Sigma tools release 0.7.1

Corrected class B private IP range to prevent false negatives

.travis.yml

@@ -1,7 +1,10 @@
 language: python
+dist: xenial
 python:
   - 3.5
   - 3.6
+  - 3.7
+sudo: true
 services:
     - elasticsearch
 cache: pip

Makefile

@@ -1,6 +1,6 @@
 .PHONY: test test-yaml test-sigmac
-TMPOUT = $(shell tempfile)
-COVSCOPE = tools/sigma/*.py,tools/sigmac,tools/merge_sigma
+TMPOUT = $(shell tempfile||mktemp)
+COVSCOPE = tools/sigma/*.py,tools/sigma/backends/*.py,tools/sigmac,tools/merge_sigma
 test: clearcov test-yaml test-sigmac test-merge build finish
 
 clearcov:
@@ -20,15 +20,19 @@ test-sigmac:
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t graylog rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkxml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t wdatp rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-dsl rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t powershell -c tools/config/powershell-windows-all.yml -Ocsv rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight -c tools/config/arcsight.yml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qradar -c tools/config/arcsight.yml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qualys -c tools/config/qualys.yml rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=stable,logsource=windows' rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t netwitness -c tools/config/netwitness.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sumologic -c tools/config/sumologic.yml rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=stable,logsource=windows,tag=attack.execution' rules/ > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=xcritical,status=stable,logsource=windows' rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level=critical' rules/ > /dev/null
@@ -48,7 +52,8 @@ test-sigmac:
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t grep rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t fieldlist rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -O output=plain -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -o $(TMPOUT) tests/collection_repeat.yml > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -O output=json -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -o $(TMPOUT) - < tests/collection_repeat.yml > /dev/null
 	! coverage run -a --include=$(COVSCOPE)  tools/sigmac -t xpack-watcher -O output=foobar -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/not_existing.yml > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/invalid_yaml.yml > /dev/null

README.md

@@ -94,14 +94,19 @@ merges multiple YAML documents of a Sigma rule collection into simple Sigma rule
 
 ### Supported Targets
 
-* [Splunk](https://www.splunk.com/)
-* [ElasticSearch](https://www.elastic.co/)
+* [Splunk](https://www.splunk.com/) (plainqueries and dashboards)
+* [ElasticSearch Query Strings](https://www.elastic.co/)
 * [ElasticSearch Query DSL](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl.html)
 * [Kibana](https://www.elastic.co/de/products/kibana)
 * [Elastic X-Pack Watcher](https://www.elastic.co/guide/en/x-pack/current/xpack-alerting.html)
 * [Logpoint](https://www.logpoint.com)
 * [Windows Defender Advanced Threat Protection (WDATP)](https://www.microsoft.com/en-us/windowsforbusiness/windows-atp)
-* Grep with Perl-compatible regular expression support
+* [ArcSight](https://software.microfocus.com/en-us/products/siem-security-information-event-management/overview)
+* [QRadar](https://www.ibm.com/de-de/marketplace/ibm-qradar-siem)
+* [Qualys](https://www.qualys.com/apps/threat-protection/)
+* [RSA NetWitness](https://www.rsa.com/en-us/products/threat-detection-response)
+* [PowerShell](https://docs.microsoft.com/en-us/powershell/scripting/getting-started/getting-started-with-windows-powershell?view=powershell-6)
+* [Grep](https://www.gnu.org/software/grep/manual/grep.html) with Perl-compatible regular expression support
 
 Current work-in-progress
 * [Splunk Data Models](https://docs.splunk.com/Documentation/Splunk/7.1.0/Knowledge/Aboutdatamodels)
@@ -132,6 +137,30 @@ For development (e.g. execution of integration tests with `make` and packaging),
 pip3 install -r tools/requirements-devel.txt
 ```
 
+## Sigma2MISP
+
+Import Sigma rules to MISP events. Depends on PyMISP.
+
+Parameters that aren't changed frequently (`--url`, `--key`) can be put without the prefixing dashes `--` into a file
+and included with `@filename` as parameter on the command line.
+
+Example:
+*misp.conf*:
+```
+url https://host
+key foobarfoobarfoobarfoobarfoobarfoobarfoo 
+```
+
+Load Sigma rule into MISP event 1234:
+```
+sigma2misp @misp.conf --event 1234 sigma_rule.py
+```
+
+Load Sigma rules in directory sigma_rules/ into one newly created MISP event with info set to *Test Event*:
+```
+sigma2misp @misp.conf --same-event --info "Test Event" -r sigma_rules/
+```
+
 ## Evt2Sigma
 
 [Evt2Sigma](https://github.com/Neo23x0/evt2sigma) helps you with the rule creation. It generates a Sigma rule from a log entry. 
@@ -157,6 +186,7 @@ These tools are not part of the main toolchain and maintained separately by thei
 * [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches) (Splunk App)
 * [SOC Prime - Sigma Rule Editor](https://tdm.socprime.com/sigma/)
 * [ypsilon](https://github.com/P4T12ICK/ypsilon) - Automated Use Case Testing 
+* [uncoder.io](https://uncoder.io/) - Online Translator for SIEM Searches
 * [SPARK](https://www.nextron-systems.com/2018/06/28/spark-applies-sigma-rules-in-eventlog-scan/) - Scan with Sigma rules on endpoints
 
 # Licenses

contrib/sigma2elastalert.py

@@ -102,13 +102,13 @@ def rule_element(file_content, elements):
     :return: the value of the key in the yaml document
     """
     try:
-        yaml.load(file_content.replace("---",""))
+        yaml.safe_load(file_content.replace("---",""))
     except:
         raise Exception('Unsupported')
     element_output = ""
     for e in elements:
         try:
-            element_output = yaml.load(file_content.replace("---",""))[e]
+            element_output = yaml.safe_load(file_content.replace("---",""))[e]
         except:
             pass
     if element_output is None:

rules/apt/apt_apt29_thinktanks.yml

@@ -0,0 +1,32 @@
+---
+action: global
+title: APT29 
+description: 'This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks' 
+references:
+    - https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
+logsource:
+    product: windows
+author: Florian Roth
+date: 2018/12/04 
+detection:
+    condition: selection
+falsepositives:
+    - unknown
+level: critical
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        CommandLine: '*-noni -ep bypass $*'
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+        ProcessCommandLine: '*-noni -ep bypass $*'

rules/apt/apt_apt29_tor.yml

@@ -4,6 +4,10 @@ title: APT29 Google Update Service Install
 description: 'This method detects malicious services mentioned in APT29 report by FireEye. The legitimate path for the Google update service is C:\Program Files (x86)\Google\Update\GoogleUpdate.exe so the service names and executable locations used by APT29 are specific enough to be detected in log files.' 
