Release 0.16.0

Merge branch 'socprime-master'
Merge pull request #624 from Antonlovesdnb/master
2020-02-25 22:19:52 +01:00 · 2020-02-25 21:32:59 +01:00 · 2020-02-25 15:44:31 +01:00 · 2020-02-25 09:24:29 -05:00 · 2020-02-25 09:23:52 -05:00 · 2020-02-25 09:23:22 -05:00
700 changed files with 31771 additions and 4906 deletions
@@ -91,3 +91,6 @@ ENV/
 # vi(m)
 *.swp
 settings.json
+
+# VisualStudio
+.vs/
@@ -1,14 +1,25 @@
 language: python
+dist: xenial
 python:
-  - 3.5
-  - 3.6
+    # - 3.5  # Deactivated because Travis CI tests failed randomly (Travis's problem)
+    - 3.6
+    - 3.7
+sudo: true
 services:
    - elasticsearch
 cache: pip
 before_install:
    - curl -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.2.4.deb && sudo dpkg -i --force-confnew elasticsearch-6.2.4.deb && sudo service elasticsearch restart
 install:
-  - pip install -r tools/requirements-devel.txt 
+    - pip install -r tools/requirements-devel.txt
+    - pip install -r tests/requirements-test.txt 
 script:
-  - make test
-  - make test-backend-es-qs
+    - make test
+    - make test-backend-es-qs
+notifications:
+    email:
+        recipients:
+            - venom14@gmail.com
+            - thomas@patzke.org
+        on_success: change
+        on_failure: always
@@ -1,4 +1,12 @@
 ---
 # https://yamllint.readthedocs.io/en/latest/configuration.html
+extends: default
 rules:
+  comments: disable
+  comments-indentation: disable
  document-start: disable
+  empty-lines: {max: 2, max-start: 2, max-end: 2}
+  indentation: disable
+  line-length: disable
+  new-line-at-end-of-file: disable
+  trailing-spaces: disable
@@ -0,0 +1,30 @@
+# Breaking Changes in Sigma
+
+Improvement sometimes makes it unavoidable to break with the past. This file describes the planned and implemented
+breaking changes since 2019. Monitor this file if you use Sigma in productive environments.
+
+Columns:
+
+* Date: The date the change was or will be implemented. Planned dates may be subject of changes.
+* Status may be one of:
+    * Planned: there's the idea, but work hasn't begun.
+    * Development: the change is currently developed.
+    * Implemented: the development is finished, but the change was not yet merged to the master.
+    * Merged: the change has been merged to the master branch. Breaking changes affecting only rules
+      skip this state.
+    * Released: the change has been released officially, this means:
+        * Code or configuration of Sigma tools was pushed as [PyPI release](https://pypi.org/project/sigmatools/)
+        * Sigma rules were merged to master.
+* Issues: GitHub issues in the project repository for further details.
+* Commit/Branch:
+    * a development branch for the states *Development* and *Implemented*.
+    * a commit reference to the merge commit for states from *Merged*.
+* Release: [PyPI release](https://pypi.org/project/sigmatools/) that implements or will implement the change.
+* Description: contains a short description of the change.
+
+| Date       | Status   | Issues              | Commit/Branch   | Release | Description                                                                                                                                                 |
+|------------|----------|---------------------|-----------------|---------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| 2019-10-01 | Planned  | -                   | -               | -       | Field name cleanup                                                                                                                                          |
+| 2019-08-01 | Released | -                   | config-cleanup  | 0.12    | Configuration name cleanup                                                                                                                                  |
+| 2019-08-01 | Released | -                   | devel-modifiers | 0.12    | Pipe character must be escaped with backslash in field value names due to introduction of value modifiers                                                   |
+| 2019-03-02 | Released | #136 #137 #139 #147 | 56a1ed1         | 0.9     | Introduction of [generic log sources](https://patzke.org/introducing-generic-log-sources-in-sigma.html) and *process_creation* as first generic log source. |
@@ -0,0 +1,142 @@
+# Release Notes
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html)
+from version 0.14.0.
+
+## 0.16.0 - 2020-02-25
+
+### Added
+
+* Proxy field names to ECS mapping (ecs-proxy) configuration
+* False positives metadata to LimaCharlie backend
+* Additional aggregation capabilitied for es-dsl backend.
+* Azure log analytics rule backend (ala-rule)
+* SQL backend
+* Splunk Zeek sourcetype mapping config
+* sigma2attack script
+* Carbon Black backend and configuration
+* ArcSight ESM backend
+* Elasticsearch detection rule backend
+
+### Changed
+
+* Kibana object id is now Sigma rule id if available. Else
+  the old naming scheme is used.
+* sigma2misp: replacement of deprecated method usage.
+* Various configuration updates
+* Extended ArcSight mapping
+
+### Fixed
+
+* Fixed aggregation queries for Elastalert backend
+* Fixed aggregation queries for es-dsl backend
+* Backend and configuration lists are sorted.
+* Escaping in ala backend
+
+## 0.15.0 - 2019-12-06
+
+### Added
+
+* sigma-uuid tool for addition and check of Sigma rule identifiers
+* Default configurations
+* Restriction of compared rules in sigma-similarity
+* Regular expression support in es-dsl backend
+* LimaCharlie support for proxy rule category
+* Source distribution for PyPI
+
+### Changed
+
+* Type errors are now ignored with -I
+
+### Fixed
+
+* Removed wrong mapping of CommandLine field mapping in THOR config
+
+## 0.14 - 2019-11-10
+
+### Added
+
+* sigma-similarity tool
+* LimaCharlie backend
+* Default configurations for some backends that are used if no configuration is passed.
+* Regular expression support for es-dsl backend (propagates to backends derived from this like elastalert-dsl)
+* Value modifiers:
+    * startswith
+    * endswith
+
+### Changed
+
+* Removal of line breaks in elastalert output
+* Searches not bound to fields are restricted to keyword fields in es-qs backend
+* Graylog backend now based on es-qs backend
+
+### Fixed
+
+* Removed ProcessCommandLine mapping for Windows Security EventID 4688 in generic
+  process creation log source configuration.
+
+## 0.13 - 2019-10-21
+
+### Added
+
+* Index mappings for Sumologic
+* Malicious cmdlets in wdatp
+* QRadar support for keyword searches
+* QRadar mapping improvements
+* QRadar field selection
+* QRadar type regex modifier support
+* Elasticsearch keyword field blacklisting with wildcards
+* Added dateField configuration parameter in xpack-watcher backend
+* Field mappings in configurations
+* Field name mapping for conditional fields
+* Value modifiers:
+    * utf16
+    * utf16le
+    * wide
+    * utf16be
+
+### Changed
+
+* Improved --backend-config help text
+
+### Fixed
+
+* Backend errors in ala
+* Slash escaping within es-dsl wildcard queries
+* QRadar backend config
+* QRadar field name and value escaping and handling
+* Elasticsearch wildcard detection pattern
+* Aggregation on keyword field in es-dsl backend
+
+## 0.12.1 - 2019-08-05
+
+### Fixed
+
+* Missing build dependency
+
+## 0.12 - 2019-08-01
+
+### Added
+
+* Usage of "Channel" field in ELK Windows configuration
+* Fields to mappings
+* xpack-watcher actions index and webhook
+* Config for Winlogbeat 7.x
+* Value modifiers
+* Regular expression support
+
+### Changed
+
+* Warning/error messages
+* Sumologic value cleaning
+* Explicit OR for Elasticsearch query strings
+* Listing of available configurations on missing configuration error
+
+### Fixed
+
+* Conditions in es-dsl backend
+* Sumologic handling of null values
+* Ignore timeframe detection keyword in all/any of conditions
@@ -0,0 +1,38 @@
+## {{ version.minor }}.{{ version.major }}.{{ version.patch }} ({{ date }})
+
+### Added
+
+{% for item in added %}
+* {{ item | indent(2) }}
+{% endfor %}
+
+### Changed
+
+{% for item in changed %}
+* {{ item | indent(2) }}
+{% endfor %}
+
+### Deprecated
+
+{% for item in deprecated %}
+* {{ item | indent(2) }}
+{% endfor %}
+
+### Removed
+
+{% for item in removed %}
+* {{ item | indent(2) }}
+{% endfor %}
+
+### Fixed
+
+{% for item in fixed %}
+* {{ item | indent(2) }}
+{% endfor %}
+
+### Security
+
+{% for item in security %}
+* {{ item | indent(2) }}
+{% endfor %}
+
@@ -1,7 +1,7 @@
-.PHONY: test test-yaml test-sigmac
-TMPOUT = $(shell tempfile)
-COVSCOPE = tools/sigma/*.py,tools/sigmac,tools/merge_sigma
-test: clearcov test-yaml test-sigmac test-merge build finish
+.PHONY: test test-rules test-sigmac test-sigma2attack
+TMPOUT = $(shell tempfile||mktemp)
+COVSCOPE = tools/sigma/*.py,tools/sigma/backends/*.py,tools/sigmac,tools/merge_sigma,tools/sigma2attack
+test: clearcov test-rules test-sigmac test-merge test-sigma2attack build finish

 clearcov:
 	rm -f .coverage
@@ -10,59 +10,85 @@ finish:
 	coverage report --fail-under=90
 	rm -f $(TMPOUT)

-test-yaml:
+test-rules:
 	yamllint rules
+	tests/test_rules.py
+	tools/sigma-uuid -Ver rules/

 test-sigmac:
+	coverage run -a --include=$(COVSCOPE) tools/sigmac
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -h
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -l
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -O rulecomment -rvdI -t es-qs rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana rules/ > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvd -t es-qs rules/ > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs --shoot-yourself-in-the-foot rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c winlogbeat tests/test-modifiers.yml > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -O rulecomment -rvdI -c tools/config/winlogbeat.yml -t es-qs rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana -c tools/config/winlogbeat.yml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t graylog rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkxml rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher -O email,index,webhook -c tools/config/winlogbeat.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert -c tools/config/winlogbeat.yml -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert-dsl -c tools/config/winlogbeat.yml -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkxml -c tools/config/splunk-windows.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint -c tools/config/logpoint-windows.yml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t wdatp rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-dsl rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala-rule rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala --backend-config tests/backend_config.yml rules/windows/process_creation/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-dsl -c tools/config/winlogbeat.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-rule -c tools/config/winlogbeat.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t powershell -c tools/config/powershell.yml -Ocsv rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight -c tools/config/arcsight.yml rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qradar -c tools/config/arcsight.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight-esm -c tools/config/arcsight.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qradar -c tools/config/qradar.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t limacharlie -c tools/config/limacharlie.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t carbonblack -c tools/config/carbon-black.yml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qualys -c tools/config/qualys.yml rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=stable,logsource=windows' rules/ > /dev/null
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=xcritical,status=stable,logsource=windows' rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level=critical' rules/ > /dev/null
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level=xcritical' rules/ > /dev/null
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'foo=bar' rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t es-qs rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t es-qs rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t kibana rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -Ooutput=curl -t kibana rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t kibana rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -Ooutput=curl -t kibana rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t xpack-watcher rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t xpack-watcher rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-defaultindex.yml -t xpack-watcher rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/splunk-windows-all.yml -t splunk rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logpoint-windows-all.yml -t logpoint rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t netwitness -c tools/config/netwitness.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sumologic -O rulecomment -c tools/config/sumologic.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sql -c sysmon rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=stable,logsource=windows,tag=attack.execution' rules/ > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level>=high,level<=xcritical,status=stable,logsource=windows' rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level=critical' rules/ > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'level=xcritical' rules/ > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml -f 'foo=bar' rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -t es-qs rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c ecs-proxy -t es-qs rules/proxy > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c sysmon -c logstash-windows -t es-qs rules/ > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c sysmon -c logstash-windows -t splunk rules/ > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -c tools/config/generic/sysmon.yml -t es-qs rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-linux.yml -t es-qs rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -t kibana rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -Ooutput=curl -t kibana rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-linux.yml -t kibana rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-linux.yml -Ooutput=curl -t kibana rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-windows.yml -t xpack-watcher rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logstash-linux.yml -t xpack-watcher rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/filebeat-defaultindex.yml -t xpack-watcher rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/splunk-windows.yml -t splunk rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/generic/sysmon.yml -c tools/config/splunk-windows.yml -t splunk rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t grep rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t fieldlist rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -O output=plain -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -o $(TMPOUT) tests/collection_repeat.yml > /dev/null
-	! coverage run -a --include=$(COVSCOPE)  tools/sigmac -t xpack-watcher -O output=foobar -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/not_existing.yml > /dev/null
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/invalid_yaml.yml > /dev/null
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/invalid_sigma-no_identifiers.yml > /dev/null
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/invalid_sigma-no_condition.yml > /dev/null
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/invalid_sigma-invalid_identifier_reference.yml > /dev/null
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/invalid_sigma-invalid_aggregation.yml > /dev/null
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/invalid_sigma-wrong_identifier_definition.yml > /dev/null
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs rules/windows/builtin/win_susp_failed_logons_single_source.yml
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -o /not_possible rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=plain -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -t kibana -c tests/config-multiple_mapping.yml -c tests/config-multiple_mapping-2.yml tests/mapping-conditional-multi.yml > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=json -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml -o $(TMPOUT) - < tests/collection_repeat.yml > /dev/null
+	! coverage run -a --include=$(COVSCOPE)  tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=foobar -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/not_existing.yml > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_yaml.yml > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-no_identifiers.yml > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-no_condition.yml > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-invalid_identifier_reference.yml > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-invalid_aggregation.yml > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-wrong_identifier_definition.yml > /dev/null
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml rules/windows/builtin/win_susp_failed_logons_single_source.yml
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml -o /not_possible rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c not_existing rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_yaml.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_config.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
-	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rv -c tools/config/elk-defaultindex.yml -t kibana rules/ > /dev/null

 test-merge:
 	tests/test-merge.sh
@@ -71,8 +97,11 @@ test-merge:
 test-backend-es-qs:
 	tests/test-backend-es-qs.py

+test-sigma2attack:
+	coverage run -a --include=$(COVSCOPE) tools/sigma2attack
+
 build: tools/sigmac tools/merge_sigma tools/sigma/*.py tools/setup.py tools/setup.cfg
-	cd tools && python3 setup.py bdist_wheel
+	cd tools && python3 setup.py bdist_wheel sdist

