Sigma tools release 0.6

Merge of SOC Prime QRadar backend
Added QRadar backend to CI testing
2018-07-17 23:12:23 +02:00 · 2018-07-17 22:57:54 +02:00 · 2018-07-17 22:56:31 +02:00 · 2018-07-17 22:45:21 +02:00 · 2018-07-17 14:39:56 -06:00 · 2018-07-17 15:25:27 +03:00
104 changed files with 2802 additions and 285 deletions
@@ -2,10 +2,13 @@ language: python
 python:
  - 3.5
  - 3.6
-  - pypy3
+services:
+    - elasticsearch
 cache: pip
+before_install:
+    - curl -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.2.4.deb && sudo dpkg -i --force-confnew elasticsearch-6.2.4.deb && sudo service elasticsearch restart
 install:
  - pip install -r tools/requirements-devel.txt 
-
 script:
  - make test
+  - make test-backend-es-qs
@@ -18,9 +18,16 @@ test-sigmac:
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -O rulecomment -rvdI -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t graylog rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkxml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t wdatp rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-dsl rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight -c tools/config/arcsight.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qradar -c tools/config/arcsight.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qualys -c tools/config/qualys.yml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=stable,logsource=windows' rules/ > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=xcritical,status=stable,logsource=windows' rules/ > /dev/null
@@ -30,7 +37,9 @@ test-sigmac:
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t kibana rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -Ooutput=curl -t kibana rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t kibana rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -Ooutput=curl -t kibana rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t xpack-watcher rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t xpack-watcher rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-defaultindex.yml -t xpack-watcher rules/ > /dev/null
@@ -53,11 +62,14 @@ test-sigmac:
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c not_existing rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_yaml.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_config.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvI -c tools/config/elk-defaultindex.yml -t kibana rules/ > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rv -c tools/config/elk-defaultindex.yml -t kibana rules/ > /dev/null

 test-merge:
 	tests/test-merge.sh
-	! coverage run -a --include=$(COVSCOPE) tools/merge_sigma.py tests/not_existing.yml > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/merge_sigma tests/not_existing.yml > /dev/null
+
+test-backend-es-qs:
+	tests/test-backend-es-qs.py

 build: tools/sigmac tools/merge_sigma tools/sigma/*.py tools/setup.py tools/setup.cfg
 	cd tools && python3 setup.py bdist_wheel
@@ -18,48 +18,25 @@ This repository contains:
 * Open repository for sigma signatures in the `./rules`subfolder
 * A converter that generate searches/queries for different SIEM systems [work in progress]

+![sigma_description](./images/Sigma-description.png)
+
 ## Hack.lu 2017 Talk

 [![Sigma - Generic Signatures for Log Events](https://preview.ibb.co/cMCigR/Screen_Shot_2017_10_18_at_15_47_15.png)](https://www.youtube.com/watch?v=OheVuE9Ifhs "Sigma - Generic Signatures for Log Events")

 # Use Cases

-* Describe your once discovered detection method in Sigma to make it sharable 
-* Share the signature in the appendix of your analysis along with file hashes and C2 servers
+* Describe your detection method in Sigma to make it sharable
+* Write and your SIEM searches in Sigma to avoid a vendor lock-in
+* Share the signature in the appendix of your analysis along with IOCs and YARA rules
 * Share the signature in threat intel communities - e.g. via MISP
-* Provide Sigma signatures for malicious behaviour in your own application (Error messages, access violations, manipulations) 
-* Integrate a new log into your SIEM and check the Sigma repository for available rules
-* Write a rule converter for your custom log analysis tool and process new Sigma rules automatically
-* Provide a free or commercial feed for Sigma signatures
-
-# Sigma Converter
-
-The converter is currently under development in the *devel-sigmac* branch of this project. It has currently the
-following capabilities:
-
-* Parsing of Sigma rule files
-* Conversion of searches into Elasticsearch and Splunk queries
-
-Planned main features are:
-
-* Conversion of aggregation expressions (after the pipe character)
-* Output of Kibana JSON configurations
-
-Support for further SIEM solutions can be added by developing an corresponsing output backend class.
-
-![sigma_description](./images/Sigma-description.png)
+* Provide Sigma signatures for malicious behaviour in your own application

 # Why Sigma

 Today, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and build their own searches and dashboard. Some of their searches and correlations are great and very useful but they lack a standardized format in which they can share their work with others. 

-Others provide excellent analyses for threat groups, sharing file indicators, C2 servers and YARA rules to detect the malicious files, but describe a certain malicious service install or remote thread injection in a separate paragraph. Security analysts, who read that paragraph then extract the necessary information and create rules in their SIEM system. The detection method never finds a way into a repository that is shared, structured and archived. 
-
-The lower layers of the OSI layer are well known and described. Every SIEM vendor has rules to detect port scans, ping sweeps and threats like the ['smurf attack'](https://en.wikipedia.org/wiki/Smurf_attack). But the higher layers contain numerous applications and protocols  with special characteristics that write their own custom log files. SIEM vendors consider the signatures and correlations as their intelectual property and do not tend to share details on the coverage. 
-
-Sigma is meant to be an open standard in which detection mechanisms can be defined, shared and collected in order to improve the detection capabilities on the application layers for everyone. 
-
-![sigma_why](./images/Problem_OSI_v01.png)
+Others provide excellent analyses, include IOCs and YARA rules to detect the malicious files and network connections, but have no way to describe a specific or generic detection method in log events. Sigma is meant to be an open standard in which such detection mechanisms can be defined, shared and collected in order to improve the detection capabilities for everyone. 

 ## Slides

@@ -75,8 +52,19 @@ The current specification is a proposal. Feedback is requested.

 # Getting Started

+## Rule Creation
+
 Florian wrote a short [rule creation tutorial](https://www.nextron-systems.com/2018/02/10/write-sigma-rules/) that can help you getting started.

+## Rule Usage 
+
+1. Download or clone the respository
+2. Check the `./rules` sub directory for an overview on the rule base
+3. Run `python sigmac --help` in folder `./tools` to get a help on the rule converter
+4. Convert a rule of your choice with `sigmac` like `python sigmac -t splunk ../rules/windows/builtin/win_susp_process_creations.yml`
+5. Convert a whole rule directory with `python sigmac -t splunk -r ../rules/proxy/`
+6. Check the `./tools/config` folder and the [wiki](https://github.com/Neo23x0/sigma/wiki/Converter-Tool-Sigmac) if you need custom field or log source mappings in your environment
+
 # Examples

 Windows 'Security' Eventlog: Access to LSASS Process with Certain Access Mask / Object Type (experimental)
@@ -94,7 +82,9 @@ Sysmon: Web Shell Detection
 Windows 'Security' Eventlog: Suspicious Number of Failed Logons from a Single Source Workstation
 ![sigma_rule example5](./images/Sigma_rule_example5.png)

-## Sigma Toolchain
+# Sigma Tools 
+
+## Sigmac 

 Sigmac converts sigma rules into queries or inputs of the supported targets listed below. It acts as a frontend to the
 Sigma library that may be used to integrate Sigma support in other projects. Further, there's `merge_sigma.py` which
@@ -106,12 +96,21 @@ merges multiple YAML documents of a Sigma rule collection into simple Sigma rule

 * [Splunk](https://www.splunk.com/)
 * [ElasticSearch](https://www.elastic.co/)
+* [ElasticSearch Query DSL](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl.html)
+* [Kibana](https://www.elastic.co/de/products/kibana)
 * [Elastic X-Pack Watcher](https://www.elastic.co/guide/en/x-pack/current/xpack-alerting.html)
 * [Logpoint](https://www.logpoint.com)
+* [Windows Defender Advanced Threat Protection (WDATP)](https://www.microsoft.com/en-us/windowsforbusiness/windows-atp)
+* Grep with Perl-compatible regular expression support
+
+Current work-in-progress
+* [Splunk Data Models](https://docs.splunk.com/Documentation/Splunk/7.1.0/Knowledge/Aboutdatamodels)
+
+New targets are continuously developed. You can get a list of supported targets with `sigmac --target-list` or `sigmac -l`.

 ### Requirements

-The usage of Sigmac or the underlying library requires Python >= 3.5 and PyYAML.
+The usage of Sigmac (the Sigma Rule Converter) or the underlying library requires Python >= 3.5 and PyYAML.