 references:
     - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
+tags:
+    - attack.command_and_control
+    - attack.g0016
+    - attack.t1172
 logsource:
     product: windows
 detection:

rules/apt/apt_carbonpaper_turla.yml

@@ -2,6 +2,10 @@ title: Turla Service Install
 description: 'This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET' 
 references:
     - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
+tags:
+    - attack.command_and_control
+    - attack.g0010
+    - attack.t1050
 logsource:
     product: windows
     service: system

rules/apt/apt_chafer_mar18.yml

@@ -4,6 +4,8 @@ title: Chafer Activity
 description: Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018 
 references:
     - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
+tags:
+    - attack.g0049
 date: 2018/03/23
 author: Florian Roth, Markus Neis
 detection:

rules/apt/apt_cloudhopper.yml

@@ -3,6 +3,10 @@ description: Detects suspicious file execution by wscript and cscript
 author: Florian Roth
 references:
     - https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+tags:
+    - attack.execution
+    - attack.g0045
+    - attack.t1064
 logsource:
     product: windows
     service: sysmon

rules/apt/apt_dragonfly.yml

@@ -5,6 +5,8 @@ description: Detects CrackMapExecWin Activity as Described by NCSC
 status: experimental
 references:
     - https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control 
+tags:
+    - attack.g0035
 author: Markus Neis
 detection:
     condition: 1 of them
@@ -16,7 +18,7 @@ level: critical
 logsource:
     product: windows
     service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
     selection1:
         # Does not require group policy 'Audit Process Creation' > Include command line in process creation events

rules/apt/apt_elise.yml

@@ -3,6 +3,10 @@ status: experimental
 description: Detects Elise backdoor acitivty as used by APT32 
 references: 
     - https://community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting
+tags:
+    - attack.g0030
+    - attack.g0050
+    - attack.s0081
 author: Florian Roth
 date: 2018/01/31
 logsource:

rules/apt/apt_equationgroup_c2.yml

@@ -3,16 +3,19 @@ description: Detects communication to C2 servers mentioned in the operational no
 references:
     - 'https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation'
     - 'https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195'
+tags:
+    - attack.command_and_control
+    - attack.g0020
 author: Florian Roth
 logsource:
-    product: firewall
+    category: firewall
 detection:
     outgoing:
-        dst:
+        dst_ip:
             - '69.42.98.86'
             - '89.185.234.145'
     incoming:
-        src:
+        src_ip:
             - '69.42.98.86'
             - '89.185.234.145'
     condition: 1 of them

rules/apt/apt_equationgroup_dll_u_load.yml

@@ -6,14 +6,14 @@ references:
     - https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
     - https://securelist.com/apt-slingshot/84312/
     - https://twitter.com/cyb3rops/status/972186477512839170
+tags:
+    - attack.execution
+    - attack.g0020
+    - attack.t1059
 author: Florian Roth
 date: 2018/03/10 
+modified: 2018/12/11
 detection:
-    selection1:
-        Image: '*\rundll32.exe'
-        CommandLine: '*,dll_u'
-    selection2:
-        CommandLine: '* -export dll_u *'
     condition: 1 of them
 falsepositives:
     - Unknown
@@ -25,15 +25,21 @@ logsource:
 detection:
     selection1:
         EventID: 1
+        Image: '*\rundll32.exe'
+        CommandLine: '*,dll_u'
     selection2:
         EventID: 1
+        CommandLine: '* -export dll_u *'
 ---
 logsource:
     product: windows
     service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
     selection1:
         EventID: 4688
+        Image: '*\rundll32.exe'
+        ProcessCommandLine: '*,dll_u'
     selection2:
-        EventID: 4688
+        EventID: 4688
+        ProcessCommandLine: '* -export dll_u *'

rules/apt/apt_equationgroup_lnx.yml

@@ -2,6 +2,10 @@ title: Equation Group Indicators
 description: Detects suspicious shell commands used in various Equation Group scripts and tools
 references:
     - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
+tags:
+    - attack.execution
+    - attack.g0020
+    - attack.t1059
 author: Florian Roth
 logsource:
     product: linux

rules/apt/apt_hurricane_panda.yml

@@ -5,13 +5,14 @@ status: experimental
 description: Detects Hurricane Panda Activity 
 references: 
     - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
+tags:
+    - attack.privilege_escalation
+    - attack.g0009
+    - attack.t1068
 author: Florian Roth
 date: 2018/02/25
+modified: 2018/12/11
 detection:
-    selection:
-        CommandLine: 
-            - '* localgroup administrators admin /add'
-            - '*\Win64.exe*'
     condition: selection
 falsepositives:
     - Unknown
@@ -23,13 +24,19 @@ logsource:
 detection:
     selection:
         EventID: 1
+        CommandLine: 
+            - '* localgroup administrators admin /add'
+            - '*\Win64.exe*'
 ---
 logsource:
     product: windows
     service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
     selection:
         EventID: 4688
+        ProcessCommandLine: 
+            - '* localgroup administrators admin /add'
+            - '*\Win64.exe*'
 
 

rules/apt/apt_pandemic.yml

@@ -4,6 +4,9 @@ description: Detects Pandemic Windows Implant
 references:
     - https://wikileaks.org/vault7/#Pandemic
     - https://twitter.com/MalwareJake/status/870349480356454401
+tags:
+    - attack.lateral_movement
+    - attack.t1105
 author: Florian Roth
 logsource:
     product: windows

rules/apt/apt_slingshot.yml

@@ -4,12 +4,14 @@ title: Defrag Deactivation
 description: Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group
 references:
     - https://securelist.com/apt-slingshot/84312/
+tags:
+    - attack.persistence
 author: Florian Roth
 date: 2018/03/10
 logsource:
     product: windows
     service: security
-    description: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'       
+    definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'       
 detection:
     condition: selection
 falsepositives:
@@ -28,7 +30,7 @@ detection:
 logsource:
     product: windows
     service: security
-    description: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'       
+    definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'       
 detection:
     selection:
         EventID: 4701

rules/apt/apt_sofacy.yml

@@ -1,4 +1,3 @@
-
 ---
 action: global
 title: Sofacy Trojan Loader Activity
@@ -8,13 +7,12 @@ references:
     - https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
     - https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100
     - https://twitter.com/ClearskySec/status/960924755355369472
+tags:
+    - attack.g0007
 author: Florian Roth
 date: 2018/03/01
+modified: 2018/12/11
 detection:
-    selection:
-        CommandLine: 
-            - 'rundll32.exe %APPDATA%\*.dat",*'
-            - 'rundll32.exe %APPDATA%\*.dll",#1'
     condition: selection
 falsepositives:
     - Unknown
@@ -26,11 +24,17 @@ logsource:
 detection:
     selection:
         EventID: 1
+        CommandLine: 
+            - 'rundll32.exe %APPDATA%\*.dat",*'
+            - 'rundll32.exe %APPDATA%\*.dll",#1'
 ---
 logsource:
     product: windows
     service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
     selection:
-        EventID: 4688
+        EventID: 4688
+        ProcessCommandLine: 
+            - 'rundll32.exe %APPDATA%\*.dat",*'
+            - 'rundll32.exe %APPDATA%\*.dll",#1'

rules/apt/apt_sofacy_zebrocy.yml

@@ -0,0 +1,34 @@
+---
+action: global
+title: Sofacy Zebrocy
+description: Detects Sofacy's Zebrocy malware execution
+references:
+    - https://app.any.run/tasks/54acca9a-394e-4384-a0c8-91a96d36c81d
+tags:
+    - attack.execution
+    - attack.g0020
+    - attack.t1059
+author: Florian Roth
+date: 2018/03/10
+detection:
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        CommandLine: '*cmd.exe /c SYSTEMINFO & TASKLIST'
+---
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+        ProcessCommandLine: '*cmd.exe /c SYSTEMINFO & TASKLIST'

rules/apt/apt_stonedrill.yml

@@ -3,6 +3,10 @@ description: 'This method detects a service install of the malicious Microsoft N
 author: Florian Roth
 references:
     - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
+tags:
+    - attack.persistence
+    - attack.g0064
+    - attack.t1050
 logsource:
     product: windows
     service: system

rules/apt/apt_ta17_293a_ps.yml

@@ -2,6 +2,10 @@ title: Ps.exe Renamed SysInternals Tool
 description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A report
 references:
     - https://www.us-cert.gov/ncas/alerts/TA17-293A
+tags:
+    - attack.defense_evasion
+    - attack.g0035
+    - attack.t1036
 author: Florian Roth
 date: 2017/10/22
 logsource:

rules/apt/apt_tropictrooper.yml

@@ -0,0 +1,34 @@
+action: global
+title: TropicTrooper Campaign November 2018
+status: stable
+description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
+references:
+    - https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
+author: "@41thexplorer, Windows Defender ATP"
+date: 2018/11/30
+modified: 2018/12/11
+tags:
+    - attack.execution
+    - attack.t1085
+detection:
+    condition: selection
+level: high
+---
+# Windows Security Eventlog: Process Creation with Full Command Line
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+        ProcessCommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
+---
+# Sysmon: Process Creation (ID 1)
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'

rules/apt/apt_turla_commands.yml

@@ -5,6 +5,9 @@ status: experimental
 description: Detects automated lateral movement by Turla group 
 references:
     - https://securelist.com/the-epic-turla-operation/65545/
+tags:
+    - attack.lateral_movement
+    - attack.g0010
 author: Markus Neis
 date: 2017/11/07
 logsource:
@@ -34,5 +37,5 @@ detection:
       EventID: 1
       CommandLine: 'net share'
    timeframe: 1m
-   condition: netCommand1 | near netCommand1 and netCommand1 
+   condition: netCommand1 | near netCommand2 and netCommand3 
 level: medium

rules/apt/apt_turla_namedpipes.yml

@@ -4,11 +4,13 @@ description: Detects a named pipe used by Turla group samples
 references:
     - Internal Research
 date: 2017/11/06
+tags:
+    - attack.g0010
 author: Markus Neis
 logsource:
     product: windows
     service: sysmon
-    description: 'Note that you have to configure logging for PipeEvents in Symson config'
+    definition: 'Note that you have to configure logging for PipeEvents in Symson config'
 detection:
     selection:
         EventID: 

rules/apt/apt_turla_service_png.yml

@@ -0,0 +1,21 @@
+title: Turla PNG Dropper Service
+description: 'This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018' 
+references:
+    - https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
+author: Florian Roth
+date: 2018/11/23
+tags:
+    - attack.command_and_control
+    - attack.g0016
+    - attack.t1172
+logsource:
+    product: windows
+    service: system
+detection:
+    selection:
+        EventID: 7045
+        ServiceName: 'WerFaultSvc'
+    condition: selection
+falsepositives:
+    - unlikely
+level: critical

rules/apt/apt_unidentified_nov_18.yml

@@ -0,0 +1,44 @@
+action: global
+title: Unidentified Attacker November 2018
+status: stable
+description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.