 upload-test: build
 	twine upload --repository-url https://test.pypi.org/legacy/ tools/dist/*
@@ -0,0 +1,19 @@
+[[source]]
+name = "pypi"
+url = "https://pypi.org/simple"
+verify_ssl = true
+
+[dev-packages]
+
+[packages]
+coverage = ">=4.4.1"
+yamllint = ">=1.10.0"
+elasticsearch = "*"
+elasticsearch-async = "*"
+pymisp = "*"
+PyYAML = ">=3.11"
+progressbar2 = "*"
+colorama = "*"
+
+[requires]
+python_version = "3.6"
@@ -0,0 +1,318 @@
+{
+    "_meta": {
+        "hash": {
+            "sha256": "c553c014d5959f8c30ffdb23d4648ff872dbffd5f6f982d8c029a5b4533a959d"
+        },
+        "pipfile-spec": 6,
+        "requires": {
+            "python_version": "3.6"
+        },
+        "sources": [
+            {
+                "name": "pypi",
+                "url": "https://pypi.org/simple",
+                "verify_ssl": true
+            }
+        ]
+    },
+    "default": {
+        "aiohttp": {
+            "hashes": [
+                "sha256:1e984191d1ec186881ffaed4581092ba04f7c61582a177b187d3a2f07ed9719e",
+                "sha256:259ab809ff0727d0e834ac5e8a283dc5e3e0ecc30c4d80b3cd17a4139ce1f326",
+                "sha256:2f4d1a4fdce595c947162333353d4a44952a724fba9ca3205a3df99a33d1307a",
+                "sha256:32e5f3b7e511aa850829fbe5aa32eb455e5534eaa4b1ce93231d00e2f76e5654",
+                "sha256:344c780466b73095a72c616fac5ea9c4665add7fc129f285fbdbca3cccf4612a",
+                "sha256:460bd4237d2dbecc3b5ed57e122992f60188afe46e7319116da5eb8a9dfedba4",
+                "sha256:4c6efd824d44ae697814a2a85604d8e992b875462c6655da161ff18fd4f29f17",
+                "sha256:50aaad128e6ac62e7bf7bd1f0c0a24bc968a0c0590a726d5a955af193544bcec",
+                "sha256:6206a135d072f88da3e71cc501c59d5abffa9d0bb43269a6dcd28d66bfafdbdd",
+                "sha256:65f31b622af739a802ca6fd1a3076fd0ae523f8485c52924a89561ba10c49b48",
+                "sha256:ae55bac364c405caa23a4f2d6cfecc6a0daada500274ffca4a9230e7129eac59",
+                "sha256:b778ce0c909a2653741cb4b1ac7015b5c130ab9c897611df43ae6a58523cb965"
+            ],
+            "version": "==3.6.2"
+        },
+        "async-timeout": {
+            "hashes": [
+                "sha256:0c3c816a028d47f659d6ff5c745cb2acf1f966da1fe5c19c77a70282b25f4c5f",
+                "sha256:4291ca197d287d274d0b6cb5d6f8f8f82d434ed288f962539ff18cc9012f9ea3"
+            ],
+            "version": "==3.0.1"
+        },
+        "attrs": {
+            "hashes": [
+                "sha256:08a96c641c3a74e44eb59afb61a24f2cb9f4d7188748e76ba4bb5edfa3cb7d1c",
+                "sha256:f7b7ce16570fe9965acd6d30101a28f62fb4a7f9e926b3bbc9b61f8b04247e72"
+            ],
+            "version": "==19.3.0"
+        },
+        "certifi": {
+            "hashes": [
+                "sha256:017c25db2a153ce562900032d5bc68e9f191e44e9a0f762f373977de9df1fbb3",
+                "sha256:25b64c7da4cd7479594d035c08c2d809eb4aab3a26e5a990ea98cc450c320f1f"
+            ],
+            "version": "==2019.11.28"
+        },
+        "chardet": {
+            "hashes": [
+                "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae",
+                "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691"
+            ],
+            "version": "==3.0.4"
+        },
+        "colorama": {
+            "hashes": [
+                "sha256:7d73d2a99753107a36ac6b455ee49046802e59d9d076ef8e47b61499fa29afff",
+                "sha256:e96da0d330793e2cb9485e9ddfd918d456036c7149416295932478192f4436a1"
+            ],
+            "index": "pypi",
+            "version": "==0.4.3"
+        },
+        "coverage": {
+            "hashes": [
+                "sha256:15cf13a6896048d6d947bf7d222f36e4809ab926894beb748fc9caa14605d9c3",
+                "sha256:1daa3eceed220f9fdb80d5ff950dd95112cd27f70d004c7918ca6dfc6c47054c",
+                "sha256:1e44a022500d944d42f94df76727ba3fc0a5c0b672c358b61067abb88caee7a0",
+                "sha256:25dbf1110d70bab68a74b4b9d74f30e99b177cde3388e07cc7272f2168bd1477",
+                "sha256:3230d1003eec018ad4a472d254991e34241e0bbd513e97a29727c7c2f637bd2a",
+                "sha256:3dbb72eaeea5763676a1a1efd9b427a048c97c39ed92e13336e726117d0b72bf",
+                "sha256:5012d3b8d5a500834783689a5d2292fe06ec75dc86ee1ccdad04b6f5bf231691",
+                "sha256:51bc7710b13a2ae0c726f69756cf7ffd4362f4ac36546e243136187cfcc8aa73",
+                "sha256:527b4f316e6bf7755082a783726da20671a0cc388b786a64417780b90565b987",
+                "sha256:722e4557c8039aad9592c6a4213db75da08c2cd9945320220634f637251c3894",
+                "sha256:76e2057e8ffba5472fd28a3a010431fd9e928885ff480cb278877c6e9943cc2e",
+                "sha256:77afca04240c40450c331fa796b3eab6f1e15c5ecf8bf2b8bee9706cd5452fef",
+                "sha256:7afad9835e7a651d3551eab18cbc0fdb888f0a6136169fbef0662d9cdc9987cf",
+                "sha256:9bea19ac2f08672636350f203db89382121c9c2ade85d945953ef3c8cf9d2a68",
+                "sha256:a8b8ac7876bc3598e43e2603f772d2353d9931709345ad6c1149009fd1bc81b8",
+                "sha256:b0840b45187699affd4c6588286d429cd79a99d509fe3de0f209594669bb0954",
+                "sha256:b26aaf69713e5674efbde4d728fb7124e429c9466aeaf5f4a7e9e699b12c9fe2",
+                "sha256:b63dd43f455ba878e5e9f80ba4f748c0a2156dde6e0e6e690310e24d6e8caf40",
+                "sha256:be18f4ae5a9e46edae3f329de2191747966a34a3d93046dbdf897319923923bc",
+                "sha256:c312e57847db2526bc92b9bfa78266bfbaabac3fdcd751df4d062cd4c23e46dc",
+                "sha256:c60097190fe9dc2b329a0eb03393e2e0829156a589bd732e70794c0dd804258e",
+                "sha256:c62a2143e1313944bf4a5ab34fd3b4be15367a02e9478b0ce800cb510e3bbb9d",
+                "sha256:cc1109f54a14d940b8512ee9f1c3975c181bbb200306c6d8b87d93376538782f",
+                "sha256:cd60f507c125ac0ad83f05803063bed27e50fa903b9c2cfee3f8a6867ca600fc",
+                "sha256:d513cc3db248e566e07a0da99c230aca3556d9b09ed02f420664e2da97eac301",
+                "sha256:d649dc0bcace6fcdb446ae02b98798a856593b19b637c1b9af8edadf2b150bea",
+                "sha256:d7008a6796095a79544f4da1ee49418901961c97ca9e9d44904205ff7d6aa8cb",
+                "sha256:da93027835164b8223e8e5af2cf902a4c80ed93cb0909417234f4a9df3bcd9af",
+                "sha256:e69215621707119c6baf99bda014a45b999d37602cb7043d943c76a59b05bf52",
+                "sha256:ea9525e0fef2de9208250d6c5aeeee0138921057cd67fcef90fbed49c4d62d37",
+                "sha256:fca1669d464f0c9831fd10be2eef6b86f5ebd76c724d1e0706ebdff86bb4adf0"
+            ],
+            "index": "pypi",
+            "version": "==5.0.3"
+        },
+        "deprecated": {
+            "hashes": [
+                "sha256:408038ab5fdeca67554e8f6742d1521cd3cd0ee0ff9d47f29318a4f4da31c308",
+                "sha256:8b6a5aa50e482d8244a62e5582b96c372e87e3a28e8b49c316e46b95c76a611d"
+            ],
+            "version": "==1.2.7"
+        },
+        "elasticsearch": {
+            "hashes": [
+                "sha256:1815ee1377e7d3cf32770738a70785fe4ab1f05be28336a330ed71cb295a7c6c",
+                "sha256:2a0ca516378ae9b87ac840e7bb529ec508f3010360dd9feed605dff2a898aff5"
+            ],
+            "index": "pypi",
+            "version": "==7.5.1"
+        },
+        "elasticsearch-async": {
+            "hashes": [
+                "sha256:2534f3ec80da275723cabd6d354c83eb4b4f6241ad1432b48c2c05fb12175ab1",
+                "sha256:281f5a7193811a9eb60669734d297bde13feeb745fd33c0c8af537e939aa887f"
+            ],
+            "index": "pypi",
+            "version": "==6.2.0"
+        },
+        "idna": {
+            "hashes": [
+                "sha256:c357b3f628cf53ae2c4c05627ecc484553142ca23264e593d327bcde5e9c3407",
+                "sha256:ea8b7f6188e6fa117537c3df7da9fc686d485087abf6ac197f9c46432f7e4a3c"
+            ],
+            "version": "==2.8"
+        },
+        "idna-ssl": {
+            "hashes": [
+                "sha256:a933e3bb13da54383f9e8f35dc4f9cb9eb9b3b78c6b36f311254d6d0d92c6c7c"
+            ],
+            "markers": "python_version < '3.7'",
+            "version": "==1.1.0"
+        },
+        "importlib-metadata": {
+            "hashes": [
+                "sha256:06f5b3a99029c7134207dd882428a66992a9de2bef7c2b699b5641f9886c3302",
+                "sha256:b97607a1a18a5100839aec1dc26a1ea17ee0d93b20b0f008d80a5a050afb200b"
+            ],
+            "markers": "python_version < '3.8'",
+            "version": "==1.5.0"
+        },
+        "jsonschema": {
+            "hashes": [
+                "sha256:4e5b3cf8216f577bee9ce139cbe72eca3ea4f292ec60928ff24758ce626cd163",
+                "sha256:c8a85b28d377cc7737e46e2d9f2b4f44ee3c0e1deac6bf46ddefc7187d30797a"
+            ],
+            "version": "==3.2.0"
+        },
+        "multidict": {
+            "hashes": [
+                "sha256:13f3ebdb5693944f52faa7b2065b751cb7e578b8dd0a5bb8e4ab05ad0188b85e",
+                "sha256:26502cefa86d79b86752e96639352c7247846515c864d7c2eb85d036752b643c",
+                "sha256:4fba5204d32d5c52439f88437d33ad14b5f228e25072a192453f658bddfe45a7",
+                "sha256:527124ef435f39a37b279653ad0238ff606b58328ca7989a6df372fd75d7fe26",
+                "sha256:5414f388ffd78c57e77bd253cf829373721f450613de53dc85a08e34d806e8eb",
+                "sha256:5eee66f882ab35674944dfa0d28b57fa51e160b4dce0ce19e47f495fdae70703",
+                "sha256:63810343ea07f5cd86ba66ab66706243a6f5af075eea50c01e39b4ad6bc3c57a",
+                "sha256:6bd10adf9f0d6a98ccc792ab6f83d18674775986ba9bacd376b643fe35633357",
+                "sha256:83c6ddf0add57c6b8a7de0bc7e2d656be3eefeff7c922af9a9aae7e49f225625",
+                "sha256:93166e0f5379cf6cd29746989f8a594fa7204dcae2e9335ddba39c870a287e1c",
+                "sha256:9a7b115ee0b9b92d10ebc246811d8f55d0c57e82dbb6a26b23c9a9a6ad40ce0c",
+                "sha256:a38baa3046cce174a07a59952c9f876ae8875ef3559709639c17fdf21f7b30dd",
+                "sha256:a6d219f49821f4b2c85c6d426346a5d84dab6daa6f85ca3da6c00ed05b54022d",
+                "sha256:a8ed33e8f9b67e3b592c56567135bb42e7e0e97417a4b6a771e60898dfd5182b",
+                "sha256:d7d428488c67b09b26928950a395e41cc72bb9c3d5abfe9f0521940ee4f796d4",
+                "sha256:dcfed56aa085b89d644af17442cdc2debaa73388feba4b8026446d168ca8dad7",
+                "sha256:f29b885e4903bd57a7789f09fe9d60b6475a6c1a4c0eca874d8558f00f9d4b51"
+            ],
+            "version": "==4.7.4"
+        },
+        "pathspec": {
+            "hashes": [
+                "sha256:163b0632d4e31cef212976cf57b43d9fd6b0bac6e67c26015d611a647d5e7424",
+                "sha256:562aa70af2e0d434367d9790ad37aed893de47f1693e4201fd1d3dca15d19b96"
+            ],
+            "version": "==0.7.0"
+        },
+        "progressbar2": {
+            "hashes": [
+                "sha256:7538d02045a1fd3aa2b2834bfda463da8755bd3ff050edc6c5ddff3bc616215f",
+                "sha256:eb774d1e0d03ea4730f381c13c2c6ae7abb5ddfb14d8321d7a58a61aa708f0d0"
+            ],
+            "index": "pypi",
+            "version": "==3.47.0"
+        },
+        "pymisp": {
+            "hashes": [
+                "sha256:4359953881c70d8c851ba847ebd41fe636ecc155ee92a6b653dcae2d241a6fef",
+                "sha256:be4c2a2d311ba1aaeb73e1124e8a97ac4eec52a871e02d373c455936095aac72"
+            ],
+            "index": "pypi",
+            "version": "==2.4.120"
+        },
+        "pyrsistent": {
+            "hashes": [
+                "sha256:cdc7b5e3ed77bed61270a47d35434a30617b9becdf2478af76ad2c6ade307280"
+            ],
+            "version": "==0.15.7"
+        },
+        "python-dateutil": {
+            "hashes": [
+                "sha256:73ebfe9dbf22e832286dafa60473e4cd239f8592f699aa5adaf10050e6e1823c",
+                "sha256:75bb3f31ea686f1197762692a9ee6a7550b59fc6ca3a1f4b5d7e32fb98e2da2a"
+            ],
+            "version": "==2.8.1"
+        },
+        "python-utils": {
+            "hashes": [
+                "sha256:34aaf26b39b0b86628008f2ae0ac001b30e7986a8d303b61e1357dfcdad4f6d3",
+                "sha256:e25f840564554eaded56eaa395bca507b0b9e9f0ae5ecb13a8cb785305c56d25"
+            ],
+            "version": "==2.3.0"
+        },
+        "pyyaml": {
+            "hashes": [
+                "sha256:059b2ee3194d718896c0ad077dd8c043e5e909d9180f387ce42012662a4946d6",
+                "sha256:1cf708e2ac57f3aabc87405f04b86354f66799c8e62c28c5fc5f88b5521b2dbf",
+                "sha256:24521fa2890642614558b492b473bee0ac1f8057a7263156b02e8b14c88ce6f5",
+                "sha256:4fee71aa5bc6ed9d5f116327c04273e25ae31a3020386916905767ec4fc5317e",
+                "sha256:70024e02197337533eef7b85b068212420f950319cc8c580261963aefc75f811",
+                "sha256:74782fbd4d4f87ff04159e986886931456a1894c61229be9eaf4de6f6e44b99e",
+                "sha256:940532b111b1952befd7db542c370887a8611660d2b9becff75d39355303d82d",
+                "sha256:cb1f2f5e426dc9f07a7681419fe39cee823bb74f723f36f70399123f439e9b20",
+                "sha256:dbbb2379c19ed6042e8f11f2a2c66d39cceb8aeace421bfc29d085d93eda3689",
+                "sha256:e3a057b7a64f1222b56e47bcff5e4b94c4f61faac04c7c4ecb1985e18caa3994",
+                "sha256:e9f45bd5b92c7974e59bcd2dcc8631a6b6cc380a904725fce7bc08872e691615"
+            ],
+            "index": "pypi",
+            "version": "==5.3"
+        },
+        "requests": {
+            "hashes": [
+                "sha256:11e007a8a2aa0323f5a921e9e6a2d7e4e67d9877e85773fba9ba6419025cbeb4",
+                "sha256:9cf5292fcd0f598c671cfc1e0d7d1a7f13bb8085e9a590f48c010551dc6c4b31"
+            ],
+            "version": "==2.22.0"
+        },
+        "six": {
+            "hashes": [
+                "sha256:236bdbdce46e6e6a3d61a337c0f8b763ca1e8717c03b369e87a7ec7ce1319c0a",
+                "sha256:8f3cd2e254d8f793e7f3d6d9df77b92252b52637291d0f0da013c76ea2724b6c"
+            ],
+            "version": "==1.14.0"
+        },
+        "typing-extensions": {
+            "hashes": [
+                "sha256:091ecc894d5e908ac75209f10d5b4f118fbdb2eb1ede6a63544054bb1edb41f2",
+                "sha256:910f4656f54de5993ad9304959ce9bb903f90aadc7c67a0bef07e678014e892d",
+                "sha256:cf8b63fedea4d89bab840ecbb93e75578af28f76f66c35889bd7065f5af88575"
+            ],
+            "markers": "python_version < '3.7'",
+            "version": "==3.7.4.1"
+        },
+        "urllib3": {
+            "hashes": [
+                "sha256:2f3db8b19923a873b3e5256dc9c2dedfa883e33d87c690d9c7913e1f40673cdc",
+                "sha256:87716c2d2a7121198ebcb7ce7cccf6ce5e9ba539041cfbaeecfb641dc0bf6acc"
+            ],
+            "version": "==1.25.8"
+        },
+        "wrapt": {
+            "hashes": [
+                "sha256:565a021fd19419476b9362b05eeaa094178de64f8361e44468f9e9d7843901e1"
+            ],
+            "version": "==1.11.2"
+        },
+        "yamllint": {
+            "hashes": [
+                "sha256:7318e189027951983c3cb4d6bcaa1e75deef7c752320ca3ce84e407f2551e8ce",
+                "sha256:76912b6262fd7e0815d7b14c4c2bb2642c754d0aa38f2d3e4b4e21c77872a3bf"
+            ],
+            "index": "pypi",
+            "version": "==1.20.0"
+        },
+        "yarl": {
+            "hashes": [
+                "sha256:0c2ab325d33f1b824734b3ef51d4d54a54e0e7a23d13b86974507602334c2cce",
+                "sha256:0ca2f395591bbd85ddd50a82eb1fde9c1066fafe888c5c7cc1d810cf03fd3cc6",
+                "sha256:2098a4b4b9d75ee352807a95cdf5f10180db903bc5b7270715c6bbe2551f64ce",
+                "sha256:25e66e5e2007c7a39541ca13b559cd8ebc2ad8fe00ea94a2aad28a9b1e44e5ae",
+                "sha256:26d7c90cb04dee1665282a5d1a998defc1a9e012fdca0f33396f81508f49696d",
+                "sha256:308b98b0c8cd1dfef1a0311dc5e38ae8f9b58349226aa0533f15a16717ad702f",
+                "sha256:3ce3d4f7c6b69c4e4f0704b32eca8123b9c58ae91af740481aa57d7857b5e41b",
+                "sha256:58cd9c469eced558cd81aa3f484b2924e8897049e06889e8ff2510435b7ef74b",
+                "sha256:5b10eb0e7f044cf0b035112446b26a3a2946bca9d7d7edb5e54a2ad2f6652abb",
+                "sha256:6faa19d3824c21bcbfdfce5171e193c8b4ddafdf0ac3f129ccf0cdfcb083e462",
+                "sha256:944494be42fa630134bf907714d40207e646fd5a94423c90d5b514f7b0713fea",
+                "sha256:a161de7e50224e8e3de6e184707476b5a989037dcb24292b391a3d66ff158e70",
+                "sha256:a4844ebb2be14768f7994f2017f70aca39d658a96c786211be5ddbe1c68794c1",
+                "sha256:c2b509ac3d4b988ae8769901c66345425e361d518aecbe4acbfc2567e416626a",
+                "sha256:c9959d49a77b0e07559e579f38b2f3711c2b8716b8410b320bf9713013215a1b",
+                "sha256:d8cdee92bc930d8b09d8bd2043cedd544d9c8bd7436a77678dd602467a993080",
+                "sha256:e15199cdb423316e15f108f51249e44eb156ae5dba232cb73be555324a1d49c2"
+            ],
+            "version": "==1.4.2"
+        },
+        "zipp": {
+            "hashes": [
+                "sha256:ccc94ed0909b58ffe34430ea5451f07bc0c76467d7081619a454bf5c98b89e28",
+                "sha256:feae2f18633c32fc71f2de629bfb3bd3c9325cd4419642b1f1da42ee488d9b98"
+            ],
+            "version": "==2.1.0"
+        }
+    },
+    "develop": {}
+}
@@ -14,9 +14,9 @@ Sigma is for log files what [Snort](https://www.snort.org/) is for network traff

 This repository contains:

-* Sigma rule specification in the [Wiki](https://github.com/Neo23x0/sigma/wiki/Specification)
-* Open repository for sigma signatures in the `./rules`subfolder
-* A converter that generate searches/queries for different SIEM systems [work in progress]
+1. Sigma rule specification in the [Wiki](https://github.com/Neo23x0/sigma/wiki/Specification)
+2. Open repository for sigma signatures in the `./rules` subfolder
+3. A converter named `sigmac` located in the `./tools/` sub folder that generates search queries for different SIEM systems from Sigma rules

 ![sigma_description](./images/Sigma-description.png)

@@ -24,10 +24,16 @@ This repository contains:

 [![Sigma - Generic Signatures for Log Events](https://preview.ibb.co/cMCigR/Screen_Shot_2017_10_18_at_15_47_15.png)](https://www.youtube.com/watch?v=OheVuE9Ifhs "Sigma - Generic Signatures for Log Events")

+## SANS Webcast on MITRE ATT&CK and Sigma
+
+The SANS webcast on Sigma contains a very good 20 min introduction to the project by John Hubbart from minute 39 onward. (SANS account required; registration is free)
+
+[MITRE ATT&CK and Sigma Alerting Webcast Recording](https://www.sans.org/webcasts/mitre-att-ck-sigma-alerting-110010 "MITRE ATT&CK and Sigma Alerting")
+
 # Use Cases

 * Describe your detection method in Sigma to make it sharable
-* Write and your SIEM searches in Sigma to avoid a vendor lock-in
+* Write your SIEM searches in Sigma to avoid a vendor lock-in
 * Share the signature in the appendix of your analysis along with IOCs and YARA rules
 * Share the signature in threat intel communities - e.g. via MISP
 * Provide Sigma signatures for malicious behaviour in your own application
@@ -61,7 +67,7 @@ Florian wrote a short [rule creation tutorial](https://www.nextron-systems.com/2
 1. Download or clone the respository
 2. Check the `./rules` sub directory for an overview on the rule base
 3. Run `python sigmac --help` in folder `./tools` to get a help on the rule converter
-4. Convert a rule of your choice with `sigmac` like `python sigmac -t splunk ../rules/windows/builtin/win_susp_process_creations.yml`
+4. Convert a rule of your choice with `sigmac` like `./sigmac -t splunk -c tools/config/generic/sysmon.yml ./rules/windows/process_creation/win_susp_whoami.yml`
 5. Convert a whole rule directory with `python sigmac -t splunk -r ../rules/proxy/`
 6. Check the `./tools/config` folder and the [wiki](https://github.com/Neo23x0/sigma/wiki/Converter-Tool-Sigmac) if you need custom field or log source mappings in your environment

@@ -90,18 +96,111 @@ Sigmac converts sigma rules into queries or inputs of the supported targets list
 Sigma library that may be used to integrate Sigma support in other projects. Further, there's `merge_sigma.py` which
 merges multiple YAML documents of a Sigma rule collection into simple Sigma rules.