 ### Installation

@@ -121,6 +120,22 @@ It's available on PyPI. Install with:
 pip3 install sigmatools
 ```

+Alternatively, if used from the Sigma Github repository, the Python dependencies can be installed with:
+
+```bash
+pip3 install -r tools/requirements.txt
+```
+
+For development (e.g. execution of integration tests with `make` and packaging), further dependencies are required and can be installed with:
+
+```bash
+pip3 install -r tools/requirements-devel.txt
+```
+
+## Evt2Sigma
+
+[Evt2Sigma](https://github.com/Neo23x0/evt2sigma) helps you with the rule creation. It generates a Sigma rule from a log entry. 
+
 ## Contributed Scripts

 The directory `contrib` contains scripts that were contributed by the community:
@@ -132,20 +147,17 @@ These tools are not part of the main toolchain and maintained separately by thei

 # Next Steps

-* Integration of feedback into the rule specifications
-* Integration into Threat Intel Exchanges, e.g. [MISP](http://www.misp-project.org/)
+* Integration of MITRE ATT&CK framework identifier to the rule set
+* Integration into Threat Intel Exchanges
 * Attempts to convince others to use the rule format in their reports, threat feeds, blog posts, threat sharing platforms

 # Projects that use Sigma

-* [Augmentd](https://augmentd.co/)
+* [MISP](http://www.misp-project.org/2017/03/26/MISP.2.4.70.released.html) (since version 2.4.70, March 2017)
 * [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches) (Splunk App)
-
-# Credits
-
-This is a private project mainly developed by Florian Roth and Thomas Patzke with feedback from many fellow analysts and friends. Rules are our own or have been drived from blog posts, tweets or other public sources that are referenced in the rules.
-
-Copyright for Tree Image: [studiobarcelona / 123RF Stock Photo](http://www.123rf.com/profile_studiobarcelona)
+* [SOC Prime - Sigma Rule Editor](https://tdm.socprime.com/sigma/)
+* [ypsilon](https://github.com/P4T12ICK/ypsilon) - Automated Use Case Testing 
+* [SPARK](https://www.nextron-systems.com/2018/06/28/spark-applies-sigma-rules-in-eventlog-scan/) - Scan with Sigma rules on endpoints

 # Licenses

@@ -154,3 +166,9 @@ The content of this repository is released under the following licenses:
 * The toolchain (everything under `tools/`) is licensed under the [GNU Lesser General Public License](https://www.gnu.org/licenses/lgpl-3.0.en.html).
 * The [Sigma specification](https://github.com/Neo23x0/sigma/wiki) is public domain.
 * Everything else, especially the rules contained in the `rules/` directory is released under the [GNU General Public License](https://www.gnu.org/licenses/gpl-3.0.en.html).
+
+# Credits
+
+This is a private project mainly developed by Florian Roth and Thomas Patzke with feedback from many fellow analysts and friends. Rules are our own or have been drived from blog posts, tweets or other public sources that are referenced in the rules.
+
+Copyright for Tree Image: [studiobarcelona / 123RF Stock Photo](http://www.123rf.com/profile_studiobarcelona)
@@ -16,7 +16,7 @@ detection:
        # SQL Server
        - Unclosed quotation mark
        # SQLite
-        - near "*": syntax error
+        - 'near "*": syntax error'
        - SELECTs to the left and right of UNION do not have the same number of result columns
    condition: keywords
 falsepositives:
@@ -0,0 +1,53 @@
+---
+action: global
+title: Chafer Activity
+description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018 
+references:
+    - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
+date: 2018/03/23
+author: Florian Roth, Markus Neis
+detection:
+    condition: 1 of them
+falsepositives:
+    - Unknown
+level: critical
+---
+logsource:
+    product: windows
+    service: system
+detection:
+    selection_service:
+        EventID: 7045
+        ServiceName:
+            - 'SC Scheduled Scan'
+            - 'UpdatMachine'
+---
+logsource:
+   product: windows
+   service: sysmon
+detection:
+    selection_reg1:
+        EventID: 13 
+        TargetObject: 
+            - '*SOFTWARE\Microsoft\Windows\CurrentVersion\UMe'
+            - '*SOFTWARE\Microsoft\Windows\CurrentVersion\UT'
+        EventType: 'SetValue'
+    selection_reg2:
+        EventID: 13 
+        TargetObject: '*\Control\SecurityProviders\WDigest\UseLogonCredential'
+        EventType: 'SetValue'
+        Details: 'DWORD (0x00000001)'
+    selection_process1:
+        EventID: 1 
+        CommandLine: 
+            - '*\Service.exe i'
+            - '*\Service.exe u'
+            - '*\microsoft\Taskbar\autoit3.exe'
+            - 'C:\wsc.exe*'
+    selection_process2:
+        EventID: 1
+        Image: '*\Windows\Temp\DB\*.exe'
+    selection_process3:
+        EventID: 1
+        CommandLine: '*\nslookup.exe -q=TXT*'
+        ParentImage: '*\Autoit*'
@@ -0,0 +1,36 @@
+---
+action: global
+title: CrackMapExecWin 
+description: Detects CrackMapExecWin Activity as Described by NCSC
+status: experimental
+references:
+    - https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control 
+author: Markus Neis
+detection:
+    condition: 1 of them
+falsepositives: 
+    - None 
+level: critical
+---
+# Windows Audit Log
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection1:
+        # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
+        EventID: 4688
+        NewProcessName:
+            - '*\crackmapexec.exe'
+---
+# Sysmon
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
+        EventID: 1
+        Image:
+            - '*\crackmapexec.exe'
@@ -0,0 +1,39 @@
+---
+action: global
+title: Equation Group DLL_U Load
+description: Detects a specific tool and export used by EquationGroup
+references:
+    - https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
+    - https://securelist.com/apt-slingshot/84312/
+    - https://twitter.com/cyb3rops/status/972186477512839170
+author: Florian Roth
+date: 2018/03/10 
+detection:
+    selection1:
+        Image: '*\rundll32.exe'
+        CommandLine: '*,dll_u'
+    selection2:
+        CommandLine: '* -export dll_u *'
+    condition: 1 of them
+falsepositives:
+    - Unknown
+level: critical
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        EventID: 1
+    selection2:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection1:
+        EventID: 4688
+    selection2:
+        EventID: 4688
@@ -0,0 +1,35 @@
+---
+action: global
+title: Defrag Deactivation
+description: Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group
+references:
+    - https://securelist.com/apt-slingshot/84312/
+author: Florian Roth
+date: 2018/03/10
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'       
+detection:
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        CommandLine: 
+            - '*schtasks* /delete *Defrag\ScheduledDefrag*'
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'       
+detection:
+    selection:
+        EventID: 4701
+        TaskName: '\Microsoft\Windows\Defrag\ScheduledDefrag'
@@ -15,12 +15,15 @@ detection:
            # Temporary folder
            - '/tmp/*'
            # Web server 
-            - '/var/www/*'            # Standard
-            - '/usr/local/apache2/*'  # Classical Apache
-            - '/usr/local/httpd/*'    # Old SuSE Linux 6.*
-            - '/var/apache/*'         # Solaris
-            - '/srv/www/*'            # SuSE Linux 9.*
-            - '/home/httpd/html/*'    # Redhat 6 or older
+            - '/var/www/*'              # Standard
+            - '/home/*/public_html/*'   # Per-user
+            - '/usr/local/apache2/*'    # Classical Apache
+            - '/usr/local/httpd/*'      # Old SuSE Linux 6.* Apache
+            - '/var/apache/*'           # Solaris Apache
+            - '/srv/www/*'              # SuSE Linux 9.*
+            - '/home/httpd/html/*'      # Redhat 6 or older Apache
+            - '/srv/http/*'             # ArchLinux standard
+            - '/usr/share/nginx/html/*' # ArchLinux nginx
            # Data dirs of typically exploited services (incomplete list)
            - '/var/lib/pgsql/data/*'
            - '/usr/local/mysql/data/*'
@@ -28,8 +31,6 @@ detection:
            - '/var/vsftpd/*'
            - '/etc/bind/*'
            - '/var/named/*'
-            # Others
-            - '*/public_html/*'
    condition: selection
 falsepositives:
    - Admin activity (especially in /tmp folders)
@@ -6,8 +6,8 @@ logsource:
 detection:
    selection:
        pam_message: "authentication failure"
-        pam_user: not null
-        pam_rhost: not null
+        pam_user: '*'
+        pam_rhost: '*'
    timeframe: 24h 
    condition: selection | count(pam_user) by pam_rhost > 3
 falsepositives:
@@ -0,0 +1,19 @@
+title: Cobalt Strike DNS Beaconing
+status: experimental
+description: Detects suspicious DNS queries known from Cobalt Strike beacons
+references:
+    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
+author: Florian Roth
+date: 2018/05/10
+logsource:
+    category: dns
+detection:
+    selection:
+        query:
+            - 'aaa.stage.*' 
+            - 'post.1*'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
+
@@ -0,0 +1,17 @@
+title: Suspicious DNS Query with B64 Encoded String   
+status: experimental
+description: Detects suspicious DNS queries using base64 encoding
+references:
+    - https://github.com/krmaxwell/dns-exfiltration
+author: Florian Roth
+date: 2018/05/10
+logsource:
+    category: dns
+detection:
+    selection:
+        query:
+            - '*==.*'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,20 @@
+title: Telegram Bot API Request
+status: experimental
+description: Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind
+references:
+    - https://core.telegram.org/bots/faq
+    - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
+    - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
+    - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
+author: Florian Roth
+date: 2018/06/05
+logsource:
+    category: dns
+detection:
+    selection:
+        query:
+            - 'api.telegram.org'   # Telegram Bot API Request https://core.telegram.org/bots/faq
+    condition: selection
+falsepositives:
+    - Legitimate use of Telegram bots in the company
+level: medium
@@ -5,8 +5,9 @@ references:
    - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap
    - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf
    - https://www.spamhaus.org/statistics/tlds/
+    - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
 author: Florian Roth
-date: 2017/11/07
+date: 2018/06/13
 logsource:
    category: proxy
 detection:
@@ -60,7 +61,7 @@ detection:
            - '*.cricket'
            - '*.space'
            - '*.top'
-            # McAfee report
+            # McAfee report 
            - '*.info'
            - '*.vn'
            - '*.cm'
@@ -83,7 +84,6 @@ detection:
            - '*.tt'
            - '*.name'
            - '*.tv'
-            - '*.tv'
            - '*.kz'
            - '*.tc'
            - '*.mobi'
@@ -93,10 +93,16 @@ detection:
            - '*.link'
