Sigma tools release 0.7.1

Rule: PowerShell script run in AppData folders
Rule: WMI Event Subscription
2019-01-14 00:26:03 +01:00 · 2019-01-12 12:03:36 +01:00 · 2019-01-12 12:03:36 +01:00 · 2019-01-12 12:03:36 +01:00 · 2019-01-12 12:03:36 +01:00 · 2019-01-12 12:03:36 +01:00
249 changed files with 6564 additions and 1531 deletions
@@ -1,8 +1,10 @@
 language: python
+dist: xenial
 python:
  - 3.5
  - 3.6
-  - pypy3
+  - 3.7
+sudo: true
 services:
    - elasticsearch
 cache: pip
@@ -1,6 +1,6 @@
 .PHONY: test test-yaml test-sigmac
-TMPOUT = $(shell tempfile)
-COVSCOPE = tools/sigma/*.py,tools/sigmac,tools/merge_sigma
+TMPOUT = $(shell tempfile||mktemp)
+COVSCOPE = tools/sigma/*.py,tools/sigma/backends/*.py,tools/sigmac,tools/merge_sigma
 test: clearcov test-yaml test-sigmac test-merge build finish

 clearcov:
@@ -18,11 +18,21 @@ test-sigmac:
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -O rulecomment -rvdI -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t graylog rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkxml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t wdatp rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-dsl rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=stable,logsource=windows' rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t powershell -c tools/config/powershell-windows-all.yml -Ocsv rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight -c tools/config/arcsight.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qradar -c tools/config/arcsight.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qualys -c tools/config/qualys.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t netwitness -c tools/config/netwitness.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sumologic -c tools/config/sumologic.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=stable,logsource=windows,tag=attack.execution' rules/ > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=xcritical,status=stable,logsource=windows' rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level=critical' rules/ > /dev/null
@@ -42,7 +52,8 @@ test-sigmac:
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t grep rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t fieldlist rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -O output=plain -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -o $(TMPOUT) tests/collection_repeat.yml > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -O output=json -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -o $(TMPOUT) - < tests/collection_repeat.yml > /dev/null
 	! coverage run -a --include=$(COVSCOPE)  tools/sigmac -t xpack-watcher -O output=foobar -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/not_existing.yml > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/invalid_yaml.yml > /dev/null
@@ -56,7 +67,7 @@ test-sigmac:
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c not_existing rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_yaml.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_config.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvI -c tools/config/elk-defaultindex.yml -t kibana rules/ > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rv -c tools/config/elk-defaultindex.yml -t kibana rules/ > /dev/null

 test-merge:
 	tests/test-merge.sh
@@ -26,26 +26,17 @@ This repository contains:

 # Use Cases

-* Describe your once discovered detection method in Sigma to make it sharable 
-* Share the signature in the appendix of your analysis along with file hashes and C2 servers
+* Describe your detection method in Sigma to make it sharable
+* Write and your SIEM searches in Sigma to avoid a vendor lock-in
+* Share the signature in the appendix of your analysis along with IOCs and YARA rules
 * Share the signature in threat intel communities - e.g. via MISP
-* Provide Sigma signatures for malicious behaviour in your own application (Error messages, access violations, manipulations) 
-* Integrate a new log into your SIEM and check the Sigma repository for available rules
-* Write a rule converter for your custom log analysis tool and process new Sigma rules automatically
-* Provide a free or commercial feed for Sigma signatures
-
+* Provide Sigma signatures for malicious behaviour in your own application

 # Why Sigma

 Today, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and build their own searches and dashboard. Some of their searches and correlations are great and very useful but they lack a standardized format in which they can share their work with others. 

-Others provide excellent analyses for threat groups, sharing file indicators, C2 servers and YARA rules to detect the malicious files, but describe a certain malicious service install or remote thread injection in a separate paragraph. Security analysts, who read that paragraph then extract the necessary information and create rules in their SIEM system. The detection method never finds a way into a repository that is shared, structured and archived. 
-
-The lower layers of the OSI layer are well known and described. Every SIEM vendor has rules to detect port scans, ping sweeps and threats like the ['smurf attack'](https://en.wikipedia.org/wiki/Smurf_attack). But the higher layers contain numerous applications and protocols  with special characteristics that write their own custom log files. SIEM vendors consider the signatures and correlations as their intelectual property and do not tend to share details on the coverage. 
-
-Sigma is meant to be an open standard in which detection mechanisms can be defined, shared and collected in order to improve the detection capabilities on the application layers for everyone. 
-
-![sigma_why](./images/Problem_OSI_v01.png)
+Others provide excellent analyses, include IOCs and YARA rules to detect the malicious files and network connections, but have no way to describe a specific or generic detection method in log events. Sigma is meant to be an open standard in which such detection mechanisms can be defined, shared and collected in order to improve the detection capabilities for everyone. 

 ## Slides

@@ -61,8 +52,19 @@ The current specification is a proposal. Feedback is requested.

 # Getting Started

+## Rule Creation
+
 Florian wrote a short [rule creation tutorial](https://www.nextron-systems.com/2018/02/10/write-sigma-rules/) that can help you getting started.

+## Rule Usage 
+
+1. Download or clone the respository
+2. Check the `./rules` sub directory for an overview on the rule base
+3. Run `python sigmac --help` in folder `./tools` to get a help on the rule converter
+4. Convert a rule of your choice with `sigmac` like `python sigmac -t splunk ../rules/windows/builtin/win_susp_process_creations.yml`
+5. Convert a whole rule directory with `python sigmac -t splunk -r ../rules/proxy/`
+6. Check the `./tools/config` folder and the [wiki](https://github.com/Neo23x0/sigma/wiki/Converter-Tool-Sigmac) if you need custom field or log source mappings in your environment
+
 # Examples

 Windows 'Security' Eventlog: Access to LSASS Process with Certain Access Mask / Object Type (experimental)
@@ -80,7 +82,9 @@ Sysmon: Web Shell Detection
 Windows 'Security' Eventlog: Suspicious Number of Failed Logons from a Single Source Workstation
 ![sigma_rule example5](./images/Sigma_rule_example5.png)

-## Sigma Tools
+# Sigma Tools 
+
+## Sigmac 

 Sigmac converts sigma rules into queries or inputs of the supported targets listed below. It acts as a frontend to the
 Sigma library that may be used to integrate Sigma support in other projects. Further, there's `merge_sigma.py` which
@@ -90,18 +94,28 @@ merges multiple YAML documents of a Sigma rule collection into simple Sigma rule

 ### Supported Targets

-* [Splunk](https://www.splunk.com/)
-* [Elasticsearch](https://www.elastic.co/)
+* [Splunk](https://www.splunk.com/) (plainqueries and dashboards)
+* [ElasticSearch Query Strings](https://www.elastic.co/)
+* [ElasticSearch Query DSL](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl.html)
 * [Kibana](https://www.elastic.co/de/products/kibana)
 * [Elastic X-Pack Watcher](https://www.elastic.co/guide/en/x-pack/current/xpack-alerting.html)
 * [Logpoint](https://www.logpoint.com)
-* Grep with Perl-compatible regular expression support
+* [Windows Defender Advanced Threat Protection (WDATP)](https://www.microsoft.com/en-us/windowsforbusiness/windows-atp)
+* [ArcSight](https://software.microfocus.com/en-us/products/siem-security-information-event-management/overview)
+* [QRadar](https://www.ibm.com/de-de/marketplace/ibm-qradar-siem)
+* [Qualys](https://www.qualys.com/apps/threat-protection/)
+* [RSA NetWitness](https://www.rsa.com/en-us/products/threat-detection-response)
+* [PowerShell](https://docs.microsoft.com/en-us/powershell/scripting/getting-started/getting-started-with-windows-powershell?view=powershell-6)
+* [Grep](https://www.gnu.org/software/grep/manual/grep.html) with Perl-compatible regular expression support

-New targets are continuously developed. A current list can be obtained with `sigmac --target-list` or `sigmac -l`.
+Current work-in-progress
+* [Splunk Data Models](https://docs.splunk.com/Documentation/Splunk/7.1.0/Knowledge/Aboutdatamodels)
+
+New targets are continuously developed. You can get a list of supported targets with `sigmac --target-list` or `sigmac -l`.

 ### Requirements

-The usage of Sigmac or the underlying library requires Python >= 3.5 and PyYAML.
+The usage of Sigmac (the Sigma Rule Converter) or the underlying library requires Python >= 3.5 and PyYAML.