-![sigmac_converter](./images/Sigmac-win_susp_rc4_kerberos.png)
+### Usage
+
+```
+usage: sigmac [-h] [--recurse] [--filter FILTER]
+              [--target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}]
+              [--target-list] [--config CONFIG] [--output OUTPUT]
+              [--backend-option BACKEND_OPTION] [--defer-abort]
+              [--ignore-backend-errors] [--verbose] [--debug]
+              [inputs [inputs ...]]
+
+Convert Sigma rules into SIEM signatures.
+
+positional arguments:
+  inputs                Sigma input files ('-' for stdin)
+
+optional arguments:
+  -h, --help            show this help message and exit
+  --recurse, -r         Use directory as input (recurse into subdirectories is
+                        not implemented yet)
+  --filter FILTER, -f FILTER
+                        Define comma-separated filters that must match (AND-
+                        linked) to rule to be processed. Valid filters:
+                        level<=x, level>=x, level=x, status=y, logsource=z,
+                        tag=t. x is one of: low, medium, high, critical. y is
+                        one of: experimental, testing, stable. z is a word
+                        appearing in an arbitrary log source attribute. t is a
+                        tag that must appear in the rules tag list, case-
+                        insensitive matching. Multiple log source
+                        specifications are AND linked.
+  --target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}, -t {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}
+                        Output target format
+  --target-list, -l     List available output target formats
+  --config CONFIG, -c CONFIG
+                        Configurations with field name and index mapping for
+                        target environment. Multiple configurations are merged
+                        into one. Last config is authorative in case of
+                        conflicts.
+  --output OUTPUT, -o OUTPUT
+                        Output file or filename prefix if multiple files are
+                        generated
+  --backend-option BACKEND_OPTION, -O BACKEND_OPTION
+                        Options and switches that are passed to the backend
+  --defer-abort, -d     Don't abort on parse or conversion errors, proceed
+                        with next rule. The exit code from the last error is
+                        returned
+  --ignore-backend-errors, -I
+                        Only return error codes for parse errors and ignore
+                        errors for rules that cause backend errors. Useful,
+                        when you want to get as much queries as possible.
+  --verbose, -v         Be verbose
+  --debug, -D           Debugging output
+```
+
+### Examples
+
+#### Single Rule Translation
+Translate a single rule
+```
+tools/sigmac -t splunk -c splunk-windows rules/windows/sysmon/sysmon_susp_image_load.yml
+```
+#### Rule Set Translation
+Translate a whole rule directory and ignore backend errors (`-I`) in rule conversion for the selected backend (`-t splunk`)
+```
+tools/sigmac -I -t splunk -c splunk-windows -r rules/windows/sysmon/
+```
+#### Translate Only Rules of Level High or Critical
+Translate a whole rule directory and ignore backend errors (`-I`) in rule conversion for the selected backend (`-t splunk`) and select only rules of level `high` and `critical`
+```
+tools/sigmac -I -t splunk -c splunk-windows -f 'level>=high' -r rules/windows/sysmon/
+```
+#### Rule Set Translation with Custom Config 
+Apply your own config file (`-c ~/my-elk-winlogbeat.yml`) during conversion, which can contain you custom field and source mappings
+```
+tools/sigmac -t es-qs -c ~/my-elk-winlogbeat.yml -r rules/windows/sysmon
+```
+#### Generic Rule Set Translation
+Use a config file for `process_creation` rules (`-r rules/windows/process_creation`) that instructs sigmac to create queries for a Sysmon log source (`-c tools/config/generic/sysmon.yml`) and the ElasticSearch target backend (`-t es-qs`) 
+```
+tools/sigmac -t es-qs -c tools/config/generic/sysmon.yml -r rules/windows/process_creation
+```
+#### Generic Rule Set Translation with Custom Config
+Use a config file for a single `process_creation` rule (`./rules/windows/process_creation/win_susp_outlook.yml`) that instructs sigmac to create queries for process creation events generated in the Windows Security Eventlog (`-c tools/config/generic/windows-audit.yml`) and a Splunk target backend (`-t splunk`)
+```
+tools/sigmac -t splunk -c ~/my-splunk-mapping.yml -c tools/config/generic/windows-audit.yml ./rules/windows/process_creation/win_susp_outlook.yml
+```
+(See @blubbfiction's [blog post](https://patzke.org/a-guide-to-generic-log-sources-in-sigma.html) for more information)

 ### Supported Targets

-* [Splunk](https://www.splunk.com/)
-* [ElasticSearch](https://www.elastic.co/)
+* [Splunk](https://www.splunk.com/) (plainqueries and dashboards)
+* [ElasticSearch Query Strings](https://www.elastic.co/)
 * [ElasticSearch Query DSL](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl.html)
 * [Kibana](https://www.elastic.co/de/products/kibana)
 * [Elastic X-Pack Watcher](https://www.elastic.co/guide/en/x-pack/current/xpack-alerting.html)
 * [Logpoint](https://www.logpoint.com)
 * [Windows Defender Advanced Threat Protection (WDATP)](https://www.microsoft.com/en-us/windowsforbusiness/windows-atp)
-* Grep with Perl-compatible regular expression support
+* [Azure Sentinel / Azure Log Analytics](https://azure.microsoft.com/en-us/services/azure-sentinel/)
+* [Sumologic](https://www.sumologic.com/)
+* [ArcSight](https://software.microfocus.com/en-us/products/siem-security-information-event-management/overview)
+* [QRadar](https://www.ibm.com/de-de/marketplace/ibm-qradar-siem)
+* [Qualys](https://www.qualys.com/apps/threat-protection/)
+* [RSA NetWitness](https://www.rsa.com/en-us/products/threat-detection-response)
+* [PowerShell](https://docs.microsoft.com/en-us/powershell/scripting/getting-started/getting-started-with-windows-powershell?view=powershell-6)
+* [Grep](https://www.gnu.org/software/grep/manual/grep.html) with Perl-compatible regular expression support
+* [LimaCharlie](https://limacharlie.io)