            - '*.trade'
            - '*.accountant'
+            # Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
+            - '*.click'
+            - '*.cf'
+            - '*.gq'
+            - '*.ml'
+            - '*.ga'
    condition: selection
 fields:
    - ClientIP
    - URL
 falsepositives:
-    - All kind of software downloads
+    - All kinds of software downloads
 level: low
@@ -0,0 +1,24 @@
+title: Windows WebDAV User Agent
+status: experimental
+description: Detects WebDav DownloadCradle
+references:
+    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
+author: Florian Roth
+date: 2018/04/06
+logsource:
+    category: proxy
+detection:
+    selection:
+      UserAgent: 'Microsoft-WebDAV-MiniRedir/*'
+      HttpMethod: 'GET'
+    condition: selection
+fields:
+    - ClientIP
+    - URL
+    - UserAgent
+    - HttpMethod
+falsepositives:
+    - Administrative scripts that download files from the Internet
+    - Administrative scripts that retrieve certain website contents
+    - Legitimate WebDAV administration
+level: high
@@ -12,7 +12,7 @@ detection:
            - '*/install_flash_player.exe'
            - '*/flash_install.php*'
    filter:
-        cs-uri-query: '*.adobe.com/*'
+        cs-uri-stem: '*.adobe.com/*'
    condition: selection and not filter
 falsepositives:
    - Unknown flash download locations
@@ -0,0 +1,29 @@
+title: Telegram API Access
+status: experimental
+description: Detects suspicious requests to Telegram API without the usual Telegram User-Agent
+references:
+    - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
+    - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
+    - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
+author: Florian Roth
+date: 2018/06/05
+logsource:
+    category: proxy
+detection:
+    selection:
+        r-dns: 
+            - 'api.telegram.org'  # Often used by Bots
+    filter:
+        UserAgent: 
+            # Used https://core.telegram.org/bots/samples for this list
+            - '*Telegram*'
+            - '*Bot*'
+    condition: selection and not filter
+fields:
+    - ClientIP
+    - URL
+    - UserAgent
+falsepositives:
+    - Legitimate use of Telegram bots in the company
+level: medium
+
@@ -28,6 +28,13 @@ detection:
        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)'  # APT17
        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)'  # Bronze Butler - Daserf
        - 'Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)'  # Bronze Butler - Daserf
+        - 'Mozilla/4.0 (compatible; MSIE 8.0; Win32)'  # TSCookie https://app.any.run/tasks/0996b314-5133-491b-8d23-d431ffdec597
+        - 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1'  # Delphi downloader https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
+        - 'Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)'  # VPNFilter https://blog.talosintelligence.com/2018/05/VPNFilter.html
+        - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)'  # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
+        - 'Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko'  # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
+        - 'Mozilla v5.1 *'  # Sofacy Zebrocy samples 
+        - 'MSIE 8.0'  # Sofacy Azzy Backdoor  from https://www.hybrid-analysis.com/sample/a80e29c0757bee05338fd5c22a542d852ad86c477068e3eb4aacc1c3e59e2eef?environmentId=100
    condition: selection
 fields:
    - ClientIP
@@ -13,7 +13,6 @@ detection:
        EventID: 4624
        LogonType: 10
        AuthenticationPackageName: Negotiate
-        Severity: Information
        AccountName: 'Admin-*'
    condition: selection
 falsepositives: 
@@ -1,5 +1,5 @@
 title: Access to ADMIN$ Share
-description: 
+description: Detects access to $ADMIN share
 status: experimental
 author: Florian Roth
 logsource:
@@ -11,7 +11,7 @@ detection:
        EventID: 5140
        ShareName: Admin$
    filter:
-        SubjectAccountName: '*$'
+        SubjectUserName: '*$'
    condition: selection and not filter
 falsepositives: 
    - Legitimate administrative activity
@@ -9,7 +9,7 @@ logsource:
    description: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'
 detection:
    selection:
-        EventID: 4707
+        EventID: 4704
    keywords:
        - 'SeEnableDelegationPrivilege'
    condition: all of them
@@ -12,7 +12,8 @@ logsource:
 detection:
    selection1:
        EventID: 4738
-        AllowedToDelegateTo: '*'
+    filter1:
+        AllowedToDelegateTo: null
    selection2:
        EventID: 5136
        AttributeLDAPDisplayName: 'msDS-AllowedToDelegateTo'
@@ -20,7 +21,7 @@ detection:
        EventID: 5136
        ObjectClass: 'user'
        AttributeLDAPDisplayName: 'servicePrincipalName'
-    condition: 1 of them
+    condition: (selection1 and not filter1) or selection2 or selection3
 falsepositives: 
    - Unknown
 level: high
@@ -3,7 +3,7 @@ description: This method detects well-known keywords, certain field combination
 author: Florian Roth
 logsource:
    product: windows
-    service: system
+    service: security
 detection:
    # Ruler https://github.com/sensepost/ruler
    selection1:
@@ -0,0 +1,22 @@
+title: Mimikatz DC Sync
+description: Detects Mimikatz DC sync security events
+status: experimental
+date: 2018/06/03
+author: Benjamin Delpy, Florian Roth
+references:
+    - https://twitter.com/gentilkiwi/status/1003236624925413376
+    - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 4662
+        Properties: 
+            - '*Replicating Directory Changes All*'
+            - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
+    condition: selection
+falsepositives:
+    - Unkown
+level: critical
+
@@ -16,7 +16,7 @@ logsource:
 detection:
    selection:
        EventID: 4719
-        Message: 'removed'
+        AuditPolicyChanges: 'removed'
    condition: selection
 falsepositives: 
    - Unknown
@@ -0,0 +1,21 @@
+title: smbexec.py Service Installation
+description: Detects the use of smbexec.py tool by detecting a specific service installation
+author: Omer Faruk Celik
+date: 2018/03/20
+references:
+    - https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/
+logsource:
+    product: windows
+detection:
+    service_installation:
+        EventID: 7045
+        ServiceName: 'BTOBTO'
+        ServiceFileName: '*\execute.bat'
+    condition: service_installation
+fields:
+    - ServiceName
+    - ServiceFileName
+falsepositives:
+    - Penetration Test
+    - Unknown
+level: critical
@@ -4,6 +4,7 @@ description: Detects wceaux.dll access while WCE pass-the-hash remote command ex
 author: Thomas Patzke
 references:
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+    - https://jpcertcc.github.io/ToolAnalysisResultSheet
 logsource:
    product: windows
    service: security
@@ -0,0 +1,38 @@
+--- 
+action: global
+title: NetNTLM Downgrade Attack
+description: Detects post exploitation using NetNTLM downgrade attacks
+reference: 
+    - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
+author: Florian Roth
+date: 2018/03/20
+detection:
+    condition: 1 of them
+falsepositives:
+    - Unknown
+level: critical
+--- 
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        EventID: 13
+        TargetObject: 
+            - '*SYSTEM\*ControlSet*\Control\Lsa\lmcompatibilitylevel'
+            - '*SYSTEM\*ControlSet*\Control\Lsa\NtlmMinClientSec'
+            - '*SYSTEM\*ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic'
+---
+# Windows Security Eventlog: Process Creation with Full Command Line
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
+detection:
+    selection2:
+        EventID: 4657
+        ObjectName: '\REGISTRY\MACHINE\SYSTEM\*ControlSet*\Control\Lsa'
+        ObjectValueName: 
+            - 'LmCompatibilityLevel'
+            - 'NtlmMinClientSec'
+            - 'RestrictSendingNTLMTraffic'
@@ -12,12 +12,12 @@ detection:
    selection:
        - EventID: 4624
          LogonType: '3'
-          LogonProcess: 'NtLmSsp'
+          LogonProcessName: 'NtLmSsp'
          WorkstationName: '%Workstations%'
          ComputerName: '%Workstations%'
        - EventID: 4625
          LogonType: '3'
-          LogonProcess: 'NtLmSsp'
+          LogonProcessName: 'NtLmSsp'
          WorkstationName: '%Workstations%'
          ComputerName: '%Workstations%'
    filter:
@@ -14,50 +14,50 @@ detection:
    # CamMute
    selection_cammute:
        EventID: 4688
-        ProcessCommandLine: '*\CamMute.exe'
+        CommandLine: '*\CamMute.exe'
    filter_cammute:
        EventID: 4688
-        ProcessCommandLine: '*\Lenovo\Communication Utility\*'
+        CommandLine: '*\Lenovo\Communication Utility\*'

    # Chrome Frame Helper
    selection_chrome_frame:
        EventID: 4688
-        ProcessCommandLine: '*\chrome_frame_helper.exe'
+        CommandLine: '*\chrome_frame_helper.exe'
    filter_chrome_frame:
        EventID: 4688
-        ProcessCommandLine: '*\Google\Chrome\application\*'    
+        CommandLine: '*\Google\Chrome\application\*'    

    # Microsoft Device Emulator
    selection_devemu:
        EventID: 4688
-        ProcessCommandLine: '*\dvcemumanager.exe'
+        CommandLine: '*\dvcemumanager.exe'
    filter_devemu:
        EventID: 4688
-        ProcessCommandLine: '*\Microsoft Device Emulator\*'   
+        CommandLine: '*\Microsoft Device Emulator\*'   

    # Windows Media Player Gadget
    selection_gadget:
        EventID: 4688
-        ProcessCommandLine: '*\Gadget.exe'
+        CommandLine: '*\Gadget.exe'
    filter_gadget:
        EventID: 4688
-        ProcessCommandLine: '*\Windows Media Player\*'
+        CommandLine: '*\Windows Media Player\*'

    # HTML Help Workshop
    selection_hcc:
        EventID: 4688
-        ProcessCommandLine: '*\hcc.exe'
+        CommandLine: '*\hcc.exe'
    filter_hcc:
        EventID: 4688
-        ProcessCommandLine: '*\HTML Help Workshop\*'
+        CommandLine: '*\HTML Help Workshop\*'

    # Hotkey Command Module for Intel Graphics Contollers
    selection_hkcmd:
        EventID: 4688
-        ProcessCommandLine: '*\hkcmd.exe'
+        CommandLine: '*\hkcmd.exe'
    filter_hkcmd:
        EventID: 4688
-        ProcessCommandLine: 
+        CommandLine: 
            - '*\System32\*'
            - '*\SysNative\*'
            - '*\SysWowo64\*'
@@ -65,10 +65,10 @@ detection:
    # McAfee component
    selection_mc:
        EventID: 4688
-        ProcessCommandLine: '*\Mc.exe'
+        CommandLine: '*\Mc.exe'
    filter_mc:
        EventID: 4688
-        ProcessCommandLine: 
+        CommandLine: 
            - '*\Microsoft Visual Studio*'
            - '*\Microsoft SDK*'
            - '*\Windows Kit*'
@@ -76,10 +76,10 @@ detection:
    # MsMpEng - Microsoft Malware Protection Engine
    selection_msmpeng:
        EventID: 4688
-        ProcessCommandLine: '*\MsMpEng.exe'
+        CommandLine: '*\MsMpEng.exe'
    filter_msmpeng:
        EventID: 4688
-        ProcessCommandLine: 
+        CommandLine: 
            - '*\Microsoft Security Client\*'
            - '*\Windows Defender\*'