 ### Installation

@@ -123,6 +137,34 @@ For development (e.g. execution of integration tests with `make` and packaging),
 pip3 install -r tools/requirements-devel.txt
 ```

+## Sigma2MISP
+
+Import Sigma rules to MISP events. Depends on PyMISP.
+
+Parameters that aren't changed frequently (`--url`, `--key`) can be put without the prefixing dashes `--` into a file
+and included with `@filename` as parameter on the command line.
+
+Example:
+*misp.conf*:
+```
+url https://host
+key foobarfoobarfoobarfoobarfoobarfoobarfoo 
+```
+
+Load Sigma rule into MISP event 1234:
+```
+sigma2misp @misp.conf --event 1234 sigma_rule.py
+```
+
+Load Sigma rules in directory sigma_rules/ into one newly created MISP event with info set to *Test Event*:
+```
+sigma2misp @misp.conf --same-event --info "Test Event" -r sigma_rules/
+```
+
+## Evt2Sigma
+
+[Evt2Sigma](https://github.com/Neo23x0/evt2sigma) helps you with the rule creation. It generates a Sigma rule from a log entry. 
+
 ## Contributed Scripts

 The directory `contrib` contains scripts that were contributed by the community:
@@ -134,20 +176,18 @@ These tools are not part of the main toolchain and maintained separately by thei

 # Next Steps

-* Integration of feedback into the rule specifications
-* Integration into Threat Intel Exchanges, e.g. [MISP](http://www.misp-project.org/)
+* Integration of MITRE ATT&CK framework identifier to the rule set
+* Integration into Threat Intel Exchanges
 * Attempts to convince others to use the rule format in their reports, threat feeds, blog posts, threat sharing platforms

 # Projects that use Sigma

-* [Augmentd](https://augmentd.co/)
+* [MISP](http://www.misp-project.org/2017/03/26/MISP.2.4.70.released.html) (since version 2.4.70, March 2017)
 * [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches) (Splunk App)
-
-# Credits
-
-This is a private project mainly developed by Florian Roth and Thomas Patzke with feedback from many fellow analysts and friends. Rules are our own or have been drived from blog posts, tweets or other public sources that are referenced in the rules.
-
-Copyright for Tree Image: [studiobarcelona / 123RF Stock Photo](http://www.123rf.com/profile_studiobarcelona)
+* [SOC Prime - Sigma Rule Editor](https://tdm.socprime.com/sigma/)
+* [ypsilon](https://github.com/P4T12ICK/ypsilon) - Automated Use Case Testing 
+* [uncoder.io](https://uncoder.io/) - Online Translator for SIEM Searches
+* [SPARK](https://www.nextron-systems.com/2018/06/28/spark-applies-sigma-rules-in-eventlog-scan/) - Scan with Sigma rules on endpoints

 # Licenses

@@ -156,3 +196,9 @@ The content of this repository is released under the following licenses:
 * The toolchain (everything under `tools/`) is licensed under the [GNU Lesser General Public License](https://www.gnu.org/licenses/lgpl-3.0.en.html).
 * The [Sigma specification](https://github.com/Neo23x0/sigma/wiki) is public domain.
 * Everything else, especially the rules contained in the `rules/` directory is released under the [GNU General Public License](https://www.gnu.org/licenses/gpl-3.0.en.html).
+
+# Credits
+
+This is a private project mainly developed by Florian Roth and Thomas Patzke with feedback from many fellow analysts and friends. Rules are our own or have been drived from blog posts, tweets or other public sources that are referenced in the rules.
+
+Copyright for Tree Image: [studiobarcelona / 123RF Stock Photo](http://www.123rf.com/profile_studiobarcelona)
@@ -102,13 +102,13 @@ def rule_element(file_content, elements):
    :return: the value of the key in the yaml document
    """
    try:
-        yaml.load(file_content.replace("---",""))
+        yaml.safe_load(file_content.replace("---",""))
    except:
        raise Exception('Unsupported')
    element_output = ""
    for e in elements:
        try:
-            element_output = yaml.load(file_content.replace("---",""))[e]
+            element_output = yaml.safe_load(file_content.replace("---",""))[e]
        except:
            pass
    if element_output is None:
@@ -0,0 +1,32 @@
+---
+action: global
+title: APT29 
+description: 'This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks' 
+references:
+    - https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
+logsource:
+    product: windows
+author: Florian Roth
+date: 2018/12/04 
+detection:
+    condition: selection
+falsepositives:
+    - unknown
+level: critical
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        CommandLine: '*-noni -ep bypass $*'
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+        ProcessCommandLine: '*-noni -ep bypass $*'
@@ -4,6 +4,10 @@ title: APT29 Google Update Service Install
 description: 'This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files.' 
 references:
    - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
+tags:
+    - attack.command_and_control
+    - attack.g0016
+    - attack.t1172
 logsource:
    product: windows
 detection:
@@ -2,6 +2,10 @@ title: Turla Service Install
 description: 'This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET' 
 references:
    - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
+tags:
+    - attack.command_and_control
+    - attack.g0010
+    - attack.t1050
 logsource:
    product: windows
    service: system
@@ -4,6 +4,8 @@ title: Chafer Activity
 description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018 
 references:
    - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
+tags:
+    - attack.g0049
 date: 2018/03/23
 author: Florian Roth, Markus Neis
 detection:
@@ -3,6 +3,10 @@ description: Detects suspicious file execution by wscript and cscript
 author: Florian Roth
 references:
    - https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+tags:
+    - attack.execution
+    - attack.g0045
+    - attack.t1064
 logsource:
    product: windows
    service: sysmon
@@ -5,6 +5,8 @@ description: Detects CrackMapExecWin Activity as Described by NCSC
 status: experimental
 references:
    - https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control 
+tags:
+    - attack.g0035
 author: Markus Neis
 detection:
    condition: 1 of them
@@ -16,7 +18,7 @@ level: critical
 logsource:
    product: windows
    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
    selection1:
        # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
@@ -3,6 +3,10 @@ status: experimental
 description: Detects Elise backdoor acitivty as used by APT32 
 references: 
    - https://community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting
+tags:
+    - attack.g0030
+    - attack.g0050
+    - attack.s0081
 author: Florian Roth
 date: 2018/01/31
 logsource:
@@ -3,16 +3,19 @@ description: Detects communication to C2 servers mentioned in the operational no
 references:
    - 'https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation'
    - 'https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195'
+tags:
+    - attack.command_and_control
+    - attack.g0020
 author: Florian Roth
 logsource:
-    product: firewall
+    category: firewall
 detection:
    outgoing:
-        dst:
+        dst_ip:
            - '69.42.98.86'
            - '89.185.234.145'
    incoming:
-        src:
+        src_ip:
            - '69.42.98.86'
            - '89.185.234.145'
    condition: 1 of them
@@ -6,14 +6,14 @@ references:
    - https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
    - https://securelist.com/apt-slingshot/84312/
    - https://twitter.com/cyb3rops/status/972186477512839170
+tags:
+    - attack.execution
+    - attack.g0020
+    - attack.t1059
 author: Florian Roth
 date: 2018/03/10 
+modified: 2018/12/11
 detection:
-    selection1:
-        Image: '*\rundll32.exe'
-        CommandLine: '*,dll_u'
-    selection2:
-        CommandLine: '* -export dll_u *'
    condition: 1 of them
 falsepositives:
    - Unknown
@@ -25,15 +25,21 @@ logsource:
 detection:
    selection1:
        EventID: 1
+        Image: '*\rundll32.exe'
+        CommandLine: '*,dll_u'
    selection2:
        EventID: 1
+        CommandLine: '* -export dll_u *'
 ---
 logsource:
    product: windows
    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
    selection1:
        EventID: 4688
+        Image: '*\rundll32.exe'
+        ProcessCommandLine: '*,dll_u'
    selection2:
-        EventID: 4688
+        EventID: 4688
+        ProcessCommandLine: '* -export dll_u *'
@@ -2,6 +2,10 @@ title: Equation Group Indicators
 description: Detects suspicious shell commands used in various Equation Group scripts and tools
 references:
    - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
+tags:
+    - attack.execution
+    - attack.g0020
+    - attack.t1059
 author: Florian Roth
 logsource:
    product: linux
@@ -5,13 +5,14 @@ status: experimental
 description: Detects Hurricane Panda Activity 
 references: 
    - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
+tags:
+    - attack.privilege_escalation
+    - attack.g0009
+    - attack.t1068
 author: Florian Roth
 date: 2018/02/25
+modified: 2018/12/11
 detection:
-    selection:
-        CommandLine: 
-            - '* localgroup administrators admin /add'
-            - '*\Win64.exe*'
    condition: selection
 falsepositives:
    - Unknown
@@ -23,13 +24,19 @@ logsource:
 detection:
    selection:
        EventID: 1
+        CommandLine: 
+            - '* localgroup administrators admin /add'
+            - '*\Win64.exe*'
 ---
 logsource:
    product: windows
    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
    selection:
        EventID: 4688
+        ProcessCommandLine: 
+            - '* localgroup administrators admin /add'
+            - '*\Win64.exe*'


@@ -4,6 +4,9 @@ description: Detects Pandemic Windows Implant
 references:
    - https://wikileaks.org/vault7/#Pandemic
    - https://twitter.com/MalwareJake/status/870349480356454401
+tags:
+    - attack.lateral_movement
+    - attack.t1105
 author: Florian Roth
 logsource:
    product: windows
@@ -4,12 +4,14 @@ title: Defrag Deactivation
 description: Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group
 references:
    - https://securelist.com/apt-slingshot/84312/
+tags:
+    - attack.persistence
 author: Florian Roth
 date: 2018/03/10
 logsource:
    product: windows
    service: security
-    description: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'       
+    definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'       
 detection:
    condition: selection
 falsepositives:
@@ -28,7 +30,7 @@ detection:
 logsource:
    product: windows
    service: security
-    description: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'       
+    definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'       
 detection:
    selection:
        EventID: 4701
@@ -1,4 +1,3 @@
-
 ---
 action: global
 title: Sofacy Trojan Loader Activity
@@ -8,13 +7,12 @@ references:
    - https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
    - https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100
    - https://twitter.com/ClearskySec/status/960924755355369472
+tags:
+    - attack.g0007
 author: Florian Roth
 date: 2018/03/01
+modified: 2018/12/11
 detection:
-    selection:
-        CommandLine: 
-            - 'rundll32.exe %APPDATA%\*.dat",*'
-            - 'rundll32.exe %APPDATA%\*.dll",#1'
    condition: selection
 falsepositives:
    - Unknown
@@ -26,11 +24,17 @@ logsource:
 detection:
    selection:
        EventID: 1
+        CommandLine: 
+            - 'rundll32.exe %APPDATA%\*.dat",*'
+            - 'rundll32.exe %APPDATA%\*.dll",#1'
 ---
 logsource:
    product: windows
    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
    selection:
-        EventID: 4688
+        EventID: 4688
+        ProcessCommandLine: 
+            - 'rundll32.exe %APPDATA%\*.dat",*'
+            - 'rundll32.exe %APPDATA%\*.dll",#1'
@@ -0,0 +1,34 @@
+---
+action: global
+title: Sofacy Zebrocy
+description: Detects Sofacy's Zebrocy malware execution
+references:
+    - https://app.any.run/tasks/54acca9a-394e-4384-a0c8-91a96d36c81d
+tags:
+    - attack.execution
+    - attack.g0020
+    - attack.t1059
+author: Florian Roth
+date: 2018/03/10
+detection:
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        CommandLine: '*cmd.exe /c SYSTEMINFO & TASKLIST'
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+        ProcessCommandLine: '*cmd.exe /c SYSTEMINFO & TASKLIST'
@@ -3,6 +3,10 @@ description: 'This method detects a service install of the malicious Microsoft N
 author: Florian Roth
 references:
    - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
+tags:
+    - attack.persistence
+    - attack.g0064
+    - attack.t1050
 logsource:
    product: windows
    service: system
@@ -2,6 +2,10 @@ title: Ps.exe Renamed SysInternals Tool
 description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A report
 references:
    - https://www.us-cert.gov/ncas/alerts/TA17-293A
+tags:
+    - attack.defense_evasion
+    - attack.g0035
+    - attack.t1036
 author: Florian Roth
 date: 2017/10/22
 logsource:
@@ -0,0 +1,34 @@
+action: global
+title: TropicTrooper Campaign November 2018
+status: stable
+description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
+references:
+    - https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
+author: "@41thexplorer, Windows Defender ATP"
+date: 2018/11/30
+modified: 2018/12/11
+tags:
+    - attack.execution
+    - attack.t1085
+detection:
+    condition: selection
+level: high
+---
+# Windows Security Eventlog: Process Creation with Full Command Line
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+        ProcessCommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
+---
+# Sysmon: Process Creation (ID 1)
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
@@ -5,6 +5,9 @@ status: experimental
 description: Detects automated lateral movement by Turla group 
 references:
    - https://securelist.com/the-epic-turla-operation/65545/
+tags:
+    - attack.lateral_movement
+    - attack.g0010
 author: Markus Neis
 date: 2017/11/07
 logsource:
@@ -34,5 +37,5 @@ detection:
      EventID: 1
      CommandLine: 'net share'
   timeframe: 1m
-   condition: netCommand1 | near netCommand1 and netCommand1 
+   condition: netCommand1 | near netCommand2 and netCommand3 
 level: medium
@@ -4,11 +4,13 @@ description: Detects a named pipe used by Turla group samples
 references:
    - Internal Research
 date: 2017/11/06
+tags:
+    - attack.g0010
 author: Markus Neis
 logsource:
    product: windows
    service: sysmon
-    description: 'Note that you have to configure logging for PipeEvents in Symson config'
+    definition: 'Note that you have to configure logging for PipeEvents in Symson config'
 detection:
    selection:
        EventID: 
@@ -0,0 +1,21 @@
+title: Turla PNG Dropper Service
+description: 'This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018' 
+references:
+    - https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
+author: Florian Roth
+date: 2018/11/23
+tags:
+    - attack.command_and_control
+    - attack.g0016
+    - attack.t1172
+logsource:
+    product: windows
+    service: system
+detection:
+    selection:
+        EventID: 7045
+        ServiceName: 'WerFaultSvc'
+    condition: selection
+falsepositives:
+    - unlikely
+level: critical
@@ -0,0 +1,44 @@
+action: global
+title: Unidentified Attacker November 2018
+status: stable
+description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.
+references:
+    - https://twitter.com/DrunkBinary/status/1063075530180886529
+author: "@41thexplorer, Windows Defender ATP"
+date: 2018/11/20
+modified: 2018/12/11
+tags:
+    - attack.execution
+    - attack.t1085
+detection:
+    condition: selection
+level: high
+---
+# Windows Security Eventlog: Process Creation with Full Command Line
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+        ProcessCommandLine: '*cyzfc.dat, PointFunctionCall'
+---
+# Sysmon: Process Creation (ID 1)
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        CommandLine: '*cyzfc.dat, PointFunctionCall'
+---
+# Sysmon: File Creation (ID 11)
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 11
+        TargetFilename: 
+            - '*ds7002.lnk*' 
@@ -3,6 +3,8 @@ description: Detects a ZxShell start by the called and well-known function name
 author: Florian Roth
 references:
    - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
+tags:
+    - attack.g0001
 logsource:
    product: windows
    service: sysmon
@@ -15,12 +15,15 @@ detection:
            # Temporary folder
            - '/tmp/*'
            # Web server 
-            - '/var/www/*'            # Standard
-            - '/usr/local/apache2/*'  # Classical Apache
-            - '/usr/local/httpd/*'    # Old SuSE Linux 6.*
-            - '/var/apache/*'         # Solaris
-            - '/srv/www/*'            # SuSE Linux 9.*
-            - '/home/httpd/html/*'    # Redhat 6 or older
+            - '/var/www/*'              # Standard
+            - '/home/*/public_html/*'   # Per-user
+            - '/usr/local/apache2/*'    # Classical Apache
+            - '/usr/local/httpd/*'      # Old SuSE Linux 6.* Apache
+            - '/var/apache/*'           # Solaris Apache
+            - '/srv/www/*'              # SuSE Linux 9.*
+            - '/home/httpd/html/*'      # Redhat 6 or older Apache
+            - '/srv/http/*'             # ArchLinux standard
+            - '/usr/share/nginx/html/*' # ArchLinux nginx
            # Data dirs of typically exploited services (incomplete list)
            - '/var/lib/pgsql/data/*'
            - '/usr/local/mysql/data/*'
@@ -28,8 +31,6 @@ detection:
            - '/var/vsftpd/*'
            - '/etc/bind/*'
            - '/var/named/*'
-            # Others
-            - '*/public_html/*'
    condition: selection
 falsepositives:
    - Admin activity (especially in /tmp folders)
@@ -1,9 +1,9 @@
 title: Buffer Overflow Attempts
-description: Detects buffer overflow attempts in Linux system log files
+description: Detects buffer overflow attempts in Unix system log files
 references:
    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
 logsource:
-    product: linux
+    product: unix
 detection:
    keywords:
        - 'attempt to execute code on stack by'
@@ -0,0 +1,16 @@
+title: SSHD Error Message CVE-2018-15473
+description: Detects exploitation attempt using public exploit code for CVE-2018-15473
+references:
+    - https://github.com/Rhynorater/CVE-2018-15473-Exploit
+author: Florian Roth
+date: 2017/08/24
+logsource:
+    product: linux
+    service: sshd
+detection:
+    keywords:
+        - 'error: buffer_get_ret: trying to get more bytes 1907 than in buffer 308 [preauth]'
+    condition: keywords
+falsepositives:
+    - Unknown
+level: medium
@@ -6,8 +6,8 @@ logsource:
 detection:
    selection:
        pam_message: "authentication failure"
-        pam_user: not null
-        pam_rhost: not null
+        pam_user: '*'
+        pam_rhost: '*'
    timeframe: 24h 
    condition: selection | count(pam_user) by pam_rhost > 3
 falsepositives:
@@ -0,0 +1,17 @@
+title: JexBoss Command Sequence
+description: Detects suspicious command sequence that JexBoss
+references:
+    - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
+author: Florian Roth
+date: 2017/08/24
+logsource:
+    product: linux
+detection:
+    selection1: 
+        - 'bash -c /bin/bash'
+    selection2:
+        - '&/dev/tcp/'
+    condition: selection1 and selection2
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,19 @@
+title: Cobalt Strike DNS Beaconing
+status: experimental
+description: Detects suspicious DNS queries known from Cobalt Strike beacons
+references:
+    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
+author: Florian Roth
+date: 2018/05/10
+logsource:
+    category: dns
+detection:
+    selection:
+        query:
+            - 'aaa.stage.*' 
+            - 'post.1*'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
+
@@ -0,0 +1,17 @@
+title: Suspicious DNS Query with B64 Encoded String   
+status: experimental
+description: Detects suspicious DNS queries using base64 encoding
+references:
+    - https://github.com/krmaxwell/dns-exfiltration
+author: Florian Roth
+date: 2018/05/10
+logsource:
+    category: dns
+detection:
+    selection:
+        query:
+            - '*==.*'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,22 @@
+title: DNS TXT Answer with possible execution strings    
+status: experimental
+description: Detects strings used in command execution in DNS TXT Answer 
+references:
+    - https://twitter.com/stvemillertime/status/1024707932447854592
+    - https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1
+tags:
+    - attack.t1071
+author: Markus Neis
+date: 2018/08/08
+logsource:
+    category: dns
+detection:
+    selection:
+        answer:
+            - '*IEX*'
