-            - '*\bcrypt.dll*'
-            - '*sessmgr*'
-            - '*\SalemHook.dll*'
-            - '*certreq*'
-            - '*\msfte.dll*'
-            - '*\mstracer.dll*'
-            - '*fxscover*'
-            - '*\TPPrnUIENU.dll*'
-            - '*dxdiag*'
-            - '*\DXGIDebug.dll*'
-            - '*msinfo32*'
-            - '*\fveapi.dll*'
-            - '*narrator*'
-            - '*\MSTTSLocEnUS.dll*'
-            - '*\Wow64Log.dll*'
-            - '*Dism*'
-            - '*\Dism\wimgapi.dll*'
-            - '*\DismCore.dll*'
-            - '*FileHistory*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\api-ms-win-core-winrt-l1-1-0.dll*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\mscoree.dll*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\ole32.dll*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\urlmon.dll*'
-#            - '*mmc*'
-            - '*\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\oleaut32.dll*'
-            - '*\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\shell32.dll*'
-            - '*\Microsoft.Net\assembly\GAC_MSIL\MIGUIControls\v4.0_1.0.0.0__31bf3856ad364e35\ntdll.dll*'
-            - '*\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\comctl32.dll*'
-            - '*\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\uxtheme.dll*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\api-ms-win-core-winrt-l1-1-0.dll*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\mscoree.dll*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\ole32.dll*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\VERSION.dll*'
-            - '*Narrator*'
-            - '*speech\engines\tts\MSTTSLocEnUS.DLL'
-            - '*omadmclient*'
-            - '*cmnet.dll*'
-            - '*PresentationHost*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationHost_v0400.dll*'
-            - '*provtool*'
-            - '*MvHelper.dll*'
-            - '*SearchIndexer*'
-            - '*msfte.dll*'
-            - '*msTracer.dll*'
-            - '*SearchProtocolHost*'
-            - '*msfte.dll*'
-            - '*msTracer.dll*'
-    condition: selection
-falsepositives: 
-    - False positives depend on environment
-level: medium
---
-# Windows Audit Log
-logsource:
-    product: windows
-    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
---
-# Sysmon
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
@@ -2,7 +2,8 @@ title: Suspicious Kerberos RC4 Ticket Encryption
 status: experimental
 references:
    - https://adsecurity.org/?p=3458
-description: Detects logons using RC4 encryption type
+    - https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity
+description: Detects service ticket requests using RC4 encryption type
 logsource:
    product: windows
    service: security
@@ -10,10 +11,9 @@ detection:
    selection:
        EventID: 4769
        TicketOptions: '0x40810000'
-        TicketEncryption: '0x17'
+        TicketEncryptionType: '0x17'
    reduction:
        - ServiceName: '$*'
-        - Type: 'Success Audit'
    condition: selection and not reduction
 falsepositives:
    - Service accounts used on legacy systems (e.g. NetApp)
@@ -11,7 +11,7 @@ detection:
        EventID: 16
    keywords:
        - '*\AppData\Local\Temp\SAM-*.dmp *'
-    condition: selection and keywords
+    condition: all of them
 falsepositives: 
    - Penetration testing
 level: high
@@ -6,13 +6,12 @@ logsource:
    service: security
 detection:
    samrpipe:
-            - EventLog: Security
-              EventID: 5145
-              RelativeTargetName: samr
+        EventID: 5145
+        RelativeTargetName: samr
    passwordchanged:
-            - EventLog: Security
-              EventID: 4738
-              PasswordLastSet: (any) 
+        EventID: 4738
+    passwordchanged_filter:
+        PasswordLastSet: null
    timeframe: 15s 
-    condition: samrpipe | near passwordchanged
+    condition: ( passwordchanged and not passwordchanged_filter ) | near samrpipe
 level: medium
@@ -3,6 +3,7 @@ status: experimental
 description: Detects renaming of file while deletion with SDelete tool
 author: Thomas Patzke
 references:
+    - https://jpcertcc.github.io/ToolAnalysisResultSheet