            - '*\AntiMalware\*'
@@ -87,26 +87,26 @@ detection:
    # Microsoft Security Center
    selection_msseces:
        EventID: 4688
-        ProcessCommandLine: '*\msseces.exe'
+        CommandLine: '*\msseces.exe'
    filter_msseces:
        EventID: 4688
-        ProcessCommandLine: '*\Microsoft Security Center\*'
+        CommandLine: '*\Microsoft Security Center\*'

    # Microsoft Office 2003 OInfo
    selection_oinfo:
        EventID: 4688
-        ProcessCommandLine: '*\OInfoP11.exe'
+        CommandLine: '*\OInfoP11.exe'
    filter_oinfo:
        EventID: 4688
-        ProcessCommandLine: '*\Common Files\Microsoft Shared\*'      
+        CommandLine: '*\Common Files\Microsoft Shared\*'      

    # OLE View
    selection_oleview:
        EventID: 4688
-        ProcessCommandLine: '*\OleView.exe'
+        CommandLine: '*\OleView.exe'
    filter_oleview:
        EventID: 4688
-        ProcessCommandLine: 
+        CommandLine: 
            - '*\Microsoft Visual Studio*'
            - '*\Microsoft SDK*'
            - '*\Windows Kit*'   
@@ -115,10 +115,10 @@ detection:
    # RC
    selection_rc:
        EventID: 4688
-        ProcessCommandLine: '*\OleView.exe'
+        CommandLine: '*\OleView.exe'
    filter_rc:
        EventID: 4688
-        ProcessCommandLine: 
+        CommandLine: 
            - '*\Microsoft Visual Studio*'
            - '*\Microsoft SDK*'
            - '*\Windows Kit*'   
@@ -22,7 +22,7 @@ detection:
    condition: selection
 falsepositives: 
    - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
+level: low
 ---
 # Windows Audit Log
 logsource:
@@ -0,0 +1,16 @@
+title: PsExec Service Start
+description: Detects a PsExec service start
+author: Florian Roth
+date: 2018/03/13
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+        CommandLine: 'C:\Windows\PSEXESVC.exe'
+    condition: 1 of them
+falsepositives:
+    - Administrative activity
+level: low
@@ -12,19 +12,19 @@ author: juju4
 detection:
    selection:
        CommandLine: 
-            - '^'
-            - '@'
+            #- '^'
+            #- '@'
 # 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form?
-            - '-'
-            - '―'
-            - 'c:/'
+            # - '-'
+            # - '―'
+            #- 'c:/'
            - '<TAB>'
            - '^h^t^t^p'
            - 'h"t"t"p'
    condition: selection
 falsepositives: 
    - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
+level: low
 ---
 # Windows Audit Log
 logsource:
@@ -12,7 +12,6 @@ logsource:
    service: system
 detection:
    selection:
-        EventLog: System
        EventID: 1033
    condition: selection
 falsepositives: 
@@ -12,7 +12,6 @@ logsource:
    service: system
 detection:
    selection:
-        - EventLog: System
          EventID: 
            - 1031
            - 1032
@@ -10,11 +10,11 @@ detection:
            - 4625
            - 4776
        Status:
-            - 0xC0000072
-            - 0xC000006F
-            - 0xC0000070
-            - 0xC0000413
-            - 0xC000018C
+            - '0xC0000072'
+            - '0xC000006F'
+            - '0xC0000070'
+            - '0xC0000413'
+            - '0xC000018C'
    condition: selection
 falsepositives:
    - User using a disabled account
@@ -5,15 +5,20 @@ logsource:
    product: windows
    service: security
 detection:
-    selection:
+    selection1:
        EventID:
            - 529
            - 4625
-            - 4776
-        UserName: not null
-        SourceWorkstation: not null
+        UserName: '*'
+        WorkstationName: '*'
+    selection2:
+        EventID: 4776
+        UserName: '*'
+        Workstation: '*'
    timeframe: 24h 
-    condition: selection | count(UserName) by SourceWorkstation > 3
+    condition:
+        - selection1 | count(UserName) by WorkstationName > 3
+        - selection2 | count(UserName) by Workstation > 3
 falsepositives:
    - Terminal servers
    - Jump servers
@@ -21,6 +21,6 @@ detection:
        - 'mpengine.dll'
    condition: 1 of selection* and all of keywords
 falsepositives: 
-    - Unknown
+    - MsMpEng.exe can crash when C:\ is full
 level: high

@@ -7,7 +7,7 @@ author: Florian Roth (rule), Jack Croock (method)
 logsource:
    product: windows
    service: security
-    description: The volume of Event ID 4661 ist high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommandations for server systems
+    description: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommandations for server systems
 detection:
    selection:
        - EventID: 4661
@@ -0,0 +1,31 @@
+---
+action: global
+title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
+description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
+status: experimental
+references:
+    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
+author: Thomas Patzke
+detection:
+    selection:
+        CommandLine: '*\ntdsutil.exe *'
+    condition: selection
+falsepositives: 
+    - NTDS maintenance
+level: high
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+
@@ -0,0 +1,20 @@
+title: NTLM Logon
+status: experimental
+description: Detects logons using NTLM, which could be caused by a legacy source or attackers
+references:
+    - https://twitter.com/JohnLaTwC/status/1004895028995477505
+    - https://goo.gl/PsqrhT
+author: Florian Roth
+date: 2018/06/08
+logsource:
+    product: windows
+    service: ntlm
+    description: Reqiures events from Microsoft-Windows-NTLM/Operational
+detection:
+    selection:
+        EventID: 8002
+        CallingProcessName: '*'  # We use this to avoid false positives with ID 8002 on other log sources if the logsource isn't set correctly
+    condition: selection
+falsepositives:
+    - Legacy hosts
+level: low
@@ -1,83 +0,0 @@
-action: global
-title: Phantom DLLs Usage
-description: Detects Phantom DLLs usage and matching executable
-status: experimental
-references:
-    - http://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
-    - http://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/
-author: juju4
-detection:
-    selection:
-        CommandLine: 
-            - '*ntbackup*'
-            - '*\edbbcli.dll*'
-            - '*\esebcli2.dll*'
-#            - '*mrt*'
-            - '*\bcrypt.dll*'
-            - '*sessmgr*'
-            - '*\SalemHook.dll*'
-            - '*certreq*'
-            - '*\msfte.dll*'
-            - '*\mstracer.dll*'
-            - '*fxscover*'
-            - '*\TPPrnUIENU.dll*'
-            - '*dxdiag*'
-            - '*\DXGIDebug.dll*'
-            - '*msinfo32*'
-            - '*\fveapi.dll*'
-            - '*narrator*'
-            - '*\MSTTSLocEnUS.dll*'
-            - '*\Wow64Log.dll*'
-            - '*Dism*'
-            - '*\Dism\wimgapi.dll*'
-            - '*\DismCore.dll*'
-            - '*FileHistory*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\api-ms-win-core-winrt-l1-1-0.dll*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\mscoree.dll*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\ole32.dll*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\urlmon.dll*'
-#            - '*mmc*'
-            - '*\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\oleaut32.dll*'
-            - '*\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\shell32.dll*'
-            - '*\Microsoft.Net\assembly\GAC_MSIL\MIGUIControls\v4.0_1.0.0.0__31bf3856ad364e35\ntdll.dll*'
-            - '*\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\comctl32.dll*'
-            - '*\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\uxtheme.dll*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\api-ms-win-core-winrt-l1-1-0.dll*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\mscoree.dll*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\ole32.dll*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\VERSION.dll*'
-            - '*Narrator*'
-            - '*speech\engines\tts\MSTTSLocEnUS.DLL'
-            - '*omadmclient*'
-            - '*cmnet.dll*'
-            - '*PresentationHost*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationHost_v0400.dll*'
-            - '*provtool*'
-            - '*MvHelper.dll*'
-            - '*SearchIndexer*'
-            - '*msfte.dll*'
-            - '*msTracer.dll*'
-            - '*SearchProtocolHost*'
-            - '*msfte.dll*'
-            - '*msTracer.dll*'
-    condition: selection
-falsepositives: 
-    - False positives depend on environment
-level: medium
---
-# Windows Audit Log
-logsource:
-    product: windows
-    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
---
-# Sysmon
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
@@ -2,7 +2,8 @@ title: Suspicious Kerberos RC4 Ticket Encryption
 status: experimental
 references:
    - https://adsecurity.org/?p=3458
-description: Detects logons using RC4 encryption type
+    - https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity
+description: Detects service ticket requests using RC4 encryption type
 logsource:
    product: windows
    service: security
@@ -10,10 +11,9 @@ detection:
    selection:
        EventID: 4769
        TicketOptions: '0x40810000'
-        TicketEncryption: '0x17'
+        TicketEncryptionType: '0x17'
    reduction:
        - ServiceName: '$*'
-        - Type: 'Success Audit'
    condition: selection and not reduction
 falsepositives:
    - Service accounts used on legacy systems (e.g. NetApp)
@@ -6,13 +6,12 @@ logsource:
    service: security
 detection:
    samrpipe:
-            - EventLog: Security
-              EventID: 5145
-              RelativeTargetName: samr
+        EventID: 5145
+        RelativeTargetName: samr
    passwordchanged:
-            - EventLog: Security
-              EventID: 4738
-              PasswordLastSet: (any) 
+        EventID: 4738
+    passwordchanged_filter:
+        PasswordLastSet: null
    timeframe: 15s 
-    condition: samrpipe | near passwordchanged
+    condition: ( passwordchanged and not passwordchanged_filter ) | near samrpipe
 level: medium
@@ -3,6 +3,7 @@ status: experimental
 description: Detects renaming of file while deletion with SDelete tool
 author: Thomas Patzke
 references:
+    - https://jpcertcc.github.io/ToolAnalysisResultSheet
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
    - https://technet.microsoft.com/en-us/en-en/sysinternals/sdelete.aspx
 logsource:
@@ -0,0 +1,34 @@
+---
+action: global
+title: Sysprep on AppData Folder
+status: experimental
+description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
+references:
+    - https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
+    - https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b
+author: Florian Roth
+date: 2018/06/22
+detection:
+    selection:
+        CommandLine: 
+            - '*\sysprep.exe *\AppData\*'
+            - 'sysprep.exe *\AppData\*'
+    condition: selection
+falsepositives: 
+    - False positives depend on scripts and administrative tools used in the monitored environment
+level: medium
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
@@ -0,0 +1,33 @@
+---
+action: global