 Current work-in-progress
 * [Splunk Data Models](https://docs.splunk.com/Documentation/Splunk/7.1.0/Knowledge/Aboutdatamodels)
@@ -132,10 +231,55 @@ For development (e.g. execution of integration tests with `make` and packaging),
 pip3 install -r tools/requirements-devel.txt
 ```

+## Sigma2MISP
+
+Import Sigma rules to MISP events. Depends on PyMISP.
+
+Parameters that aren't changed frequently (`--url`, `--key`) can be put without the prefixing dashes `--` into a file
+and included with `@filename` as parameter on the command line.
+
+Example:
+*misp.conf*:
+```
+url https://host
+key foobarfoobarfoobarfoobarfoobarfoobarfoo 
+```
+
+Load Sigma rule into MISP event 1234:
+```
+sigma2misp @misp.conf --event 1234 sigma_rule.py
+```
+
+Load Sigma rules in directory sigma_rules/ into one newly created MISP event with info set to *Test Event*:
+```
+sigma2misp @misp.conf --same-event --info "Test Event" -r sigma_rules/
+```
+
 ## Evt2Sigma

 [Evt2Sigma](https://github.com/Neo23x0/evt2sigma) helps you with the rule creation. It generates a Sigma rule from a log entry. 

+## Sigma2attack
+
+Generates a [MITRE ATT&CK Navigator](https://github.com/mitre/attack-navigator/) heatmap from a directory containing sigma rules.
+
+Requirements:
+- Sigma rules tagged with a `attack.tXXXX` tag (e.g.: `attack.t1086`)
+
+Usage samples:
+
+```
+# Use the default "rules" folder
+./tools/sigma2attack
+
+# ... or specify your own
+./tools/sigma2attack --rules-directory ~/hunting/rules
+```
+
+Result once imported in the MITRE ATT&CK Navigator ([online version](https://mitre-attack.github.io/attack-navigator/enterprise/)):
+
+![Sigma2attack result](./images/sigma2attack.png)
+
 ## Contributed Scripts

 The directory `contrib` contains scripts that were contributed by the community:
@@ -151,13 +295,41 @@ These tools are not part of the main toolchain and maintained separately by thei
 * Integration into Threat Intel Exchanges
 * Attempts to convince others to use the rule format in their reports, threat feeds, blog posts, threat sharing platforms

-# Projects that use Sigma
+# Projects or Products that use Sigma

 * [MISP](http://www.misp-project.org/2017/03/26/MISP.2.4.70.released.html) (since version 2.4.70, March 2017)
-* [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches) (Splunk App)
 * [SOC Prime - Sigma Rule Editor](https://tdm.socprime.com/sigma/)
+* [uncoder.io](https://uncoder.io/) - Online Translator for SIEM Searches
+* [THOR](https://www.nextron-systems.com/2018/06/28/spark-applies-sigma-rules-in-eventlog-scan/) - Scan with Sigma rules on endpoints
+* [Joe Sandbox](https://www.joesecurity.org/)
 * [ypsilon](https://github.com/P4T12ICK/ypsilon) - Automated Use Case Testing 
-* [SPARK](https://www.nextron-systems.com/2018/06/28/spark-applies-sigma-rules-in-eventlog-scan/) - Scan with Sigma rules on endpoints
+* [RANK VASA](https://globenewswire.com/news-release/2019/03/04/1745907/0/en/RANK-Software-to-Help-MSSPs-Scale-Cybersecurity-Offerings.html)
+* [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches) (Splunk App)
+* [TimeSketch](https://github.com/google/timesketch/commit/0c6c4b65a6c0f2051d074e87bbb2da2424fa6c35)
+
+# Contribution
+
+If you want to contribute, you are more then welcome. There are numerous ways to help this project.
+
+## Use it and provide feedback
+
+If you use it, let us know what works and what does not work. 
+
+E.g.
+- Tell us about false positives (issues section) 
+- Try to provide an improved rule (new filter) via [pull request](https://help.github.com/en/articles/editing-files-in-another-users-repository) on that rule
+
+## Work on open issues
+
+The github issue tracker is a good place to start tackling some issues others raised to the project. It could be as easy as a review of the documentation.
+
+## Provide Backends / Backend Features / Bugfixes
+
+Various requests for sigmac (sigma converter) backends exist. Some backends are very limited and need features. We are working on a documentation on how to write new backends but our time for this project is currently mostly spent for issue resolutions. 
+
+## Spread the word
+
+Last but not least, the more people use Sigma, the better, so help promote it by sharing it via social media. If you are using it, consider giving a talk about your journey and tell us about it.

 # Licenses

@@ -171,4 +343,6 @@ The content of this repository is released under the following licenses:

 This is a private project mainly developed by Florian Roth and Thomas Patzke with feedback from many fellow analysts and friends. Rules are our own or have been drived from blog posts, tweets or other public sources that are referenced in the rules.

-Copyright for Tree Image: [studiobarcelona / 123RF Stock Photo](http://www.123rf.com/profile_studiobarcelona)
+# Info Graphic
+
+![sigmac_info_graphic](./images/sigma_infographic_lq.png)
@@ -1 +1 @@
-theme: jekyll-theme-hacker
+theme: jekyll-theme-minimal
@@ -0,0 +1,32 @@
+#!/usr/bin/env python3
+# Remove all hunks from a patch that don't add the id attribute to minimize the impact (removed
+# comments etc.) of sigma-uuid script.
+#
+# Usually used as follows:
+# 1. Add UUIDs to rules:
+# tools/sigma-uuid -er rules
+# 2. Generate and filter patch
+# git diff | contrib/filter-uuid-patch > rule-uuid.diff
+# 3. Reset to previous state
+# git reset --hard
+# 4. Apply filtered patch
+# patch -p1 < rule-uuid.diff
+#
+# This tool requires an installed unidiff package.
+
+from unidiff import PatchSet
+from sys import argv, stdin
+
+try:
+    with open(argv[1], "r") as f:
+        patch = PatchSet(f.readlines())
+except IndexError:
+    patch = PatchSet(stdin.readlines())
+
+for patched_file in patch:
+    for h in reversed(range(len(patched_file))):
+        hunk = patched_file[h]
+        if not any([ line.is_added and line.value.startswith("id: ") for line in hunk ]):
+            del patched_file[h]
+
+print(str(patch))
@@ -102,13 +102,13 @@ def rule_element(file_content, elements):
    :return: the value of the key in the yaml document
    """
    try:
-        yaml.load(file_content.replace("---",""))
+        yaml.safe_load(file_content.replace("---",""))
    except:
        raise Exception('Unsupported')
    element_output = ""
    for e in elements:
        try:
-            element_output = yaml.load(file_content.replace("---",""))[e]
+            element_output = yaml.safe_load(file_content.replace("---",""))[e]
        except:
            pass
    if element_output is None:
@@ -162,12 +162,12 @@ for file in glob.glob(args.ruledir + "/*"):
            output_elast_config = re.sub(entry, str(convert_args[entry]), output_elast_config)
        for entry in translate_func:
            output_elast_config = re.sub(entry, translate_func[entry], output_elast_config)
-        print "Converting file " + file
+        print("Converting file " + file)
        with open(os.path.join(args.outdir, "sigma-" + file.split("/")[-1]), "w") as f:
                f.write(output_elast_config)
    except Exception as e:
        if args.debug:
            traceback.print_exc()
-        print "error " + str(file) + "----" + str(e)
+        print("error " + str(file) + "----" + str(e))
        pass

@@ -0,0 +1,261 @@
+#!/usr/bin/python
+# Copyright 2018 juju4
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+"""
+Project: sigma2sumologic.py
+Date: 11 Jan 2019
+Author: juju4
+Version: 1.0
+Description: This script executes sumologic search queries from Sigma SIEM rules.
+Workflow:
+    1. Convert rules with sigmac
+    2. Enrich: add ignore+local custom rules, priority
+    3. Format
+    4. Get results and save to txt/xlsx files
+Requirements:
+    $ pip install sumologic-sdk pyyaml pandas openpyxl
+"""
+
+import re
+import os
+import sys
+import stat
+import glob
+import subprocess
+import argparse
+import yaml
+import traceback
+import logging
+from sumologic import SumoLogic
+import time
+import datetime
+import json
+import pandas
+
+logging.basicConfig(level=logging.DEBUG)
+logger = logging.getLogger(__name__)
+formatter = logging.Formatter('%(asctime)s - %(name)s - p%(process)s {%(pathname)s:%(lineno)d} - %(levelname)s - %(message)s')
+handler = logging.FileHandler('sigma2sumo.log')
+handler.setFormatter(formatter)
+logger.addHandler(handler)
+
+parser = argparse.ArgumentParser(description='Execute sigma rules in sumologic')
+parser.add_argument("--conf", help="script yaml config file", type=str, required=True)
+parser.add_argument("--accessid", help="Sumologic Access ID", type=str, required=False)
+parser.add_argument("--accesskey", help="Sumologic Access Key", type=str, required=False)
+parser.add_argument("--endpoint", help="Sumologic url endpoint", type=str, required=False)
+parser.add_argument("--ruledir", help="sigma rule directory path to convert", type=str, required=False)
+parser.add_argument("--outdir", help="output directory to create rules", type=str, required=False)
+parser.add_argument("--sigmac", help="Sigmac location", default="../tools/sigmac", type=str)
+parser.add_argument("--realerttime", help="Realert time (optional value, default 5 minutes)", type=str, default=5)
+parser.add_argument("--debug", help="Show debug output", type=bool, default=False)
+args = parser.parse_args()
+
+LIMIT = 100
+delay = 5
+
+
+def rule_element(file_content, elements):
+    """
+    Function used to get specific element from yaml document and return content
+    :type file_content: str
+    :type elements: list
+    :param file_content:
+    :param elements: list of elements of the yaml document to get "title", "description"
+    :return: the value of the key in the yaml document
+    """
+    try:
+        logger.debug("file_content: %s" % file_content)
+        yaml.safe_load(file_content.replace("---", ""))
+    except TypeError:
+        raise Exception('Unsupported')
+    element_output = ""
+    for e in elements:
+        try:
+            element_output = yaml.safe_load(file_content.replace("---", ""))[e]
+        except TypeError:
+            pass
+    if element_output is None:
+        return ""
+    return element_output
+
+
+def get_rule_as_sumologic(file):
+    """
+    Function used to get sumologic query output from rule file
+    :type file: str
+    :param file: rule filename
+    :return: string query
+    """
+    if not os.path.exists(args.sigmac):
+        logger.error("Cannot find sigmac rule coverter at '%s', please set a correct location via '--sigmac'")
+    cmd = [args.sigmac, file, "--target", "sumologic"]
+    logger.info('get_rule_as_sumologic cmd: %s' % cmd)
+    process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    output, err = process.communicate()
+
+    # output is byte-string...
+    output = output.decode("utf-8")
+    err = err.decode("utf-8")
+
+    logger.info('get_rule_as_sumologic output: %s' % output)
+    logger.info('get_rule_as_sumologic stderr: %s' % err)
+    if err or "unsupported" in err:
+        logger.error('Unsupported output at this time')
+        raise Exception('Unsupported output at this time')
+    output = output.split("\n")
+    # Remove empty string from \n
+    output = [a for a in output if a]
+    # Handle case of multiple queries returned
+    if len(output) > 1:
+        return " OR ".join(output)
+    return "".join(output)
+
+if args.help:
+    parser_print_help()
+
+if args.conf:
+    with open(args.conf, 'r') as ymlfile:
+        cfg = yaml.load(ymlfile)
+    args.accessid = cfg['accessid']
+    args.accesskey = cfg['accesskey']
+    args.endpoint = cfg['endpoint']
+    args.ruledir = cfg['ruledir']
+    args.outdir = cfg['outdir']
+    args.sigmac = cfg['sigmac']
+    try:
+        args.recursive = cfg['recursive']
+    except TypeError:
+        args.recursive = False
+    if args.recursive:
+        globpath = args.ruledir + "/**/*.yml"
+    else:
+        globpath = args.ruledir + "/*.yml"
+    logger.debug("args: %s" % args)
+    logger.debug("globpath: %s" % globpath)
+
+if args.outdir and not os.path.isdir(args.outdir):
+    os.mkdir(args.outdir, stat.S_IRWXU)
+
+# non-recursive (above, not working...)
+# for file in glob.iglob(args.ruledir + "/*.yml"):
+# recursive
+for file in glob.iglob(globpath, recursive=True):
+
+    file_basename = os.path.basename(os.path.splitext(file)[0])
+    file_basenamepath = os.path.splitext(file)[0]
+    file_ext = os.path.splitext(file)[1]
+    try:
+        if file_ext != '.yml':
+            continue
+
+        logger.info("Processing %s ..." % file_basename)
+        with open(file, "rb") as f:
+            file_content = f.read()
+
+        logger.info("Rule file: %s" % file)
+
+        sumo_query = get_rule_as_sumologic(file)
+
+        logger.info("  Checking if custom query file: %s" % file_basenamepath + '.custom')
+        if os.path.isfile(file_basenamepath + '.custom'):
+            # FIXME! want to add something in the middle for parsing for example...
+            logger.info("  Adding custom part to end query from: %s" % file_basenamepath + '.custom')
+            with open(file_basenamepath + '.custom', "rb") as f:
+                # FIXME ! manage pipe inside queries
+                if "| count" in sumo_query:
+                    pos = sumo_query.find('| count')
+                    sumo_query = sumo_query[:pos] + f.read().decode('utf-8') + sumo_query[pos:]
+                else:
+                    sumo_query += " " + f.read().decode('utf-8')
+        elif 'count ' not in sumo_query and ('EventID=' in sumo_query):
+            sumo_query += " | count _sourceCategory, hostname, EventID, msg_summary, _raw"
+        elif 'count ' not in sumo_query:
+            sumo_query += " | count _sourceCategory, hostname, _raw"
+
+        logger.debug("Final sumo query: %s" % sumo_query)
+
+    except Exception as e:
+        if args.debug:
+            traceback.print_exc()
+        logger.exception("error generating sumo query " + str(file) + "----" + str(e))
+        with open(os.path.join(args.outdir, "sigma-" + file_basename + '-error-generation.txt'), "w") as f:
+            # f.write(json.dumps(r, indent=4, sort_keys=True) + " ERROR: %s\n\nQUERY: %s" % (e, sumo_query))
+            f.write(" ERROR for file: %s\n\Exception:\n %s" % (file, e))
+        continue
+
+    try:
+        # Run query
+        # https://github.com/SumoLogic/sumologic-python-sdk/blob/master/scripts/search-job.py
+        sumo = SumoLogic(args.accessid, args.accesskey, args.endpoint)
+        toTime = datetime.datetime.now().strftime("%Y-%m-%dT%H:%M:%S")
+        fromTime = datetime.datetime.strptime(toTime, "%Y-%m-%dT%H:%M:%S") - datetime.timedelta(hours=24)
+        fromTime = fromTime.strftime("%Y-%m-%dT%H:%M:%S")
+        timeZone = 'UTC'
+        byReceiptTime = True
+
+        sj = sumo.search_job(sumo_query, fromTime, toTime, timeZone, byReceiptTime)
+
+        status = sumo.search_job_status(sj)
+        while status['state'] != 'DONE GATHERING RESULTS':
+            if status['state'] == 'CANCELLED':
+                break
+            time.sleep(delay)
+            status = sumo.search_job_status(sj)
+
+    except Exception as e:
+        if args.debug:
+            traceback.print_exc()
+        logger.exception("error seaching sumo  " + str(file) + "----" + str(e))
+        with open(os.path.join(args.outdir, "sigma-" + file_basename + '-error.txt'), "w") as f:
+            # f.write(json.dumps(r, indent=4, sort_keys=True) + " ERROR: %s\n\nQUERY: %s" % (e, sumo_query))
+            f.write(" ERROR: %s\n\nQUERY: %s" % (e, sumo_query))
+        pass
+
+    logger.debug("Sumo search job status: %s" % status['state'])
+
+    try:
+        if status['state'] == 'DONE GATHERING RESULTS':
+            count = status['recordCount']
+            # compensate bad limit check
+            limit = count if count < LIMIT and count != 0 else LIMIT
+            r = sumo.search_job_records(sj, limit=limit)
+            logger.debug("Sumo search results: %s" % r)
+
+        logger.debug("Saving final sumo query for %s to %s" % (file, os.path.join(args.outdir, "sigma-" + file_basename + '.sumo')))
+        with open(os.path.join(args.outdir, "sigma-" + file_basename + '.sumo'), "w") as f:
+            f.write(sumo_query)
+        if r and r['records'] != []:
+            logger.info("Saving results")
+            # as json text file
+            with open(os.path.join(args.outdir, "sigma-" + file_basename + '.txt'), "w") as f:
+                f.write(json.dumps(r, indent=4, sort_keys=True))
+            # as excel file
+            df = pandas.io.json.json_normalize(r['records'])
+            with pandas.ExcelWriter(os.path.join(args.outdir, "sigma-" + file_basename + ".xlsx")) as writer:
+                df.to_excel(writer, 'data')
+                pandas.DataFrame({'References': [
+                    "timeframe: from %s to %s" % (fromTime, toTime),
+                    "Sumo endpoint: %s" % args.endpoint,
+                    "Sumo query: %s" % sumo_query
+                ]}).to_excel(writer, 'comments')
+
+        # and do whatever you want, email alert, report, ticket...
+
+    except Exception as e:
+        if args.debug:
+            traceback.print_exc()
+        logger.exception("error saving results " + str(file) + "----" + str(e))
+        pass
@@ -0,0 +1,2653 @@
+{
+	"name": "SIGMA Rule Coverage",
+	"version": "2.1",
+	"domain": "mitre-enterprise",
+	"description": "Accurate to commit #: 81693d81b6823bb5f064919453eac70c1d097d3e\nhttps://github.com/Neo23x0/sigma/commit/81693d81b6823bb5f064919453eac70c1d097d3e",
+	"filters": {
+		"stages": [
+			"act"
+		],
+		"platforms": [
+			"windows",
+			"linux",
+			"mac"
+		]
+	},
+	"sorting": 0,
+	"viewMode": 0,
+	"hideDisabled": false,
+	"techniques": [
+		{
+			"techniqueID": "T1156",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1134",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1134",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1015",
+			"tactic": "persistence",
+			"score": 1,
+			"color": "",
+			"comment": "sysmon_stickykey_like_backdoor.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1015",
+			"tactic": "privilege-escalation",
+			"score": 1,
+			"color": "",
+			"comment": "sysmon_stickykey_like_backdoor.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1087",
+			"tactic": "discovery",
+			"score": 5,
+			"color": "",
+			"comment": "win_account_discovery.yml\nwin_alert_hacktool_use.yml\nwin_susp_net_recon_activity.yml\nwin_susp_commands_recon_activity.yml\nwin_susp_recon_activity.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1098",
+			"tactic": "credential-access",
+			"score": 3,
+			"color": "",
+			"comment": "apt_judgement_panda_gtr19.yml\nwin_alert_ad_user_backdoors.yml\nwin_susp_dsrm_password_change.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1098",
+			"tactic": "persistence",
+			"score": 3,
+			"color": "",
+			"comment": "apt_judgement_panda_gtr19.yml\nwin_alert_ad_user_backdoors.yml\nwin_susp_dsrm_password_change.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1182",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1182",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1103",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1103",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1155",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1155",
+			"tactic": "lateral-movement",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1017",
+			"tactic": "lateral-movement",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1138",
+			"tactic": "persistence",
+			"score": 1,
+			"color": "",
+			"comment": "win_sdbinst_shim_persistence.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1138",
+			"tactic": "privilege-escalation",
+			"score": 1,
+			"color": "",
+			"comment": "win_sdbinst_shim_persistence.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1010",
+			"tactic": "discovery",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1123",
+			"tactic": "collection",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1131",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1119",
+			"tactic": "collection",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1020",
+			"tactic": "exfiltration",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1197",
+			"tactic": "defense-evasion",
+			"score": 1,
+			"color": "",
+			"comment": "win_process_creation_bitsadmin_download.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1197",
+			"tactic": "persistence",
+			"score": 1,
+			"color": "",
+			"comment": "win_process_creation_bitsadmin_download.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1139",
+			"tactic": "credential-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1009",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1067",
+			"tactic": "persistence",
+			"score": 1,
+			"color": "",
+			"comment": "win_susp_bcdedit.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1217",
+			"tactic": "discovery",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1176",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1110",
+			"tactic": "credential-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1088",
+			"tactic": "defense-evasion",
+			"score": 3,
+			"color": "",
+			"comment": "win_cmstp_com_object_access.yml\nsysmon_uac_bypass_eventvwr.yml\nsysmon_uac_bypass_sdclt.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1088",
+			"tactic": "privilege-escalation",
+			"score": 3,
+			"color": "",
+			"comment": "win_cmstp_com_object_access.yml\nsysmon_uac_bypass_eventvwr.yml\nsysmon_uac_bypass_sdclt.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1191",
+			"tactic": "defense-evasion",
+			"score": 2,
+			"color": "",
+			"comment": "win_cmstp_com_object_access.yml\nsysmon_cmstp_execution.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1191",
+			"tactic": "execution",
+			"score": 2,
+			"color": "",
+			"comment": "win_cmstp_com_object_access.yml\nsysmon_cmstp_execution.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1042",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1146",
+			"tactic": "defense-evasion",
+			"score": 1,
+			"color": "",
+			"comment": "lnx_shell_clear_cmd_history.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1115",
+			"tactic": "collection",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1116",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1059",
+			"tactic": "execution",
+			"score": 12,
+			"color": "",
+			"comment": "apt_babyshark.yml\napt_equationgroup_dll_u_load.yml\napt_equationgroup_lnx.yml\napt_sofacy.yml\napt_sofacy_zebrocy.yml\napt_turla_commands.yml\napt_zxshell.yml\ncrime_fireball.yml\nwin_alert_hacktool_use.yml\nwin_office_shell.yml\nwin_susp_cmd_http_appdata.yml\nwin_susp_outlook.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1043",
+			"tactic": "command-and-control",
+			"score": 1,
+			"color": "",
+			"comment": "sysmon_malware_backconnect_ports.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1092",
+			"tactic": "command-and-control",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1223",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1223",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1109",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1109",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1122",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1122",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1090",
+			"tactic": "command-and-control",
+			"score": 2,
+			"color": "",
+			"comment": "win_netsh_fw_add.yml\nwin_netsh_port_fwd.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1196",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1196",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1136",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1003",
+			"tactic": "credential-access",
+			"score": 23,
+			"color": "",
+			"comment": "apt_bear_activity_gtr19.yml\nwin_alert_lsass_access.yml\nwin_alert_mimikatz_keywords.yml\nwin_dcsync.yml\nwin_impacket_secretdump.yml\nwin_mal_creddumper.yml\nwin_mal_wceaux_dll.yml\nwin_susp_lsass_dump.yml\nwin_susp_sam_dump.yml\nav_password_dumper.yml\nwin_cmdkey_recon.yml\nwin_hack_rubeus.yml\nwin_malware_notpetya.yml\nwin_susp_ntdsutil.yml\nwin_susp_procdump.yml\nwin_susp_sysvol_access.yml\nwin_susp_vssadmin_ntds_activity.yml\nsysmon_ghostpack_safetykatz.yml\nsysmon_lsass_memdump.yml\nsysmon_mimikatz_detection_lsass.yml\nsysmon_mimikatz_inmemory_detection.yml\nsysmon_password_dumper_lsass.yml\nsysmon_quarkspw_filedump.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1081",
+			"tactic": "credential-access",
+			"score": 1,
+			"color": "",
+			"comment": "apt_bear_activity_gtr19.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1214",
+			"tactic": "credential-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1094",
+			"tactic": "command-and-control",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1024",
+			"tactic": "command-and-control",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1207",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1038",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1038",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1038",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1073",