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
    - https://technet.microsoft.com/en-us/en-en/sysinternals/sdelete.aspx
 logsource:
@@ -0,0 +1,34 @@
+---
+action: global
+title: Sysprep on AppData Folder
+status: experimental
+description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
+references:
+    - https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
+    - https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b
+author: Florian Roth
+date: 2018/06/22
+detection:
+    selection:
+        CommandLine: 
+            - '*\sysprep.exe *\AppData\*'
+            - 'sysprep.exe *\AppData\*'
+    condition: selection
+falsepositives: 
+    - False positives depend on scripts and administrative tools used in the monitored environment
+level: medium
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
@@ -0,0 +1,33 @@
+---
+action: global
+title: Whoami Execution
+status: experimental
+description: 'Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators' 
+references:
+    - https://twitter.com/haroonmeer/status/939099379834658817
+    - https://twitter.com/c_APT_ure/status/939475433711722497
+author: Florian Roth
+date: 2018/05/22
+detection:
+    condition: selection
+falsepositives: 
+    - Admin activity
+    - Scripts and administrative tools used in the monitored environment
+level: high
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        CommandLine: 'whoami'
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+        NewProcessName: '*\whoami.exe'
@@ -10,7 +10,7 @@ detection:
        EventID: 4732
        GroupName: Administrators
    filter:
-        SubjectAccountName: '*$'
+        SubjectUserName: '*$'
    condition: selection and not filter
 falsepositives: 
    - Legitimate administrative activity
@@ -0,0 +1,32 @@
+---
+action: global
+title: WMI Persistence - Script Event Consumer
+status: experimental
+description: Detects WMI script event consumers
+references:
+    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+author: Thomas Patzke
+date: 2018/03/07
+detection:
+    selection:
+        Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
+        ParentImage: 'C:\Windows\System32\svchost.exe'
+    condition: selection
+falsepositives: 
+    - Legitimate event consumers
+level: high
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
@@ -26,7 +26,7 @@ detection:
        CommandLine: '*.dat,#1'       
    perfc_keyword:
        - '*\perfc.dat*'
-    condition: fsutil_clean_journal or pipe_com or event_clean or rundll32_dash1 or perfc_keyword
+    condition: 1 of them
 fields:
    - CommandLine
    - ParentCommandLine
@@ -30,7 +30,7 @@ detection:
            - '*bcdedit /set {default} recoveryenabled no*'
            - '*wbadmin delete catalog -quiet*'
            - '*@Please_Read_Me@.txt*'
-    condition: selection1 or selection2
+    condition: 1 of them
 fields:
    - CommandLine
    - ParentCommandLine
@@ -40,7 +40,7 @@ logsource:
 detection:
    selection:
        EventID: 11
-        TargetFileName: 
+        TargetFilename: 
            - '*\AppData\Roaming\Oracle\bin\java*.exe'
            - '*\Retrive*.vbs'
 ---
@@ -12,7 +12,7 @@ detection:
            - '*icacls * /grant Everyone:F /T /C /Q*'
            - '*bcdedit /set {default} recoveryenabled no*'
            - '*wbadmin delete catalog -quiet*'
-    condition: selection1 or selection2
+    condition: 1 of them
 falsepositives: 
    - Unknown
 level: critical
@@ -4,6 +4,7 @@ description: Detects PsExec service installation and execution events (service a
 author: Thomas Patzke
 references:
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+    - https://jpcertcc.github.io/ToolAnalysisResultSheet
 logsource:
    product: windows
 detection:
@@ -18,7 +19,7 @@ detection:
        EventID: 1
        Image: '*\PSEXESVC.exe'
        User: 'NT AUTHORITY\SYSTEM'
-    condition: service_installation or service_execution or sysmon_processcreation
+    condition: 1 of them
 fields:
    - EventID
    - CommandLine
@@ -1,9 +1,10 @@
 title: WMI Persistence
 status: experimental
-description: Detects suspicious WMI event filter and command line event consumer based on event id 5861 (Windows 10, 2012 and higher)