+title: Whoami Execution
+status: experimental
+description: 'Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators' 
+references:
+    - https://twitter.com/haroonmeer/status/939099379834658817
+    - https://twitter.com/c_APT_ure/status/939475433711722497
+author: Florian Roth
+date: 2018/05/22
+detection:
+    condition: selection
+falsepositives: 
+    - Admin activity
+    - Scripts and administrative tools used in the monitored environment
+level: high
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        CommandLine: 'whoami'
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+        NewProcessName: '*\whoami.exe'
@@ -10,7 +10,7 @@ detection:
        EventID: 4732
        GroupName: Administrators
    filter:
-        SubjectAccountName: '*$'
+        SubjectUserName: '*$'
    condition: selection and not filter
 falsepositives: 
    - Legitimate administrative activity
@@ -0,0 +1,32 @@
+---
+action: global
+title: WMI Persistence - Script Event Consumer
+status: experimental
+description: Detects WMI script event consumers
+references:
+    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+author: Thomas Patzke
+date: 2018/03/07
+detection:
+    selection:
+        Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
+        ParentImage: 'C:\Windows\System32\svchost.exe'
+    condition: selection
+falsepositives: 
+    - Legitimate event consumers
+level: high
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
@@ -40,7 +40,7 @@ logsource:
 detection:
    selection:
        EventID: 11
-        TargetFileName: 
+        TargetFilename: 
            - '*\AppData\Roaming\Oracle\bin\java*.exe'
            - '*\Retrive*.vbs'
 ---
@@ -4,6 +4,7 @@ description: Detects PsExec service installation and execution events (service a
 author: Thomas Patzke
 references:
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+    - https://jpcertcc.github.io/ToolAnalysisResultSheet
 logsource:
    product: windows
 detection:
@@ -1,9 +1,10 @@
 title: WMI Persistence
 status: experimental
-description: Detects suspicious WMI event filter and command line event consumer based on event id 5861 (Windows 10, 2012 and higher)
+description: Detects suspicious WMI event filter and command line event consumer based on event id 5861 and 5859 (Windows 10, 2012 and higher)
 author: Florian Roth
 references:
    - https://twitter.com/mattifestation/status/899646620148539397
+    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
 logsource:
    product: windows
    service: wmi
@@ -11,10 +12,13 @@ detection:
    selection:
        EventID: 5861
    keywords:
+        - 'ActiveScriptEventConsumer'
        - 'CommandLineEventConsumer'
        - 'CommandLineTemplate'
        - 'Binding EventFilter'
-    condition: selection and 1 of keywords
+    selection2:
+        EventID: 5859
+    condition: selection and 1 of keywords or selection2
 falsepositives:
    - Unknown (data set is too small; further testing needed)
 level: high
@@ -1,6 +1,6 @@
-title: Malicious PowerShell Commandlets
+title: Malicious PowerShell Keywords
 status: experimental
-description: Detects Commandlet names from well-known PowerShell exploitation frameworks
+description: Detects keywords from well-known PowerShell exploitation frameworks
 references:
    - https://adsecurity.org/?p=2921
 author: Sean Metcalf (source), Florian Roth (rule)
@@ -0,0 +1,24 @@
+title: Executable in ADS
+status: experimental
+description: Detects the creation of an ADS data stream that contains an executable (non-empty imphash)
+references:
+    - https://twitter.com/0xrawsec/status/1002478725605273600?s=21
+author: Florian Roth, @0xrawsec
+date: 2018/06/03
+logsource:
+    product: windows
+    service: sysmon
+    description: 'Requirements: Sysmon config with Imphash logging activated'
+detection:
+    selection:
+        EventID: 15
+    filter:
+        Imphash: '00000000000000000000000000000000'
+    condition: selection and not filter
+fields:
+    - TargetFilename
+    - Image
+falsepositives:
+    - unknown
+level: critical
+
@@ -0,0 +1,33 @@
+title: SquiblyTwo
+status: experimental
+description: Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash
+references:
+    - https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html
+    - https://twitter.com/mattifestation/status/986280382042595328
+author: Markus Neis / Florian Roth
+falsepositives:
+    - Unknown
+level: medium
+logsource:
+   product: windows
+   service: sysmon
+detection:
+    selection1:
+        EventID: 1
+        Image:
+            - '*\wmic.exe'
+        CommandLine:
+            - 'wmic * *format:\"http*'
+            - "wmic * /format:'http"
+            - 'wmic * /format:http*'
+    selection2:
+        EventID: 1
+        Imphash:
+             - '1B1A3F43BF37B5BFE60751F2EE2F326E'
+             - '37777A96245A3C74EB217308F3546F4C'
+             - '9D87C9D67CE724033C0B40CC4CA1B206'
+        CommandLine:
+            - '* *format:\"http*'
+            - "* /format:'http"
+            - '* /format:http*'
+    condition: 1 of them
@@ -0,0 +1,23 @@
+title: cmdkey Cached Credentials Recon
+status: experimental
+description: Detects usage of cmdkey to look for cached credentials.
+reference: 
+    - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
+    - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx
+author: jmallette
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        Image: '*\cmdkey.exe'
+        CommandLine: '* /list *'
+    condition: selection
+fields:
+    - CommandLine
+    - ParentCommandLine
+    - User
+falsepositives:
+    - Legitimate administrative tasks.
+level: low
@@ -0,0 +1,34 @@
+title: CMSTP Execution
+status: stable
+description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
+author: Nik Seetharaman
+references:
+    - http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    # CMSTP Spawning Child Process
+    selection1:
+        EventID: 1
+        ParentImage: '*\cmstp.exe'
+    # Registry Object Add
+    selection2:
+        EventID: 12
+        TargetObject: '*\cmmgr32.exe*'
+    # Registry Object Value Set
+    selection3:
+        EventID: 13
+        TargetObject: '*\cmmgr32.exe*'
+    # Process Access Call Trace
+    selection4:
+        EventID: 10
+        CallTrace: '*cmlua.dll*'
+    condition: 1 of them
+fields:
+    - CommandLine
+    - ParentCommandLine
+    - Details
+falsepositives:
+    - Legitimate CMSTP use (unlikely in modern enterprise environments)
+level: high
@@ -0,0 +1,19 @@
+title: MSHTA spwaned by SVCHOST as seen in LethalHTA 
+status: experimental
+description: Detects MSHTA.EXE spwaned by SVCHOST described in report
+references:
+    - https://codewhitesec.blogspot.com/2018/07/lethalhta.html
+author: Markus Neis
+date: 2018/06/07
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        ParentImage: '*\svchost.exe'
+        Image: '*\mshta.exe'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -1,6 +1,6 @@
 title: Suspicious Typical Malware Back Connect Ports
 status: experimental
-description: Detects programs that connect to typical malware back connetc ports based on statistical analysis from two different sandbox system databases
+description: Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases
 references:
    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
 author: Florian Roth
@@ -68,4 +68,4 @@ detection:
    condition: selection and not filter
 falsepositives:
    - unknown
-level: medium
+level: medium
@@ -1,6 +1,6 @@
 title: Malware Shellcode in Verclsid Target Process
 status: experimental
-description: Detetcs a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
+description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
 references:
    - https://twitter.com/JohnLaTwC/status/837743453039534080
 author: John Lambert (tech), Florian Roth (rule)
@@ -22,7 +22,7 @@ detection:
            - '*\regsvr32.exe'
            - '*\BITSADMIN*'
    filter:
-        Commandline:
+        CommandLine:
            - '*/HP/HP*'
            - '*\HP\HP*'
    condition: selection and not filter
@@ -3,7 +3,9 @@ status: experimental
 description: Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.
 references:
    - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
-author: Michael Haag
+    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
+author: Michael Haag, Florian Roth
+date: 2018/04/06
 logsource:
    product: windows
    service: sysmon
@@ -16,6 +18,7 @@ detection:
            - '*\POWERPNT.exe'
            - '*\MSPUB.exe'
            - '*\VISIO.exe'
+            - '*\OUTLOOK.EXE'
        Image:
            - '*\cmd.exe'
            - '*\powershell.exe'
@@ -27,6 +30,10 @@ detection:
            - '*\schtasks.exe'  # see https://www.hybrid-analysis.com/sample/b409538c99f99b94a5035d9fa44a506b41be0feb23e89b7e4d272ba791aa6002?environmentId=100
            - '*\regsvr32.exe'  # see https://twitter.com/subTee/status/899283365647458305
            - '*\hh.exe'  # see https://www.hybrid-analysis.com/sample/6abc2b63f1865a847ff7f5a9d49bb944397b36f5503b9718d6f91f93d60f7cd7?environmentId=100
+            - '*\wmic.exe'  # see https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
+            - '*\mshta.exe'  # see https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
+            - '*\rundll32.exe'  # see https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
+            - '*\msiexec.exe'  # see https://twitter.com/DissectMalware/status/984252467474026497
    condition: selection
 fields:
    - CommandLine
@@ -0,0 +1,31 @@
+title: Microsoft Outlook Spawning Windows Shell
+status: experimental
+description: Detects a Windows command line executable started from Microsoft Outlook
+references:
+    - https://www2.cybereason.com/asset/60:research-cobalt-kitty-attack-lifecycle
+author: Florian Roth
+date: 2018/03/06
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        ParentImage:
+            - '*\OUTLOOK.EXE'
+        Image:
+            - '*\cmd.exe'
+            - '*\powershell.exe'
+            - '*\wscript.exe'
+            - '*\cscript.exe'
+            - '*\sh.exe'
+            - '*\bash.exe'
+            - '*\schtasks.exe'
+    condition: selection
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - False positives are possible, depends on organisation and processes
+level: high
+
@@ -7,11 +7,9 @@ logsource:
 detection:
    selection:
        EventID: 8
-        TargetProcess: 'C:\Windows\System32\lsass.exe'
+        TargetImage: 'C:\Windows\System32\lsass.exe'
        StartModule: null
    condition: selection
 falsepositives:
    - unknown
 level: high
-
-
@@ -1,6 +1,6 @@
 title: PowerShell Download from URL
 status: experimental
-description: Detetcs a Powershell process that contains download commands in its command line string
+description: Detects a Powershell process that contains download commands in its command line string
 author: Florian Roth
 logsource:
    product: windows
@@ -0,0 +1,115 @@
+title: Malicious PowerShell Commandlet Names
+status: experimental