+			"tactic": "defense-evasion",
+			"score": 9,
+			"color": "",
+			"comment": "win_susp_dhcp_config.yml\nwin_susp_dhcp_config_failed.yml\nwin_susp_dns_config.yml\nwin_plugx_susp_exe_locations.yml\nwin_susp_control_dll_load.yml\nwin_susp_gup.yml\nsysmon_dhcp_calloutdll.yml\nsysmon_dns_serverlevelplugindll.yml\nsysmon_susp_image_load.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1002",
+			"tactic": "exfiltration",
+			"score": 1,
+			"color": "",
+			"comment": "apt_judgement_panda_gtr19.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1132",
+			"tactic": "command-and-control",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1022",
+			"tactic": "exfiltration",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1001",
+			"tactic": "command-and-control",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1074",
+			"tactic": "collection",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1030",
+			"tactic": "exfiltration",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1213",
+			"tactic": "collection",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1005",
+			"tactic": "collection",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1039",
+			"tactic": "collection",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1025",
+			"tactic": "collection",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1140",
+			"tactic": "defense-evasion",
+			"score": 4,
+			"color": "",
+			"comment": "win_susp_mshta_execution.yml\nwin_susp_certutil_command.yml\nwin_susp_cli_escape.yml\nwin_susp_ping_hex_ip.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1089",
+			"tactic": "defense-evasion",
+			"score": 2,
+			"color": "",
+			"comment": "win_alert_enable_weak_encryption.yml\nwin_susp_msmpeng_crash.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1175",
+			"tactic": "lateral-movement",
+			"score": 1,
+			"color": "",
+			"comment": "win_susp_mmc_source.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1172",
+			"tactic": "command-and-control",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1189",
+			"tactic": "initial-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1157",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1157",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1173",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1114",
+			"tactic": "collection",
+			"score": 1,
+			"color": "",
+			"comment": "win_alert_hacktool_use.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1106",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1129",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1048",
+			"tactic": "exfiltration",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1041",
+			"tactic": "exfiltration",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1011",
+			"tactic": "exfiltration",
+			"score": 1,
+			"color": "",
+			"comment": "sysmon_ssp_added_lsa_config.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1052",
+			"tactic": "exfiltration",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1190",
+			"tactic": "initial-access",
+			"score": 1,
+			"color": "",
+			"comment": "web_cve_2018_2894_weblogic_exploit.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1203",
+			"tactic": "execution",
+			"score": 2,
+			"color": "",
+			"comment": "av_exploiting.yml\nwin_exploit_cve_2017_8759.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1212",
+			"tactic": "credential-access",
+			"score": 3,
+			"color": "",
+			"comment": "win_net_ntlm_downgrade.yml\nwin_susp_kerberos_manipulation.yml\nwin_susp_samr_pwset.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1211",
+			"tactic": "defense-evasion",
+			"score": 2,
+			"color": "",
+			"comment": "win_susp_msmpeng_crash.yml\nwin_exploit_cve_2017_11882.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1068",
+			"tactic": "privilege-escalation",
+			"score": 1,
+			"color": "",
+			"comment": "apt_hurricane_panda.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1210",
+			"tactic": "lateral-movement",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1133",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1181",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1181",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1008",
+			"tactic": "command-and-control",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1107",
+			"tactic": "defense-evasion",
+			"score": 2,
+			"color": "",
+			"comment": "win_susp_backup_delete.yml\nwin_susp_sdelete.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1222",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1006",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1044",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1044",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1083",
+			"tactic": "discovery",
+			"score": 1,
+			"color": "",
+			"comment": "apt_turla_commands.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1187",
+			"tactic": "credential-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1144",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1061",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1148",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1200",
+			"tactic": "initial-access",
+			"score": 1,
+			"color": "",
+			"comment": "win_usb_device_plugged.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1158",
+			"tactic": "defense-evasion",
+			"score": 1,
+			"color": "",
+			"comment": "win_attrib_hiding_files.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1158",
+			"tactic": "persistence",
+			"score": 1,
+			"color": "",
+			"comment": "win_attrib_hiding_files.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1147",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1143",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1179",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1179",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1179",
+			"tactic": "credential-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1062",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1183",
+			"tactic": "privilege-escalation",
+			"score": 1,
+			"color": "",
+			"comment": "sysmon_win_reg_persistence.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1183",
+			"tactic": "persistence",
+			"score": 1,
+			"color": "",
+			"comment": "sysmon_win_reg_persistence.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1183",
+			"tactic": "defense-evasion",
+			"score": 1,
+			"color": "",
+			"comment": "sysmon_win_reg_persistence.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1054",
+			"tactic": "defense-evasion",
+			"score": 1,
+			"color": "",
+			"comment": "win_disable_event_logging.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1066",
+			"tactic": "defense-evasion",
+			"score": 1,
+			"color": "",
+			"comment": "win_susp_sdelete.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1070",
+			"tactic": "defense-evasion",
+			"score": 4,
+			"color": "",
+			"comment": "win_susp_eventlog_cleared.yml\nwin_susp_security_eventlog_cleared.yml\nwin_malware_notpetya.yml\nwin_susp_bcdedit.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1202",
+			"tactic": "defense-evasion",
+			"score": 2,
+			"color": "",
+			"comment": "win_office_shell.yml\nwin_susp_outlook.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1056",
+			"tactic": "collection",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1056",
+			"tactic": "credential-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1141",
+			"tactic": "credential-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1130",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1118",
+			"tactic": "defense-evasion",
+			"score": 1,
+			"color": "",
+			"comment": "win_possible_applocker_bypass.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1118",
+			"tactic": "execution",
+			"score": 1,
+			"color": "",
+			"comment": "win_possible_applocker_bypass.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1208",
+			"tactic": "credential-access",
+			"score": 2,
+			"color": "",
+			"comment": "win_susp_rc4_kerberos.yml\nwin_spn_enum.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1215",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1142",
+			"tactic": "credential-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1161",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1149",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1171",
+			"tactic": "credential-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1177",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1177",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1159",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1160",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1160",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1152",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1152",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1152",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1168",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1168",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1162",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1037",
+			"tactic": "lateral-movement",
+			"score": 1,
+			"color": "",
+			"comment": "sysmon_logon_scripts_userinitmprlogonscript.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1037",
+			"tactic": "persistence",
+			"score": 1,
+			"color": "",
+			"comment": "sysmon_logon_scripts_userinitmprlogonscript.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1185",
+			"tactic": "collection",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1036",
+			"tactic": "defense-evasion",
+			"score": 14,
+			"color": "",
+			"comment": "apt_ta17_293a_ps.yml\nwin_exploit_cve_2015_1641.yml\nwin_powershell_b64_shellcode.yml\nwin_susp_calc.yml\nwin_susp_csc.yml\nwin_susp_execution_path.yml\nwin_susp_exec_folder.yml\nwin_susp_procdump.yml\nwin_susp_prog_location_process_starts.yml\nwin_susp_run_locations.yml\nwin_susp_svchost.yml\nwin_susp_taskmgr_localsystem.yml\nwin_susp_taskmgr_parent.yml\nwin_system_exe_anomaly.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1031",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1112",
+			"tactic": "defense-evasion",
+			"score": 3,
+			"color": "",
+			"comment": "apt_chafer_mar18.yml\nwin_mal_ursnif.yml\nsysmon_dhcp_calloutdll.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1170",
+			"tactic": "defense-evasion",
+			"score": 4,
+			"color": "",
+			"comment": "apt_babyshark.yml\nwin_lethalhta.yml\nwin_mshta_spawn_shell.yml\nwin_possible_applocker_bypass.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1170",
+			"tactic": "execution",
+			"score": 4,
+			"color": "",
+			"comment": "apt_babyshark.yml\nwin_lethalhta.yml\nwin_mshta_spawn_shell.yml\nwin_possible_applocker_bypass.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1104",
+			"tactic": "command-and-control",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1188",
+			"tactic": "command-and-control",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1026",
+			"tactic": "command-and-control",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1079",
+			"tactic": "command-and-control",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1096",
+			"tactic": "defense-evasion",
+			"score": 1,
+			"color": "",
+			"comment": "powershell_ntfs_ads_access.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1128",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1046",
+			"tactic": "discovery",
+			"score": 1,
+			"color": "",
+			"comment": "win_vul_java_remote_debugging.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1126",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1135",
+			"tactic": "discovery",
+			"score": 1,
+			"color": "",
+			"comment": "apt_turla_commands.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1040",
+			"tactic": "credential-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1040",
+			"tactic": "discovery",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1050",
+			"tactic": "persistence",
+			"score": 7,
+			"color": "",
+			"comment": "apt_apt29_tor.yml\napt_carbonpaper_turla.yml\napt_stonedrill.yml\napt_turla_service_png.yml\nwin_mal_service_installs.yml\nwin_rare_service_installs.yml\nsysmon_susp_driver_load.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1050",
+			"tactic": "privilege-escalation",
+			"score": 7,
+			"color": "",
+			"comment": "apt_apt29_tor.yml\napt_carbonpaper_turla.yml\napt_stonedrill.yml\napt_turla_service_png.yml\nwin_mal_service_installs.yml\nwin_rare_service_installs.yml\nsysmon_susp_driver_load.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1027",
+			"tactic": "defense-evasion",
+			"score": 2,
+			"color": "",
+			"comment": "win_susp_ping_hex_ip.yml\nsysmon_ads_executable.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1137",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1075",
+			"tactic": "lateral-movement",
+			"score": 4,
+			"color": "",
+			"comment": "win_alert_hacktool_use.yml\nwin_overpass_the_hash.yml\nwin_pass_the_hash.yml\nwin_susp_ntlm_auth.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1097",
+			"tactic": "lateral-movement",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1174",
+			"tactic": "credential-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1201",
+			"tactic": "discovery",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1034",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1034",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1120",
+			"tactic": "discovery",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1069",
+			"tactic": "discovery",
+			"score": 1,
+			"color": "",
+			"comment": "win_susp_net_recon_activity.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1150",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1150",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1150",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1205",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1205",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1205",
+			"tactic": "command-and-control",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1013",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1013",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1086",
+			"tactic": "execution",
+			"score": 28,
+			"color": "",
+			"comment": "apt_apt29_thinktanks.yml\napt_babyshark.yml\napt_empiremonkey.yml\npowershell_downgrade_attack.yml\npowershell_exe_calling_ps.yml\npowershell_malicious_commandlets.yml\npowershell_malicious_keywords.yml\npowershell_prompt_credentials.yml\npowershell_psattack.yml\npowershell_shellcode_b64.yml\npowershell_suspicious_download.yml\npowershell_suspicious_invocation_generic.yml\npowershell_suspicious_invocation_specific.yml\npowershell_suspicious_keywords.yml\npowershell_xor_commandline.yml\nwin_powershell_amsi_bypass.yml\nwin_powershell_dll_execution.yml\nwin_powershell_download.yml\nwin_powershell_renamed_ps.yml\nwin_powershell_suspicious_parameter_variation.yml\nwin_susp_powershell_enc_cmd.yml\nwin_susp_powershell_hidden_b64_cmd.yml\nwin_susp_powershell_parent_combo.yml\nwin_susp_ps_appdata.yml\nsysmon_powershell_exploit_scripts.yml\nsysmon_powershell_network_connection.yml\nsysmon_powersploit_schtasks.yml\nsysmon_susp_powershell_rundll32.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1145",
+			"tactic": "credential-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1057",
+			"tactic": "discovery",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1186",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1093",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1055",
+			"tactic": "defense-evasion",
+			"score": 8,
+			"color": "",
+			"comment": "powershell_shellcode_b64.yml\nwin_exploit_cve_2017_0261.yml\nwin_malware_dridex.yml\nwin_mavinject_proc_inj.yml\nsysmon_cactustorch.yml\nsysmon_cobaltstrike_process_injection.yml\nsysmon_malware_verclsid_shellcode.yml\nsysmon_mal_namedpipes.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1055",
+			"tactic": "privilege-escalation",
+			"score": 8,
+			"color": "",
+			"comment": "powershell_shellcode_b64.yml\nwin_exploit_cve_2017_0261.yml\nwin_malware_dridex.yml\nwin_mavinject_proc_inj.yml\nsysmon_cactustorch.yml\nsysmon_cobaltstrike_process_injection.yml\nsysmon_malware_verclsid_shellcode.yml\nsysmon_mal_namedpipes.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1012",
+			"tactic": "discovery",
+			"score": 1,
+			"color": "",
+			"comment": "apt_babyshark.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1163",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1164",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1108",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1108",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1060",
+			"tactic": "persistence",
+			"score": 2,
+			"color": "",
+			"comment": "sysmon_susp_reg_persist_explorer_run.yml\nsysmon_susp_run_key_img_folder.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1121",
+			"tactic": "defense-evasion",
+			"score": 1,
+			"color": "",
+			"comment": "win_possible_applocker_bypass.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1121",
+			"tactic": "execution",
+			"score": 1,
+			"color": "",
+			"comment": "win_possible_applocker_bypass.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1117",
+			"tactic": "defense-evasion",
+			"score": 1,
+			"color": "",
+			"comment": "win_susp_regsvr32_anomalies.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1117",
+			"tactic": "execution",
+			"score": 1,
+			"color": "",
+			"comment": "win_susp_regsvr32_anomalies.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1219",
+			"tactic": "command-and-control",
+			"score": 2,
+			"color": "",
+			"comment": "av_exploiting.yml\nwin_susp_tscon_localsystem.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1076",
+			"tactic": "lateral-movement",
+			"score": 4,
+			"color": "",
+			"comment": "win_rdp_localhost_login.yml\nwin_rdp_reverse_tunnel.yml\nwin_susp_tscon_rdp_redirect.yml\nsysmon_rdp_reverse_tunnel.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1105",
+			"tactic": "command-and-control",
+			"score": 4,
+			"color": "",
+			"comment": "apt_pandemic.yml\nwin_susp_certutil_command.yml\nsysmon_win_binary_github_com.yml\nsysmon_win_binary_susp_com.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1105",
+			"tactic": "lateral-movement",
+			"score": 4,
+			"color": "",
+			"comment": "apt_pandemic.yml\nwin_susp_certutil_command.yml\nsysmon_win_binary_github_com.yml\nsysmon_win_binary_susp_com.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1021",
+			"tactic": "lateral-movement",
+			"score": 1,
+			"color": "",
+			"comment": "win_netsh_port_fwd_3389.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1018",
+			"tactic": "discovery",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1091",
+			"tactic": "lateral-movement",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1091",
+			"tactic": "initial-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1014",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1085",
+			"tactic": "defense-evasion",
+			"score": 11,
+			"color": "",
+			"comment": "apt_equationgroup_dll_u_load.yml\napt_sofacy.yml\napt_tropictrooper.yml\napt_unidentified_nov_18.yml\napt_zxshell.yml\ncrime_fireball.yml\nwin_malware_notpetya.yml\nwin_susp_control_dll_load.yml\nwin_susp_rundll32_activity.yml\nsysmon_rundll32_net_connections.yml\nsysmon_susp_powershell_rundll32.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1085",
+			"tactic": "execution",
+			"score": 11,
+			"color": "",
+			"comment": "apt_equationgroup_dll_u_load.yml\napt_sofacy.yml\napt_tropictrooper.yml\napt_unidentified_nov_18.yml\napt_zxshell.yml\ncrime_fireball.yml\nwin_malware_notpetya.yml\nwin_susp_control_dll_load.yml\nwin_susp_rundll32_activity.yml\nsysmon_rundll32_net_connections.yml\nsysmon_susp_powershell_rundll32.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1178",
+			"tactic": "privilege-escalation",
+			"score": 1,
+			"color": "",
+			"comment": "win_susp_add_sid_history.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1198",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1198",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1184",
+			"tactic": "lateral-movement",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1053",
+			"tactic": "execution",
+			"score": 8,
+			"color": "",
+			"comment": "apt_chafer_mar18.yml\napt_slingshot.yml\nwin_atsvc_task.yml\nwin_GPO_scheduledtasks.yml\nwin_rare_schtasks_creations.yml\nwin_rare_schtask_creation.yml\nwin_susp_schtask_creation.yml\nsysmon_powersploit_schtasks.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1053",
+			"tactic": "persistence",
+			"score": 8,
+			"color": "",
+			"comment": "apt_chafer_mar18.yml\napt_slingshot.yml\nwin_atsvc_task.yml\nwin_GPO_scheduledtasks.yml\nwin_rare_schtasks_creations.yml\nwin_rare_schtask_creation.yml\nwin_susp_schtask_creation.yml\nsysmon_powersploit_schtasks.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1053",
+			"tactic": "privilege-escalation",
+			"score": 8,
+			"color": "",
+			"comment": "apt_chafer_mar18.yml\napt_slingshot.yml\nwin_atsvc_task.yml\nwin_GPO_scheduledtasks.yml\nwin_rare_schtasks_creations.yml\nwin_rare_schtask_creation.yml\nwin_susp_schtask_creation.yml\nsysmon_powersploit_schtasks.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1029",
+			"tactic": "exfiltration",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1113",
+			"tactic": "collection",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1180",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1064",
+			"tactic": "defense-evasion",
+			"score": 10,
+			"color": "",
+			"comment": "apt_cloudhopper.yml\nwin_malware_script_dropper.yml\nwin_mal_adwind.yml\nwin_mal_lockergoga.yml\nwin_shell_spawn_susp_program.yml\nwin_susp_rasdial_activity.yml\nwin_susp_script_execution.yml\nwin_wmi_spwns_powershell.yml\nsysmon_cactustorch.yml\nsysmon_susp_file_characteristics.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1064",
+			"tactic": "execution",
+			"score": 10,
+			"color": "",
+			"comment": "apt_cloudhopper.yml\nwin_malware_script_dropper.yml\nwin_mal_adwind.yml\nwin_mal_lockergoga.yml\nwin_shell_spawn_susp_program.yml\nwin_susp_rasdial_activity.yml\nwin_susp_script_execution.yml\nwin_wmi_spwns_powershell.yml\nsysmon_cactustorch.yml\nsysmon_susp_file_characteristics.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1063",
+			"tactic": "discovery",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1101",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1167",
+			"tactic": "credential-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1035",
+			"tactic": "execution",
+			"score": 3,
+			"color": "",
+			"comment": "win_hack_smbexec.yml\nwin_tool_psexec.yml\nwin_psexesvc_start.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1058",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1058",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1166",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1166",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1051",
+			"tactic": "lateral-movement",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1023",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1218",
+			"tactic": "defense-evasion",
+			"score": 1,
+			"color": "",
+			"comment": "win_mavinject_proc_inj.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1218",
+			"tactic": "execution",
+			"score": 1,
+			"color": "",
+			"comment": "win_mavinject_proc_inj.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1216",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1216",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1045",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1153",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1151",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1151",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1193",
+			"tactic": "initial-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1192",
+			"tactic": "initial-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1194",
+			"tactic": "initial-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1071",
+			"tactic": "command-and-control",
+			"score": 1,
+			"color": "",
+			"comment": "net_susp_dns_txt_exec_strings.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1032",
+			"tactic": "command-and-control",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1095",
+			"tactic": "command-and-control",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1165",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1165",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1169",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1206",
+			"tactic": "privilege-escalation",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1195",
+			"tactic": "initial-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1019",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1082",
+			"tactic": "discovery",
+			"score": 1,
+			"color": "",
+			"comment": "win_susp_commands_recon_activity.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1016",