+description: Detects suspicious WMI event filter and command line event consumer based on event id 5861 and 5859 (Windows 10, 2012 and higher)
 author: Florian Roth
 references:
    - https://twitter.com/mattifestation/status/899646620148539397
+    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
 logsource:
    product: windows
    service: wmi
@@ -11,10 +12,13 @@ detection:
    selection:
        EventID: 5861
    keywords:
+        - 'ActiveScriptEventConsumer'
        - 'CommandLineEventConsumer'
        - 'CommandLineTemplate'
        - 'Binding EventFilter'
-    condition: selection and 1 of keywords
+    selection2:
+        EventID: 5859
+    condition: selection and 1 of keywords or selection2
 falsepositives:
    - Unknown (data set is too small; further testing needed)
 level: high
@@ -1,6 +1,6 @@
-title: Malicious PowerShell Commandlets
+title: Malicious PowerShell Keywords
 status: experimental
-description: Detects Commandlet names from well-known PowerShell exploitation frameworks
+description: Detects keywords from well-known PowerShell exploitation frameworks
 references:
    - https://adsecurity.org/?p=2921
 author: Sean Metcalf (source), Florian Roth (rule)
@@ -14,7 +14,7 @@ detection:
        EventID: 4104
    keyword:
        - 'PromptForCredential'
-    condition: selection and keyword
+    condition: all of them
 falsepositives:
    - Unknown
 level: high
@@ -11,9 +11,9 @@ logsource:
 detection:
    selection:
        EventID: 4103
-    keywords: 
+    keyword: 
        - 'PS ATTACK!!!'
-    condition: selection and keywords
+    condition: all of them
 falsepositives:
    - Pentesters
 level: high
@@ -16,8 +16,9 @@ detection:
    noninteractive:
        - ' -noni '
        - ' -noninteractive '
-    condition: encoded and hidden and noninteractive
+    condition: all of them
 falsepositives:
    - Penetration tests
+    - Very special / sneaky PowerShell scripts
 level: high

@@ -0,0 +1,24 @@
+title: Executable in ADS
+status: experimental
+description: Detects the creation of an ADS data stream that contains an executable (non-empty imphash)
+references:
+    - https://twitter.com/0xrawsec/status/1002478725605273600?s=21
+author: Florian Roth, @0xrawsec
+date: 2018/06/03
+logsource:
+    product: windows
+    service: sysmon
+    description: 'Requirements: Sysmon config with Imphash logging activated'
+detection:
+    selection:
+        EventID: 15
+    filter:
+        Imphash: '00000000000000000000000000000000'
+    condition: selection and not filter
+fields:
+    - TargetFilename
+    - Image
+falsepositives:
+    - unknown
+level: critical
+
@@ -0,0 +1,33 @@
+title: SquiblyTwo
+status: experimental
+description: Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash
+references:
+    - https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html
+    - https://twitter.com/mattifestation/status/986280382042595328
+author: Markus Neis / Florian Roth
+falsepositives:
+    - Unknown
+level: medium
+logsource:
+   product: windows
+   service: sysmon
+detection:
+    selection1:
+        EventID: 1
+        Image:
+            - '*\wmic.exe'
+        CommandLine:
+            - 'wmic * *format:\"http*'
+            - "wmic * /format:'http"
+            - 'wmic * /format:http*'
+    selection2:
+        EventID: 1
+        Imphash:
+             - '1B1A3F43BF37B5BFE60751F2EE2F326E'
+             - '37777A96245A3C74EB217308F3546F4C'
+             - '9D87C9D67CE724033C0B40CC4CA1B206'
+        CommandLine:
+            - '* *format:\"http*'
+            - "* /format:'http"
+            - '* /format:http*'
+    condition: 1 of them
@@ -0,0 +1,23 @@
+title: cmdkey Cached Credentials Recon
+status: experimental
+description: Detects usage of cmdkey to look for cached credentials.
+reference: 
+    - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
+    - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx
+author: jmallette
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        Image: '*\cmdkey.exe'
+        CommandLine: '* /list *'
+    condition: selection
+fields:
+    - CommandLine
+    - ParentCommandLine
+    - User
+falsepositives:
+    - Legitimate administrative tasks.