+references:
+    - https://twitter.com/DrunkBinary/status/1063075530180886529
+author: "@41thexplorer, Windows Defender ATP"
+date: 2018/11/20
+modified: 2018/12/11
+tags:
+    - attack.execution
+    - attack.t1085
+detection:
+    condition: selection
+level: high
+---
+# Windows Security Eventlog: Process Creation with Full Command Line
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+        ProcessCommandLine: '*cyzfc.dat, PointFunctionCall'
+---
+# Sysmon: Process Creation (ID 1)
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        CommandLine: '*cyzfc.dat, PointFunctionCall'
+---
+# Sysmon: File Creation (ID 11)
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 11
+        TargetFilename: 
+            - '*ds7002.lnk*' 

rules/apt/apt_zxshell.yml

@@ -3,6 +3,8 @@ description: Detects a ZxShell start by the called and well-known function name
 author: Florian Roth
 references:
     - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
+tags:
+    - attack.g0001
 logsource:
     product: windows
     service: sysmon

rules/linux/lnx_buffer_overflows.yml

@@ -1,9 +1,9 @@
 title: Buffer Overflow Attempts
-description: Detects buffer overflow attempts in Linux system log files
+description: Detects buffer overflow attempts in Unix system log files
 references:
     - https://github.com/ossec/ossec-hids/blob/master/etc/rules/attack_rules.xml
 logsource:
-    product: linux
+    product: unix
 detection:
     keywords:
         - 'attempt to execute code on stack by'

rules/linux/lnx_ssh_cve_2018_15473.yml

@@ -0,0 +1,16 @@
+title: SSHD Error Message CVE-2018-15473
+description: Detects exploitation attempt using public exploit code for CVE-2018-15473
+references:
+    - https://github.com/Rhynorater/CVE-2018-15473-Exploit
+author: Florian Roth
+date: 2017/08/24
+logsource:
+    product: linux
+    service: sshd
+detection:
+    keywords:
+        - 'error: buffer_get_ret: trying to get more bytes 1907 than in buffer 308 [preauth]'
+    condition: keywords
+falsepositives:
+    - Unknown
+level: medium

rules/linux/lnx_susp_jexboss.yml

@@ -0,0 +1,17 @@
+title: JexBoss Command Sequence
+description: Detects suspicious command sequence that JexBoss
+references:
+    - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
+author: Florian Roth
+date: 2017/08/24
+logsource:
+    product: linux
+detection:
+    selection1: 
+        - 'bash -c /bin/bash'
+    selection2:
+        - '&/dev/tcp/'
+    condition: selection1 and selection2
+falsepositives:
+    - Unknown
+level: high

rules/network/net_susp_dns_txt_exec_strings.yml

@@ -0,0 +1,22 @@
+title: DNS TXT Answer with possible execution strings    
+status: experimental
+description: Detects strings used in command execution in DNS TXT Answer 
+references:
+    - https://twitter.com/stvemillertime/status/1024707932447854592
+    - https://github.com/samratashok/nishang/blob/master/Backdoors/DNS_TXT_Pwnage.ps1
+tags:
+    - attack.t1071
+author: Markus Neis
+date: 2018/08/08
+logsource:
+    category: dns
+detection:
+    selection:
+        answer:
+            - '*IEX*'
+            - '*Invoke-Expression*'
+            - '*cmd.exe*'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules/proxy/proxy_cobalt_amazon.yml

@@ -0,0 +1,27 @@
+title: CobaltStrike Malleable Amazon browsing traffic profile
+status: experimental
+description: Detects Malleable Amazon Profile 
+references:
+    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/amazon.profile
+    - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
+author: Markus Neis
+tags:
+    - attack.t1102
+logsource:
+    category: proxy
+detection:
+    selection1:
+      UserAgent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
+      HttpMethod: 'GET'
+      URL: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'
+      Host: 'www.amazon.com'
+      Cookie: '*=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'
+    selection2:
+      UserAgent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
+      HttpMethod: 'POST'
+      URL: '/N4215/adj/amzn.us.sr.aps'
+      Host: 'www.amazon.com'
+    condition: selection1 or selection2
+falsepositives:
+    - Unknown
+level: high

rules/proxy/proxy_empty_ua.yml

@@ -8,9 +8,8 @@ logsource:
     category: proxy
 detection:
     selection:
-      UserAgent:
-        # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString 
-        - ''
+      # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString 
+      UserAgent: ''
     condition: selection
 fields:
     - ClientIP

rules/proxy/proxy_ua_apt.yml

@@ -1,46 +1,50 @@
-title: APT User Agent
-status: experimental
-description: Detects suspicious user agent strings used in APT malware in proxy logs
-references:
-    - Internal Research
-author: Florian Roth
-logsource:
-    category: proxy
-detection:
-    selection:
-      UserAgent:
-         # APT Related
-        - 'SJZJ (compatible; MSIE 6.0; Win32)'  # APT Backspace
-        - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0'  # APT GrizzlySteppe - ChopStick - US CERT https://goo.gl/1DTHwi
-        - 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC'  # Comment Crew Miniasp
-        - 'Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)'  # Comment Crew Miniasp
-        - 'webclient'  # Naikon APT
-        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200'  # Naikon APT
-        - 'Mozilla/4.0 (compatible; MSI 6.0;'  # SnowGlobe Babar - yes, it is cut
-        - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0'  # Sofacy - Xtunnel
-        - 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/'  # Sofacy - Xtunnel
-        - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2'  # Sofacy - Xtunnel
-        - 'Mozilla/4.0'  # Derusbi backdoor ELF https://github.com/fideliscyber/indicators/tree/master/FTA-1021
-        - 'Netscape'  # Unit78020 Malware 
-        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7'  # Unit78020 Malware
-        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1'  # Winnti related
-        - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)'  # Winnti related
-        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)'  # APT17
-        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)'  # Bronze Butler - Daserf
-        - 'Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)'  # Bronze Butler - Daserf
-        - 'Mozilla/4.0 (compatible; MSIE 8.0; Win32)'  # TSCookie https://app.any.run/tasks/0996b314-5133-491b-8d23-d431ffdec597
-        - 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1'  # Delphi downloader https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
-        - 'Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)'  # VPNFilter https://blog.talosintelligence.com/2018/05/VPNFilter.html
-        - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)'  # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
-        - 'Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko'  # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
-        - 'Mozilla v5.1 *'  # Sofacy Zebrocy samples 
-        - 'MSIE 8.0'  # Sofacy Azzy Backdoor  from https://www.hybrid-analysis.com/sample/a80e29c0757bee05338fd5c22a542d852ad86c477068e3eb4aacc1c3e59e2eef?environmentId=100
-    condition: selection
-fields:
-    - ClientIP
-    - URL
-    - UserAgent
-falsepositives:
-    - Old browsers
-level: high
-
+title: APT User Agent
+status: experimental
+description: Detects suspicious user agent strings used in APT malware in proxy logs
+references:
+    - Internal Research
+author: Florian Roth, Markus Neis
+logsource:
+    category: proxy
+detection:
+    selection:
+      UserAgent:
+         # APT Related
+        - 'SJZJ (compatible; MSIE 6.0; Win32)'  # APT Backspace
+        - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0'  # APT GrizzlySteppe - ChopStick - US CERT https://goo.gl/1DTHwi
+        - 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC'  # Comment Crew Miniasp
+        - 'Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)'  # Comment Crew Miniasp
+        - 'webclient'  # Naikon APT
+        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200'  # Naikon APT
+        - 'Mozilla/4.0 (compatible; MSI 6.0;'  # SnowGlobe Babar - yes, it is cut
+        - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0'  # Sofacy - Xtunnel
+        - 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/'  # Sofacy - Xtunnel
+        - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2'  # Sofacy - Xtunnel
+        - 'Mozilla/4.0'  # Derusbi backdoor ELF https://github.com/fideliscyber/indicators/tree/master/FTA-1021
+        - 'Netscape'  # Unit78020 Malware 
+        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7'  # Unit78020 Malware
+        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1'  # Winnti related
+        - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)'  # Winnti related
+        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)'  # APT17
+        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)'  # Bronze Butler - Daserf
+        - 'Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)'  # Bronze Butler - Daserf
+        - 'Mozilla/4.0 (compatible; MSIE 8.0; Win32)'  # TSCookie https://app.any.run/tasks/0996b314-5133-491b-8d23-d431ffdec597
+        - 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1'  # Delphi downloader https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
+        - 'Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)'  # VPNFilter https://blog.talosintelligence.com/2018/05/VPNFilter.html
+        - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)'  # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