+			"tactic": "discovery",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1049",
+			"tactic": "discovery",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1033",
+			"tactic": "discovery",
+			"score": 1,
+			"color": "",
+			"comment": "win_susp_whoami.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1007",
+			"tactic": "discovery",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1124",
+			"tactic": "discovery",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1080",
+			"tactic": "lateral-movement",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1221",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1072",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1072",
+			"tactic": "lateral-movement",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1209",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1099",
+			"tactic": "defense-evasion",
+			"score": 1,
+			"color": "",
+			"comment": "win_susp_time_modification.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1154",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1154",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1127",
+			"tactic": "defense-evasion",
+			"score": 2,
+			"color": "",
+			"comment": "win_possible_applocker_bypass.yml\nwin_workflow_compiler.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1127",
+			"tactic": "execution",
+			"score": 2,
+			"color": "",
+			"comment": "win_possible_applocker_bypass.yml\nwin_workflow_compiler.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1199",
+			"tactic": "initial-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1111",
+			"tactic": "credential-access",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1065",
+			"tactic": "command-and-control",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1204",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1078",
+			"tactic": "defense-evasion",
+			"score": 6,
+			"color": "",
+			"comment": "win_admin_rdp_login.yml\nwin_alert_active_directory_user_control.yml\nwin_susp_failed_logons_single_source.yml\nwin_susp_failed_logon_reasons.yml\nwin_susp_interactive_logons.yml\nwin_user_added_to_local_administrators.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1078",
+			"tactic": "persistence",
+			"score": 6,
+			"color": "",
+			"comment": "win_admin_rdp_login.yml\nwin_alert_active_directory_user_control.yml\nwin_susp_failed_logons_single_source.yml\nwin_susp_failed_logon_reasons.yml\nwin_susp_interactive_logons.yml\nwin_user_added_to_local_administrators.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1078",
+			"tactic": "privilege-escalation",
+			"score": 6,
+			"color": "",
+			"comment": "win_admin_rdp_login.yml\nwin_alert_active_directory_user_control.yml\nwin_susp_failed_logons_single_source.yml\nwin_susp_failed_logon_reasons.yml\nwin_susp_interactive_logons.yml\nwin_user_added_to_local_administrators.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1078",
+			"tactic": "initial-access",
+			"score": 6,
+			"color": "",
+			"comment": "win_admin_rdp_login.yml\nwin_alert_active_directory_user_control.yml\nwin_susp_failed_logons_single_source.yml\nwin_susp_failed_logon_reasons.yml\nwin_susp_interactive_logons.yml\nwin_user_added_to_local_administrators.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1125",
+			"tactic": "collection",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1102",
+			"tactic": "command-and-control",
+			"score": 3,
+			"color": "",
+			"comment": "proxy_cobalt_amazon.yml\nproxy_cobalt_ocsp.yml\nproxy_cobalt_onedrive.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1102",
+			"tactic": "defense-evasion",
+			"score": 3,
+			"color": "",
+			"comment": "proxy_cobalt_amazon.yml\nproxy_cobalt_ocsp.yml\nproxy_cobalt_onedrive.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1100",
+			"tactic": "persistence",
+			"score": 6,
+			"color": "",
+			"comment": "web_cve_2018_2894_weblogic_exploit.yml\nav_webshell.yml\nwin_susp_execution_path_webserver.yml\nwin_susp_iss_module_install.yml\nwin_webshell_detection.yml\nwin_webshell_spawn.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1100",
+			"tactic": "privilege-escalation",
+			"score": 6,
+			"color": "",
+			"comment": "web_cve_2018_2894_weblogic_exploit.yml\nav_webshell.yml\nwin_susp_execution_path_webserver.yml\nwin_susp_iss_module_install.yml\nwin_webshell_detection.yml\nwin_webshell_spawn.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1077",
+			"tactic": "lateral-movement",
+			"score": 5,
+			"color": "",
+			"comment": "apt_turla_commands.yml\nwin_admin_share_access.yml\nwin_hack_smbexec.yml\nwin_lm_namedpipe.yml\nwin_susp_psexec.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1047",
+			"tactic": "execution",
+			"score": 4,
+			"color": "",
+			"comment": "win_wmi_persistence.yml\nwin_bypass_squiblytwo.yml\nwin_susp_wmi_execution.yml\nwin_wmi_persistence_script_event_consumer.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1084",
+			"tactic": "persistence",
+			"score": 3,
+			"color": "",
+			"comment": "sysmon_wmi_event_subscription.yml\nsysmon_wmi_persistence_commandline_event_consumer.yml\nsysmon_wmi_persistence_script_event_consumer_write.yml",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1028",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1028",
+			"tactic": "lateral-movement",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1004",
+			"tactic": "persistence",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1220",
+			"tactic": "defense-evasion",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		},
+		{
+			"techniqueID": "T1220",
+			"tactic": "execution",
+			"score": 0,
+			"color": "",
+			"comment": "",
+			"enabled": true,
+			"metadata": []
+		}
+	],
+	"gradient": {
+		"colors": [
+			"#ffffff",
+			"#66b1ff"
+		],
+		"minValue": 0,
+		"maxValue": 2
+	},
+	"legendItems": [],
+	"metadata": [],
+	"showTacticRowBackground": false,
+	"tacticRowBackground": "#dddddd",
+	"selectTechniquesAcrossTactics": true
+}
@@ -0,0 +1,42 @@
+title: High DNS subdomain requests rate per domain
+id: 8198e9a8-e38f-4ba5-8f16-882b1c0f880e
+description: High rate of unique Fully Qualified Domain Names (FQDN) requests per root domain (eTLD+1) in short period of time
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/21
+modified: 2019/11/04
+tags:
+    - attack.exfiltration
+    - attack.t1048
+logsource:
+    category: dns
+detection:
+    dns_question_name:
+        query: "*"
+    default_list_of_well_known_domains:
+        query_etld_plus_one: 
+            - "akadns.net"
+            - "akamaiedge.net"
+            - "amazonaws.com"
+            - "apple.com"
+            - "apple-dns.net"
+            - "cloudfront.net"
+            - "icloud.com"
+            - "in-addr.arpa"
+            - "google.com"
+            - "yahoo.com"
+            - "dropbox.com"
+            - "windowsupdate.com"
+            - "microsoftonline.com"
+            - "s-microsoft.com"
+            - "office365.com"
+            - "linkedin.com"
+    timeframe: 15m
+    condition: count(subdomain) per query_etld_plus_one per computer_name > 200 and not default_list_of_well_known_domains
+    #    for each host in timeframe
+    #                for each dns_question_etld_plus_one
+    #                    if number of dns_question_name > 200
+    #                        dns_question_etld_plus_one is not in default_list_of_well_known_domains
+falsepositives:
+    - Legitimate domain name requested, which should be added to whitelist
+level: high
+status: experimental
@@ -0,0 +1,37 @@
+title: Large domain name request
+id: 14aa0d9e-c70a-4a49-bdc1-e5cbc4fc6af7
+description: Detects large DNS domain names
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/21
+modified: 2019/11/04
+tags:
+    - attack.exfiltration
+    - attack.t1048
+logsource:
+    category: dns
+detection:
+    selection:
+        query_length: "> 70"              # IS MORE THAN 70 bytes
+    default_list_of_well_known_domains:
+        query_etld_plus_one:
+            - "akadns.net"
+            - "akamaiedge.net"
+            - "amazonaws.com"
+            - "apple.com"
+            - "apple-dns.net"
+            - "cloudfront.net"
+            - "icloud.com"
+            - "in-addr.arpa"
+            - "google.com"
+            - "yahoo.com"
+            - "dropbox.com"
+            - "windowsupdate.com"
+            - "microsoftonline.com"
+            - "s-microsoft.com"
+            - "office365.com"
+            - "linkedin.com"
+    condition: selection and not default_list_of_well_known_domains
+falsepositives:
+    - Legitimate domain name requested, which should be added to whitelist
+level: high
+status: experimental
@@ -0,0 +1,23 @@
+title: Possible DNS Rebinding
+id: ec5b8711-b550-4879-9660-568aaae2c3ea
+status: experimental
+description: 'Detects DNS-answer with TTL <10.'
+date: 2019/10/25
+author: Ilyas Ochkov, oscd.community
+references:
+    - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
+tags:
+    - attack.command_and_control
+    - attack.t1043
+logsource:
+    product: dns
+detection:
+    selection:
+        answer: '*'
+    filter1:
+        ttl: '>0'
+    filter2:
+        ttl: '<10'
+    timeframe: 30s
+    condition: selection and filter1 and filter2 | count(answer) by src_ip > 3
+level: medium
@@ -0,0 +1,48 @@
+action: global
+title: Defense evasion via process reimaging
+id: 7fa4f550-850e-4117-b543-428c86ebb849
+description: Detects process reimaging defense evasion technique
+# where
+#             selection1: ImageFileName != selection1: OriginalFileName
+#             selection1: ParentProcessGuid = selection2: ProcessGuid
+#             selection1: Image = selection2: TargetFileName
+# and new field ImageFileName is coming from enrichment
+#             selection1: Image = ^.+\\<ImageFileName>$
+# Rule must trigger if selection1 and selection2 both occurs in timeframe of 120 sec.
+# Rule logic is currently not supported by SIGMA.
+# Sysmon v.10.0 or newer is required for proper detection.
+status: experimental
+author: Alexey Balandin, oscd.community
+references:
+    - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass/
+tags:
+    - attack.defense_evasion
+date: 2019/10/25
+detection:
+    condition: all of them
+falsepositives:
+    - unknown
+level: high
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        category: process_creation
+fields:
+    - Image
+    - OriginalFileName
+    - ParentProcessGuid
+new_fields:
+    - ImageFileName
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection2:
+        EventID: 11
+fields:
+    - ProcessGuid
+    - TargetFileName
@@ -0,0 +1,34 @@
+title: Dumping ntds.dit remotely via DCSync
+id: 51238c62-2b29-4539-ad75-e94575368a12
+description: ntds.dit retrieving using synchronisation with legitimate domain controller using Directory Replication Service Remote Protocol
+author: Teymur Kheirkhabarov, oscd.community
+date: 2019/10/24
+modified: 2019/11/13
+references:
+    - https://twitter.com/gentilkiwi/status/1003236624925413376
+    - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
+    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+tags:
+    - attack.credential_access
+    - attack.t1003
+logsource:
+    product: windows
+    service: security
+detection:
+    selection1:
+        EventID: 4624
+        ComputerName: '%DomainControllersNamesList%'
+    selection2:
+        IpAddress: '%DomainControllersIpsList%'
+    selection3:
+        EventID: 4662
+        ComputerName: '%DomainControllersNamesList%'
+        SubjectLogonId: '%SuspiciousTargetLogonIdList%'
+        Properties|contains: 
+            - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
+            - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
+    condition: write TargetLogonId from selection1 (if not selection2) to list %SuspiciousTargetLogonIdList%; then if selection3 -> alert
+falsepositives:
+    - Legitimate administrator adding new domain controller to already existing domain
+level: medium
+status: experimental
@@ -0,0 +1,30 @@
+title: Dumping ntds.dit remotely via NetSync
+id: 757b2a11-73e7-411a-bd46-141d906e0167
+description: ntds.dit retrieving (only computer accounts) using synchronisation with legit domain controller using Netlogon Remote Protocol
+author: Teymur Kheirkhabarov, oscd.community
+date: 2019/11/01
+references:
+    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+tags:
+    - attack.credential_access
+    - attack.t1003
+logsource:
+    product: windows
+    service: security
+detection:
+    selection1:
+        EventID: 4624
+        ComputerName: '%DomainControllersNamesList%'
+    selection2:
+        IpAddress: '%DomainControllersIpsList%'
+    selection3:
+        EventID: 5145
+        ComputerName: '%DomainControllersNamesList%'
+        ShareName|contains: '\IPC$'
+        SubjectLogonId: '%SuspiciousTargetLogonIdList%'
+        RelativeTargetName: 'netlogon'
+    condition: write TargetLogonId from selection1 (if not selection2) to list %SuspiciousTargetLogonIdList%; then if selection3 -> alert
+falsepositives:
+    - Legitimate administrator adding new domain controller to already existing domain
+level: medium
+status: experimental
@@ -1,6 +1,8 @@
 title: Python SQL Exceptions
+id: 19aefed0-ffd4-47dc-a7fc-f8b1425e84f9
 description: Generic rule for SQL exceptions in Python according to PEP 249
 author: Thomas Patzke
+date: 2017/08/12
 references:
    - https://www.python.org/dev/peps/pep-0249/#exceptions
 logsource:
@@ -17,4 +19,3 @@ falsepositives:
    - Application bugs
    - Penetration testing
 level: medium
-
@@ -1,7 +1,9 @@
 title: Suspicious SQL Error Messages
+id: 8a670c6d-7189-4b1c-8017-a417ca84a086
 status: experimental
 description: Detects SQL error messages that indicate probing for an injection attack
 author: Bjoern Kimminich
+date: 2017/11/27
 references:
    - http://www.sqlinjection.net/errors
 logsource:
@@ -1,6 +1,8 @@
-title: Django framework exceptions
+title: Django Framework Exceptions
+id: fd435618-981e-4a7c-81f8-f78ce480d616
 description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
+date: 2017/08/05
 references:
    - https://docs.djangoproject.com/en/1.11/ref/exceptions/
    - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
@@ -28,4 +30,3 @@ falsepositives:
    - Application bugs
    - Penetration testing
 level: medium
-
@@ -1,6 +1,8 @@
-title: Ruby on Rails framework exceptions
+title: Ruby on Rails Framework Exceptions
+id: 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a
 description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
 author: Thomas Patzke
+date: 2017/08/06
 references:
    - http://edgeguides.rubyonrails.org/security.html
    - http://guides.rubyonrails.org/action_controller_overview.html
@@ -21,4 +23,3 @@ falsepositives:
    - Application bugs
    - Penetration testing
 level: medium
-
@@ -1,6 +1,8 @@
-title: Spring framework exceptions
+title: Spring Framework Exceptions
+id: ae48ab93-45f7-4051-9dfe-5d30a3f78e33
 description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
 author: Thomas Patzke
+date: 2017/08/06
 references:
    - https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html
 logsource:
@@ -20,4 +22,3 @@ falsepositives:
    - Application bugs
    - Penetration testing
 level: medium
-
@@ -1,33 +0,0 @@
---
-action: global
-title: APT29 Google Update Service Install
-description: 'This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files.' 
-references:
-    - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
-logsource:
-    product: windows
-detection:
-    service:
-        EventID: 7045
-        ServiceName: 'Google Update'
-    timeframe: 5m
-    condition: service | near process
-falsepositives:
-    - Unknown
-level: high
---
-# Windows Audit Log
-detection:
-    process:
-        EventID: 4688 
-        NewProcessName: 
-            - 'C:\Program Files(x86)\Google\GoogleService.exe'
-            - 'C:\Program Files(x86)\Google\GoogleUpdate.exe'
---
-# Sysmon
-detection:
-    process:
-        EventID: 1 
-        Image: 
-            - 'C:\Program Files(x86)\Google\GoogleService.exe'
-            - 'C:\Program Files(x86)\Google\GoogleUpdate.exe'
@@ -1,36 +0,0 @@
---
-action: global
-title: CrackMapExecWin 
-description: Detects CrackMapExecWin Activity as Described by NCSC
-status: experimental
-references:
-    - https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control 
-author: Markus Neis
-detection:
-    condition: 1 of them
-falsepositives: 
-    - None 
-level: critical
---
-# Windows Audit Log
-logsource:
-    product: windows
-    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection1:
-        # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
-        EventID: 4688
-        NewProcessName:
-            - '*\crackmapexec.exe'
---
-# Sysmon
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection1:
-        # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
-        EventID: 1
-        Image:
-            - '*\crackmapexec.exe'
@@ -1,35 +0,0 @@
---
-action: global
-title: Hurricane Panda Activity
-status: experimental
-description: Detects Hurricane Panda Activity 
-references: 
-    - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
-author: Florian Roth
-date: 2018/02/25
-detection:
-    selection:
-        CommandLine: 
-            - '* localgroup administrators admin /add'
-            - '*\Win64.exe*'
-    condition: selection
-falsepositives:
-    - Unknown
-level: high
---
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
---
-logsource:
-    product: windows
-    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-
-
@@ -0,0 +1,33 @@
+title: Silence.Downloader V3
+id: 170901d1-de11-4de7-bccb-8fa13678d857
+status: experimental
+description: Detects Silence downloader. These commands are hardcoded into the binary.
+author: Alina Stepchenkova, Roman Rezvukhin, Group-IB, oscd.community
+date: 2019/11/01
+modified: 2019/11/22
+tags:
+    - attack.persistence
+    - attack.g0091
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_recon:
+        Image|endswith:
+            - '\tasklist.exe'
+            - '\qwinsta.exe'
+            - '\ipconfig.exe'
+            - '\hostname.exe'
+        CommandLine|contains: '>>'
+        CommandLine|endswith: 'temps.dat'
+    selection_persistence:
+        CommandLine|contains: '/C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WinNetworkSecurity" /t REG_SZ /d'
+    condition: selection_recon | near selection_persistence # requires both
+fields:
+    - ComputerName
+    - User
+    - Image
+    - CommandLine
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,34 @@
+title: Silence.EDA Detection
+id: 3ceb2083-a27f-449a-be33-14ec1b7cc973
+status: experimental
+description: Detects Silence empireDNSagent
+author: Alina Stepchenkova, Group-IB, oscd.community
+date: 2019/11/01
+modified: 2019/11/20
+tags:
+    - attack.g0091
+    - attack.s0363
+logsource:
+    product: windows
+    service: powershell
+detection:
+    empire:
+        ScriptBlockText|contains|all:           # better to randomise the order
+            - 'System.Diagnostics.Process'
+            - 'Stop-Computer'
+            - 'Restart-Computer'
+            - 'Exception in execution'
+            - '$cmdargs'
+            - 'Close-Dnscat2Tunnel'
+    dnscat:
+         ScriptBlockText|contains|all:          # better to randomise the order
+            - 'set type=$LookupType`nserver'
+            - '$Command | nslookup 2>&1 | Out-String'
+            - 'New-RandomDNSField'
+            - '[Convert]::ToString($SYNOptions, 16)'
+            - '$Session.Dead = $True'
+            - '$Session["Driver"] -eq'
+    condition: empire and dnscat
+falsepositives:
+    - Unknown
+level: critical
@@ -1,36 +0,0 @@
-
---
-action: global
-title: Sofacy Trojan Loader Activity
-status: experimental
-description: Detects Trojan loader acitivty as used by APT28 
-references: 
-    - https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
-    - https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100
-    - https://twitter.com/ClearskySec/status/960924755355369472
-author: Florian Roth
-date: 2018/03/01
-detection:
-    selection:
-        CommandLine: 
-            - 'rundll32.exe %APPDATA%\*.dat",*'
-            - 'rundll32.exe %APPDATA%\*.dll",#1'
-    condition: selection
-falsepositives:
-    - Unknown
-level: critical
---
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
---
-logsource:
-    product: windows
-    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
@@ -1,38 +0,0 @@
---
-action: global
-title: Turla Group Lateral Movement 
-status: experimental
-description: Detects automated lateral movement by Turla group 
-references:
-    - https://securelist.com/the-epic-turla-operation/65545/
-author: Markus Neis
-date: 2017/11/07
-logsource:
-   product: windows
-   service: sysmon
-falsepositives:
-   - Unknown
---
-detection:
-   selection:
-      EventID: 1
-      CommandLine: 
-         - 'net use \\%DomainController%\C$ "P@ssw0rd" *'
-         - 'dir c:\*.doc* /s'
-         - 'dir %TEMP%\*.exe'
-   condition: selection
-level: critical
---
-detection:
-   netCommand1:
-      EventID: 1
-      CommandLine: 'net view /DOMAIN'
-   netCommand2:
-      EventID: 1
-      CommandLine: 'net session'
-   netCommand3:
-      EventID: 1
-      CommandLine: 'net share'
-   timeframe: 1m
-   condition: netCommand1 | near netCommand1 and netCommand1 
-level: medium
@@ -0,0 +1,24 @@
+title: AWS CloudTrail Important Change
+id: 4db60cc0-36fb-42b7-9b58-a5b53019fb74
+status: experimental
+author: vitaliy0x1
+date: 2020/01/21
+description: Detects disabling, deleting and updating of a Trail
+references:
+  - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
+logsource:
+  service: cloudtrail
+detection:
+  selection_source:
+    - eventSource: cloudtrail.amazonaws.com
+  events:
+    - eventName:
+        - StopLogging
+        - UpdateTrail
+        - DeleteTrail
+  condition: selection_source AND events
+level: medium
+falsepositives:
+    - Valid change in a Trail
+tags:
+  - attack.t1089
@@ -0,0 +1,21 @@
+title: AWS Config Disabling Channel/Recorder
+id: 07330162-dba1-4746-8121-a9647d49d297
+status: experimental
+author: vitaliy0x1
+date: 2020/01/21
+description: Detects AWS Config Service disabling
+logsource:
+  service: cloudtrail
+detection:
+  selection_source:
+    - eventSource: config.amazonaws.com
+  events:
+    - eventName:
+        - DeleteDeliveryChannel
+        - StopConfigurationRecorder
+  condition: selection_source AND events
+level: high
+falsepositives:
+    - Valid change in AWS Config Service
+tags:
+  - attack.t1089
@@ -0,0 +1,24 @@
+title: AWS EC2 Download Userdata
+id: 26ff4080-194e-47e7-9889-ef7602efed0c
+status: experimental
+author: faloker
+date: 2020/02/11
+description: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.
+references:
+    - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__download_userdata/main.py#L24
+logsource:
+    service: cloudtrail
+detection:
+    selection_source:
+        - eventSource: ec2.amazonaws.com
+    selection_requesttype:
+        - requestParameters.attribute: userData
+    selection_eventname:
+        - eventName: DescribeInstanceAttribute
+    timeframe: 30m
+    condition: all of them | count() > 10
+level: medium
+falsepositives:
+    - Assets management software like device42
+tags:
+    - attack.t1020
@@ -0,0 +1,23 @@
+title: AWS EC2 Startup Shell Script Change
+id: 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df
+status: experimental
+author: faloker
+date: 2020/02/12
+description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM everytime the specific instances are booted up.
+references:
+    - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__startup_shell_script/main.py#L9
+logsource:
+    service: cloudtrail
+detection:
+    selection_source:
+        - eventSource: ec2.amazonaws.com
+    selection_userdata:
+        - requestParameters.userData: "*"
+    selection_eventname:
+        - eventName: ModifyInstanceAttribute
+    condition: all of them
+level: high
+falsepositives:
+    - Valid changes to the startup script
+tags:
+    - attack.t1064
@@ -0,0 +1,21 @@
+title: AWS GuardDuty Important Change
+id: 6e61ee20-ce00-4f8d-8aee-bedd8216f7e3
+status: experimental
+author: faloker
+date: 2020/02/11
+description: Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
+references:
+    - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/guardduty__whitelist_ip/main.py#L9
+logsource:
+    service: cloudtrail
+detection:
+    selection_source:
+        - eventSource: guardduty.amazonaws.com
+    selection_eventName:
+        - eventName: CreateIPSet
+    condition: all of them
+level: high
+falsepositives:
+    - Valid change in the GuardDuty (e.g. to ignore internal scanners)
+tags:
+    - attack.t1089
@@ -0,0 +1,29 @@
+title: AWS IAM Backdoor Users Keys
+id: 0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2
+status: experimental
+author: faloker
+date: 2020/02/12
+description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.
+references:
+    - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/iam__backdoor_users_keys/main.py#L6