+level: low
@@ -0,0 +1,34 @@
+title: CMSTP Execution
+status: stable
+description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
+author: Nik Seetharaman
+references:
+    - http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    # CMSTP Spawning Child Process
+    selection1:
+        EventID: 1
+        ParentImage: '*\cmstp.exe'
+    # Registry Object Add
+    selection2:
+        EventID: 12
+        TargetObject: '*\cmmgr32.exe*'
+    # Registry Object Value Set
+    selection3:
+        EventID: 13
+        TargetObject: '*\cmmgr32.exe*'
+    # Process Access Call Trace
+    selection4:
+        EventID: 10
+        CallTrace: '*cmlua.dll*'
+    condition: 1 of them
+fields:
+    - CommandLine
+    - ParentCommandLine
+    - Details
+falsepositives:
+    - Legitimate CMSTP use (unlikely in modern enterprise environments)
+level: high
@@ -15,7 +15,7 @@ detection:
    dnsregmod:
        EventID: 13
        TargetObject: '*\services\DNS\Parameters\ServerLevelPluginDll'
-    condition: dnsadmin or dnsregmod
+    condition: 1 of them
 fields:
    - EventID
    - CommandLine
@@ -0,0 +1,19 @@
+title: MSHTA spwaned by SVCHOST as seen in LethalHTA 
+status: experimental
+description: Detects MSHTA.EXE spwaned by SVCHOST described in report
+references:
+    - https://codewhitesec.blogspot.com/2018/07/lethalhta.html
+author: Markus Neis
+date: 2018/06/07
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        ParentImage: '*\svchost.exe'
+        Image: '*\mshta.exe'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -1,6 +1,6 @@
 title: Suspicious Typical Malware Back Connect Ports
 status: experimental
-description: Detects programs that connect to typical malware back connetc ports based on statistical analysis from two different sandbox system databases
+description: Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases
 references:
    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
 author: Florian Roth
@@ -68,4 +68,4 @@ detection:
    condition: selection and not filter
 falsepositives:
    - unknown
-level: medium
+level: medium
@@ -1,6 +1,6 @@
 title: Malware Shellcode in Verclsid Target Process
 status: experimental
-description: Detetcs a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
+description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
 references:
    - https://twitter.com/JohnLaTwC/status/837743453039534080
 author: John Lambert (tech), Florian Roth (rule)
@@ -19,7 +19,7 @@ detection:
    combination2:
        SourceImage: '*\Microsoft Office\*'
        CallTrace: '*|UNKNOWN*'
-    condition: selection and ( combination1 or combination2 )
+    condition: selection and 1 of combination*
 falsepositives:
    - unknown
 level: high
@@ -22,7 +22,7 @@ detection:
            - '*\regsvr32.exe'
            - '*\BITSADMIN*'
    filter:
-        Commandline:
+        CommandLine:
            - '*/HP/HP*'
            - '*\HP\HP*'
    condition: selection and not filter
@@ -3,7 +3,9 @@ status: experimental
 description: Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.
 references:
    - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
-author: Michael Haag
+    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
+author: Michael Haag, Florian Roth
+date: 2018/04/06
 logsource:
    product: windows
    service: sysmon
@@ -16,6 +18,7 @@ detection:
            - '*\POWERPNT.exe'
            - '*\MSPUB.exe'
            - '*\VISIO.exe'
+            - '*\OUTLOOK.EXE'
        Image:
            - '*\cmd.exe'
            - '*\powershell.exe'
@@ -27,6 +30,10 @@ detection:
            - '*\schtasks.exe'  # see https://www.hybrid-analysis.com/sample/b409538c99f99b94a5035d9fa44a506b41be0feb23e89b7e4d272ba791aa6002?environmentId=100
            - '*\regsvr32.exe'  # see https://twitter.com/subTee/status/899283365647458305
            - '*\hh.exe'  # see https://www.hybrid-analysis.com/sample/6abc2b63f1865a847ff7f5a9d49bb944397b36f5503b9718d6f91f93d60f7cd7?environmentId=100
+            - '*\wmic.exe'  # see https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
+            - '*\mshta.exe'  # see https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