+        - 'Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko'  # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
+        - 'Mozilla v5.1 *'  # Sofacy Zebrocy samples 
+        - 'MSIE 8.0'  # Sofacy Azzy Backdoor  from https://www.hybrid-analysis.com/sample/a80e29c0757bee05338fd5c22a542d852ad86c477068e3eb4aacc1c3e59e2eef?environmentId=100
+        - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)'  # https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html
+        - 'Mozilla/4.0 (compatible; RMS)'  # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw
+        - 'Mozilla/4.0 (compatible; MSIE 6.0; DynGate)'  # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw
+        - 'O/9.27 (W; U; Z)' # Cmstar https://www.virustotal.com/#/file/e4328011bb2b04abc856ccd04404c9f95d67167f6c291d343e8ffa8aa2aa2099/details
+    condition: selection
+fields:
+    - ClientIP
+    - URL
+    - UserAgent
+falsepositives:
+    - Old browsers
+level: high
+

rules/proxy/proxy_ua_hacktool.yml

@@ -60,6 +60,7 @@ detection:
 
         # Hack tool
         - 'ruler'  # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
+        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)'  # SQLi Dumper
     condition: selection
 fields:
     - ClientIP

rules/proxy/proxy_ua_malware.yml

@@ -48,6 +48,8 @@ detection:
         - 'MSIE'  # Toby web shell
         - '*(Charon; Inferno)'  # Loki Bot
         - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)'  # Fareit / Pony
+        - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'  # https://goo.gl/g43qjs
+        - 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)'  # MacControl malware https://goo.gl/sqY3Ja https://www.symantec.com/connect/blogs/osxmacontrol-back-it-again
 
         # Others 
         - '* pxyscand*'

rules/proxy/proxy_ua_suspicious.yml

@@ -20,7 +20,11 @@ detection:
         - ' Mozilla/*'  # leading space 
         - 'Mozila/*'  # single 'l'
         - '_'
-    condition: selection
+        - 'CertUtil URL Agent'  # https://twitter.com/stvemillertime/status/985150675527974912
+    falsepositives:
+        UserAgent:
+            - 'Mozilla/3.0 * Acrobat *'  # Acrobat with linked content
+    condition: selection and not falsepositives
 fields:
     - ClientIP
     - URL

rules/web/web_cve_2018_2894_weblogic_exploit.yml

@@ -0,0 +1,30 @@
+title: Oracle WebLogic Exploit
+description: Detects access to a webshell droped into a keytore folder on the WebLogic server
+author: Florian Roth
+date: 2018/07/22
+status: experimental
+references: 
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2894
+    - https://twitter.com/pyn3rd/status/1020620932967223296
+    - https://github.com/LandGrey/CVE-2018-2894
+logsource:
+    category: webserver
+detection:
+    selection:
+        c-uri-path: 
+            - '*/config/keystore/*.js*'
+    condition: selection
+fields:
+    - c-ip
+    - c-dns
+falsepositives:
+    - Unknown
+tags:
+    - attack.t1100
+    - attack.t1190
+    - attack.initial_access
+    - attack.persistence
+    - attack.privilege_escalation
+    - cve.2018-2894
+level: critical
+

rules/web/web_webshell_keyword.yml

@@ -1,5 +1,5 @@
 title: Webshell Detection by Keyword
-description: Detects webshells that use GET requests by keyword sarches in URL strings
+description: Detects webshells that use GET requests by keyword searches in URL strings
 author: Florian Roth
 logsource:
     category: webserver

rules/windows/builtin/win_admin_rdp_login.yml

@@ -1,13 +1,16 @@
 title: Admin User Remote Logon
 description: Detect remote login by Administrator user depending on internal pattern
 references:
-  - https://car.mitre.org/wiki/CAR-2016-04-005
+    - https://car.mitre.org/wiki/CAR-2016-04-005
+tags:
+    - attack.lateral_movement
+    - attack.t1078
 status: experimental
 author: juju4
 logsource:
     product: windows
     service: security
-    description: 'Requirements: Identifiable administrators usernames (pattern or special unique character. ex: "Admin-*"), internal policy mandating use only as secondary account'
+    definition: 'Requirements: Identifiable administrators usernames (pattern or special unique character. ex: "Admin-*"), internal policy mandating use only as secondary account'
 detection:
     selection:
         EventID: 4624

rules/windows/builtin/win_admin_share_access.yml

@@ -1,11 +1,14 @@
 title: Access to ADMIN$ Share
 description: Detects access to $ADMIN share
+tags:
+    - attack.lateral_movement
+    - attack.t1077
 status: experimental
 author: Florian Roth
 logsource:
     product: windows
     service: security
-    description: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
+    definition: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
 detection:
     selection:
         EventID: 5140

rules/windows/builtin/win_alert_active_directory_user_control.yml

@@ -1,12 +1,15 @@
 title: Enabled User Right in AD to Control User Objects
 description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
+tags:
+    - attack.privilege_escalation
+    - attack.t1078
 references:
     - https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
 author: '@neu5ron'
 logsource:
     product: windows
     service: security
-    description: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'
+    definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'
 detection:
     selection:
         EventID: 4704

rules/windows/builtin/win_alert_ad_user_backdoors.yml

@@ -1,14 +1,18 @@
 title: Active Directory User Backdoors
-description: Detects scenarios where one can control another users account without having to use their credentials via msDS-AllowedToDelegateTo and or service principal names (SPN).
+description: Detects scenarios where one can control another users or computers account without having to use their credentials.
 references:
     - https://msdn.microsoft.com/en-us/library/cc220234.aspx
     - https://adsecurity.org/?p=3466
+    - https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
 author: '@neu5ron'
+tags:
+    - attack.t1098
+    - attack.credential_access
 logsource:
     product: windows
     service: security
-    description1: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'
-    description2: 'Requirements: Audit Policy : DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes'
+    definition1: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'
+    definition2: 'Requirements: Audit Policy : DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes'
 detection:
     selection1:
         EventID: 4738
@@ -21,7 +25,10 @@ detection:
         EventID: 5136
         ObjectClass: 'user'
         AttributeLDAPDisplayName: 'servicePrincipalName'
-    condition: (selection1 and not filter1) or selection2 or selection3
+    selection4:
+        EventID: 5136
+        AttributeLDAPDisplayName: 'msDS-AllowedToActOnBehalfOfOtherIdentity'        
+    condition: (selection1 and not filter1) or selection2 or selection3 or selection4
 falsepositives: 
     - Unknown
 level: high

rules/windows/builtin/win_alert_enable_weak_encryption.yml

@@ -7,7 +7,7 @@ author: '@neu5ron'
 logsource:
     product: windows
     service: security
-    description: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'
+    definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'
 detection:
     selection:
         EventID: 4738

rules/windows/builtin/win_alert_hacktool_use.yml

@@ -1,6 +1,13 @@
 title: Hacktool Use
 description: This method detects well-known keywords, certain field combination that appear in Windows Eventlog when certain hack tools are used
 author: Florian Roth
+tags:
+    - attack.discovery
+    - attack.execution
+    - attack.t1087
+    - attack.t1075
+    - attack.t1114
+    - attack.t1059
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_alert_lsass_access.yml

@@ -0,0 +1,23 @@
+title: LSASS Access Detected via Attack Surface Reduction
+description: Detects Access to LSASS Process
+status: experimental
+references:
+    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter
+author: Markus Neis
+date: 2018/08/26
+tags:
+    - attack.credential_access
+    - attack.t1003
+# Defender Attack Surface Reduction
+logsource:
+    product: windows_defender
+    definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'
+detection:
+    selection:
+        EventID: 1121
+        Path: '*\lsass.exe'
+    condition: selection
+falsepositives:
+    - Google Chrome GoogleUpdate.exe
+    - Some Taskmgr.exe related activity
+level: high

rules/windows/builtin/win_alert_mimikatz_keywords.yml

@@ -1,6 +1,11 @@
 title: Mimikatz Use
 description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
 author: Florian Roth
+tags:
+    - attack.s0002
+    - attack.t1003
+    - attack.lateral_movement
+    - attack.credential_access
 logsource:
     product: windows
 detection:

rules/windows/builtin/win_dcsync.yml

@@ -6,6 +6,10 @@ author: Benjamin Delpy, Florian Roth
 references:
     - https://twitter.com/gentilkiwi/status/1003236624925413376
     - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
+tags:
+    - attack.credential_access
+    - attack.s0002
+    - attack.t1003
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_disable_event_logging.yml

@@ -1,18 +1,20 @@
 title: Disabling Windows Event Auditing
-description: >
-    Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario
+description: 'Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario
     where an entity would want to bypass local logging to evade detection when windows event logging is enabled and
     reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure
     that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc".
     Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off
-    specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.