+            - '*Invoke-Expression*'
+            - '*cmd.exe*'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,20 @@
+title: Telegram Bot API Request
+status: experimental
+description: Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind
+references:
+    - https://core.telegram.org/bots/faq
+    - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
+    - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
+    - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
+author: Florian Roth
+date: 2018/06/05
+logsource:
+    category: dns
+detection:
+    selection:
+        query:
+            - 'api.telegram.org'   # Telegram Bot API Request https://core.telegram.org/bots/faq
+    condition: selection
+falsepositives:
+    - Legitimate use of Telegram bots in the company
+level: medium
@@ -0,0 +1,27 @@
+title: CobaltStrike Malleable Amazon browsing traffic profile
+status: experimental
+description: Detects Malleable Amazon Profile 
+references:
+    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/amazon.profile
+    - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
+author: Markus Neis
+tags:
+    - attack.t1102
+logsource:
+    category: proxy
+detection:
+    selection1:
+      UserAgent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
+      HttpMethod: 'GET'
+      URL: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'
+      Host: 'www.amazon.com'
+      Cookie: '*=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'
+    selection2:
+      UserAgent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
+      HttpMethod: 'POST'
+      URL: '/N4215/adj/amzn.us.sr.aps'
+      Host: 'www.amazon.com'
+    condition: selection1 or selection2
+falsepositives:
+    - Unknown
+level: high
@@ -5,8 +5,9 @@ references:
    - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap
    - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf
    - https://www.spamhaus.org/statistics/tlds/
+    - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
 author: Florian Roth
-date: 2017/11/07
+date: 2018/06/13
 logsource:
    category: proxy
 detection:
@@ -60,7 +61,7 @@ detection:
            - '*.cricket'
            - '*.space'
            - '*.top'
-            # McAfee report
+            # McAfee report 
            - '*.info'
            - '*.vn'
            - '*.cm'
@@ -83,7 +84,6 @@ detection:
            - '*.tt'
            - '*.name'
            - '*.tv'
-            - '*.tv'
            - '*.kz'
            - '*.tc'
            - '*.mobi'
@@ -93,10 +93,16 @@ detection:
            - '*.link'
            - '*.trade'
            - '*.accountant'
+            # Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
+            - '*.click'
+            - '*.cf'
+            - '*.gq'
+            - '*.ml'
+            - '*.ga'
    condition: selection
 fields:
    - ClientIP
    - URL
 falsepositives:
-    - All kind of software downloads
+    - All kinds of software downloads
 level: low
@@ -1,6 +1,6 @@
-title: Windows PowerShell WebDav User Agent
+title: Windows WebDAV User Agent
 status: experimental
-description: Detects Windows PowerShell Web Access
+description: Detects WebDav DownloadCradle
 references:
    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
 author: Florian Roth
@@ -10,12 +10,15 @@ logsource:
 detection:
    selection:
      UserAgent: 'Microsoft-WebDAV-MiniRedir/*'
+      HttpMethod: 'GET'
    condition: selection
 fields:
    - ClientIP
    - URL
    - UserAgent
+    - HttpMethod
 falsepositives:
    - Administrative scripts that download files from the Internet
    - Administrative scripts that retrieve certain website contents
+    - Legitimate WebDAV administration
 level: high
@@ -8,9 +8,8 @@ logsource:
    category: proxy
 detection:
    selection:
-      UserAgent:
-        # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString 
-        - ''
+      # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString 
+      UserAgent: ''
    condition: selection
 fields:
    - ClientIP
@@ -12,7 +12,7 @@ detection:
            - '*/install_flash_player.exe'
            - '*/flash_install.php*'
    filter:
-        cs-uri-query: '*.adobe.com/*'
+        cs-uri-stem: '*.adobe.com/*'
    condition: selection and not filter
 falsepositives:
    - Unknown flash download locations
@@ -0,0 +1,29 @@
+title: Telegram API Access
+status: experimental
+description: Detects suspicious requests to Telegram API without the usual Telegram User-Agent
+references:
+    - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
+    - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
+    - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
+author: Florian Roth
+date: 2018/06/05
+logsource:
+    category: proxy
+detection:
+    selection:
+        r-dns: 
+            - 'api.telegram.org'  # Often used by Bots
+    filter:
+        UserAgent: 
+            # Used https://core.telegram.org/bots/samples for this list
+            - '*Telegram*'
+            - '*Bot*'
+    condition: selection and not filter
+fields:
+    - ClientIP
+    - URL
+    - UserAgent
+falsepositives:
+    - Legitimate use of Telegram bots in the company
+level: medium
+
@@ -1,41 +1,50 @@
-title: APT User Agent
-status: experimental
-description: Detects suspicious user agent strings used in APT malware in proxy logs
-references:
-    - Internal Research
-author: Florian Roth
-logsource:
-    category: proxy
-detection:
-    selection:
-      UserAgent:
-         # APT Related
-        - 'SJZJ (compatible; MSIE 6.0; Win32)'  # APT Backspace
-        - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0'  # APT GrizzlySteppe - ChopStick - US CERT https://goo.gl/1DTHwi
-        - 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC'  # Comment Crew Miniasp
-        - 'Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)'  # Comment Crew Miniasp
-        - 'webclient'  # Naikon APT
-        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200'  # Naikon APT
-        - 'Mozilla/4.0 (compatible; MSI 6.0;'  # SnowGlobe Babar - yes, it is cut
-        - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0'  # Sofacy - Xtunnel
-        - 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/'  # Sofacy - Xtunnel
-        - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2'  # Sofacy - Xtunnel
-        - 'Mozilla/4.0'  # Derusbi backdoor ELF https://github.com/fideliscyber/indicators/tree/master/FTA-1021
-        - 'Netscape'  # Unit78020 Malware 
-        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7'  # Unit78020 Malware
-        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1'  # Winnti related
-        - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)'  # Winnti related
-        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)'  # APT17
-        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)'  # Bronze Butler - Daserf
-        - 'Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)'  # Bronze Butler - Daserf
-        - 'Mozilla/4.0 (compatible; MSIE 8.0; Win32)'  # TSCookie https://app.any.run/tasks/0996b314-5133-491b-8d23-d431ffdec597
-        - 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1'  # Delphi downloader https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
-    condition: selection
-fields:
-    - ClientIP
-    - URL
-    - UserAgent
-falsepositives:
-    - Old browsers
-level: high
-
+title: APT User Agent
+status: experimental
+description: Detects suspicious user agent strings used in APT malware in proxy logs
+references:
+    - Internal Research
+author: Florian Roth, Markus Neis
+logsource:
+    category: proxy
+detection:
+    selection:
+      UserAgent:
+         # APT Related
+        - 'SJZJ (compatible; MSIE 6.0; Win32)'  # APT Backspace
+        - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0'  # APT GrizzlySteppe - ChopStick - US CERT https://goo.gl/1DTHwi
+        - 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC'  # Comment Crew Miniasp
+        - 'Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)'  # Comment Crew Miniasp
+        - 'webclient'  # Naikon APT
+        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200'  # Naikon APT
+        - 'Mozilla/4.0 (compatible; MSI 6.0;'  # SnowGlobe Babar - yes, it is cut
+        - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0'  # Sofacy - Xtunnel
+        - 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/'  # Sofacy - Xtunnel
+        - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2'  # Sofacy - Xtunnel
+        - 'Mozilla/4.0'  # Derusbi backdoor ELF https://github.com/fideliscyber/indicators/tree/master/FTA-1021
+        - 'Netscape'  # Unit78020 Malware 
+        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7'  # Unit78020 Malware
+        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1'  # Winnti related
+        - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)'  # Winnti related
+        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)'  # APT17
+        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)'  # Bronze Butler - Daserf
+        - 'Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)'  # Bronze Butler - Daserf
+        - 'Mozilla/4.0 (compatible; MSIE 8.0; Win32)'  # TSCookie https://app.any.run/tasks/0996b314-5133-491b-8d23-d431ffdec597
+        - 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1'  # Delphi downloader https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
+        - 'Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)'  # VPNFilter https://blog.talosintelligence.com/2018/05/VPNFilter.html
+        - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)'  # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
+        - 'Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko'  # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
+        - 'Mozilla v5.1 *'  # Sofacy Zebrocy samples 
+        - 'MSIE 8.0'  # Sofacy Azzy Backdoor  from https://www.hybrid-analysis.com/sample/a80e29c0757bee05338fd5c22a542d852ad86c477068e3eb4aacc1c3e59e2eef?environmentId=100
+        - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)'  # https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html
+        - 'Mozilla/4.0 (compatible; RMS)'  # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw
+        - 'Mozilla/4.0 (compatible; MSIE 6.0; DynGate)'  # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw
+        - 'O/9.27 (W; U; Z)' # Cmstar https://www.virustotal.com/#/file/e4328011bb2b04abc856ccd04404c9f95d67167f6c291d343e8ffa8aa2aa2099/details
+    condition: selection
+fields:
+    - ClientIP
+    - URL
+    - UserAgent
+falsepositives:
+    - Old browsers
+level: high
+
@@ -60,6 +60,7 @@ detection:

        # Hack tool
        - 'ruler'  # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
+        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)'  # SQLi Dumper
    condition: selection
 fields:
    - ClientIP
@@ -48,6 +48,8 @@ detection:
        - 'MSIE'  # Toby web shell
        - '*(Charon; Inferno)'  # Loki Bot
        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)'  # Fareit / Pony
+        - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'  # https://goo.gl/g43qjs
+        - 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)'  # MacControl malware https://goo.gl/sqY3Ja https://www.symantec.com/connect/blogs/osxmacontrol-back-it-again

        # Others 
        - '* pxyscand*'
@@ -20,7 +20,11 @@ detection:
        - ' Mozilla/*'  # leading space 
        - 'Mozila/*'  # single 'l'
        - '_'
-    condition: selection
+        - 'CertUtil URL Agent'  # https://twitter.com/stvemillertime/status/985150675527974912
+    falsepositives:
+        UserAgent:
+            - 'Mozilla/3.0 * Acrobat *'  # Acrobat with linked content
+    condition: selection and not falsepositives
 fields:
    - ClientIP
    - URL
@@ -0,0 +1,30 @@
+title: Oracle WebLogic Exploit
+description: Detects access to a webshell droped into a keytore folder on the WebLogic server
+author: Florian Roth
+date: 2018/07/22
+status: experimental
+references: 
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2894
+    - https://twitter.com/pyn3rd/status/1020620932967223296
+    - https://github.com/LandGrey/CVE-2018-2894
+logsource:
+    category: webserver
+detection:
+    selection:
+        c-uri-path: 
+            - '*/config/keystore/*.js*'
+    condition: selection
+fields:
+    - c-ip
+    - c-dns
+falsepositives:
+    - Unknown
+tags:
+    - attack.t1100
+    - attack.t1190
+    - attack.initial_access
+    - attack.persistence
+    - attack.privilege_escalation
+    - cve.2018-2894
+level: critical
+
@@ -1,5 +1,5 @@
 title: Webshell Detection by Keyword
-description: Detects webshells that use GET requests by keyword sarches in URL strings
+description: Detects webshells that use GET requests by keyword searches in URL strings
 author: Florian Roth
 logsource:
    category: webserver
@@ -1,13 +1,16 @@
 title: Admin User Remote Logon
 description: Detect remote login by Administrator user depending on internal pattern
 references:
-  - https://car.mitre.org/wiki/CAR-2016-04-005
+    - https://car.mitre.org/wiki/CAR-2016-04-005
+tags:
+    - attack.lateral_movement
+    - attack.t1078
 status: experimental
 author: juju4
 logsource:
    product: windows
    service: security
-    description: 'Requirements: Identifiable administrators usernames (pattern or special unique character. ex: "Admin-*"), internal policy mandating use only as secondary account'
+    definition: 'Requirements: Identifiable administrators usernames (pattern or special unique character. ex: "Admin-*"), internal policy mandating use only as secondary account'
 detection:
    selection:
        EventID: 4624
@@ -1,11 +1,14 @@
 title: Access to ADMIN$ Share
-description: 
+description: Detects access to $ADMIN share
+tags:
+    - attack.lateral_movement
+    - attack.t1077
 status: experimental
 author: Florian Roth
 logsource:
    product: windows
    service: security
-    description: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
+    definition: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
 detection:
    selection:
        EventID: 5140
@@ -1,15 +1,18 @@
 title: Enabled User Right in AD to Control User Objects
 description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
+tags:
+    - attack.privilege_escalation
+    - attack.t1078
 references:
    - https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
 author: '@neu5ron'
 logsource:
    product: windows
    service: security
-    description: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'
+    definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'
 detection:
    selection:
-        EventID: 4707
+        EventID: 4704
    keywords:
        - 'SeEnableDelegationPrivilege'
    condition: all of them
@@ -1,18 +1,23 @@
 title: Active Directory User Backdoors
-description: Detects scenarios where one can control another users account without having to use their credentials via msDS-AllowedToDelegateTo and or service principal names (SPN).
+description: Detects scenarios where one can control another users or computers account without having to use their credentials.
 references:
    - https://msdn.microsoft.com/en-us/library/cc220234.aspx
    - https://adsecurity.org/?p=3466
+    - https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
 author: '@neu5ron'
+tags:
+    - attack.t1098
+    - attack.credential_access
 logsource:
    product: windows
    service: security
-    description1: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'
-    description2: 'Requirements: Audit Policy : DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes'
+    definition1: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'
+    definition2: 'Requirements: Audit Policy : DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes'
 detection:
    selection1:
        EventID: 4738
-        AllowedToDelegateTo: '*'
+    filter1:
+        AllowedToDelegateTo: null
    selection2:
        EventID: 5136
        AttributeLDAPDisplayName: 'msDS-AllowedToDelegateTo'
@@ -20,7 +25,10 @@ detection:
        EventID: 5136
        ObjectClass: 'user'
        AttributeLDAPDisplayName: 'servicePrincipalName'
-    condition: 1 of them
+    selection4:
+        EventID: 5136
+        AttributeLDAPDisplayName: 'msDS-AllowedToActOnBehalfOfOtherIdentity'        
+    condition: (selection1 and not filter1) or selection2 or selection3 or selection4
 falsepositives: 
    - Unknown
 level: high
@@ -7,7 +7,7 @@ author: '@neu5ron'
 logsource:
    product: windows
    service: security
-    description: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'
+    definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'
 detection:
    selection:
        EventID: 4738
@@ -1,9 +1,16 @@
 title: Hacktool Use
 description: This method detects well-known keywords, certain field combination that appear in Windows Eventlog when certain hack tools are used
 author: Florian Roth
+tags:
+    - attack.discovery
+    - attack.execution
+    - attack.t1087
+    - attack.t1075
+    - attack.t1114
+    - attack.t1059
 logsource:
    product: windows
-    service: system
+    service: security
 detection:
    # Ruler https://github.com/sensepost/ruler
    selection1:
@@ -0,0 +1,23 @@
+title: LSASS Access Detected via Attack Surface Reduction
+description: Detects Access to LSASS Process
+status: experimental
+references:
+    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter
+author: Markus Neis
+date: 2018/08/26
+tags:
+    - attack.credential_access
+    - attack.t1003
+# Defender Attack Surface Reduction
+logsource:
+    product: windows_defender
+    definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'
+detection:
+    selection:
+        EventID: 1121
+        Path: '*\lsass.exe'
+    condition: selection
+falsepositives:
+    - Google Chrome GoogleUpdate.exe
+    - Some Taskmgr.exe related activity
+level: high
@@ -1,6 +1,11 @@
 title: Mimikatz Use
 description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
 author: Florian Roth
+tags:
+    - attack.s0002
+    - attack.t1003
+    - attack.lateral_movement
+    - attack.credential_access
 logsource:
    product: windows
 detection:
@@ -0,0 +1,26 @@
+title: Mimikatz DC Sync
+description: Detects Mimikatz DC sync security events
+status: experimental
+date: 2018/06/03
+author: Benjamin Delpy, Florian Roth
+references:
+    - https://twitter.com/gentilkiwi/status/1003236624925413376
+    - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
+tags:
+    - attack.credential_access
+    - attack.s0002
+    - attack.t1003
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 4662
+        Properties: 
+            - '*Replicating Directory Changes All*'
+            - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
+    condition: selection
+falsepositives:
+    - Unkown
+level: critical
+
@@ -1,18 +1,20 @@
 title: Disabling Windows Event Auditing
-description: >
-    Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario
+description: 'Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario
    where an entity would want to bypass local logging to evade detection when windows event logging is enabled and
    reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure
    that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc".
    Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off
-    specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.
+    specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.'
 references:
    - https://bit.ly/WinLogsZero2Hero
+tags:
+    - attack.defense_evasion
+    - attack.t1054
 author: '@neu5ron'
 logsource:
    product: windows
    service: security
-    description: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Audit Policy Change'
+    definition: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Audit Policy Change'
 detection:
    selection:
        EventID: 4719
@@ -1,10 +1,13 @@
-title: Eventlog Cleared
+title: Eventlog Cleared Experimental
 status: experimental
 description: Detects a cleared Windows Eventlog as e.g. caused by "wevtutil cl" command execution  
 author: Florian Roth
 date: 2017/06/27
 references:
    - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
+tags:
+    - attack.defense_evasion
+    - attack.t1070
 logsource:
    product: windows
    service: system
@@ -0,0 +1,52 @@
+---
+action: global
+title: Rubeus Hack Tool
+description: Detects command line parameters used by Rubeus hack tool 
+author: Florian Roth
+references: 
+    - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
+date: 2018/12/19
+tags:
+    - attack.credential_access
+    - attack.t1003
+    - attack.s0005
+detection:
+    condition: selection
+falsepositives:
+    - unlikely
+level: critical
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        CommandLine: 
+            - '* asreproast *'
+            - '* dump /service:krbtgt *'
+            - '* kerberoast *'
+            - '* createnetonly /program:*'
+            - '* ptt /ticket:*'
+            - '* /impersonateuser:*'
+            - '* renew /ticket:*'
+            - '* asktgt /user:*'
+            - '* harvest /interval:*'
+---
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+        ProcessCommandLine: 
+            - '* asreproast *'
+            - '* dump /service:krbtgt *'
+            - '* kerberoast *'
+            - '* createnetonly /program:*'
+            - '* ptt /ticket:*'
+            - '* /impersonateuser:*'
+            - '* renew /ticket:*'
+            - '* asktgt /user:*'
+            - '* harvest /interval:*'
@@ -4,6 +4,11 @@ author: Omer Faruk Celik
 date: 2018/03/20
 references:
    - https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/
+tags:
+    - attack.lateral_movement
+    - attack.execution
+    - attack.t1077
+    - attack.t1035
 logsource:
    product: windows
 detection:
@@ -1,6 +1,10 @@
 title: Malicious Service Install
 description: This method detects well-known keywords of malicious services in the Windows System Eventlog 
 author: Florian Roth
+tags:
+    - attack.credential_access
+    - attack.t1003
+    - attack.s0005
 logsource:
    product: windows
    service: system
@@ -1,6 +1,10 @@
 title: Malicious Service Installations
 description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping and other suspicious activity
 author: Florian Roth
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1050
 logsource:
    product: windows
    service: system
@@ -5,6 +5,10 @@ author: Thomas Patzke
 references:
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
    - https://jpcertcc.github.io/ToolAnalysisResultSheet
+tags:
+    - attack.credential_access
+    - attack.t1003
+    - attack.s0005
 logsource:
    product: windows
    service: security
@@ -0,0 +1,38 @@
+---
+action: global
+title: MavInject Process Injection
+status: experimental
+description: Detects process injection using the signed Windows tool Mavinject32.exe
+references:
+    - https://twitter.com/gN3mes1s/status/941315826107510784
+    - https://reaqta.com/2017/12/mavinject-microsoft-injector/
+    - https://twitter.com/Hexacorn/status/776122138063409152
+author: Florian Roth
+date: 2018/12/12
+tags:
+    - attack.process_injection
+    - attack.t1055
+    - attack.signed_binary_proxy_execution
+    - attack.t1218
+detection:
+    condition: selection
+falsepositives: 
+    - unknown
+level: critical
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        CommandLine: '* /INJECTRUNNING *'
+---
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+        ProcessCommandLine: '* /INJECTRUNNING *'
@@ -5,8 +5,69 @@ status: experimental
 references:
    - https://car.mitre.org/wiki/CAR-2013-04-002
 author: juju4
+modified: 2012/12/11
+falsepositives:
+    - False positives depend on scripts and administrative tools used in the monitored environment
+level: low
+---
+# Windows Audit Log
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
    selection:
+        EventID: 4688
+        ProcessCommandLine: 
+            - arp.exe
+            - at.exe
+            - attrib.exe
+            - cscript.exe
+            - dsquery.exe
+            - hostname.exe
+            - ipconfig.exe
+            - mimikatz.exe
+            - nbstat.exe
+            - net.exe
+            - netsh.exe
+            - nslookup.exe
+            - ping.exe
+            - quser.exe
+            - qwinsta.exe
+            - reg.exe
+            - runas.exe
+            - sc.exe
+            - schtasks.exe
+            - ssh.exe
+            - systeminfo.exe
+            - taskkill.exe
+            - telnet.exe
+            - tracert.exe
+            - wscript.exe
+            - xcopy.exe
+# others
+            - pscp.exe
+            - copy.exe
+            - robocopy.exe
+            - certutil.exe
+            - vssadmin.exe
+            - powershell.exe
+            - wevtutil.exe
+            - psexec.exe
+            - bcedit.exe
+            - wbadmin.exe
+            - icacls.exe
+            - diskpart.exe
+    timeframe: 5m
+    condition: selection | count() by MachineName > 5
+---
+# Sysmon
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
        CommandLine: 
            - arp.exe
            - at.exe
@@ -47,25 +108,5 @@ detection:
            - wbadmin.exe
            - icacls.exe
            - diskpart.exe
-    timeframe: 5min
-    condition: selection | count() > 5
-falsepositives:
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: low
---
-# Windows Audit Log
-logsource:
-    product: windows
-    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
---
-# Sysmon
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
+    timeframe: 5m
+    condition: selection | count() by MachineName > 5
@@ -2,10 +2,13 @@
 action: global
 title: NetNTLM Downgrade Attack
 description: Detects post exploitation using NetNTLM downgrade attacks
-reference: 
+references: 
    - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
 author: Florian Roth
 date: 2018/03/20
+tags:
+    - attack.credential_access
+    - attack.t1212
 detection:
    condition: 1 of them
 falsepositives:
@@ -22,17 +25,15 @@ detection:
            - '*SYSTEM\*ControlSet*\Control\Lsa\lmcompatibilitylevel'
            - '*SYSTEM\*ControlSet*\Control\Lsa\NtlmMinClientSec'
            - '*SYSTEM\*ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic'
-        EventType: 'SetValue'
 ---
 # Windows Security Eventlog: Process Creation with Full Command Line
 logsource:
    product: windows
    service: security
-    description: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
+    definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
 detection:
    selection2:
        EventID: 4657
-        OperationType: 'Existing registry value modified'
        ObjectName: '\REGISTRY\MACHINE\SYSTEM\*ControlSet*\Control\Lsa'
        ObjectValueName: 
            - 'LmCompatibilityLevel'
@@ -5,6 +5,10 @@ references:
    - https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html
 author: Roberto Rodriguez (source), Dominik Schaudel (rule)
 date: 2018/02/12
+tags:
+    - attack.lateral_movement
+    - attack.t1075
+    - attack.s0002
 logsource:
    product: windows
    service: security
@@ -17,4 +21,4 @@ detection:
    condition: selection
 falsepositives:
    - Runas command-line tool using /netonly parameter
-level: high
+level: high
@@ -4,10 +4,13 @@ description: 'Detects the attack technique pass the hash which is used to move l
 references:
    - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
 author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
+tags:
+    - attack.lateral_movement
+    - attack.t1075
 logsource:
    product: windows
    service: security
-    description: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625
+    definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625
 detection:
    selection:
        - EventID: 4624
@@ -6,6 +6,8 @@ references:
    - 'https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/'
 author: Florian Roth
 date: 2017/06/12
+tags:
+    - attack.s0013
 logsource:
    product: windows
    service: security
@@ -115,7 +117,7 @@ detection:
    # RC
    selection_rc:
        EventID: 4688
-        CommandLine: '*\OleView.exe'
+        CommandLine: '*\rc.exe'
    filter_rc:
        EventID: 4688
        CommandLine: 
@@ -6,6 +6,8 @@ references:
    - https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt
    - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
 author: juju4
+tags:
+    - attack.defense_evasion
 detection:
    selection:
        CommandLine: 
@@ -22,13 +24,13 @@ detection:
    condition: selection
 falsepositives: 
    - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
+level: low
 ---
 # Windows Audit Log
 logsource:
    product: windows
    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
    selection:
        EventID: 4688
@@ -0,0 +1,44 @@
+action: global
+title: PowerShell Base64 Encoded Shellcode
+description: Detects Base64 encoded Shellcode 
+status: experimental
+references:
+    - https://twitter.com/cyb3rops/status/1063072865992523776
+author: Florian Roth
+date: 2018/11/17
+tags:
+    - attack.defense_evasion
+    - attack.t1036
+detection:
+    condition: selection1 and selection2
+falsepositives: 
+    - Unknown
+level: critical
+---
+# Windows Audit Log
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection1:
+        EventID: 4688
+        ProcessCommandLine: '*AAAAYInlM*'
+    selection2:
+        ProcessCommandLine: 
+            - '*OiCAAAAYInlM*'
+            - '*OiJAAAAYInlM*'
+---
+# Sysmon
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        EventID: 1
+        CommandLine: '*AAAAYInlM*'
+    selection2:
+        CommandLine: 
+            - '*OiCAAAAYInlM*'
+            - '*OiJAAAAYInlM*'
+
@@ -2,14 +2,19 @@ title: PsExec Service Start
 description: Detects a PsExec service start
 author: Florian Roth
 date: 2018/03/13
+modified: 2012/12/11
+tags:
+    - attack.execution
+    - attack.t1035
+    - attack.s0029
 logsource:
    product: windows
    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
    selection:
        EventID: 4688
-        CommandLine: 'C:\Windows\PSEXESVC.exe'
+        ProcessCommandLine: 'C:\Windows\PSEXESVC.exe'
    condition: 1 of them
 falsepositives:
    - Administrative activity
@@ -2,15 +2,20 @@ title: Rare Schtasks Creations
 description: Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code
 status: experimental
 author: Florian Roth
+tags:
+    - attack.execution
+    - attack.privilege_escalation
+    - attack.persistence
+    - attack.t1053
 logsource:
    product: windows
    service: security
-    description: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft). We also recommend extracting the Command field from the embedded XML in the event data.'
+    definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft). We also recommend extracting the Command field from the embedded XML in the event data.'
 detection:
    selection:
        EventID: 4698
    timeframe: 7d
-    condition: selection | count(TaskName) < 5 
+    condition: selection | count() by TaskName < 5 
 falsepositives: 