+            - '*\rundll32.exe'  # see https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
+            - '*\msiexec.exe'  # see https://twitter.com/DissectMalware/status/984252467474026497
    condition: selection
 fields:
    - CommandLine
@@ -0,0 +1,31 @@
+title: Microsoft Outlook Spawning Windows Shell
+status: experimental
+description: Detects a Windows command line executable started from Microsoft Outlook
+references:
+    - https://www2.cybereason.com/asset/60:research-cobalt-kitty-attack-lifecycle
+author: Florian Roth
+date: 2018/03/06
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        ParentImage:
+            - '*\OUTLOOK.EXE'
+        Image:
+            - '*\cmd.exe'
+            - '*\powershell.exe'
+            - '*\wscript.exe'
+            - '*\cscript.exe'
+            - '*\sh.exe'
+            - '*\bash.exe'
+            - '*\schtasks.exe'
+    condition: selection
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - False positives are possible, depends on organisation and processes
+level: high
+
@@ -7,11 +7,9 @@ logsource:
 detection:
    selection:
        EventID: 8
-        TargetProcess: 'C:\Windows\System32\lsass.exe'
+        TargetImage: 'C:\Windows\System32\lsass.exe'
        StartModule: null
    condition: selection
 falsepositives:
    - unknown
 level: high
-
-
@@ -1,6 +1,6 @@
 title: PowerShell Download from URL
 status: experimental
-description: Detetcs a Powershell process that contains download commands in its command line string
+description: Detects a Powershell process that contains download commands in its command line string
 author: Florian Roth
 logsource:
    product: windows
@@ -0,0 +1,115 @@
+title: Malicious PowerShell Commandlet Names
+status: experimental
+description: Detects the creation of known powershell scripts for exploitation
+references:
+    - https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml
+author: Markus Neis
+date: 2018/04/07
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 11
+        TargetFilename:
+            - '*\Invoke-DllInjection.ps1'   
+            - '*\Invoke-WmiCommand.ps1'
+            - '*\Get-GPPPassword.ps1'
+            - '*\Get-Keystrokes.ps1'
+            - '*\Get-VaultCredential.ps1'
+            - '*\Invoke-CredentialInjection.ps1'
+            - '*\Invoke-Mimikatz.ps1'
+            - '*\Invoke-NinjaCopy.ps1'
+            - '*\Invoke-TokenManipulation.ps1'
+            - '*\Out-Minidump.ps1'
+            - '*\VolumeShadowCopyTools.ps1'
+            - '*\Invoke-ReflectivePEInjection.ps1'
+            - '*\Get-TimedScreenshot.ps1'
+            - '*\Invoke-UserHunter.ps1'
+            - '*\Find-GPOLocation.ps1'
+            - '*\Invoke-ACLScanner.ps1'
+            - '*\Invoke-DowngradeAccount.ps1'
+            - '*\Get-ServiceUnquoted.ps1'
+            - '*\Get-ServiceFilePermission.ps1'
+            - '*\Get-ServicePermission.ps1'
+            - '*\Invoke-ServiceAbuse.ps1'
+            - '*\Install-ServiceBinary.ps1'
+            - '*\Get-RegAutoLogon.ps1'
+            - '*\Get-VulnAutoRun.ps1'
+            - '*\Get-VulnSchTask.ps1'
+            - '*\Get-UnattendedInstallFile.ps1'
+            - '*\Get-WebConfig.ps1'
+            - '*\Get-ApplicationHost.ps1'
+            - '*\Get-RegAlwaysInstallElevated.ps1'
+            - '*\Get-Unconstrained.ps1'
+            - '*\Add-RegBackdoor.ps1'
+            - '*\Add-ScrnSaveBackdoor.ps1'
+            - '*\Gupt-Backdoor.ps1'
+            - '*\Invoke-ADSBackdoor.ps1'
+            - '*\Enabled-DuplicateToken.ps1'
+            - '*\Invoke-PsUaCme.ps1'
+            - '*\Remove-Update.ps1'
+            - '*\Check-VM.ps1'
+            - '*\Get-LSASecret.ps1'
+            - '*\Get-PassHashes.ps1'
+            - '*\Invoke-Mimikatz.ps1'
+            - '*\Show-TargetScreen.ps1'
+            - '*\Port-Scan.ps1'
+            - '*\Invoke-PoshRatHttp.ps1'
+            - '*\Invoke-PowerShellTCP.ps1'
+            - '*\Invoke-PowerShellWMI.ps1'
+            - '*\Add-Exfiltration.ps1'
+            - '*\Add-Persistence.ps1'
+            - '*\Do-Exfiltration.ps1'
+            - '*\Start-CaptureServer.ps1'