+    specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.'
 references:
     - https://bit.ly/WinLogsZero2Hero
+tags:
+    - attack.defense_evasion
+    - attack.t1054
 author: '@neu5ron'
 logsource:
     product: windows
     service: security
-    description: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Audit Policy Change'
+    definition: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Audit Policy Change'
 detection:
     selection:
         EventID: 4719

rules/windows/builtin/win_eventlog_cleared.yml

@@ -1,10 +1,13 @@
-title: Eventlog Cleared
+title: Eventlog Cleared Experimental
 status: experimental
 description: Detects a cleared Windows Eventlog as e.g. caused by "wevtutil cl" command execution  
 author: Florian Roth
 date: 2017/06/27
 references:
     - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
+tags:
+    - attack.defense_evasion
+    - attack.t1070
 logsource:
     product: windows
     service: system

rules/windows/builtin/win_hack_rubeus.yml

@@ -0,0 +1,52 @@
+---
+action: global
+title: Rubeus Hack Tool
+description: Detects command line parameters used by Rubeus hack tool 
+author: Florian Roth
+references: 
+    - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
+date: 2018/12/19
+tags:
+    - attack.credential_access
+    - attack.t1003
+    - attack.s0005
+detection:
+    condition: selection
+falsepositives:
+    - unlikely
+level: critical
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        CommandLine: 
+            - '* asreproast *'
+            - '* dump /service:krbtgt *'
+            - '* kerberoast *'
+            - '* createnetonly /program:*'
+            - '* ptt /ticket:*'
+            - '* /impersonateuser:*'
+            - '* renew /ticket:*'
+            - '* asktgt /user:*'
+            - '* harvest /interval:*'
+---
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+        ProcessCommandLine: 
+            - '* asreproast *'
+            - '* dump /service:krbtgt *'
+            - '* kerberoast *'
+            - '* createnetonly /program:*'
+            - '* ptt /ticket:*'
+            - '* /impersonateuser:*'
+            - '* renew /ticket:*'
+            - '* asktgt /user:*'
+            - '* harvest /interval:*'

rules/windows/builtin/win_hack_smbexec.yml

@@ -4,6 +4,11 @@ author: Omer Faruk Celik
 date: 2018/03/20
 references:
     - https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/
+tags:
+    - attack.lateral_movement
+    - attack.execution
+    - attack.t1077
+    - attack.t1035
 logsource:
     product: windows
 detection:

rules/windows/builtin/win_mal_creddumper.yml

@@ -1,6 +1,10 @@
 title: Malicious Service Install
 description: This method detects well-known keywords of malicious services in the Windows System Eventlog 
 author: Florian Roth
+tags:
+    - attack.credential_access
+    - attack.t1003
+    - attack.s0005
 logsource:
     product: windows
     service: system

rules/windows/builtin/win_mal_service_installs.yml

@@ -1,6 +1,10 @@
 title: Malicious Service Installations
 description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping and other suspicious activity
 author: Florian Roth
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1050
 logsource:
     product: windows
     service: system

rules/windows/builtin/win_mal_wceaux_dll.yml

@@ -5,6 +5,10 @@ author: Thomas Patzke
 references:
     - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
     - https://jpcertcc.github.io/ToolAnalysisResultSheet
+tags:
+    - attack.credential_access
+    - attack.t1003
+    - attack.s0005
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_mavinject_proc_inj.yml

@@ -0,0 +1,38 @@
+---
+action: global
+title: MavInject Process Injection
+status: experimental
+description: Detects process injection using the signed Windows tool Mavinject32.exe
+references:
+    - https://twitter.com/gN3mes1s/status/941315826107510784
+    - https://reaqta.com/2017/12/mavinject-microsoft-injector/
+    - https://twitter.com/Hexacorn/status/776122138063409152
+author: Florian Roth
+date: 2018/12/12
+tags:
+    - attack.process_injection
+    - attack.t1055
+    - attack.signed_binary_proxy_execution
+    - attack.t1218
+detection:
+    condition: selection
+falsepositives: 
+    - unknown
+level: critical
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        CommandLine: '* /INJECTRUNNING *'
+---
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+        ProcessCommandLine: '* /INJECTRUNNING *'

rules/windows/builtin/win_multiple_suspicious_cli.yml

@@ -5,8 +5,69 @@ status: experimental
 references:
     - https://car.mitre.org/wiki/CAR-2013-04-002
 author: juju4
+modified: 2012/12/11
+falsepositives:
+    - False positives depend on scripts and administrative tools used in the monitored environment
+level: low
+---
+# Windows Audit Log
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
     selection:
+        EventID: 4688
+        ProcessCommandLine: 
+            - arp.exe
+            - at.exe
+            - attrib.exe
+            - cscript.exe
+            - dsquery.exe
+            - hostname.exe
+            - ipconfig.exe
+            - mimikatz.exe
+            - nbstat.exe
+            - net.exe
+            - netsh.exe
+            - nslookup.exe
+            - ping.exe
+            - quser.exe
+            - qwinsta.exe
+            - reg.exe
+            - runas.exe
+            - sc.exe
+            - schtasks.exe
+            - ssh.exe
+            - systeminfo.exe
+            - taskkill.exe
+            - telnet.exe
+            - tracert.exe
+            - wscript.exe
+            - xcopy.exe
+# others
+            - pscp.exe
+            - copy.exe
+            - robocopy.exe
+            - certutil.exe
+            - vssadmin.exe
+            - powershell.exe
+            - wevtutil.exe
+            - psexec.exe
+            - bcedit.exe
+            - wbadmin.exe
+            - icacls.exe
+            - diskpart.exe
+    timeframe: 5m
+    condition: selection | count() by MachineName > 5
+---
+# Sysmon
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
         CommandLine: 
             - arp.exe
             - at.exe
@@ -47,25 +108,5 @@ detection:
             - wbadmin.exe
             - icacls.exe
             - diskpart.exe
-    timeframe: 5min
-    condition: selection | count() > 5
-falsepositives:
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: low
----
-# Windows Audit Log
-logsource:
-    product: windows
-    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
----
-# Sysmon
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
+    timeframe: 5m
+    condition: selection | count() by MachineName > 5

rules/windows/builtin/win_net_ntlm_downgrade.yml

@@ -2,10 +2,13 @@
 action: global
 title: NetNTLM Downgrade Attack
 description: Detects post exploitation using NetNTLM downgrade attacks
-reference: 
+references: 
     - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
 author: Florian Roth
 date: 2018/03/20
+tags:
+    - attack.credential_access
+    - attack.t1212
 detection:
     condition: 1 of them
 falsepositives:
@@ -27,7 +30,7 @@ detection:
 logsource:
     product: windows
     service: security
-    description: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
+    definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
 detection:
     selection2:
         EventID: 4657

rules/windows/builtin/win_overpass_the_hash.yml

@@ -5,6 +5,10 @@ references:
     - https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html
 author: Roberto Rodriguez (source), Dominik Schaudel (rule)
 date: 2018/02/12
+tags:
+    - attack.lateral_movement
+    - attack.t1075
+    - attack.s0002
 logsource:
     product: windows
     service: security
@@ -17,4 +21,4 @@ detection:
     condition: selection
 falsepositives:
     - Runas command-line tool using /netonly parameter
-level: high
+level: high

rules/windows/builtin/win_pass_the_hash.yml

@@ -4,10 +4,13 @@ description: 'Detects the attack technique pass the hash which is used to move l
 references:
     - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
 author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
+tags:
+    - attack.lateral_movement
+    - attack.t1075
 logsource:
     product: windows
     service: security
-    description: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625
+    definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625
 detection:
     selection:
         - EventID: 4624

rules/windows/builtin/win_plugx_susp_exe_locations.yml

@@ -6,6 +6,8 @@ references:
     - 'https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/'
 author: Florian Roth
 date: 2017/06/12
+tags:
+    - attack.s0013
 logsource:
     product: windows
     service: security
@@ -115,7 +117,7 @@ detection:
     # RC
     selection_rc:
         EventID: 4688
-        CommandLine: '*\OleView.exe'
+        CommandLine: '*\rc.exe'
     filter_rc:
         EventID: 4688
         CommandLine: 

rules/windows/builtin/win_possible_applocker_bypass.yml

@@ -6,6 +6,8 @@ references:
     - https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt
     - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
 author: juju4
+tags:
+    - attack.defense_evasion
 detection:
     selection:
         CommandLine: 
@@ -28,7 +30,7 @@ level: low
 logsource:
     product: windows
     service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
     selection:
         EventID: 4688

rules/windows/builtin/win_powershell_b64_shellcode.yml

@@ -0,0 +1,44 @@
+action: global
+title: PowerShell Base64 Encoded Shellcode
+description: Detects Base64 encoded Shellcode 
+status: experimental
+references:
+    - https://twitter.com/cyb3rops/status/1063072865992523776
+author: Florian Roth
+date: 2018/11/17
+tags:
+    - attack.defense_evasion
+    - attack.t1036
+detection:
+    condition: selection1 and selection2
+falsepositives: 
+    - Unknown
+level: critical
+---
+# Windows Audit Log
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection1:
+        EventID: 4688
+        ProcessCommandLine: '*AAAAYInlM*'
+    selection2:
+        ProcessCommandLine: 
+            - '*OiCAAAAYInlM*'
+            - '*OiJAAAAYInlM*'
+---
+# Sysmon
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        EventID: 1
+        CommandLine: '*AAAAYInlM*'
+    selection2:
+        CommandLine: 
+            - '*OiCAAAAYInlM*'
+            - '*OiJAAAAYInlM*'
+

rules/windows/builtin/win_psexesvc_start.yml

@@ -2,14 +2,19 @@ title: PsExec Service Start
 description: Detects a PsExec service start
 author: Florian Roth
 date: 2018/03/13
+modified: 2012/12/11
+tags:
+    - attack.execution
+    - attack.t1035
+    - attack.s0029
 logsource:
     product: windows
     service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
     selection:
         EventID: 4688
-        CommandLine: 'C:\Windows\PSEXESVC.exe'
+        ProcessCommandLine: 'C:\Windows\PSEXESVC.exe'
     condition: 1 of them
 falsepositives:
     - Administrative activity

rules/windows/builtin/win_rare_schtasks_creations.yml

@@ -2,15 +2,20 @@ title: Rare Schtasks Creations
 description: Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code
 status: experimental
 author: Florian Roth
+tags:
+    - attack.execution
+    - attack.privilege_escalation
+    - attack.persistence
+    - attack.t1053
 logsource:
     product: windows
     service: security
-    description: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft). We also recommend extracting the Command field from the embedded XML in the event data.'