+description: Detects the creation of known powershell scripts for exploitation
+references:
+    - https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml
+author: Markus Neis
+date: 2018/04/07
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 11
+        TargetFilename:
+            - '*\Invoke-DllInjection.ps1'   
+            - '*\Invoke-WmiCommand.ps1'
+            - '*\Get-GPPPassword.ps1'
+            - '*\Get-Keystrokes.ps1'
+            - '*\Get-VaultCredential.ps1'
+            - '*\Invoke-CredentialInjection.ps1'
+            - '*\Invoke-Mimikatz.ps1'
+            - '*\Invoke-NinjaCopy.ps1'
+            - '*\Invoke-TokenManipulation.ps1'
+            - '*\Out-Minidump.ps1'
+            - '*\VolumeShadowCopyTools.ps1'
+            - '*\Invoke-ReflectivePEInjection.ps1'
+            - '*\Get-TimedScreenshot.ps1'
+            - '*\Invoke-UserHunter.ps1'
+            - '*\Find-GPOLocation.ps1'
+            - '*\Invoke-ACLScanner.ps1'
+            - '*\Invoke-DowngradeAccount.ps1'
+            - '*\Get-ServiceUnquoted.ps1'
+            - '*\Get-ServiceFilePermission.ps1'
+            - '*\Get-ServicePermission.ps1'
+            - '*\Invoke-ServiceAbuse.ps1'
+            - '*\Install-ServiceBinary.ps1'
+            - '*\Get-RegAutoLogon.ps1'
+            - '*\Get-VulnAutoRun.ps1'
+            - '*\Get-VulnSchTask.ps1'
+            - '*\Get-UnattendedInstallFile.ps1'
+            - '*\Get-WebConfig.ps1'
+            - '*\Get-ApplicationHost.ps1'
+            - '*\Get-RegAlwaysInstallElevated.ps1'
+            - '*\Get-Unconstrained.ps1'
+            - '*\Add-RegBackdoor.ps1'
+            - '*\Add-ScrnSaveBackdoor.ps1'
+            - '*\Gupt-Backdoor.ps1'
+            - '*\Invoke-ADSBackdoor.ps1'
+            - '*\Enabled-DuplicateToken.ps1'
+            - '*\Invoke-PsUaCme.ps1'
+            - '*\Remove-Update.ps1'
+            - '*\Check-VM.ps1'
+            - '*\Get-LSASecret.ps1'
+            - '*\Get-PassHashes.ps1'
+            - '*\Invoke-Mimikatz.ps1'
+            - '*\Show-TargetScreen.ps1'
+            - '*\Port-Scan.ps1'
+            - '*\Invoke-PoshRatHttp.ps1'
+            - '*\Invoke-PowerShellTCP.ps1'
+            - '*\Invoke-PowerShellWMI.ps1'
+            - '*\Add-Exfiltration.ps1'
+            - '*\Add-Persistence.ps1'
+            - '*\Do-Exfiltration.ps1'
+            - '*\Start-CaptureServer.ps1'
+            - '*\Invoke-ShellCode.ps1'
+            - '*\Get-ChromeDump.ps1'
+            - '*\Get-ClipboardContents.ps1'
+            - '*\Get-FoxDump.ps1'
+            - '*\Get-IndexedItem.ps1'
+            - '*\Get-Screenshot.ps1'
+            - '*\Invoke-Inveigh.ps1'
+            - '*\Invoke-NetRipper.ps1'
+            - '*\Invoke-EgressCheck.ps1'
+            - '*\Invoke-PostExfil.ps1'
+            - '*\Invoke-PSInject.ps1'
+            - '*\Invoke-RunAs.ps1'
+            - '*\MailRaider.ps1'
+            - '*\New-HoneyHash.ps1'
+            - '*\Set-MacAttribute.ps1'
+            - '*\Invoke-DCSync.ps1'
+            - '*\Invoke-PowerDump.ps1'
+            - '*\Exploit-Jboss.ps1'
+            - '*\Invoke-ThunderStruck.ps1'
+            - '*\Invoke-VoiceTroll.ps1'
+            - '*\Set-Wallpaper.ps1'
+            - '*\Invoke-InveighRelay.ps1'
+            - '*\Invoke-PsExec.ps1'
+            - '*\Invoke-SSHCommand.ps1'
+            - '*\Get-SecurityPackages.ps1'
+            - '*\Install-SSP.ps1'
+            - '*\Invoke-BackdoorLNK.ps1'
+            - '*\PowerBreach.ps1'
+            - '*\Get-SiteListPassword.ps1'
+            - '*\Get-System.ps1'
+            - '*\Invoke-BypassUAC.ps1'
+            - '*\Invoke-Tater.ps1'
+            - '*\Invoke-WScriptBypassUAC.ps1'
+            - '*\PowerUp.ps1'
+            - '*\PowerView.ps1'
+            - '*\Get-RickAstley.ps1'
+            - '*\Find-Fruit.ps1'
+            - '*\HTTP-Login.ps1'
+            - '*\Find-TrustedDocuments.ps1'
+            - '*\Invoke-Paranoia.ps1'
+            - '*\Invoke-WinEnum.ps1'
+            - '*\Invoke-ARPScan.ps1'
+            - '*\Invoke-PortScan.ps1'
+            - '*\Invoke-ReverseDNSLookup.ps1'
+            - '*\Invoke-SMBScanner.ps1'
+            - '*\Invoke-Mimikittenz.ps1'
+    condition: selection
+falsepositives:
+    - Penetration Tests
+level: high
+        
@@ -1,6 +1,6 @@
 title: PowerShell Network Connections
 status: experimental
-description: "Detetcs a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')"  
+description: "Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')"  
 author: Florian Roth
 references:
    - https://www.youtube.com/watch?v=DLtJTxMWZ2o
@@ -0,0 +1,23 @@
+title: Default PowerSploit Schtasks Persistence 
+status: experimental
+description: Detects the creation of a schtask via PowerSploit Default Configuration 
+references:
+    - https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1
+author: Markus Neis
+date: 2018/03/06
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        ParentImage:
+            - '*\Powershell.exe'
+        CommandLine:
+            - '*\schtasks.exe*/Create*/RU*system*/SC*ONLOGON*'
+            - '*\schtasks.exe*/Create*/RU*system*/SC*DAILY*'
+            - '*\schtasks.exe*/Create*/RU*system*/SC*ONIDLE*'
+            - '*\schtasks.exe*/Create*/RU*system*/SC*HOURLY*'
+    condition: selection
+falsepositives:
+    - False positives are possible, depends on organisation and processes
+level: high
@@ -13,7 +13,7 @@ detection:
    selection:
        # Sysmon: File Creation (ID 11)
        EventID: 11
-        TargetFileName: '*\AppData\Local\Temp\SAM-*.dmp*'
+        TargetFilename: '*\AppData\Local\Temp\SAM-*.dmp*'
    condition: selection
 falsepositives:
    - Unknown
@@ -0,0 +1,35 @@
+title: Windows Shell Spawning Suspicious Program
+status: experimental
+description: Detects a suspicious child process of a Windows shell
+references:
+    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
+author: Florian Roth
+date: 20018/04/06
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        ParentImage:
+            - '*\mshta.exe'
+            - '*\powershell.exe'
+            - '*\cmd.exe'
+            - '*\rundll32.exe'
+            - '*\cscript.exe'
+            - '*\wscript.exe'
+            - '*\wmiprvse.exe'
+        Image:
+            - '*\schtasks.exe'
+            - '*\nslookup.exe'
+            - '*\certutil.exe'
+            - '*\bitsadmin.exe'
+            - '*\mshta.exe'
+    condition: selection
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Administrative scripts
+level: high
+
@@ -0,0 +1,36 @@
+title: Sticky Key Like Backdoor Usage
+description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
+references:
+    - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
+author: Florian Roth, @twjackomo
+date: 2018/03/15
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection_process:
+        EventID: 1
+        ParentImage:
+            - '*\winlogon.exe'
+        CommandLine:
+            - '*\cmd.exe sethc.exe *'
+            - '*\cmd.exe utilman.exe *'
+            - '*\cmd.exe osk.exe *'
+            - '*\cmd.exe Magnify.exe *'
+            - '*\cmd.exe Narrator.exe *'
+            - '*\cmd.exe DisplaySwitch.exe *'
+    selection_registry:
+        EventID: 13
+        TargetObject: 
+            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger'
+            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger'
+            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger'
+            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'
+            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
+            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
+        EventType: 'SetValue'
+    condition: 1 of them
+falsepositives:
+    - Unlikely
+level: critical
+
@@ -1,9 +1,7 @@
 title: Suspicious Certutil Command
 status: experimental
-description: Detetcs a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility
-author:
-    - Florian Roth
-    - juju4
+description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility
+author: Florian Roth, juju4
 references:
    - https://twitter.com/JohnLaTwC/status/835149808817991680
    - https://twitter.com/subTee/status/888102593838362624
@@ -1,5 +1,5 @@
 title: Suspicious Driver Load from Temp
-description: Detetcs a driver load from a temporary directory
+description: Detects a driver load from a temporary directory
 author: Florian Roth
 logsource:
    product: windows
@@ -10,5 +10,5 @@ detection:
        ImageLoaded: '*\Temp\*'
    condition: selection
 falsepositives:
-    - there is a relevant set of false positives depending on applications in the envirnment 
+    - there is a relevant set of false positives depending on applications in the environment 
 level: medium
@@ -0,0 +1,22 @@
+title: Possible Process Hollowing Image Loading 
+status: experimental
+description: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz
+references:
+    - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html
+author: Markus Neis
+date: 2018/01/07
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 7
+        Image:
+            - '*\notepad.exe'
+        ImageLoaded:
+            - '*\samlib.dll'
+            - '*\WinSCard.dll'
+    condition: selection
+falsepositives:
+    - Very likely, needs more tuning
+level: high
@@ -1,6 +1,6 @@
 title: Processes created by MMC 
 status: experimental
-description: Processes started by MMC could by a sign of lateral movement using MMC application COM object 
+description: Processes started by MMC could be a sign of lateral movement using MMC application COM object 
 references:
    - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
 logsource:
@@ -27,4 +27,4 @@ fields:
    - ParentCommandLine
 falsepositives:
    - Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine.
-level: medium
+level: low
@@ -0,0 +1,23 @@
+title: Ping Hex IP
+description: Detects a ping command that uses a hex encoded IP address
+references:
+    - https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna
+    - https://twitter.com/vysecurity/status/977198418354491392
+author: Florian Roth
+date: 2018/03/23
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        CommandLine:
+            - '*\ping.exe 0x*'
+            - '*\ping 0x*'
+    condition: selection
+fields:
+    - ParentCommandLine
+falsepositives:
+    - Unlikely, because no sane admin pings IP addresses in a hexadecimal form
+level: high
+
@@ -0,0 +1,19 @@
+title: PowerShell Rundll32 Remote Thread Creation
+status: experimental
+description: Detects PowerShell remote thread creation in Rundll32.exe 
+author: Florian Roth
+references:
+    - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
+date: 2018/06/25
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 8
+        SourceImage: '*\powershell.exe'
+        TargetImage: '*\rundll32.exe'
+    condition: selection
+falsepositives:
+    - Unkown
+level: high
@@ -22,7 +22,7 @@ detection:
    selection3:
        EventID: 1
        Image: '*\regsvr32.exe'
-        Commandline: 
+        CommandLine: 
            - '*/i:http* scrobj.dll'