    - Software installation
    - Software updates
@@ -2,6 +2,10 @@ title: Rare Service Installs
 description: Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services 
 status: experimental
 author: Florian Roth
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1050
 logsource:
    product: windows
    service: system
@@ -9,8 +13,8 @@ detection:
    selection:
        EventID: 7045
    timeframe: 7d
-    condition: selection | count(ServiceFileName) < 5 
+    condition: selection | count() by ServiceFileName < 5 
 falsepositives: 
    - Software installation
    - Software updates
-level: low
+level: low
@@ -4,6 +4,9 @@ description: An attacker can use the SID history attribute to gain additional pr
 references:
    - https://adsecurity.org/?p=1772
 author: Thomas Patzke
+tags:
+    - attack.privilege_escalation
+    - attack.t1178
 logsource:
    product: windows
    service: security
@@ -5,6 +5,9 @@ references:
    - https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx
    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
 author: Florian Roth (rule), Tom U. @c_APT_ure (collection) 
+tags:
+    - attack.defense_evasion
+    - attack.t1107
 logsource:
    product: windows
    service: application
@@ -9,31 +9,34 @@ references:
    - https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
    - http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/
 author: juju4
+modified: 2018/12/11
+tags:
+    - attack.defense_evasion
+    - attack.t1140
 detection:
-    selection:
-        CommandLine: 
-            - '^'
-            - '@'
-# 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form?
-            - '-'
-            - '―'
-            - 'c:/'
-            - '<TAB>'
-            - '^h^t^t^p'
-            - 'h"t"t"p'
    condition: selection
 falsepositives: 
    - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
+level: low
 ---
 # Windows Audit Log
 logsource:
    product: windows
    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
    selection:
        EventID: 4688
+        ProcessCommandLine: 
+            #- '^'
+            #- '@'
+# 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form?
+            # - '-'
+            # - '―'
+            #- 'c:/'
+            - '<TAB>'
+            - '^h^t^t^p'
+            - 'h"t"t"p'
 ---
 # Sysmon
 logsource:
@@ -42,3 +45,13 @@ logsource:
 detection:
    selection:
        EventID: 1
+        CommandLine: 
+            #- '^'
+            #- '@'
+# 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form?
+            # - '-'
+            # - '―'
+            #- 'c:/'
+            - '<TAB>'
+            - '^h^t^t^p'
+            - 'h"t"t"p'
@@ -6,22 +6,17 @@ description: 'Detects a set of commands often used in recon stages by different
 references:
    - https://twitter.com/haroonmeer/status/939099379834658817
    - https://twitter.com/c_APT_ure/status/939475433711722497
-author: Florian Roth
-date: 2017/12/12
+    - https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
+author:  Florian Roth, Markus Neis
+date: 2018/08/22
+modified: 2018/12/11
+tags:
+    - attack.discovery
+    - attack.t1073
+    - attack.t1012 
 detection:
-    selection:
-        CommandLine: 
-            - 'tasklist'
-            - 'net time'
-            - 'systeminfo'
-            - 'whoami'
-            - 'nbtstat'
-            - 'net start'
-            - '*\net1 start'
-            - 'qprocess'
-            - 'nslookup'
-    timeframe: 1m 
-    condition: selection | count() > 2
+    timeframe: 15s 
+    condition: selection | count() by CommandLine > 4
 falsepositives: 
    - False positives depend on scripts and administrative tools used in the monitored environment
 level: medium
@@ -32,11 +27,47 @@ logsource:
 detection:
    selection:
        EventID: 1
+        CommandLine: 
+            - 'tasklist'
+            - 'net time'
+            - 'systeminfo'
+            - 'whoami'
+            - 'nbtstat'
+            - 'net start'
+            - '*\net1 start'
+            - 'qprocess'
+            - 'nslookup'
+            - 'hostname.exe'
+            - '*\net1 user /domain'
+            - '*\net1 group /domain'
+            - '*\net1 group "domain admins" /domain'
+            - '*\net1 group "Exchange Trusted Subsystem" /domain'
+            - '*\net1 accounts /domain' 
+            - '*\net1 user net localgroup administrators' 
+            - 'netstat -an'
 ---
 logsource:
    product: windows
    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
    selection:
        EventID: 4688
+        ProcessCommandLine: 
+            - 'tasklist'
+            - 'net time'
+            - 'systeminfo'
+            - 'whoami'
+            - 'nbtstat'
+            - 'net start'
+            - '*\net1 start'
+            - 'qprocess'
+            - 'nslookup'
+            - 'hostname.exe'
+            - '*\net1 user /domain'
+            - '*\net1 group /domain'
+            - '*\net1 group "domain admins" /domain'
+            - '*\net1 group "Exchange Trusted Subsystem" /domain'
+            - '*\net1 accounts /domain' 
+            - '*\net1 user net localgroup administrators' 
+            - 'netstat -an'
@@ -7,6 +7,8 @@ references:
    - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
 date: 2017/05/15
 author: Dimitrios Slamaris
+tags:
+    - attack.defense_evasion
 logsource:
    product: windows
    service: system
@@ -4,6 +4,9 @@ description: The Directory Service Restore Mode (DSRM) account is a local admini
 references:
    - https://adsecurity.org/?p=1714
 author: Thomas Patzke
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
 logsource:
    product: windows
    service: security
@@ -3,6 +3,9 @@ description: One of the Windows Eventlogs has been cleared
 references:
    - https://twitter.com/deviouspolack/status/832535435960209408
 author: Florian Roth
+tags:
+    - attack.defense_evasion
+    - attack.t1070
 logsource:
    product: windows
    service: system
@@ -1,6 +1,10 @@
 title: Account Tampering - Suspicious Failed Logon Reasons
 description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
 author: Florian Roth
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1078
 logsource:
    product: windows
    service: security
@@ -10,11 +14,11 @@ detection:
            - 4625
            - 4776
        Status:
-            - 0xC0000072
-            - 0xC000006F
-            - 0xC0000070
-            - 0xC0000413
-            - 0xC000018C
+            - '0xC0000072'
+            - '0xC000006F'
+            - '0xC0000070'
+            - '0xC0000413'
+            - '0xC000018C'
    condition: selection
 falsepositives:
    - User using a disabled account
@@ -1,6 +1,10 @@
 title: Multiple Failed Logins with Different Accounts from Single Source System
 description: Detects suspicious failed logins with different user accounts from a single source system 
 author: Florian Roth
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1078
 logsource:
    product: windows
    service: security
@@ -9,12 +13,12 @@ detection:
        EventID:
            - 529
            - 4625
-        UserName: not null
-        WorkstationName: not null
+        UserName: '*'
+        WorkstationName: '*'
    selection2:
        EventID: 4776
-        UserName: not null
-        Workstation: not null
+        UserName: '*'
+        Workstation: '*'
    timeframe: 24h 
    condition:
        - selection1 | count(UserName) by WorkstationName > 3
@@ -1,6 +1,9 @@
 title: Interactive Logon to Server Systems
 description: Detects interactive console logons to 
 author: Florian Roth
+tags:
+    - attack.lateral_movement
+    - attack.t1078
 logsource:
    product: windows
    service: security
@@ -6,10 +6,11 @@ status: experimental
 references:
    - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
 author: Florian Roth
+modified: 2012/12/11
+tags:
+    - attack.persistence
+    - attack.t1100
 detection:
-    selection:
-        CommandLine: 
-            - '*\APPCMD.EXE install module /name:*'
    condition: selection
 falsepositives: 
    - Unknown as it may vary from organisation to arganisation how admins use to install IIS modules
@@ -21,11 +22,15 @@ logsource:
 detection:
    selection:
        EventID: 1
+        CommandLine: 
+            - '*\APPCMD.EXE install module /name:*'
 ---
 logsource:
    product: windows
    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
    selection:
        EventID: 4688
+        ProcessCommandLine: 
+            - '*\APPCMD.EXE install module /name:*'
@@ -1,6 +1,9 @@
 title: Kerberos Manipulation
 description: This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages
 author: Florian Roth
+tags:
+    - attack.credential_access
+    - attack.t1212
 logsource:
    product: windows
    service: security
@@ -1,8 +1,11 @@
 title: Password Dumper Activity on LSASS
-description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN 
+description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
 status: experimental
 references:
    - https://twitter.com/jackcr/status/807385668833968128
+tags:
+    - attack.credential_access
+    - attack.t1003
 logsource:
    product: windows
    service: security
@@ -16,4 +19,3 @@ detection:
 falsepositives:
    - Unkown
 level: high
-
@@ -7,10 +7,8 @@ references:
    - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
 author: Florian Roth
 date: 2018/02/09
+modified: 2012/12/11
 detection:
-    selection:
-        CommandLine: 
-            - '* msiexec*:\/\/*'
    condition: selection
 falsepositives: 
    - False positives depend on scripts and administrative tools used in the monitored environment
@@ -22,11 +20,15 @@ logsource:
 detection:
    selection:
        EventID: 1
+        CommandLine: 
+            - '* msiexec*:\/\/*'
 ---
 logsource:
    product: windows
    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
    selection:
        EventID: 4688
+        ProcessCommandLine: 
+            - '* msiexec*:\/\/*'
@@ -1,5 +1,9 @@
 title: Microsoft Malware Protection Engine Crash
 description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
+tags:
+    - attack.defense_evasion
+    - attack.t1089
+    - attack.t1211
 status: experimental
 date: 2017/05/09
 references:
@@ -12,7 +16,7 @@ logsource:
 detection:
    selection1:
        Source: 'Application Error'
-        EventID: 1000 
+        EventID: 1000
    selection2:
        Source: 'Windows Error Reporting'