+    definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft). We also recommend extracting the Command field from the embedded XML in the event data.'
 detection:
     selection:
         EventID: 4698
     timeframe: 7d
-    condition: selection | count(TaskName) < 5 
+    condition: selection | count() by TaskName < 5 
 falsepositives: 
     - Software installation
     - Software updates

rules/windows/builtin/win_rare_service_installs.yml

@@ -2,6 +2,10 @@ title: Rare Service Installs
 description: Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services 
 status: experimental
 author: Florian Roth
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1050
 logsource:
     product: windows
     service: system
@@ -9,8 +13,8 @@ detection:
     selection:
         EventID: 7045
     timeframe: 7d
-    condition: selection | count(ServiceFileName) < 5 
+    condition: selection | count() by ServiceFileName < 5 
 falsepositives: 
     - Software installation
     - Software updates
-level: low
+level: low

rules/windows/builtin/win_susp_add_sid_history.yml

@@ -4,6 +4,9 @@ description: An attacker can use the SID history attribute to gain additional pr
 references:
     - https://adsecurity.org/?p=1772
 author: Thomas Patzke
+tags:
+    - attack.privilege_escalation
+    - attack.t1178
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_susp_backup_delete.yml

@@ -5,6 +5,9 @@ references:
     - https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx
     - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
 author: Florian Roth (rule), Tom U. @c_APT_ure (collection) 
+tags:
+    - attack.defense_evasion
+    - attack.t1107
 logsource:
     product: windows
     service: application

rules/windows/builtin/win_susp_cli_escape.yml

@@ -9,18 +9,11 @@ references:
     - https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
     - http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/
 author: juju4
+modified: 2018/12/11
+tags:
+    - attack.defense_evasion
+    - attack.t1140
 detection:
-    selection:
-        CommandLine: 
-            #- '^'
-            #- '@'
-# 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form?
-            # - '-'
-            # - '―'
-            #- 'c:/'
-            - '<TAB>'
-            - '^h^t^t^p'
-            - 'h"t"t"p'
     condition: selection
 falsepositives: 
     - False positives depend on scripts and administrative tools used in the monitored environment
@@ -30,10 +23,20 @@ level: low
 logsource:
     product: windows
     service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
     selection:
         EventID: 4688
+        ProcessCommandLine: 
+            #- '^'
+            #- '@'
+# 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form?
+            # - '-'
+            # - '―'
+            #- 'c:/'
+            - '<TAB>'
+            - '^h^t^t^p'
+            - 'h"t"t"p'
 ---
 # Sysmon
 logsource:
@@ -42,3 +45,13 @@ logsource:
 detection:
     selection:
         EventID: 1
+        CommandLine: 
+            #- '^'
+            #- '@'
+# 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form?
+            # - '-'
+            # - '―'
+            #- 'c:/'
+            - '<TAB>'
+            - '^h^t^t^p'
+            - 'h"t"t"p'

rules/windows/builtin/win_susp_commands_recon_activity.yml

@@ -6,22 +6,17 @@ description: 'Detects a set of commands often used in recon stages by different
 references:
     - https://twitter.com/haroonmeer/status/939099379834658817
     - https://twitter.com/c_APT_ure/status/939475433711722497
-author: Florian Roth
-date: 2017/12/12
+    - https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
+author:  Florian Roth, Markus Neis
+date: 2018/08/22
+modified: 2018/12/11
+tags:
+    - attack.discovery
+    - attack.t1073
+    - attack.t1012 
 detection:
-    selection:
-        CommandLine: 
-            - 'tasklist'
-            - 'net time'
-            - 'systeminfo'
-            - 'whoami'
-            - 'nbtstat'
-            - 'net start'
-            - '*\net1 start'
-            - 'qprocess'
-            - 'nslookup'
-    timeframe: 1m 
-    condition: selection | count() > 2
+    timeframe: 15s 
+    condition: selection | count() by CommandLine > 4
 falsepositives: 
     - False positives depend on scripts and administrative tools used in the monitored environment
 level: medium
@@ -32,11 +27,47 @@ logsource:
 detection:
     selection:
         EventID: 1
+        CommandLine: 
+            - 'tasklist'
+            - 'net time'
+            - 'systeminfo'
+            - 'whoami'
+            - 'nbtstat'
+            - 'net start'
+            - '*\net1 start'
+            - 'qprocess'
+            - 'nslookup'
+            - 'hostname.exe'
+            - '*\net1 user /domain'
+            - '*\net1 group /domain'
+            - '*\net1 group "domain admins" /domain'
+            - '*\net1 group "Exchange Trusted Subsystem" /domain'
+            - '*\net1 accounts /domain' 
+            - '*\net1 user net localgroup administrators' 
+            - 'netstat -an'
 ---
 logsource:
     product: windows
     service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
     selection:
         EventID: 4688
+        ProcessCommandLine: 
+            - 'tasklist'
+            - 'net time'
+            - 'systeminfo'
+            - 'whoami'
+            - 'nbtstat'
+            - 'net start'
+            - '*\net1 start'
+            - 'qprocess'
+            - 'nslookup'
+            - 'hostname.exe'
+            - '*\net1 user /domain'
+            - '*\net1 group /domain'
+            - '*\net1 group "domain admins" /domain'
+            - '*\net1 group "Exchange Trusted Subsystem" /domain'
+            - '*\net1 accounts /domain' 
+            - '*\net1 user net localgroup administrators' 
+            - 'netstat -an'

rules/windows/builtin/win_susp_dhcp_config.yml

@@ -7,6 +7,8 @@ references:
     - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
 date: 2017/05/15
 author: Dimitrios Slamaris
+tags:
+    - attack.defense_evasion
 logsource:
     product: windows
     service: system

rules/windows/builtin/win_susp_dsrm_password_change.yml

@@ -4,6 +4,9 @@ description: The Directory Service Restore Mode (DSRM) account is a local admini
 references:
     - https://adsecurity.org/?p=1714
 author: Thomas Patzke
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_susp_eventlog_cleared.yml

@@ -3,6 +3,9 @@ description: One of the Windows Eventlogs has been cleared
 references:
     - https://twitter.com/deviouspolack/status/832535435960209408
 author: Florian Roth
+tags:
+    - attack.defense_evasion
+    - attack.t1070
 logsource:
     product: windows
     service: system

rules/windows/builtin/win_susp_failed_logon_reasons.yml

@@ -1,6 +1,10 @@
 title: Account Tampering - Suspicious Failed Logon Reasons
 description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
 author: Florian Roth
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1078
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_susp_failed_logons_single_source.yml

@@ -1,6 +1,10 @@
 title: Multiple Failed Logins with Different Accounts from Single Source System
 description: Detects suspicious failed logins with different user accounts from a single source system 
 author: Florian Roth
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1078
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_susp_interactive_logons.yml

@@ -1,6 +1,9 @@
 title: Interactive Logon to Server Systems
 description: Detects interactive console logons to 
 author: Florian Roth
+tags:
+    - attack.lateral_movement
+    - attack.t1078
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_susp_iss_module_install.yml

@@ -6,10 +6,11 @@ status: experimental
 references:
     - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
 author: Florian Roth
+modified: 2012/12/11
+tags:
+    - attack.persistence
+    - attack.t1100
 detection:
-    selection:
-        CommandLine: 
-            - '*\APPCMD.EXE install module /name:*'
     condition: selection
 falsepositives: 
     - Unknown as it may vary from organisation to arganisation how admins use to install IIS modules
@@ -21,11 +22,15 @@ logsource:
 detection:
     selection:
         EventID: 1
+        CommandLine: 
+            - '*\APPCMD.EXE install module /name:*'
 ---
 logsource:
     product: windows
     service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
     selection:
         EventID: 4688
+        ProcessCommandLine: 
+            - '*\APPCMD.EXE install module /name:*'

rules/windows/builtin/win_susp_kerberos_manipulation.yml

@@ -1,6 +1,9 @@