+            - '*\Invoke-ShellCode.ps1'
+            - '*\Get-ChromeDump.ps1'
+            - '*\Get-ClipboardContents.ps1'
+            - '*\Get-FoxDump.ps1'
+            - '*\Get-IndexedItem.ps1'
+            - '*\Get-Screenshot.ps1'
+            - '*\Invoke-Inveigh.ps1'
+            - '*\Invoke-NetRipper.ps1'
+            - '*\Invoke-EgressCheck.ps1'
+            - '*\Invoke-PostExfil.ps1'
+            - '*\Invoke-PSInject.ps1'
+            - '*\Invoke-RunAs.ps1'
+            - '*\MailRaider.ps1'
+            - '*\New-HoneyHash.ps1'
+            - '*\Set-MacAttribute.ps1'
+            - '*\Invoke-DCSync.ps1'
+            - '*\Invoke-PowerDump.ps1'
+            - '*\Exploit-Jboss.ps1'
+            - '*\Invoke-ThunderStruck.ps1'
+            - '*\Invoke-VoiceTroll.ps1'
+            - '*\Set-Wallpaper.ps1'
+            - '*\Invoke-InveighRelay.ps1'
+            - '*\Invoke-PsExec.ps1'
+            - '*\Invoke-SSHCommand.ps1'
+            - '*\Get-SecurityPackages.ps1'
+            - '*\Install-SSP.ps1'
+            - '*\Invoke-BackdoorLNK.ps1'
+            - '*\PowerBreach.ps1'
+            - '*\Get-SiteListPassword.ps1'
+            - '*\Get-System.ps1'
+            - '*\Invoke-BypassUAC.ps1'
+            - '*\Invoke-Tater.ps1'
+            - '*\Invoke-WScriptBypassUAC.ps1'
+            - '*\PowerUp.ps1'
+            - '*\PowerView.ps1'
+            - '*\Get-RickAstley.ps1'
+            - '*\Find-Fruit.ps1'
+            - '*\HTTP-Login.ps1'
+            - '*\Find-TrustedDocuments.ps1'
+            - '*\Invoke-Paranoia.ps1'
+            - '*\Invoke-WinEnum.ps1'
+            - '*\Invoke-ARPScan.ps1'
+            - '*\Invoke-PortScan.ps1'
+            - '*\Invoke-ReverseDNSLookup.ps1'
+            - '*\Invoke-SMBScanner.ps1'
+            - '*\Invoke-Mimikittenz.ps1'
+    condition: selection
+falsepositives:
+    - Penetration Tests
+level: high
+        
@@ -1,6 +1,6 @@
 title: PowerShell Network Connections
 status: experimental
-description: "Detetcs a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')"  
+description: "Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')"  
 author: Florian Roth
 references:
    - https://www.youtube.com/watch?v=DLtJTxMWZ2o
@@ -1,25 +0,0 @@
-title: Suspicious PowerShell Parameter Combination
-status: experimental
-description: Detects suspicious PowerShell invocation command parameters
-author: Florian Roth
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    keywords:
-        - 'powershell'
-    encoded:
-        - ' -enc '
-        - ' -EncodedCommand '
-    hidden:
-        - ' -w hidden '
-        - ' -window hidden '
-        - ' -windowstyle hidden '
-    noninteractive:
-        - ' -noni '
-        - ' -noninteractive '
-    condition: keywords and encoded and hidden and noninteractive
-falsepositives:
-    - Penetration tests
-    - Very special / sneaky PowerShell scripts
-level: high
@@ -51,7 +51,7 @@ detection:
        - ' -encod '
        - ' -enco '
        - ' -en '
-    condition: keywords and substrings
+    condition: all of them
 falsepositives:
    - Penetration tests
 level: high
@@ -0,0 +1,23 @@
+title: Default PowerSploit Schtasks Persistence 
+status: experimental
+description: Detects the creation of a schtask via PowerSploit Default Configuration 
+references:
+    - https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1
+author: Markus Neis
+date: 2018/03/06
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        ParentImage:
+            - '*\Powershell.exe'
+        CommandLine:
+            - '*\schtasks.exe*/Create*/RU*system*/SC*ONLOGON*'
+            - '*\schtasks.exe*/Create*/RU*system*/SC*DAILY*'
+            - '*\schtasks.exe*/Create*/RU*system*/SC*ONIDLE*'
+            - '*\schtasks.exe*/Create*/RU*system*/SC*HOURLY*'
+    condition: selection
+falsepositives:
+    - False positives are possible, depends on organisation and processes
+level: high
@@ -13,7 +13,7 @@ detection:
    selection:
        # Sysmon: File Creation (ID 11)
        EventID: 11
-        TargetFileName: '*\AppData\Local\Temp\SAM-*.dmp*'
+        TargetFilename: '*\AppData\Local\Temp\SAM-*.dmp*'
    condition: selection
 falsepositives:
    - Unknown
@@ -0,0 +1,35 @@
+title: Windows Shell Spawning Suspicious Program
+status: experimental
+description: Detects a suspicious child process of a Windows shell
+references:
+    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
+author: Florian Roth
+date: 20018/04/06
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        ParentImage:
+            - '*\mshta.exe'
+            - '*\powershell.exe'
+            - '*\cmd.exe'
+            - '*\rundll32.exe'
+            - '*\cscript.exe'
+            - '*\wscript.exe'
+            - '*\wmiprvse.exe'
+        Image:
+            - '*\schtasks.exe'
+            - '*\nslookup.exe'
+            - '*\certutil.exe'
+            - '*\bitsadmin.exe'
+            - '*\mshta.exe'
+    condition: selection
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Administrative scripts
+level: high
+
@@ -0,0 +1,36 @@
+title: Sticky Key Like Backdoor Usage
+description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
+references:
+    - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
+author: Florian Roth, @twjackomo
+date: 2018/03/15
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection_process:
+        EventID: 1
+        ParentImage:
+            - '*\winlogon.exe'
+        CommandLine:
+            - '*\cmd.exe sethc.exe *'
+            - '*\cmd.exe utilman.exe *'
+            - '*\cmd.exe osk.exe *'
+            - '*\cmd.exe Magnify.exe *'
+            - '*\cmd.exe Narrator.exe *'
+            - '*\cmd.exe DisplaySwitch.exe *'
+    selection_registry:
+        EventID: 13
+        TargetObject: 
+            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger'
+            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger'
+            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger'
+            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'
+            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
+            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
+        EventType: 'SetValue'
+    condition: 1 of them
+falsepositives:
+    - Unlikely
+level: critical
+
@@ -1,9 +1,7 @@
 title: Suspicious Certutil Command
 status: experimental
-description: Detetcs a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility
-author:
-    - Florian Roth
-    - juju4
+description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility
+author: Florian Roth, juju4
 references:
    - https://twitter.com/JohnLaTwC/status/835149808817991680
    - https://twitter.com/subTee/status/888102593838362624
@@ -1,5 +1,5 @@
 title: Suspicious Driver Load from Temp
-description: Detetcs a driver load from a temporary directory
+description: Detects a driver load from a temporary directory
 author: Florian Roth
 logsource:
    product: windows
@@ -10,5 +10,5 @@ detection:
        ImageLoaded: '*\Temp\*'
    condition: selection
 falsepositives:
-    - there is a relevant set of false positives depending on applications in the envirnment 
+    - there is a relevant set of false positives depending on applications in the environment 
 level: medium
@@ -0,0 +1,22 @@
+title: Possible Process Hollowing Image Loading 
+status: experimental
+description: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz
+references:
+    - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html
+author: Markus Neis
+date: 2018/01/07
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 7
+        Image:
+            - '*\notepad.exe'
+        ImageLoaded:
+            - '*\samlib.dll'
+            - '*\WinSCard.dll'
+    condition: selection
+falsepositives:
+    - Very likely, needs more tuning
+level: high
@@ -1,6 +1,6 @@
 title: Processes created by MMC 
 status: experimental
-description: Processes started by MMC could by a sign of lateral movement using MMC application COM object 
+description: Processes started by MMC could be a sign of lateral movement using MMC application COM object 
 references:
    - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
 logsource:
@@ -27,4 +27,4 @@ fields:
    - ParentCommandLine
 falsepositives:
    - Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine.