        EventID: 1001
@@ -20,7 +24,6 @@ detection:
        - 'MsMpEng.exe'
        - 'mpengine.dll'
    condition: 1 of selection* and all of keywords
-falsepositives: 
-    - Unknown
+falsepositives:
+    - MsMpEng.exe can crash when C:\ is full
 level: high
-
@@ -1,13 +1,18 @@
 title: Reconnaissance Activity
 status: experimental
-description: 'Detects activity as "net user administrator /domain" and "net group domain admins /domain"' 
+description: 'Detects activity as "net user administrator /domain" and "net group domain admins /domain"'
 references:
    - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
 author: Florian Roth (rule), Jack Croock (method)
+tags:
+    - attack.discovery
+    - attack.t1087
+    - attack.t1069
+    - attack.s0039
 logsource:
    product: windows
    service: security
-    description: The volume of Event ID 4661 ist high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommandations for server systems
+    definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommandations for server systems
 detection:
    selection:
        - EventID: 4661
@@ -6,6 +6,9 @@ status: experimental
 references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
 author: Thomas Patzke
+tags:
+    - attack.credential_access
+    - attack.t1003
 detection:
    selection:
        CommandLine: '*\ntdsutil.exe *'
@@ -24,7 +27,7 @@ detection:
 logsource:
    product: windows
    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
    selection:
        EventID: 4688
@@ -0,0 +1,23 @@
+title: NTLM Logon
+status: experimental
+description: Detects logons using NTLM, which could be caused by a legacy source or attackers
+references:
+    - https://twitter.com/JohnLaTwC/status/1004895028995477505
+    - https://goo.gl/PsqrhT
+author: Florian Roth
+date: 2018/06/08
+tags:
+    - attack.credential_access
+    - attack.t1208
+logsource:
+    product: windows
+    service: ntlm
+    definition: Reqiures events from Microsoft-Windows-NTLM/Operational
+detection:
+    selection:
+        EventID: 8002
+        CallingProcessName: '*'  # We use this to avoid false positives with ID 8002 on other log sources if the logsource isn't set correctly
+    condition: selection
+falsepositives:
+    - Legacy hosts
+level: low
@@ -1,83 +0,0 @@
-action: global
-title: Phantom DLLs Usage
-description: Detects Phantom DLLs usage and matching executable
-status: experimental
-references:
-    - http://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
-    - http://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/
-author: juju4
-detection:
-    selection:
-        CommandLine: 
-            - '*ntbackup*'
-            - '*\edbbcli.dll*'
-            - '*\esebcli2.dll*'
-#            - '*mrt*'
-            - '*\bcrypt.dll*'
-            - '*sessmgr*'
-            - '*\SalemHook.dll*'
-            - '*certreq*'
-            - '*\msfte.dll*'
-            - '*\mstracer.dll*'
-            - '*fxscover*'
-            - '*\TPPrnUIENU.dll*'
-            - '*dxdiag*'
-            - '*\DXGIDebug.dll*'
-            - '*msinfo32*'
-            - '*\fveapi.dll*'
-            - '*narrator*'
-            - '*\MSTTSLocEnUS.dll*'
-            - '*\Wow64Log.dll*'
-            - '*Dism*'
-            - '*\Dism\wimgapi.dll*'
-            - '*\DismCore.dll*'
-            - '*FileHistory*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\api-ms-win-core-winrt-l1-1-0.dll*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\mscoree.dll*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\ole32.dll*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\urlmon.dll*'
-#            - '*mmc*'
-            - '*\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\oleaut32.dll*'
-            - '*\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\shell32.dll*'
-            - '*\Microsoft.Net\assembly\GAC_MSIL\MIGUIControls\v4.0_1.0.0.0__31bf3856ad364e35\ntdll.dll*'
-            - '*\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\comctl32.dll*'
-            - '*\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\uxtheme.dll*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\api-ms-win-core-winrt-l1-1-0.dll*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\mscoree.dll*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\ole32.dll*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\VERSION.dll*'
-            - '*Narrator*'
-            - '*speech\engines\tts\MSTTSLocEnUS.DLL'
-            - '*omadmclient*'
-            - '*cmnet.dll*'
-            - '*PresentationHost*'
-            - '*\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationHost_v0400.dll*'
-            - '*provtool*'
-            - '*MvHelper.dll*'
-            - '*SearchIndexer*'
-            - '*msfte.dll*'
-            - '*msTracer.dll*'
-            - '*SearchProtocolHost*'
-            - '*msfte.dll*'
-            - '*msTracer.dll*'
-    condition: selection
-falsepositives: 
-    - False positives depend on environment
-level: medium
---
-# Windows Audit Log
-logsource:
-    product: windows
-    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
---
-# Sysmon
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
@@ -0,0 +1,43 @@
+---
+action: global
+title: Suspicious Encoded PowerShell Command Line
+description: Detects suspicious powershell process starts with base64 encoded commands
+status: experimental
+references:
+    - https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e
+author: Florian Roth
+date: 2018/09/03
+detection:
+    selection:
+        CommandLine:
+            # Command starts with '$' symbol
+            - '* -e JAB*'
+            - '* -enc JAB*'
+            - '* -encodedcommand JAB*'
+    # Google Rapid Response
+    falsepositive1:
+        Image: '*\GRR\*'
+    # PowerSponse deployments
+    falsepositive2: 
+        CommandLine: '* -ExecutionPolicy remotesigned *'
+    condition: selection and not 1 of falsepositive*
+falsepositives: 
+    - GRR powershell hacks
+    - PowerSponse Deployments
+level: high
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+
@@ -0,0 +1,82 @@
+title: Malicious Base64 encoded PowerShell Keywords in command lines
+status: experimental
+description: Detects base64 encoded strings used in hidden malicious PowerShell command lines 
+references:
+    - http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/
+tags:
+    - attack.execution
+    - attack.t1086
+author: John Lambert (rule)
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    encoded:
+        EventID: 4688
+        Image: '*\powershell.exe'
+        CommandLine: '* hidden *'
+    selection:
+        EventID: 4688
+        CommandLine:
+            # bitsadmin transfer
+            - '*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*'
+            - '*aXRzYWRtaW4gL3RyYW5zZmVy*'
+            - '*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*'
+            - '*JpdHNhZG1pbiAvdHJhbnNmZX*'
+            - '*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*'
+            - '*Yml0c2FkbWluIC90cmFuc2Zlc*'
+            # chunk_size
+            - '*AGMAaAB1AG4AawBfAHMAaQB6AGUA*'
+            - '*JABjAGgAdQBuAGsAXwBzAGkAegBlA*'
+            - '*JGNodW5rX3Npem*'
+            - '*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*'
+            - '*RjaHVua19zaXpl*'
+            - '*Y2h1bmtfc2l6Z*'
+            # IO.Compression
+            - '*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*'
+            - '*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*'
+            - '*lPLkNvbXByZXNzaW9u*'
+            - '*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*'
+            - '*SU8uQ29tcHJlc3Npb2*'
+            - '*Ty5Db21wcmVzc2lvb*'
+            # IO.MemoryStream
+            - '*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*'
+            - '*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*'
+            - '*lPLk1lbW9yeVN0cmVhb*'
+            - '*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*'
+            - '*SU8uTWVtb3J5U3RyZWFt*'
+            - '*Ty5NZW1vcnlTdHJlYW*'
+            # GetChunk
+            - '*4ARwBlAHQAQwBoAHUAbgBrA*'
+            - '*5HZXRDaHVua*'
+            - '*AEcAZQB0AEMAaAB1AG4Aaw*'
+            - '*LgBHAGUAdABDAGgAdQBuAGsA*'
+            - '*LkdldENodW5r*'
+            - '*R2V0Q2h1bm*'
+            # THREAD INFO64
+            - '*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*'
+            - '*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*'
+            - '*RIUkVBRF9JTkZPNj*'
+            - '*SFJFQURfSU5GTzY0*'
+            - '*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*'
+            - '*VEhSRUFEX0lORk82N*'
+            # CreateRemoteThread
+            - '*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*'
+            - '*cmVhdGVSZW1vdGVUaHJlYW*'
+            - '*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*'
+            - '*NyZWF0ZVJlbW90ZVRocmVhZ*'
+            - '*Q3JlYXRlUmVtb3RlVGhyZWFk*'
+            - '*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*'
+            # memmove
+            - '*0AZQBtAG0AbwB2AGUA*'
+            - '*1lbW1vdm*'
+            - '*AGUAbQBtAG8AdgBlA*'
+            - '*bQBlAG0AbQBvAHYAZQ*'
+            - '*bWVtbW92Z*'
+            - '*ZW1tb3Zl*'  
+
+    condition: encoded and selection
+falsepositives:
+    - Penetration tests
+level: high
@@ -0,0 +1,49 @@
+action: global
+title: Suspicious Use of Procdump
+description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable. 
+status: experimental
+references:
+    - Internal Research
+author: Florian Roth
+date: 2018/10/30
+tags:
+    - attack.defense_evasion
+    - attack.t1036
+    - attack.credential_access
+    - attack.t1003
+detection:
+    condition: selection and selection1 and selection2
+falsepositives: 
+    - Unlikely, because no one should dump an lsass process memory
+    - Another tool that uses the command line switches of Procdump
+level: medium
+---
+# Windows Audit Log
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+    selection1:
+        ProcessCommandLine:
+            - "* -ma *"
+    selection2: 
+        ProcessCommandLine:
+            - '* lsass.exe*'
+---
+# Sysmon
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+    selection1:
+        CommandLine:
+            - "* -ma *"
+    selection2: 
+        CommandLine:
+            - '* lsass.exe*'
+
--- a/Show More
+++ b/Show More