 title: Kerberos Manipulation
 description: This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages
 author: Florian Roth
+tags:
+    - attack.credential_access
+    - attack.t1212
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_susp_lsass_dump.yml

@@ -1,8 +1,11 @@
 title: Password Dumper Activity on LSASS
-description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN 
+description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
 status: experimental
 references:
     - https://twitter.com/jackcr/status/807385668833968128
+tags:
+    - attack.credential_access
+    - attack.t1003
 logsource:
     product: windows
     service: security
@@ -16,4 +19,3 @@ detection:
 falsepositives:
     - Unkown
 level: high
-

rules/windows/builtin/win_susp_msiexec_web_install.yml

@@ -7,10 +7,8 @@ references:
     - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
 author: Florian Roth
 date: 2018/02/09
+modified: 2012/12/11
 detection:
-    selection:
-        CommandLine: 
-            - '* msiexec*:\/\/*'
     condition: selection
 falsepositives: 
     - False positives depend on scripts and administrative tools used in the monitored environment
@@ -22,11 +20,15 @@ logsource:
 detection:
     selection:
         EventID: 1
+        CommandLine: 
+            - '* msiexec*:\/\/*'
 ---
 logsource:
     product: windows
     service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
     selection:
         EventID: 4688
+        ProcessCommandLine: 
+            - '* msiexec*:\/\/*'

rules/windows/builtin/win_susp_msmpeng_crash.yml

@@ -1,5 +1,9 @@
 title: Microsoft Malware Protection Engine Crash
 description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
+tags:
+    - attack.defense_evasion
+    - attack.t1089
+    - attack.t1211
 status: experimental
 date: 2017/05/09
 references:
@@ -12,7 +16,7 @@ logsource:
 detection:
     selection1:
         Source: 'Application Error'
-        EventID: 1000 
+        EventID: 1000
     selection2:
         Source: 'Windows Error Reporting'
         EventID: 1001
@@ -20,7 +24,6 @@ detection:
         - 'MsMpEng.exe'
         - 'mpengine.dll'
     condition: 1 of selection* and all of keywords
-falsepositives: 
+falsepositives:
     - MsMpEng.exe can crash when C:\ is full
 level: high
-

rules/windows/builtin/win_susp_net_recon_activity.yml

@@ -1,13 +1,18 @@
 title: Reconnaissance Activity
 status: experimental
-description: 'Detects activity as "net user administrator /domain" and "net group domain admins /domain"' 
+description: 'Detects activity as "net user administrator /domain" and "net group domain admins /domain"'
 references:
     - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
 author: Florian Roth (rule), Jack Croock (method)
+tags:
+    - attack.discovery
+    - attack.t1087
+    - attack.t1069
+    - attack.s0039
 logsource:
     product: windows
     service: security
-    description: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommandations for server systems
+    definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommandations for server systems
 detection:
     selection:
         - EventID: 4661

rules/windows/builtin/win_susp_ntdsutil.yml

@@ -6,6 +6,9 @@ status: experimental
 references:
     - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
 author: Thomas Patzke
+tags:
+    - attack.credential_access
+    - attack.t1003
 detection:
     selection:
         CommandLine: '*\ntdsutil.exe *'
@@ -24,7 +27,7 @@ detection:
 logsource:
     product: windows
     service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
     selection:
         EventID: 4688

rules/windows/builtin/win_susp_ntlm_auth.yml

@@ -6,10 +6,13 @@ references:
     - https://goo.gl/PsqrhT
 author: Florian Roth
 date: 2018/06/08
+tags:
+    - attack.credential_access
+    - attack.t1208
 logsource:
     product: windows
     service: ntlm
-    description: Reqiures events from Microsoft-Windows-NTLM/Operational
+    definition: Reqiures events from Microsoft-Windows-NTLM/Operational
 detection:
     selection:
         EventID: 8002

rules/windows/builtin/win_susp_powershell_enc_cmd.yml

@@ -0,0 +1,43 @@
+---
+action: global
+title: Suspicious Encoded PowerShell Command Line
+description: Detects suspicious powershell process starts with base64 encoded commands
+status: experimental
+references:
+    - https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e
+author: Florian Roth
+date: 2018/09/03
+detection:
+    selection:
+        CommandLine:
+            # Command starts with '$' symbol
+            - '* -e JAB*'
+            - '* -enc JAB*'
+            - '* -encodedcommand JAB*'
+    # Google Rapid Response
+    falsepositive1:
+        Image: '*\GRR\*'
+    # PowerSponse deployments
+    falsepositive2: 
+        CommandLine: '* -ExecutionPolicy remotesigned *'
+    condition: selection and not 1 of falsepositive*
+falsepositives: 
+    - GRR powershell hacks
+    - PowerSponse Deployments
+level: high
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+---
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+

rules/windows/builtin/win_susp_powershell_hidden_b64_cmd.yml

@@ -0,0 +1,82 @@
+title: Malicious Base64 encoded PowerShell Keywords in command lines
+status: experimental
+description: Detects base64 encoded strings used in hidden malicious PowerShell command lines 
+references:
+    - http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/
+tags:
+    - attack.execution
+    - attack.t1086
+author: John Lambert (rule)
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    encoded:
+        EventID: 4688
+        Image: '*\powershell.exe'
+        CommandLine: '* hidden *'
+    selection:
+        EventID: 4688
+        CommandLine:
+            # bitsadmin transfer
+            - '*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*'
+            - '*aXRzYWRtaW4gL3RyYW5zZmVy*'
+            - '*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*'
+            - '*JpdHNhZG1pbiAvdHJhbnNmZX*'
+            - '*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*'
+            - '*Yml0c2FkbWluIC90cmFuc2Zlc*'
+            # chunk_size
+            - '*AGMAaAB1AG4AawBfAHMAaQB6AGUA*'
+            - '*JABjAGgAdQBuAGsAXwBzAGkAegBlA*'
+            - '*JGNodW5rX3Npem*'
+            - '*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*'
+            - '*RjaHVua19zaXpl*'
+            - '*Y2h1bmtfc2l6Z*'
+            # IO.Compression
+            - '*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*'
+            - '*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*'
+            - '*lPLkNvbXByZXNzaW9u*'
+            - '*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*'
+            - '*SU8uQ29tcHJlc3Npb2*'
+            - '*Ty5Db21wcmVzc2lvb*'
+            # IO.MemoryStream
+            - '*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*'
+            - '*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*'
+            - '*lPLk1lbW9yeVN0cmVhb*'
+            - '*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*'
+            - '*SU8uTWVtb3J5U3RyZWFt*'
+            - '*Ty5NZW1vcnlTdHJlYW*'
+            # GetChunk
+            - '*4ARwBlAHQAQwBoAHUAbgBrA*'
+            - '*5HZXRDaHVua*'
+            - '*AEcAZQB0AEMAaAB1AG4Aaw*'
+            - '*LgBHAGUAdABDAGgAdQBuAGsA*'
+            - '*LkdldENodW5r*'
+            - '*R2V0Q2h1bm*'
+            # THREAD INFO64
+            - '*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*'
+            - '*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*'
+            - '*RIUkVBRF9JTkZPNj*'
+            - '*SFJFQURfSU5GTzY0*'
+            - '*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*'
+            - '*VEhSRUFEX0lORk82N*'
+            # CreateRemoteThread
+            - '*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*'
+            - '*cmVhdGVSZW1vdGVUaHJlYW*'
+            - '*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*'
+            - '*NyZWF0ZVJlbW90ZVRocmVhZ*'
+            - '*Q3JlYXRlUmVtb3RlVGhyZWFk*'
+            - '*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*'
+            # memmove
+            - '*0AZQBtAG0AbwB2AGUA*'
+            - '*1lbW1vdm*'
+            - '*AGUAbQBtAG8AdgBlA*'
+            - '*bQBlAG0AbQBvAHYAZQ*'
+            - '*bWVtbW92Z*'
+            - '*ZW1tb3Zl*'  
+
+    condition: encoded and selection
+falsepositives:
+    - Penetration tests
+level: high

rules/windows/builtin/win_susp_procdump.yml

@@ -0,0 +1,49 @@
+action: global
+title: Suspicious Use of Procdump
+description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable. 