+logsource:
+    service: cloudtrail
+detection:
+    selection_source:
+        - eventSource: iam.amazonaws.com
+    selection_eventname:
+        - eventName: CreateAccessKey
+    filter:
+        userIdentity.arn|contains: responseElements.accessKey.userName
+    condition: all of selection* and not filter
+fields:
+    - userIdentity.arn
+    - responseElements.accessKey.userName
+    - errorCode
+    - errorMessage
+level: medium
+falsepositives:
+    - Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)
+    - AWS API keys legitimate exchange workflows
+tags:
+    - attack.t1098
@@ -0,0 +1,23 @@
+title: AWS RDS Master Password Change
+id: 8a63cdd4-6207-414a-85bc-7e032bd3c1a2
+status: experimental
+author: faloker
+date: 2020/02/12
+description: Detects the change of database master password. It may be a part of data exfiltration.
+references:
+    - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10
+logsource:
+    service: cloudtrail
+detection:
+    selection_source:
+        - eventSource: rds.amazonaws.com
+    selection_modified_values:
+        - responseElements.pendingModifiedValues.masterUserPassword: "*"
+    selection_eventname:
+        - eventName: ModifyDBInstance
+    condition: all of them
+level: medium
+falsepositives:
+    - Benign changes to a db instance
+tags:
+    - attack.t1020
@@ -0,0 +1,23 @@
+title: Restore Public AWS RDS Instance
+id: c3f265c7-ff03-4056-8ab2-d486227b4599
+status: experimental
+author: faloker
+date: 2020/02/12
+description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.
+references:
+    - https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10
+logsource:
+    service: cloudtrail
+detection:
+    selection_source:
+        - eventSource: rds.amazonaws.com
+    selection_ispublic:
+        - responseElements.publiclyAccessible: "true"
+    selection_eventname:
+        - eventName: RestoreDBInstanceFromDBSnapshot
+    condition: all of them
+level: high
+falsepositives:
+    - unknown
+tags:
+    - attack.t1020
@@ -0,0 +1,21 @@
+title: AWS Root Credentials
+id: 8ad1600d-e9dc-4251-b0ee-a65268f29add
+status: experimental
+author: vitaliy0x1
+date: 2020/01/21
+description: Detects AWS root account usage
+references:
+  - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
+logsource:
+  service: cloudtrail
+detection:
+  selection_usertype:
+    - userIdentity.type: Root
+  selection_eventtype:
+    - eventType: AwsServiceEvent
+  condition: selection_usertype AND NOT selection_eventtype
+level: medium
+falsepositives:
+    - AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
+tags:
+  - attack.t1078
@@ -0,0 +1,111 @@
+action: global
+title: Cleartext Protocol Usage
+id: 7e4bfe58-4a47-4709-828d-d86c78b7cc1f
+description: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption
+    is used for all sensitive information in transit. Ensure that an encrypted channels is used  for all administrative account access.
+references:
+    - https://www.cisecurity.org/controls/cis-controls-list/
+    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
+author: Alexandr Yampolskyi, SOC Prime
+status: stable
+date: 2019/03/26
+falsepositives:
+    - unknown
+level: low
+tags:
+    - CSC4
+    - CSC4.5
+    - CSC14
+    - CSC14.4
+    - CSC16
+    - CSC16.5
+    - NIST CSF 1.1 PR.AT-2
+    - NIST CSF 1.1 PR.MA-2
+    - NIST CSF 1.1 PR.PT-3
+    - NIST CSF 1.1 PR.AC-1
+    - NIST CSF 1.1 PR.AC-4
+    - NIST CSF 1.1 PR.AC-5
+    - NIST CSF 1.1 PR.AC-6
+    - NIST CSF 1.1 PR.AC-7
+    - NIST CSF 1.1 PR.DS-1
+    - NIST CSF 1.1 PR.DS-2
+    - NIST CSF 1.1 PR.PT-3
+    - NIST CSF 1.1 PR.PT-3
+    - ISO 27002-2013 A.9.2.1
+    - ISO 27002-2013 A.9.2.2
+    - ISO 27002-2013 A.9.2.3
+    - ISO 27002-2013 A.9.2.4
+    - ISO 27002-2013 A.9.2.5
+    - ISO 27002-2013 A.9.2.6
+    - ISO 27002-2013 A.9.3.1
+    - ISO 27002-2013 A.9.4.1
+    - ISO 27002-2013 A.9.4.2
+    - ISO 27002-2013 A.9.4.3
+    - ISO 27002-2013 A.9.4.4
+    - ISO 27002-2013 A.8.3.1
+    - ISO 27002-2013 A.9.1.1
+    - ISO 27002-2013 A.10.1.1
+    - PCI DSS 3.2 2.1
+    - PCI DSS 3.2 8.1
+    - PCI DSS 3.2 8.2
+    - PCI DSS 3.2 8.3
+    - PCI DSS 3.2 8.7
+    - PCI DSS 3.2 8.8
+    - PCI DSS 3.2 1.3
+    - PCI DSS 3.2 1.4
+    - PCI DSS 3.2 4.3
+    - PCI DSS 3.2 7.1
+    - PCI DSS 3.2 7.2
+    - PCI DSS 3.2 7.3
+---
+logsource:
+    product: netflow
+detection:
+    selection:
+        destination.port:
+            - 8080
+            - 21
+            - 80
+            - 23
+            - 50000
+            - 1521
+            - 27017
+            - 1433
+            - 11211
+            - 3306
+            - 15672
+            - 5900
+            - 5901
+            - 5902
+            - 5903
+            - 5904
+    condition: selection
+---
+logsource:
+    product: firewall
+detection:
+    selection1:
+        destination.port:
+            - 8080
+            - 21
+            - 80
+            - 23
+            - 50000
+            - 1521
+            - 27017
+            - 3306
+            - 1433
+            - 11211
+            - 15672
+            - 5900
+            - 5901
+            - 5902
+            - 5903
+            - 5904
+    selection2:
+        action:
+            - forward
+            - accept
+            - 2
+    condition: selection1 AND selection2
@@ -0,0 +1,109 @@
+title: Default Credentials Usage
+id: 1a395cbc-a84a-463a-9086-ed8a70e573c7
+description: Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. Sigma detects default credentials
+    usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
+author: Alexandr Yampolskyi, SOC Prime
+status: stable
+references:
+    - https://www.cisecurity.org/controls/cis-controls-list/
+    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
+    - https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists
+date: 2019/03/26
+logsource:
+    product: qualys
+detection:
+    selection:
+        host.scan.vuln:
+            - 10693
+            - 11507
+            - 11633
+            - 11804
+            - 11821
+            - 11847
+            - 11867
+            - 11931
+            - 11935
+            - 11950
+            - 12541
+            - 12558
+            - 12559
+            - 12560
+            - 12562
+            - 12563
+            - 12565
+            - 12587
+            - 12590
+            - 12599
+            - 12702
+            - 12705
+            - 12706
+            - 12907
+            - 12928
+            - 12929
+            - 13053
+            - 13178
+            - 13200
+            - 13218
+            - 13241
+            - 13253
+            - 13274
+            - 13296
+            - 13301
+            - 13327
+            - 13373
+            - 13374
+            - 13409
+            - 13530
+            - 13532
+            - 20065
+            - 20073
+            - 20081
+            - 27202
+            - 27358
+            - 38702
+            - 38719
+            - 42045
+            - 42417
+            - 43029
+            - 43220
+            - 43221
+            - 43222
+            - 43223
+            - 43225
+            - 43246
+            - 43431
+            - 43484
+            - 86857
+            - 87098
+            - 87106
+    condition: selection
+falsepositives:
+    - unknown
+level: medium
+tags:
+    - CSC4
+    - CSC4.2
+    - NIST CSF 1.1 PR.AC-4
+    - NIST CSF 1.1 PR.AT-2
+    - NIST CSF 1.1 PR.MA-2
+    - NIST CSF 1.1 PR.PT-3
+    - ISO 27002-2013 A.9.1.1
+    - ISO 27002-2013 A.9.2.2
+    - ISO 27002-2013 A.9.2.3
+    - ISO 27002-2013 A.9.2.4
+    - ISO 27002-2013 A.9.2.5
+    - ISO 27002-2013 A.9.2.6
+    - ISO 27002-2013 A.9.3.1
+    - ISO 27002-2013 A.9.4.1
+    - ISO 27002-2013 A.9.4.2
+    - ISO 27002-2013 A.9.4.3
+    - ISO 27002-2013 A.9.4.4
+    - PCI DSS 3.2 2.1
+    - PCI DSS 3.2 7.1
+    - PCI DSS 3.2 7.2
+    - PCI DSS 3.2 7.3
+    - PCI DSS 3.2 8.1
+    - PCI DSS 3.2 8.2
+    - PCI DSS 3.2 8.3
+    - PCI DSS 3.2 8.7
@@ -0,0 +1,61 @@
+title: Group Modification Logging
+id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e
+description: "Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. Sigma detects\
+    \ Event ID 4728 indicates a \u2018Member is added to a Security Group\u2019. Event ID 4729 indicates a \u2018Member is removed from a Security enabled-group\u2019\
+    . Event ID 4730 indicates a\u2018Security Group is deleted\u2019. The case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2\
+    \ and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP."
+author: Alexandr Yampolskyi, SOC Prime
+status: stable
+references:
+    - https://www.cisecurity.org/controls/cis-controls-list/
+    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634
+date: 2019/03/26
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID:
+            - 4728
+            - 4729
+            - 4730
+            - 633
+            - 632
+            - 634
+    condition: selection
+falsepositives:
+    - unknown
+level: low
+tags:
+    - CSC4
+    - CSC4.8
+    - NIST CSF 1.1 PR.AC-4
+    - NIST CSF 1.1 PR.AT-2
+    - NIST CSF 1.1 PR.MA-2
+    - NIST CSF 1.1 PR.PT-3
+    - ISO 27002-2013 A.9.1.1
+    - ISO 27002-2013 A.9.2.2
+    - ISO 27002-2013 A.9.2.3
+    - ISO 27002-2013 A.9.2.4
+    - ISO 27002-2013 A.9.2.5
+    - ISO 27002-2013 A.9.2.6
+    - ISO 27002-2013 A.9.3.1
+    - ISO 27002-2013 A.9.4.1
+    - ISO 27002-2013 A.9.4.2
+    - ISO 27002-2013 A.9.4.3
+    - ISO 27002-2013 A.9.4.4
+    - PCI DSS 3.2 2.1
+    - PCI DSS 3.2 7.1
+    - PCI DSS 3.2 7.2
+    - PCI DSS 3.2 7.3
+    - PCI DSS 3.2 8.1
+    - PCI DSS 3.2 8.2
+    - PCI DSS 3.2 8.3
+    - PCI DSS 3.2 8.7
@@ -0,0 +1,30 @@
+title: Host Without Firewall
+id: 6b2066c8-3dc7-4db7-9db0-6cc1d7b0dde9
+description: Host Without Firewall. Alert means not complied. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
+author: Alexandr Yampolskyi, SOC Prime
+references:
+    - https://www.cisecurity.org/controls/cis-controls-list/
+    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
+date: 2019/03/19
+status: stable
+level: low
+logsource:
+    product: Qualys
+detection:
+    selection:
+        event.category: Security Policy
+        host.scan.vuln_name: Firewall Product Not Detected*
+    condition: selection
+tags:
+    - CSC9
+    - CSC9.4
+    - NIST CSF 1.1 PR.AC-5
+    - NIST CSF 1.1 PR.AC-6
+    - NIST CSF 1.1 PR.AC-7
+    - NIST CSF 1.1 DE.AE-1
+    - ISO 27002-2013 A.9.1.2
+    - ISO 27002-2013 A.13.2.1
+    - ISO 27002-2013 A.13.2.2
+    - ISO 27002-2013 A.14.1.2
+    - PCI DSS 3.2 1.4
@@ -0,0 +1,47 @@
+title: Locked Workstation
+id: 411742ad-89b0-49cb-a7b0-3971b5c1e0a4
+description: Automatically lock workstation sessions after a standard period of inactivity. The case is not applicable for Unix OS. Supported OS - Windows 2008 R2
+    and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019.
+author: Alexandr Yampolskyi, SOC Prime
+status: stable
+references:
+    - https://www.cisecurity.org/controls/cis-controls-list/
+    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
+    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800
+date: 2019/03/26
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID:
+            - 4800
+    condition: selection
+falsepositives:
+    - unknown
+level: low
+tags:
+    - CSC16
+    - CSC16.11
+    - ISO27002-2013 A.9.1.1
+    - ISO27002-2013 A.9.2.1
+    - ISO27002-2013 A.9.2.2
+    - ISO27002-2013 A.9.2.3
+    - ISO27002-2013 A.9.2.4
+    - ISO27002-2013 A.9.2.5
+    - ISO27002-2013 A.9.2.6
+    - ISO27002-2013 A.9.3.1
+    - ISO27002-2013 A.9.4.1
+    - ISO27002-2013 A.9.4.3
+    - ISO27002-2013 A.11.2.8
+    - PCI DSS 3.1 7.1
+    - PCI DSS 3.1 7.2
+    - PCI DSS 3.1 7.3
+    - PCI DSS 3.1 8.7
+    - PCI DSS 3.1 8.8
+    - NIST CSF 1.1 PR.AC-1
+    - NIST CSF 1.1 PR.AC-4
+    - NIST CSF 1.1 PR.AC-6
+    - NIST CSF 1.1 PR.AC-7
+    - NIST CSF 1.1 PR.PT-3
@@ -0,0 +1,25 @@
+title: Brute Force
+id: 53c7cca0-2901-493a-95db-d00d6fcf0a37
+description: Detects many authentication failures from one source to one destination which is may indicate Brute Force activity
+tags:
+    - attack.t1110
+author: Aleksandr Akhremchik, oscd.community
+date: 2019/10/25
+status: experimental
+logsource:
+    category: authentication
+detection:
+    selection:
+         action: failure
+    timeframe: 600s
+    condition: selection | count(category) by dst_ip > 30
+fields:
+    - src_ip
+    - dst_ip
+    - user
+falsepositives:
+    - Inventarization
+    - Penetration testing
+    - Vulnerability scanner
+    - Legitimate application
+level: medium
@@ -0,0 +1,31 @@
+title: Edit of .bash_profile and .bashrc
+id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9
+status: experimental
+description: Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.
+references:
+    - 'MITRE Attack technique T1156; .bash_profile and .bashrc. '
+date: 2019/05/12
+tags:
+    - attack.s0003
+    - attack.t1156
+    - attack.persistence
+author: Peter Matkovski
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'PATH'
+        name:
+            - '/home/*/.bashrc'
+            - '/home/*/.bash_profile'
+            - '/home/*/.profile'
+            - '/etc/profile'
+            - '/etc/shells'
+            - '/etc/bashrc'
+            - '/etc/csh.cshrc'
+            - '/etc/csh.login'
+    condition: selection
+falsepositives:
+    - Admin or User activity
+level: medium
@@ -0,0 +1,34 @@
+title: Auditing Configuration Changes on Linux Host
+id: 977ef627-4539-4875-adf4-ed8f780c4922
+description: Detect changes in auditd configuration files
+    # Example config for this one (place it at the top of audit.rules)
+    # -w /etc/audit/ -p wa -k etc_modify_auditconfig
+    # -w /etc/libaudit.conf -p wa -k etc_modify_libauditconfig
+    # -w /etc/audisp/ -p wa -k etc_modify_audispconfig
+references:
+    - https://github.com/Neo23x0/auditd/blob/master/audit.rules
+    - self experience
+tags:
+    - attack.defense_evasion
+    - attack.t1054
+author: Mikhail Larin, oscd.community
+status: experimental
+date: 2019/10/25
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: PATH
+        name:
+            - /etc/audit/*
+            - /etc/libaudit.conf
+            - /etc/audisp/*
+    condition: selection
+fields:
+    - exe
+    - comm
+    - key
+falsepositives:
+    - Legitimate administrative activity
+level: high
@@ -0,0 +1,24 @@
+title: Modification of ld.so.preload
+id: 4b3cb710-5e83-4715-8c45-8b2b5b3e5751
+description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
+date: 2019/10/24
+modified: 2019/11/11
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.yaml
+    - https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
+tags:
+    - attack.defense_evasion
+    - attack.t1055
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'PATH'
+        name: '/etc/ld.so.preload'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,33 @@
+title: Logging Configuration Changes on Linux Host
+id: c830f15d-6f6e-430f-8074-6f73d6807841
+description: Detect changes of syslog daemons configuration files
+    # Example config for this one (place it at the top of audit.rules)
+    # -w /etc/syslog.conf -p wa -k etc_modify_syslogconfig
+    # -w /etc/rsyslog.conf -p wa -k etc_modify_rsyslogconfig
+    # -w /etc/syslog-ng/syslog-ng.conf -p wa -k etc_modify_syslogngconfig
+references:
+    - self experience
+tags:
+    - attack.defense_evasion
+    - attack.t1054
+author: Mikhail Larin, oscd.community
+status: experimental
+date: 2019/10/25
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'PATH'
+        name:
+            - /etc/syslog.conf
+            - /etc/rsyslog.conf
+            - /etc/syslog-ng/syslog-ng.conf
+    condition: selection
+fields:
+    - exe
+    - comm
+    - key
+falsepositives:
+    - Legitimate administrative activity
+level: high
@@ -0,0 +1,24 @@
+title: Masquerading as Linux Crond Process
+id: 9d4548fa-bba0-4e88-bd66-5d5bf516cda0
+status: experimental
+description: Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and
+    observation. Several different variations of this technique have been observed.
+author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.yaml
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'execve'
+        a0: 'cp'
+        a1: '-i'
+        a2: '/bin/sh'
+        a3: '*/crond'
+    condition: selection
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1036
@@ -1,28 +1,32 @@
-title: Detects Suspicious Commands on Linux systems
+title: Suspicious Commands Linux
+id: 1543ae20-cbdf-4ec1-8d12-7664d667a825
 status: experimental
 description: Detects relevant commands often related to malware or hacking activity
 references:
-    - 'Internal Research - mostly derived from exploit code including code in MSF'
+    - Internal Research - mostly derived from exploit code including code in MSF
 date: 2017/12/12
 author: Florian Roth
 logsource:
    product: linux
    service: auditd
 detection:
-    cmds:
-        - type: 'EXECVE'
-          a0: 'chmod'
-          a1: '777'
-        - type: 'EXECVE'
-          a0: 'chmod'
-          a1: 'u+s'
-        - type: 'EXECVE'
-          a0: 'cp'
-          a1: '/bin/ksh'
-        - type: 'EXECVE'
-          a0: 'cp'
-          a1: '/bin/sh'
-    condition: 1 of cmds
+    cmd1:
+        type: 'EXECVE'
+        a0: 'chmod'
+        a1: '777'
+    cmd2:
+        type: 'EXECVE'
+        a0: 'chmod'
+        a1: 'u+s'
+    cmd3:
+        type: 'EXECVE'
+        a0: 'cp'
+        a1: '/bin/ksh'
+    cmd4:
+        type: 'EXECVE'
+        a0: 'cp'
+        a1: '/bin/sh'
+    condition: 1 of them
 falsepositives:
    - Admin activity
-level: medium
+level: medium
@@ -1,8 +1,9 @@
 title: Program Executions in Suspicious Folders
+id: a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc
 status: experimental
 description: Detects program executions in suspicious non-program folders related to malware or hacking activity
 references:
-    - 'Internal Research'
+    - Internal Research
 date: 2018/01/23
 author: Florian Roth
 logsource:
@@ -0,0 +1,26 @@
+title: System Owner or User Discovery
+id: 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3
+status: experimental
+description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not
+    the adversary fully infects the target and/or attempts specific actions.
+author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'EXECVE'
+        a0:
+            - 'users'
+            - 'w'
+            - 'who'
+    condition: selection
+falsepositives:
+    - Admin activity
+level: low
+tags:
+    - attack.discovery
+    - attack.t1033
@@ -0,0 +1,25 @@
+title: Webshell Remote Command Execution
+id: c0d3734d-330f-4a03-aae2-65dacc6a8222
+status: experimental
+description: Detects posible command execution by web application/web shell
+tags:
+    - attack.persistence
+    - attack.t1100
+references:
+    - personal experience
+author: Ilyas Ochkov, Beyu Denis, oscd.community
+date: 2019/10/12
+modified: 2019/11/04
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'SYSCALL'
+        SYSCALL: 'execve'
+        key: 'detect_execve_www'
+    condition: selection
+falsepositives:
+    - Admin activity
+    - Crazy web applications
+level: critical
@@ -0,0 +1,32 @@
+title: Data Compressed
+id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee
+status: experimental
+description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount
+    of data sent over the network
+author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+modified: 2019/11/04
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection1:
+        type: 'execve'
+        a0: 'zip'
+    selection2:
+        type: 'execve'
+        a0: 'gzip'
+        a1: '-f'
+    selection3:
+        type: 'execve'
+        a0: 'tar'
+        a1|contains: '-c'
+    condition: 1 of them
+falsepositives:
+    - Legitimate use of archiving tools by legitimate user
+level: low
+tags:
+    - attack.exfiltration
+    - attack.t1002
@@ -0,0 +1,32 @@
+title: Network Sniffing
+id: f4d3748a-65d1-4806-bd23-e25728081d01
+status: experimental
+description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary
+    may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+modified: 2019/11/04
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection1:
+        type: 'execve'
+        a0: 'tcpdump'
+        a1: '-c'
+        a3|contains: '-i'
+    selection2:
+        type: 'execve'
+        a0: 'tshark'
+        a1: '-c'
+        a3: '-i'
+    condition: selection1 or selection2
+falsepositives:
+    - Legitimate administrator or user uses network sniffing tool for legitimate reason
+level: low
+tags:
+    - attack.credential_access
+    - attack.discovery
+    - attack.t1040
@@ -1,8 +1,14 @@
 title: Equation Group Indicators
+id: 41e5c73d-9983-4b69-bd03-e13b67e9623c
 description: Detects suspicious shell commands used in various Equation Group scripts and tools
 references:
    - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
+tags:
+    - attack.execution
+    - attack.g0020
+    - attack.t1059
 author: Florian Roth
+date: 2017/04/09
 logsource:
    product: linux
 detection:
@@ -64,7 +70,6 @@ detection:
        - 'chmod 755 /usr/vmsys/bin/pipe'
        - 'chmod -R 755 /usr/vmsys'
        - 'chmod 755 $opbin/*tunnel'
-        - '< /dev/console | uudecode && uncompress'
        - 'chmod 700 sendmail'
        - 'chmod 0700 sendmail'
        - '/usr/bin/wget http*sendmail;chmod +x sendmail;'
@@ -1,9 +1,12 @@
 title: Buffer Overflow Attempts
-description: Detects buffer overflow attempts in Linux system log files
+id: 18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781
+description: Detects buffer overflow attempts in Unix system log files
+author: Florian Roth
+date: 2017/03/01
 references:
    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
 logsource:
-    product: linux
+    product: unix
 detection:
    keywords:
        - 'attempt to execute code on stack by'
@@ -0,0 +1,23 @@
+title: Remove Immutable File Attribute
+id: a5b977d6-8a81-4475-91b9-49dbfcd941f7
+description: Detects removing immutable file attribute
+status: experimental
+tags:
+    - attack.defense_evasion
+    - attack.t1222
+author: Jakob Weinzettl, oscd.community
+date: 2019/09/23
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'EXECVE'
+        a0|contains: 'chattr'
+        a1|contains: '-i'
+    condition: selection
+falsepositives:
+    - Administrator interacting with immutable files (for instance backups)
+level: medium
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml
@@ -1,5 +1,8 @@
 title: Relevant ClamAV Message
+id: 36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb
 description: Detects relevant ClamAV messages
+author: Florian Roth
+date: 2017/03/01
 references:
    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/clam_av_rules.xml
 logsource:
@@ -0,0 +1,25 @@
+title: Overwriting the File with Dev Zero or Null
+id: 37222991-11e9-4b6d-8bdf-60fbe48f753e
+date: 2019/10/23
+description: Detects overwriting (effectively wiping/deleting) the file
+author: Jakob Weinzettl, oscd.community
+tags:
+    - attack.impact
+    - attack.t1485
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'EXECVE'
+        a0|contains: 'dd'   
+        a1|contains:
+            - 'if=/dev/null'    
+            - 'if=/dev/zero'    
+    condition: selection
+falsepositives:
+    - Appending null bytes to files
+    - Legitimate overwrite of files
+level: low
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.yaml
@@ -0,0 +1,24 @@
+title: File or Folder Permissions Change
+description: Detects 
+id: 74c01ace-0152-4094-8ae2-6fd776dd43e5
+status: experimental
+tags:
+    - attack.defense_evasion
+    - attack.t1222
+author: Jakob Weinzettl, oscd.community
+date: 2019/09/23
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'EXECVE'
+        a0|contains:
+            - 'chmod'
+            - 'chown'
+    condition: selection
+falsepositives:
+    - User interracting with files permissions (normal/daily behaviour)
+level: low
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml
@@ -0,0 +1,27 @@
+title: Systemd Service Reload or Start
+id: 2625cc59-0634-40d0-821e-cb67382a3dd7
+description: Detects a reload or a start of a service
+status: experimental
+tags:
+    - attack.persistence
+    - attack.t1501
+author: Jakob Weinzettl, oscd.community
+date: 2019/09/23
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: 'EXECVE'
+        a0|contains: 'systemctl'
+        a1|contains:
+            - 'daemon-reload'
+            - 'start'
+    condition: selection
+falsepositives:
+    - Installation of legitimate service
+    - Legitimate reconfiguration of service
+level: low
+references:
+    - https://attack.mitre.org/techniques/T1501/
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1501/T1501.yaml
@@ -0,0 +1,31 @@
+title: Clear Command History
+id: fdc88d25-96fb-4b7c-9633-c0e417fdbd4e
+status: experimental
+description: Clear command history in linux which is used for defense evasion.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1146/T1146.yaml
+    - https://attack.mitre.org/techniques/T1146/
+    - https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics
+author: Patrick Bareiss
+date: 2019/03/24
+logsource:
+    product: linux