            - '*/i:ftp* scrobj.dll'
    # Regsvr32.exe spawned wscript.exe process - indicator of COM scriptlet
@@ -31,6 +31,11 @@ detection:
        EventID: 1
        Image: '*\wscript.exe'
        ParentImage: '*\regsvr32.exe'
+    # https://twitter.com/danielhbohannon/status/974321840385531904
+    selection5:
+        EventID: 1
+        Image: '*\EXCEL.EXE'
+        CommandLine: '*..\..\..\Windows\System32\regsvr32.exe *'
    condition: 1 of them
 fields:
    - CommandLine
@@ -1,6 +1,6 @@
 title: Suspicious Svchost Process
 status: experimental
-description: Detects a suspicious scvhost process start 
+description: Detects a suspicious svchost process start 
 author: Florian Roth
 date: 2017/08/15
 logsource:
@@ -11,7 +11,9 @@ detection:
        EventID: 1
        Image: '*\svchost.exe'
    filter:
-        ParentImage: '*\services.exe'
+        ParentImage: 
+            - '*\services.exe'
+            - '*\MsMpEng.exe'
    condition: selection and not filter
 fields:
    - CommandLine
@@ -0,0 +1,17 @@
+title: Taskmgr as LOCAL_SYSTEM
+status: experimental
+description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
+author: Florian Roth
+date: 2018/03/18
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        User: 'NT AUTHORITY\SYSTEM'
+        Image: '*\taskmgr.exe'
+    condition: selection
+falsepositives:
+    - Unkown
+level: high
@@ -0,0 +1,24 @@
+title: Taskmgr as Parent
+status: experimental
+description: Detects the creation of a process from Windows task manager
+author: Florian Roth
+date: 2018/03/13
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        ParentImage: '*\taskmgr.exe'
+    filter:
+        Image: 
+            - 'resmon.exe'
+            - 'mmc.exe'
+    condition: selection and not filter
+fields:
+    - Image
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Administrative activity
+level: low
@@ -0,0 +1,20 @@
+title: Suspicious TSCON Start
+status: experimental
+description: Detects a tscon.exe start as LOCAL SYSTEM 
+reference: 
+    - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
+    - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
+author: Florian Roth
+date: 2018/03/17
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        User: 'NT AUTHORITY\SYSTEM'
+        Image: '*\tscon.exe'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,32 @@
+---
+action: global
+title: Suspicious RDP Redirect Using TSCON
+status: experimental
+description: Detects a suspicious RDP session redirect using tscon.exe
+reference: 
+    - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
+    - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
+author: Florian Roth
+date: 2018/03/17
+detection:
+    selection:
+        CommandLine: '* /dest:rdp-tcp:*'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
@@ -1,5 +1,5 @@
 title: Java Running with Remote Debugging
-description: Detcts a JAVA process running with remote debugging allowing more than just localhost to connect
+description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect
 author: Florian Roth
 logsource:
    product: windows
@@ -1,5 +1,5 @@
 title: Webshell Detection With Command Line Keywords
-description: Detects certain command line parameters often used during reconnissaince activity via web shells
+description: Detects certain command line parameters often used during reconnaissance activity via web shells
 author: Florian Roth
 logsource:
    product: windows
@@ -0,0 +1,21 @@
+title: Registry Persistence Mechanisms
+description: Detects persistence registry keys 
+references:
+    - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
+date: 2018/04/11
+author: Karneades
+logsource:
+   product: windows
+   service: sysmon
+detection:
+    selection_reg1:
+        EventID: 13 
+        TargetObject: 
+            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*\GlobalFlag'
+            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\*\ReportingMode'
+            - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\*\MonitorProcess'
+        EventType: 'SetValue'
+    condition: 1 of them
+falsepositives:
+    - unknown
+level: critical
@@ -0,0 +1,19 @@
+title: WMI Persistence - Command Line Event Consumer
+status: experimental
+description: Detects WMI command line event consumers
+references:
+    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+author: Thomas Patzke
+date: 2018/03/07
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 7
+        Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
+        ImageLoaded: 'wbemcons.dll'
+    condition: selection
+falsepositives: 
+    - Unknown (data set is too small; further testing needed)
+level: high
@@ -0,0 +1,18 @@
+title: WMI Persistence - Script Event Consumer File Write
+status: experimental
+description: Detects file writes of WMI script event consumer
+references:
+    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+author: Thomas Patzke
+date: 2018/03/07
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 11
+        Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
+    condition: selection
+falsepositives: 
+    - Unknown (data set is too small; further testing needed)
+level: high
@@ -0,0 +1 @@
+{ "query": { "query_string": { "query": $query } } }
@@ -0,0 +1,139 @@
+#!/usr/bin/env python3
+# CI Test script: generate all queries with es-qs backend and test them against local ES instance.
+# Copyright 2018 Thomas Patzke
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import asyncio
+import functools
+import sys
+import pprint
+import elasticsearch
+import elasticsearch_async
+pp = pprint.PrettyPrinter()
+
+# Configuration
+eshost = "localhost:9200"
+index = "test"
+sigmac_cmd = "tools/sigmac"
+sigmac_processing_prefix = "* Processing Sigma input "
+
+es = elasticsearch.Elasticsearch(hosts=[eshost])
+esa = elasticsearch_async.AsyncElasticsearch(hosts=[eshost])
+
+# Create empty test index
+try:
+    es.indices.create(index)
+except elasticsearch.exceptions.RequestError as e:
+    if e.error != 'resource_already_exists_exception':  # accept already existing index with same name
+        raise e
+
+queries = asyncio.Queue()
+
+# sigmac runner coroutinne
+async def run_sigmac():
+    sigmac = asyncio.create_subprocess_exec(
+            sigmac_cmd, "-t", "es-qs", "-v", "-I", "-r", "rules/",
+            stdout=asyncio.subprocess.PIPE,
+            )
+    print("* Launching sigmac")
+    proc = await sigmac
+    print("* sigmac launched with PID {}".format(proc.pid))
+
+    cur_rule = None
+    while True:
+        line = await proc.stdout.readline()
+        if not line:
+            print("* sigmac finished")
+            await queries.put((None, None))
+            break
+        else:
+            strline = str(line, 'utf-8').rstrip()
+            if strline.startswith(sigmac_processing_prefix):
+                cur_rule = strline[len(sigmac_processing_prefix):]
+            else:
+                await queries.put((cur_rule, strline))
+    await proc.wait()
+
+    exitcode = proc.returncode
+    print("* sigmac returned with exit code {}".format(exitcode))
+    return exitcode
+
+# Generated query checker loop
+async def check_queries():
+    failed = list()
+    print("# Waiting for queries")
+    while True:
+        rule, query = await queries.get()
+        if query is not None:
+            print("# Checking query (rule {}): {}".format(rule, query))
+            result = await esa.indices.validate_query(index=index, q=query)
+            valid = result['valid']
+
+            print("# Received Result for rule {} query={}: {}".format(rule, query, valid))
+            if not valid:
+                try:
+                    detail_result = await esa.search(index=index, q=query)
+                except Exception as e:
+                    error = e.info
+
+                failed.append((rule, query, error))
+            queries.task_done()
+        else:
+            queries.task_done()
+            break
+    print("# Finished query checks")
+
+    return failed
+
+task_check_query = asyncio.ensure_future(check_queries())
+task_sigmac = asyncio.ensure_future(run_sigmac())
+tasks = [
+        task_check_query,
+        task_sigmac
+        ]
+
+loop = asyncio.get_event_loop()
+done, pending = loop.run_until_complete(asyncio.wait(tasks))
+loop.close()
+esa.transport.close()
+print()
+
+# Check if sigmac runned successfully
+try:
+    if task_sigmac.result() != 0:       # sigmac failed
+        print("!!! sigmac failed while test!")
+        sys.exit(1)
+except Exception:
+    print("!!! sigmac failed while test!")
+    sys.exit(2)
+
+# Check if query checks failed
+try:
+    query_check_result = task_check_query.result()
+except Exception:
+    print("!!! Query check failed!")
+    sys.exit(3)
+
+query_check_result_cnt = len(query_check_result)
+if query_check_result_cnt > 0:
+    print("!!! {} queries failed to check:".format(query_check_result_cnt))
+    for rule, query, error in query_check_result:
+        print("- {}: {}".format(rule, query))
+        print("Error:")
+        pp.pprint(error)
+        print()
+    sys.exit(4)
+else:
+    print("All query checks passed!")
@@ -8,3 +8,72 @@ command line tools:
    * Elasticsearch X-Pack Watcher
    * Logpoint queries
 * *merge_sigma*: Merge Sigma collections into simple Sigma rules.
+
+## Sigmac
+
+### Usage
+
+      usage: sigmac [-h] [--recurse] [--filter FILTER]
+                    [--target {es-dsl,es-qs,graylog,kibana,xpack-watcher,logpoint,splunk,grep,fieldlist}]
+                    [--target-list] [--config CONFIG] [--output OUTPUT]
+                    [--backend-option BACKEND_OPTION] [--defer-abort]
+                    [--ignore-not-implemented] [--verbose] [--debug]
+                    [inputs [inputs ...]]
+
+      Convert Sigma rules into SIEM signatures.
+
+      positional arguments:
+        inputs                Sigma input files
+
+      optional arguments:
+        -h, --help            show this help message and exit
+        --recurse, -r         Recurse into subdirectories (not yet implemented)
+        --filter FILTER, -f FILTER
+                              Define comma-separated filters that must match (AND-
+                              linked) to rule to be processed. Valid filters:
+                              level<=x, level>=x, level=x, status=y, logsource=z. x
+                              is one of: low, medium, high, critical. y is one of:
+                              experimental, testing, stable. z is a word appearing
+                              in an arbitrary log source attribute. Multiple log
+                              source specifications are AND linked.
+        --target {es-dsl,es-qs,graylog,kibana,xpack-watcher,logpoint,splunk,grep,fieldlist}, -t {es-dsl,es-qs,graylog,kibana,xpack-watcher,logpoint,splunk,grep,fieldlist}
+                              Output target format
+        --target-list, -l     List available output target formats
+        --config CONFIG, -c CONFIG