-level: medium
+level: low
@@ -0,0 +1,23 @@
+title: Ping Hex IP
+description: Detects a ping command that uses a hex encoded IP address
+references:
+    - https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna
+    - https://twitter.com/vysecurity/status/977198418354491392
+author: Florian Roth
+date: 2018/03/23
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        CommandLine:
+            - '*\ping.exe 0x*'
+            - '*\ping 0x*'
+    condition: selection
+fields:
+    - ParentCommandLine
+falsepositives:
+    - Unlikely, because no sane admin pings IP addresses in a hexadecimal form
+level: high
+
@@ -0,0 +1,19 @@
+title: PowerShell Rundll32 Remote Thread Creation
+status: experimental
+description: Detects PowerShell remote thread creation in Rundll32.exe 
+author: Florian Roth
+references:
+    - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
+date: 2018/06/25
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 8
+        SourceImage: '*\powershell.exe'
+        TargetImage: '*\rundll32.exe'
+    condition: selection
+falsepositives:
+    - Unkown
+level: high
@@ -22,7 +22,7 @@ detection:
    selection3:
        EventID: 1
        Image: '*\regsvr32.exe'
-        Commandline: 
+        CommandLine: 
            - '*/i:http* scrobj.dll'
            - '*/i:ftp* scrobj.dll'
    # Regsvr32.exe spawned wscript.exe process - indicator of COM scriptlet
@@ -31,7 +31,12 @@ detection:
        EventID: 1
        Image: '*\wscript.exe'
        ParentImage: '*\regsvr32.exe'
-    condition: selection1 or selection2 or selection3 or selection4
+    # https://twitter.com/danielhbohannon/status/974321840385531904
+    selection5:
+        EventID: 1
+        Image: '*\EXCEL.EXE'
+        CommandLine: '*..\..\..\Windows\System32\regsvr32.exe *'
+    condition: 1 of them
 fields:
    - CommandLine
    - ParentCommandLine
@@ -1,6 +1,6 @@
 title: Suspicious Svchost Process
 status: experimental
-description: Detects a suspicious scvhost process start 
+description: Detects a suspicious svchost process start 
 author: Florian Roth
 date: 2017/08/15
 logsource:
@@ -11,7 +11,9 @@ detection:
        EventID: 1
        Image: '*\svchost.exe'
    filter:
-        ParentImage: '*\services.exe'
+        ParentImage: 
+            - '*\services.exe'
+            - '*\MsMpEng.exe'
    condition: selection and not filter
 fields:
    - CommandLine
@@ -0,0 +1,17 @@
+title: Taskmgr as LOCAL_SYSTEM
+status: experimental
+description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
+author: Florian Roth
+date: 2018/03/18
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        User: 'NT AUTHORITY\SYSTEM'
+        Image: '*\taskmgr.exe'
+    condition: selection
+falsepositives:
+    - Unkown
+level: high
@@ -0,0 +1,24 @@
+title: Taskmgr as Parent
+status: experimental
+description: Detects the creation of a process from Windows task manager
+author: Florian Roth
+date: 2018/03/13
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        ParentImage: '*\taskmgr.exe'
+    filter:
+        Image: 
+            - 'resmon.exe'
+            - 'mmc.exe'
+    condition: selection and not filter
+fields:
+    - Image
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Administrative activity
+level: low
@@ -0,0 +1,20 @@
+title: Suspicious TSCON Start
+status: experimental
+description: Detects a tscon.exe start as LOCAL SYSTEM 
+reference: 
+    - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
+    - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
+author: Florian Roth
+date: 2018/03/17
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        User: 'NT AUTHORITY\SYSTEM'
+        Image: '*\tscon.exe'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
--- a/Show More
+++ b/Show More