+detection:
+    keywords:
+        - 'rm *bash_history'
+        - 'echo "" > *bash_history'
+        - 'cat /dev/null > *bash_history' 
+        - 'ln -sf /dev/null *bash_history'
+        - 'truncate -s0 *bash_history'
+        # - 'unset HISTFILE'  # prone to false positives
+        - 'export HISTFILESIZE=0'
+        - 'history -c'
+        - 'history -w'
+        - 'shred *bash_history'
+    condition: keywords
+falsepositives:
+    - Unknown
+level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1146
@@ -0,0 +1,70 @@
+title: Privilege Escalation Preparation
+id: 444ade84-c362-4260-b1f3-e45e20e1a905
+status: experimental
+description: Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation.
+references:
+    - https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
+    - https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/
+author: Patrick Bareiss
+date: 2019/04/05
+tags:
+    - attack.privilege_escalation
+    - attack.t1068
+level: medium
+logsource:
+    product: linux
+detection:
+    keywords:
+        # distribution type and kernel version
+        - 'cat /etc/issue'
+        - 'cat /etc/*-release'
+        - 'cat /proc/version'
+        - 'uname -a'
+        - 'uname -mrs'
+        - 'rpm -q kernel'
+        - 'dmesg | grep Linux'
+        - 'ls /boot | grep vmlinuz-'
+        # environment variables
+        - 'cat /etc/profile'
+        - 'cat /etc/bashrc'
+        - 'cat ~/.bash_profile'
+        - 'cat ~/.bashrc'
+        - 'cat ~/.bash_logout'
+        # applications and services as root
+        - 'ps -aux | grep root'
+        - 'ps -ef | grep root'
+        # scheduled tasks
+        - 'crontab -l'
+        - 'cat /etc/cron*'
+        - 'cat /etc/cron.allow'
+        - 'cat /etc/cron.deny'
+        - 'cat /etc/crontab'
+        # search for plain text user/passwords
+        - 'grep -i user *'
+        - 'grep -i pass *'
+        # networking
+        - 'ifconfig'
+        - 'cat /etc/network/interfaces'
+        - 'cat /etc/sysconfig/network'
+        - 'cat /etc/resolv.conf'
+        - 'cat /etc/networks'
+        - 'iptables -L'
+        - 'lsof -i'
+        - 'netstat -antup'
+        - 'netstat -antpx'
+        - 'netstat -tulpn'
+        - 'arp -e'
+        - 'route'
+        # sensitive files
+        - 'cat /etc/passwd'
+        - 'cat /etc/group'
+        - 'cat /etc/shadow'
+        # sticky bits
+        - 'find / -perm -u=s'
+        - 'find / -perm -g=s'
+        - 'find / -perm -4000'
+        - 'find / -perm -2000'
+    timeframe: 30m
+    condition: keywords | count() by host > 6
+falsepositives:
+    - Troubleshooting on Linux Machines
@@ -1,4 +1,5 @@
 title: Suspicious Activity in Shell Commands
+id: 2aa1440c-9ae9-4d92-84a7-a9e5f5e31695
 description: Detects suspicious shell commands used in various exploit codes (see references)
 references:
    - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html
@@ -6,6 +7,8 @@ references:
    - http://pastebin.com/FtygZ1cg
    - https://artkond.com/2017/03/23/pivoting-guide/
 author: Florian Roth
+date: 2017/08/21
+modified: 2019/02/05
 logsource:
    product: linux
 detection:
@@ -15,30 +18,37 @@ detection:
        - 'wget * - http* | sh'
        - 'wget * - http* | bash'
        - 'python -m SimpleHTTPServer'
-        - 'import pty; pty.spawn'
+        - '-m http.server'  # Python 3
+        - 'import pty; pty.spawn*'
+        - 'socat exec:*'
+        - 'socat -O /tmp/*'
+        - 'socat tcp-connect*'
+        - '*echo binary >>*'
        # Malware 
        - '*wget *; chmod +x*'
        - '*wget *; chmod 777 *'
        - '*cd /tmp || cd /var/run || cd /mnt*'
        # Apache Struts in-the-wild exploit codes  
-        - 'stop;service iptables stop;'
-        - 'stop;SuSEfirewall2 stop;'
-        - 'chmod 777 2020'
-        - '">>/etc/rc.local;'
-        - 'wget -c *;chmod 777'
+        - '*stop;service iptables stop;*'
+        - '*stop;SuSEfirewall2 stop;*'
+        - 'chmod 777 2020*'
+        - '*>>/etc/rc.local'
        # Metasploit framework exploit codes
-        - 'base64 -d /tmp/'
-        - ' | base64 -d'
-        - '/bin/chmod u+s'
-        - 'chmod +s /tmp/'
-        - 'chmod u+s /tmp/'
-        - '/tmp/haxhax'
-        - '/tmp/ns_sploit'
-        - 'nc -l -p '
-        - 'cp /bin/ksh '
-        - 'cp /bin/sh '
-        - ' /tmp/*.b64 '
-        - '/tmp/ysocereal.jar'
+        - '*base64 -d /tmp/*'
+        - '* | base64 -d *'
+        - '*/chmod u+s *'
+        - '*chmod +s /tmp/*'
+        - '*chmod u+s /tmp/*'
+        - '* /tmp/haxhax*'
+        - '* /tmp/ns_sploit*'
+        - 'nc -l -p *'
+        - 'cp /bin/ksh *'
+        - 'cp /bin/sh *'
+        - '* /tmp/*.b64 *'
+        - '*/tmp/ysocereal.jar*'
+        - '*/tmp/x *'
+        - '*; chmod +x /tmp/*'
+        - '*;chmod +x /tmp/*'
    condition: keywords
 falsepositives:
    - Unknown
@@ -1,16 +1,16 @@
 title: Suspicious Log Entries
+id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1
 description: Detects suspicious log entries in Linux log files
 author: Florian Roth
+date: 2017/03/25
 logsource:
    product: linux
 detection:
    keywords:
-        # Generic suspicious log lines
-        - 'entered promiscuous mode'
-        # OSSEC https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml
-        - 'Deactivating service'
-        - 'Oversized packet received from'  
-        - 'imuxsock begins to drop messages'      
+        - entered promiscuous mode
+        - Deactivating service
+        - Oversized packet received from
+        - imuxsock begins to drop messages
    condition: keywords
 falsepositives:
    - Unknown
@@ -0,0 +1,41 @@
+title: Suspicious Reverse Shell Command Line
+id: 738d9bcf-6999-4fdb-b4ac-3033037db8ab
+status: experimental
+description: Detects suspicious shell commands or program code that may be exected or used in command line to establish a reverse shell
+references:
+    - https://alamot.github.io/reverse_shells/
+author: Florian Roth
+date: 2019/04/02
+logsource:
+    product: linux
+detection:
+    keywords:
+        - 'BEGIN {s = "/inet/tcp/0/'
+        - 'bash -i >& /dev/tcp/'
+        - 'bash -i >& /dev/udp/'
+        - 'sh -i >$ /dev/udp/'
+        - 'sh -i >$ /dev/tcp/'
+        - '&& while read line 0<&5; do'
+        - '/bin/bash -c exec 5<>/dev/tcp/'
+        - '/bin/bash -c exec 5<>/dev/udp/'
+        - 'nc -e /bin/sh '
+        - '/bin/sh | nc'
+        - 'rm -f backpipe; mknod /tmp/backpipe p && nc '
+        - ';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i))))'
+        - ';STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
+        - '/bin/sh -i <&3 >&3 2>&3'
+        - 'uname -a; w; id; /bin/bash -i'
+        - '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()};'
+        - ";os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv('HISTFILE','/dev/null');"
+        - '.to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
+        - ';while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print'
+        - "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:"
+        - 'rm -f /tmp/p; mknod /tmp/p p &&'
+        - ' | /bin/bash | telnet '
+        - ',echo=0,raw tcp-listen:'
+        - 'nc -lvvp '
+        - 'xterm -display 1'
+    condition: keywords
+falsepositives:
+    - Unknown
+level: high
@@ -1,5 +1,8 @@
 title: Shellshock Expression
+id: c67e0c98-4d39-46ee-8f6b-437ebf6b950e
 description: Detects shellshock expressions in log files
+date: 2017/03/14
+author: Florian Roth
 references:
    - http://rubular.com/r/zxBfjWfFYs
 logsource:
@@ -0,0 +1,17 @@
+title: SSHD Error Message CVE-2018-15473
+id: 4c9d903d-4939-4094-ade0-3cb748f4d7da
+description: Detects exploitation attempt using public exploit code for CVE-2018-15473
+references:
+    - https://github.com/Rhynorater/CVE-2018-15473-Exploit
+author: Florian Roth
+date: 2017/08/24
+logsource:
+    product: linux
+    service: sshd
+detection:
+    keywords:
+        - 'error: buffer_get_ret: trying to get more bytes 1907 than in buffer 308 [preauth]'
+    condition: keywords
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,33 @@
+action: global
+title: Sudo Privilege Escalation CVE-2019-14287
+id: f74107df-b6c6-4e80-bf00-4170b658162b
+status: experimental
+description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
+references:
+    - https://www.openwall.com/lists/oss-security/2019/10/14/1
+    - https://access.redhat.com/security/cve/cve-2019-14287
+    - https://twitter.com/matthieugarin/status/1183970598210412546
+author: Florian Roth
+date: 2019/10/15
+modified: 2019/10/20
+tags:
+    - attack.privilege_escalation
+    - attack.t1068
+    - attack.t1169
+logsource:
+    product: linux
+falsepositives:
+    - Unlikely
+level: critical
+---
+detection:
+    selection_keywords:
+        - '* -u#*'
+    condition: selection_keywords
+--- 
+detection:
+    selection_user:
+        USER:
+            - '#-*'
+            - '#*4294967295'
+    condition: selection_user
@@ -1,18 +1,20 @@
-title: Multiple Failed Logins with Different Accounts from Single Source System
+title: Failed Logins with Different Accounts from Single Source System
+id: fc947f8e-ea81-4b14-9a7b-13f888f94e18
+author: Florian Roth
+date: 2017/02/16
 description: Detects suspicious failed logins with different user accounts from a single source system
 logsource:
    product: linux
    service: auth
 detection:
    selection:
-        pam_message: "authentication failure"
+        pam_message: authentication failure
        pam_user: '*'
        pam_rhost: '*'
-    timeframe: 24h 
+    timeframe: 24h
    condition: selection | count(pam_user) by pam_rhost > 3
 falsepositives:
    - Terminal servers
    - Jump servers
-    - Workstations with frequently changing users 
+    - Workstations with frequently changing users
 level: medium
-
@@ -0,0 +1,18 @@
+title: JexBoss Command Sequence
+id: 8ec2c8b4-557a-4121-b87c-5dfb3a602fae
+description: Detects suspicious command sequence that JexBoss
+references:
+    - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
+author: Florian Roth
+date: 2017/08/24
+logsource:
+    product: linux
+detection:
+    selection1: 
+        - 'bash -c /bin/bash'
+    selection2:
+        - '&/dev/tcp/'
+    condition: selection1 and selection2
+falsepositives:
+    - Unknown
+level: high
@@ -1,6 +1,7 @@
 title: Suspicious Named Error
+id: c8e35e96-19ce-4f16-aeb6-fd5588dc5365
 status: experimental
-description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 
+description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
 references:
    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml
 author: Florian Roth
@@ -1,5 +1,6 @@
 title: Suspicious SSHD Error
-description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 
+id: e76b413a-83d0-4b94-8e4c-85db4a5b8bdc
+description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
 references:
    - https://github.com/openssh/openssh-portable/blob/master/ssherr.c
    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml
@@ -1,5 +1,6 @@
 title: Suspicious VSFTPD Error Messages
-description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 
+id: 377f33a1-4b36-4ee1-acee-1dbe4b43cfbe
+description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
 references:
    - https://github.com/dagwieers/vsftpd/
 author: Florian Roth
@@ -30,4 +31,3 @@ detection:
 falsepositives:
    - Unknown
 level: medium
-
@@ -1,5 +1,8 @@
 title: Multiple Modsecurity Blocks
-description: Detects multiple blocks by the mod_security module (Web Application Firewall) 
+id: a06eea10-d932-4aa6-8ba9-186df72c8d23
+description: Detects multiple blocks by the mod_security module (Web Application Firewall)
+date: 2017/02/28
+author: Florian Roth
 logsource:
    product: linux
    service: modsecurity
@@ -8,10 +11,9 @@ detection:
        - 'mod_security: Access denied'
        - 'ModSecurity: Access denied'
        - 'mod_security-message: Access denied'
-    timeframe: 120m 
+    timeframe: 120m
    condition: selection | count() > 6
 falsepositives:
    - Vulnerability scanners
    - Frequent attacks if system faces Internet
 level: medium
-
@@ -0,0 +1,31 @@
+title: Cisco Clear Logs
+id: ceb407f6-8277-439b-951f-e4210e3ed956
+status: experimental
+description: Clear command history in network OS which is used for defense evasion.
+references:
+    - https://attack.mitre.org/techniques/T1146/
+    - https://attack.mitre.org/techniques/T1070/
+author: Austin Clark
+date: 2019/08/12
+tags:
+    - attack.defense_evasion
+    - attack.t1146
+    - attack.t1070
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - src
+    - CmdSet
+    - User
+    - Privilege_Level
+    - Remote_Address
+detection:
+    keywords:
+        - 'clear logging'
+        - 'clear archive'
+    condition: keywords
+falsepositives:
+    - Legitimate administrators may run these commands.
+level: high
@@ -0,0 +1,39 @@
+title: Cisco Collect Data
+id: cd072b25-a418-4f98-8ebc-5093fb38fe1a
+status: experimental
+description: Collect pertinent data from the configuration files
+references:
+    - https://attack.mitre.org/techniques/T1087/
+    - https://attack.mitre.org/techniques/T1003/
+    - https://attack.mitre.org/techniques/T1081/
+    - https://attack.mitre.org/techniques/T1005/
+author: Austin Clark
+date: 2019/08/11
+tags:
+    - attack.discovery
+    - attack.credential_access
+    - attack.collection
+    - attack.t1087
+    - attack.t1003
+    - attack.t1081
+    - attack.t1005
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - src
+    - CmdSet
+    - User
+    - Privilege_Level
+    - Remote_Address
+detection:
+    keywords:
+        - 'show running-config'
+        - 'show startup-config'
+        - 'show archive config'
+        - 'more'
+    condition: keywords
+falsepositives:
+    - Commonly run by administrators.
+level: low
@@ -0,0 +1,33 @@
+title: Cisco Crypto Commands
+id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d
+status: experimental
+description: Show when private keys are being exported from the device, or when new certificates are installed.
+references:
+    - https://attack.mitre.org/techniques/T1145/
+    - https://attack.mitre.org/techniques/T1130/
+author: Austin Clark
+date: 2019/08/12
+tags:
+    - attack.credential_access
+    - attack.defense_evasion
+    - attack.t1130
+    - attack.t1145
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - src
+    - CmdSet
+    - User
+    - Privilege_Level
+    - Remote_Address
+detection:
+    keywords:
+        - 'crypto pki export'
+        - 'crypto pki import'
+        - 'crypto pki trustpoint'
+    condition: keywords
+falsepositives:
+    - Not commonly run by administrators.  Also whitelist your known good certificates.
+level: high
@@ -0,0 +1,29 @@
+title: Cisco Disabling Logging
+id: 9e8f6035-88bf-4a63-96b6-b17c0508257e
+status: experimental
+description: Turn off logging locally or remote
+references:
+    - https://attack.mitre.org/techniques/T1089
+author: Austin Clark
+date: 2019/08/11
+tags:
+    - attack.defense_evasion
+    - attack.t1089
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - src
+    - CmdSet
+    - User
+    - Privilege_Level
+    - Remote_Address
+detection:
+    keywords:
+        - 'no logging'
+        - 'no aaa new-model'
+    condition: keywords
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,46 @@
+title: Cisco Discovery
+id: 9705a6a1-6db6-4a16-a987-15b7151e299b
+status: experimental
+description: Find information about network devices that are not stored in config files.
+references:
+    - https://attack.mitre.org/tactics/TA0007/
+author: Austin Clark
+date: 2019/08/12
+tags:
+    - attack.discovery
+    - attack.t1083
+    - attack.t1201
+    - attack.t1057
+    - attack.t1018
+    - attack.t1082
+    - attack.t1016
+    - attack.t1049
+    - attack.t1033
+    - attack.t1124
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - src
+    - CmdSet
+    - User
+    - Privilege_Level
+    - Remote_Address
+detection:
+    keywords:
+        - 'dir'
+        - 'show processes'
+        - 'show arp'
+        - 'show cdp'
+        - 'show version'
+        - 'show ip route'
+        - 'show ip interface'
+        - 'show ip sockets'
+        - 'show users'
+        - 'show ssh'
+        - 'show clock'
+    condition: keywords
+falsepositives:
+    - Commonly used by administrators for troubleshooting
+level: low
@@ -0,0 +1,28 @@
+title: Cisco Denial of Service
+id: d94a35f0-7a29-45f6-90a0-80df6159967c
+status: experimental
+description: Detect a system being shutdown or put into different boot mode
+references:
+    - https://attack.mitre.org/techniques/T1499/
+    - https://attack.mitre.org/techniques/T1495/
+author: Austin Clark
+date: 2019/08/15
+tags:
+    - attack.impact
+    - attack.t1499
+    - attack.t1495
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - CmdSet
+detection:
+    keywords:
+        - 'shutdown'
+        - 'config-register 0x2100'
+        - 'config-register 0x2142'
+    condition: keywords
+falsepositives:
+    - Legitimate administrators may run these commands, though rarely.
+level: medium
@@ -0,0 +1,31 @@
+title: Cisco Show Commands Input
+id: 71d65515-c436-43c0-841b-236b1f32c21e
+status: experimental
+description: See what files are being deleted from flash file systems
+references:
+    - https://attack.mitre.org/techniques/T1107/
+    - https://attack.mitre.org/techniques/T1488/
+    - https://attack.mitre.org/techniques/T1487/
+author: Austin Clark
+date: 2019/08/12
+tags:
+    - attack.defense_evasion
+    - attack.impact
+    - attack.t1107
+    - attack.t1488
+    - attack.t1487
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - CmdSet
+detection:
+    keywords:
+        - 'erase'
+        - 'delete'
+        - 'format'
+    condition: keywords
+falsepositives:
+    - Will be used sometimes by admins to clean up local flash space.
+level: medium
@@ -0,0 +1,29 @@
+title: Cisco Show Commands Input
+id: b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b
+status: experimental
+description: See what commands are being input into the device by other people, full credentials can be in the history
+references:
+    - https://attack.mitre.org/techniques/T1056/
+    - https://attack.mitre.org/techniques/T1139/
+author: Austin Clark
+date: 2019/08/11
+tags:
+    - attack.collection
+    - attack.credential_access
+    - attack.t1139
+    - attack.t1056
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - CmdSet
+detection:
+    keywords:
+        - 'show history'
+        - 'show history all'
+        - 'show logging'
+    condition: keywords
+falsepositives:
+    - Not commonly run by administrators, especially if remote logging is configured.
+level: medium
@@ -0,0 +1,27 @@
+title: Cisco Local Accounts
+id: 6d844f0f-1c18-41af-8f19-33e7654edfc3
+status: experimental
+description: Find local accounts being created or modified as well as remote authentication configurations
+references:
+    - https://attack.mitre.org/techniques/T1098/
+    - https://attack.mitre.org/techniques/T1136/
+author: Austin Clark
+date: 2019/08/12
+tags:
+    - attack.persistence
+    - attack.t1136
+    - attack.t1098
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - CmdSet
+detection:
+    keywords:
+        - 'username'
+        - 'aaa'
+    condition: keywords
+falsepositives:
+    - When remote authentication is in place, this should not change often.
+level: high
@@ -0,0 +1,38 @@
+title: Cisco Modify Configuration
+id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b
+status: experimental
+description: Modifications to a config that will serve an adversary's impacts or persistence
+references:
+    - https://attack.mitre.org/techniques/T1100/
+    - https://attack.mitre.org/techniques/T1168/
+    - https://attack.mitre.org/techniques/T1493/
+author: Austin Clark
+date: 2019/08/12
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.impact
+    - attack.t1493
+    - attack.t1100
+    - attack.t1168
+    - attack.t1490
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - CmdSet
+detection:
+    keywords:
+        - 'ip http server'
+        - 'ip https server'
+        - 'kron policy-list'
+        - 'kron occurrence'
+        - 'policy-list'
+        - 'access-list'
+        - 'ip access-group'
+        - 'archive maximum'
+    condition: keywords
+falsepositives:
+    - Legitimate administrators may run these commands.
+level: medium
@@ -0,0 +1,39 @@
+title: Cisco Stage Data
+id: 5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59
+status: experimental
+description: Various protocols maybe used to put data on the device for exfil or infil
+references:
+    - https://attack.mitre.org/techniques/T1074/
+    - https://attack.mitre.org/techniques/T1105/
+    - https://attack.mitre.org/techniques/T1498/
+    - https://attack.mitre.org/techniques/T1002/
+author: Austin Clark
+date: 2019/08/12
+tags:
+    - attack.collection
+    - attack.lateral_movement
+    - attack.command_and_control
+    - attack.exfiltration
+    - attack.impact
+    - attack.t1074
+    - attack.t1105
+    - attack.t1492
+    - attack.t1002
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - CmdSet
+detection:
+    keywords:
+        - 'tftp'
+        - 'rcp'
+        - 'puts'
+        - 'copy'
+        - 'configure replace'
+        - 'archive tar'
+    condition: keywords
+falsepositives:
+    - Generally used to copy configs or IOS images.
+level: low
@@ -0,0 +1,27 @@
+title: Cisco Sniffing
+id: b9e1f193-d236-4451-aaae-2f3d2102120d
+status: experimental
+description: Show when a monitor or a span/rspan is setup or modified
+references:
+    - https://attack.mitre.org/techniques/T1040
+author: Austin Clark
+date: 2019/08/11
+tags:
+    - attack.credential_access
+    - attack.discovery
+    - attack.t1040
+logsource:
+    product: cisco
+    service: aaa
+    category: accounting
+fields:
+    - CmdSet
+detection:
+    keywords:
+        - 'monitor capture point'
+        - 'set span'
+        - 'set rspan'
+    condition: keywords
+falsepositives:
+    - Admins may setup new or modify old spans, or use a monitor for troubleshooting.
+level: medium
@@ -1,18 +1,23 @@
 title: Equation Group C2 Communication
+id: 881834a4-6659-4773-821e-1c151789d873
 description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
 references:
-    - 'https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation'
-    - 'https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195'
+    - https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
+    - https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
+tags:
+    - attack.command_and_control
+    - attack.g0020
 author: Florian Roth
+date: 2017/04/15
 logsource:
-    product: firewall
+    category: firewall
 detection:
    outgoing:
-        dst:
+        dst_ip:
            - '69.42.98.86'
            - '89.185.234.145'
    incoming:
-        src:
+        src_ip:
            - '69.42.98.86'
            - '89.185.234.145'
    condition: 1 of them
@@ -0,0 +1,22 @@
+title: Possible DNS Tunneling
+id: 1ec4b281-aa65-46a2-bdae-5fd830ed914e
+status: experimental
+description: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain,
+    which can be an indicator that DNS is used to transfer data.
+references:
+    - https://zeltser.com/c2-dns-tunneling/
+    - https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/
+author: Patrick Bareiss
+date: 2019/04/07
+logsource:
+    category: dns
+detection:
+    selection:
+        parent_domain: '*'
+    condition: selection | count(dns_query) by parent_domain > 1000
+falsepositives:
+    - Valid software, which uses dns for transferring data
+level: high
+tags:
+    - attack.t1048
+    - attack.exfiltration
@@ -0,0 +1,29 @@
+action: global
+title: High DNS Bytes Out
+id: 0f6c1bf5-70a5-4963-aef9-aab1eefb50bd
+description: High DNS queries bytes amount from host per short period of time
+status: experimental
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+tags:
+    - attack.exfiltration
+    - attack.t1048
+falsepositives:
+    - Legitimate high DNS bytes out rate to domain name which should be added to whitelist
+level: medium
+---
+logsource:
+    category: dns
+detection:
+    selection:
+        query: '*'
+    timeframe: 1m
+    condition: selection | sum(question_length) by src_ip > 300000
+---
+logsource:
+    category: firewall
+detection:
+    selection:
+        dst_port: 53
+    timeframe: 1m
+    condition: selection | sum(message_size) by src_ip > 300000
@@ -0,0 +1,29 @@
+action: global
+title: High DNS Requests Rate
+id: b4163085-4001-46a3-a79a-55d8bbbc7a3a
+description: High DNS requests amount from host per short period of time
+status: experimental
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+tags:
+    - attack.exfiltration
+    - attack.t1048
+falsepositives:
+    - Legitimate high DNS requests rate to domain name which should be added to whitelist
+level: medium
+---
+logsource:
+    category: dns
+detection:
+    selection:
+        query: '*'
+    timeframe: 1m
+    condition: selection | count() by src_ip > 1000
+---
+logsource:
+    category: firewall
+detection:
+    selection:    
+        dst_port: 53
+    timeframe: 1m
+    condition: selection | count() by src_ip > 1000
--- a/Show More
+++ b/Show More