+                              Configuration with field name and index mapping for
+                              target environment (not yet implemented)
+        --output OUTPUT, -o OUTPUT
+                              Output file or filename prefix if multiple files are
+                              generated (not yet implemented)
+        --backend-option BACKEND_OPTION, -O BACKEND_OPTION
+                              Options and switches that are passed to the backend
+        --defer-abort, -d     Don't abort on parse or conversion errors, proceed
+                              with next rule. The exit code from the last error is
+                              returned
+        --ignore-not-implemented, -I
+                              Only return error codes for parse errors and ignore
+                              errors for rules with not implemented features
+        --verbose, -v         Be verbose
+        --debug, -D           Debugging output
+
+      Backend options:
+        es-dsl
+          es        : Host and port of Elasticsearch instance (default: http://localhost:9200)
+          output    : Output format: import = JSON search request, curl = Shell script that do the search queries via curl (default: import)
+        es-qs
+          rulecomment: Prefix generated query with comment containing title (default: False)
+        graylog
+          rulecomment: Prefix generated query with comment containing title (default: False)
+        kibana
+          output    : Output format: import = JSON file manually imported in Kibana, curl = Shell script that imports queries in Kibana via curl (jq is additionally required) (default: import)
+          es        : Host and port of Elasticsearch instance (default: localhost:9200)
+          index     : Kibana index (default: .kibana)
+          prefix    : Title prefix of Sigma queries (default: Sigma: )
+        xpack-watcher
+          output    : Output format: curl = Shell script that imports queries in Watcher index with curl (default: curl)
+          es        : Host and port of Elasticsearch instance (default: localhost:9200)
+          mail      : Mail address for Watcher notification (only logging if not set) (default: None)
+        logpoint
+          rulecomment: Prefix generated query with comment containing title (default: False)
+        splunk
+          rulecomment: Prefix generated query with comment containing title (default: False)
@@ -0,0 +1,102 @@
+logsources:
+  linux:
+    product: linux
+    conditions:
+      deviceVendor: Unix
+  linux-sshd:
+    product: linux
+    service: sshd
+    conditions:
+      deviceVendor: Unix
+  linux-auth:
+    product: linux
+    service: auth
+    conditions:
+      deviceVendor: Unix
+  linux-clamav:
+    product: linux
+    service: clamav
+    conditions:
+      deviceVendor: Unix
+  windows-dns:
+    product: windows
+    service: dns-server
+    conditions:
+      deviceVendor: Microsoft
+      deviceProduct: DNS-Server
+  windows-pc:
+    product: windows
+    service: powershell-classic
+    conditions:
+      deviceVendor: Microsoft
+  windows-sys:
+    product: windows
+    service: sysmon
+    conditions:
+      deviceVendor: Microsoft
+      deviceProduct: Sysmon
+  windows-sec:
+    product: windows
+    service: security
+    conditions:
+      deviceVendor: Microsoft
+      deviceProduct: Microsoft Windows
+  windows-power:
+    product: windows
+    service: powershell
+    conditions:
+      deviceVendor: Microsoft
+  windows-system:
+    product: windows
+    service: system
+    conditions:
+      deviceVendor: Microsoft
+  windows-driver:
+    product: windows
+    service: driver-framework
+    conditions:
+      deviceVendor: Microsoft
+  windows-app:
+    product: windows
+    service: application
+    conditions:
+      deviceVendor: Microsoft
+  proxy:
+    category: proxy
+    conditions:
+      categoryDeviceGroup: /Proxy
+  python:
+    product: python
+    conditions:
+      deviceProduct: Python
+      categoryDeviceGroup: /Application
+  ruby_on_rails:
+    product: ruby_on_rails
+    conditions:
+      deviceProduct: Ruby on Rails
+      categoryDeviceGroup: /Application
+  spring:
+    product: spring
+    conditions:
+      deviceProduct: Spring
+      categoryDeviceGroup: /Application
+  apache:
+    product: apache
+    conditions:
+      deviceProduct: Apache
+      categoryDeviceGroup: /Application
+    firewall:
+    product: firewall
+    conditions:
+      categoryDeviceGroup: /Firewall
+
+fieldmappings:
+  EventID: externalId
+  dst:
+    - destinationAddress
+  dst_ip:
+    - destinationAddress
+  src:
+    - sourceAddress
+  src_ip:
+    - sourceAddress
@@ -0,0 +1,93 @@
+logsources:
+  windows-application:
+    product: windows
+    service: application
+    index: logs-endpoint-winevent-application-*
+  windows-security:
+    product: windows
+    service: security
+    index: logs-endpoint-winevent-security-*
+  windows-sysmon:
+    product: windows
+    service: sysmon
+    index: logs-endpoint-winevent-sysmon-*
+  windows-system:
+    product: windows
+    service: system
+    index: logs-endpoint-winevent-system-*
+  windows-wmi:
+    product: windows
+    service: wmi
+    index: logs-endpoint-winevent-wmiactivity-*
+  windows-powershell:
+    product: windows
+    service: powershell
+    index: logs-endpoint-winevent-powershell-*
+  windows-powershell-classic:
+    product: windows
+    service: powershell-classic
+    index: logs-endpoint-winevent-powershell-*
+defaultindex: logs-*
+fieldmappings:
+    AccessMask: object_access_mask_requested
+    AccountName: service_account_name
+    AllowedToDelegateTo: user_attribute_allowed_todelegate
+    AttributeLDAPDisplayName: dsobject_attribute_name
+    AuditPolicyChanges: policy_changes
+    AuthenticationPackageName: logon_authentication_package
+    CallTrace: process_calltrace
+    CommandLine: command_line
+    ComputerName: host_name
+    CurrentDirectory: process_current_directory
+    DestinationHostname: dst_host
+    DestinationIp: dst_ip
+    DestinationIsIpv6: dst_isipv6
+    DestinationPort: dst_port_number
+    Details: registry_details
+    EngineVersion: powershell.engine.version
+    EventID: event_id
+    EventType: 
+        EventID=12: registry_event_type
+        EventID=13: registry_event_type
+        EventID=14: registry_event_type
+        EventID=19: wmi_event_type
+        EventID=20: wmi_event_type
+        EventID=21: wmi_event_type
+    FailureCode: ticket_failure_code
+    GrantedAccess: process_granted_access
+    GroupName: group_name
+    HiveName: hive_name
+    HostVersion: powershell.host.version
+    Image: process_path
+    ImageLoaded: image_loaded
+    LogonProcessName: logon_process_name
+    LogonType: logon_type
+    NewProcessName: process_path
+    ObjectClass: dsobject_class
+    ObjectName: object_name
+    ObjectType: object_type
+    ObjectValueName: object_value_name
+    OperationType: object_operation_type
+    ParentImage: process_parent_path
+    PipeName: pipe_name
+    ProcessName: process_path
+    RelativeTargetName: share_relative_target_name
+    ServiceFileName: service_image_path
+    ServiceName: service_name
+    ShareName: share_name
+    Source: source_name
+    SourceImage: process_path
+    StartModule: thread_startmodule
+    Status: logon_failure_status
+    SubjectUserName: user_name
+    TargetFilename: file_name
+    TargetImage: process_target_path
+    TargetObject: registry_target_object
+    TargetImage: target_process_path
+    TaskName: task_name
+    TicketEncryptionType: ticket_encryption_type
+    TicketOptions: ticket_options
+    User: user
+    UserName: user_name
+    Workstation: src_host
+    WorkstationName: src_host
@@ -24,7 +24,7 @@ fieldmappings:
    FailureCode: result_code
    GroupName: group_name
    KeyLength: key_length
-    LogonProcess: logon_process
+    LogonProcessName: logon_process
    LogonType: logon_type
    ServiceName: service
    SubjectAccountName:
@@ -0,0 +1,21 @@
+logsources:
+  apache:
+    product: apache
+    conditions:
+      deviceProduct: LOGSOURCETYPENAME(devicetype) ilike Apache
+
+  windows:
+    product: windows
+    conditions:
+      deviceProduct: LOGSOURCETYPENAME(devicetype) ilike 'Microsoft Windows Security Event Log'
+
+fieldmappings:
+  EventID: EventID
+  dst:
+    - destinationIP
+  dst_ip:
+    - destinationIP
+  src:
+    - sourceIP
+  src_ip:
+    - sourceIP
@@ -0,0 +1,17 @@
+fieldmappings:
+    dst:
+        - network.remote.address.ip
+    dst_ip:
+        - network.remote.address.ip
+    src:
+        - network.local.address.ip
+    src_ip:
+        - network.local.address.ip
+    file_hash:
+        - file.hash.md5
+        - file.hash.sha256
+    NewProcessName: process.name
+    ServiceName: process.name
+    ServiceFileName: process.name
+    TargetObject: registry.path
+
@@ -0,0 +1,54 @@
+logsources:
+  windows-application:
+    product: windows
+    service: application
+    sources: 
+      - 'WinEventLog:Application'
+  windows-security:
+    product: windows
+    service: security
+    sources: 
+      - 'WinEventLog:Security'
+  windows-security:
+    product: windows
+    service: system
+    sources: 
+      - 'WinEventLog:System'
+  windows-sysmon:
+    product: windows
+    service: sysmon
+    sources: 
+      - 'WinEventLog:Microsoft-Windows-Sysmon/Operational'
+  windows-powershell:
+    product: windows
+    service: powershell
+    sources: 
+      - 'WinEventLog:Microsoft-Windows-PowerShell/Operational'
+  windows-powershell:
+    product: windows
+    service: taskscheduler
+    sources: 
+      - 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational'
+  windows-wmi:
+    product: windows
+    service: wmi
+    sources: 
+      - 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational'
+  apache:
+    category: webserver
+    sources:
+      - 'File:/var/log/apache/*.log'
+      - 'File:/var/log/apache2/*.log'
+      - 'File:/var/log/httpd/*.log'
+  linux-auth:
+    product: linux
+    service: auth
+    sources:
+      - 'File:/var/log/auth.log'
+      - 'File:/var/log/auth.log.?' # auth.log.1, auth.log.2, ...
+  linux-syslog:
+    product: linux
+    service: syslog
+    sources:
+      - 'File:/var/log/syslog'
+      - 'File:/var/log/syslog.?' # syslog.1, syslog.2 ...
@@ -42,12 +42,23 @@ logsources:
  windows-dns-server:
    product: windows
    service: dns-server
+    category: dns
    conditions:
      source: 'DNS Server'
+  windows-dns-server-audit:
+    product: windows
+    service: dns-server-audit
+    conditions:
+      source: 'Microsoft-Windows-DNS-Server/Audit'
  windows-driver-framework:
    product: windows
    service: driver-framework
    conditions:
      source: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+  windows-ntlm:
+    product: windows
+    service: ntlm
+    conditions:
+      source: 'Microsoft-Windows-NTLM/Operational'
 fieldmappings:
    EventID: EventCode
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`{ "query": { "query_string": { "query": $query } } }`