+status: experimental
+references:
+    - Internal Research
+author: Florian Roth
+date: 2018/10/30
+tags:
+    - attack.defense_evasion
+    - attack.t1036
+    - attack.credential_access
+    - attack.t1003
+detection:
+    condition: selection and selection1 and selection2
+falsepositives: 
+    - Unlikely, because no one should dump an lsass process memory
+    - Another tool that uses the command line switches of Procdump
+level: medium
+---
+# Windows Audit Log
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+    selection1:
+        ProcessCommandLine:
+            - "* -ma *"
+    selection2: 
+        ProcessCommandLine:
+            - '* lsass.exe*'
+---
+# Sysmon
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+    selection1:
+        CommandLine:
+            - "* -ma *"
+    selection2: 
+        CommandLine:
+            - '* lsass.exe*'
+

rules/windows/builtin/win_susp_process_creations.yml

@@ -1,7 +1,7 @@
 ---
 action: global
 title: Suspicious Process Creation
-description: Detects suspicious process starts on Windows systems bsed on keywords
+description: Detects suspicious process starts on Windows systems based on keywords
 status: experimental
 references:
     - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
@@ -15,8 +15,19 @@ references:
     - https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat
     - https://twitter.com/vector_sec/status/896049052642533376
 author: Florian Roth
+modified: 2012/12/11
+detection:
+    condition: selection
+falsepositives: 
+    - False positives depend on scripts and administrative tools used in the monitored environment
+level: medium
+---
+logsource:
+    product: windows
+    service: sysmon
 detection:
     selection:
+        EventID: 1
         CommandLine: 
             # Hacking activity
             - 'vssadmin.exe delete shadows*'
@@ -65,23 +76,61 @@ detection:
             # AddInProcess
             - '*AddInProcess*'
             # NotPowershell (nps) attack
-            - '*msbuild*'
-    condition: selection
-falsepositives: 
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
+            # - '*msbuild*'  # too many false positives
 ---
 logsource:
     product: windows
     service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
     selection:
         EventID: 4688
+        ProcessCommandLine: 
+            # Hacking activity
+            - 'vssadmin.exe delete shadows*'
+            - 'vssadmin delete shadows*'
+            - 'vssadmin create shadow /for=C:*'
+            - 'copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit*'
+            - 'copy \\?\GLOBALROOT\Device\*\config\SAM*'
+            - 'reg SAVE HKLM\SYSTEM *'
+            - '* sekurlsa:*'
+            - 'net localgroup adminstrators * /add'
+            - 'net group "Domain Admins" * /ADD /DOMAIN'
+            - 'certutil.exe *-urlcache* http*'
+            - 'certutil.exe *-urlcache* ftp*'
+            # Malware
+            - 'netsh advfirewall firewall *\AppData\*'
+            - 'attrib +S +H +R *\AppData\*'
+            - 'schtasks* /create *\AppData\*'
+            - 'schtasks* /sc minute*'
+            - '*\Regasm.exe *\AppData\*'
+            - '*\Regasm *\AppData\*'
+            - '*\bitsadmin* /transfer*'
+            - '*\certutil.exe * -decode *'
+            - '*\certutil.exe * -decodehex *'
+            - '*\certutil.exe -ping *'
+            - 'icacls * /grant Everyone:F /T /C /Q'
+            - '* wmic shadowcopy delete *'
+            - '* wbadmin.exe delete catalog -quiet*'  # http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
+            # Scripts
+            - '*\wscript.exe *.jse'
+            - '*\wscript.exe *.js'
+            - '*\wscript.exe *.vba'
+            - '*\wscript.exe *.vbe'
+            - '*\cscript.exe *.jse'
+            - '*\cscript.exe *.js'
+            - '*\cscript.exe *.vba'
+            - '*\cscript.exe *.vbe'
+            # UAC bypass
+            - '*\fodhelper.exe'
+            # persistence
+            - '*waitfor*/s*'
+            - '*waitfor*/si persist*'
+            # remote
+            - '*remote*/s*'
+            - '*remote*/c*'
+            - '*remote*/q*'
+            # AddInProcess
+            - '*AddInProcess*'
+            # NotPowershell (nps) attack
+            # - '*msbuild*'  # too many false positives

rules/windows/builtin/win_susp_ps_appdata.yml

@@ -0,0 +1,39 @@
+---
+action: global
+title: PowerShell Script Run in AppData
+status: experimental
+description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder 
+references:
+    - https://twitter.com/JohnLaTwC/status/1082851155481288706
+    - https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
+author: Florian Roth
+date: 2019/01/09
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    condition: selection
+falsepositives:
+    - Administrative scripts
+level: medium
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        CommandLine: 
+            - '* /c powershell*\AppData\Local\*'
+            - '* /c powershell*\AppData\Roaming\*'
+---
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+detection:
+    selection:
+        EventID: 4688
+        ProcessCommandLine: 
+            - '* /c powershell*\AppData\Local\*'
+            - '* /c powershell*\AppData\Roaming\*'

rules/windows/builtin/win_susp_rasdial_activity.yml

@@ -18,7 +18,7 @@ level: medium
 logsource:
     product: windows
     service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
     selection:
         EventID: 4688

rules/windows/builtin/win_susp_rc4_kerberos.yml

@@ -3,6 +3,9 @@ status: experimental
 references:
     - https://adsecurity.org/?p=3458
     - https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity
+tags:
+    - attack.credential_access
+    - attack.t1208
 description: Detects service ticket requests using RC4 encryption type
 logsource:
     product: windows

rules/windows/builtin/win_susp_run_locations.yml

@@ -5,6 +5,9 @@ status: experimental
 references:
     - https://car.mitre.org/wiki/CAR-2013-05-002
 author: juju4
+tags:
+    - attack.defense_evasion
+    - attack.t1036
 detection:
     selection:
         CommandLine:
@@ -21,7 +24,7 @@ level: medium
 logsource:
     product: windows
     service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
     selection:
         EventID: 4688

rules/windows/builtin/win_susp_rundll32_activity.yml

@@ -6,10 +6,14 @@ references:
     - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
     - https://twitter.com/Hexacorn/status/885258886428725250
     - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1085
 author: juju4
 detection:
     selection:
-        CommandLine: 
+        CommandLine:
             # match with or without rundll32.exe to try to catch evasion
             - '*\rundll32.exe* url.dll,*OpenURL *'
             - '*\rundll32.exe* url.dll,*OpenURLA *'
@@ -25,14 +29,14 @@ detection:
             - '* javascript:*'
             - '*.RegisterXLL*'
     condition: selection
-falsepositives: 
+falsepositives:
     - False positives depend on scripts and administrative tools used in the monitored environment
 ---
 # Windows Audit Log
 logsource:
     product: windows
     service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
+    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
     selection:
         EventID: 4688

rules/windows/builtin/win_susp_sam_dump.yml

@@ -1,17 +1,20 @@
 title: SAM Dump to AppData
 status: experimental
 description: Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers
+tags:
+    - attack.credential_access
+    - attack.t1003
 author: Florian Roth
 logsource:
     product: windows
     service: system
-    description: The source of this type of event is Kernel-General
+    definition: The source of this type of event is Kernel-General
 detection:
     selection:
         EventID: 16
     keywords:
         - '*\AppData\Local\Temp\SAM-*.dmp *'
     condition: all of them
-falsepositives: 
+falsepositives:
     - Penetration testing
 level: high

rules/windows/builtin/win_susp_samr_pwset.yml

@@ -1,6 +1,9 @@
 title: Possible Remote Password Change Through SAMR 
 description: Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser(). "Audit User Account Management" in "Advanced Audit Policy Configuration" has to be enabled in your local security policy / GPO to see this events.
 author: Dimitrios Slamaris
+tags:
+    - attack.credential_access
+    - attack.t1212
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_susp_sdelete.yml

@@ -6,6 +6,11 @@ references:
     - https://jpcertcc.github.io/ToolAnalysisResultSheet
     - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
     - https://technet.microsoft.com/en-us/en-en/sysinternals/sdelete.aspx
+tags:
+    - attack.defense_evasion
+    - attack.t1107
+    - attack.t1116
+    - attack.s0195
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_susp_security_eventlog_cleared.yml

@@ -1,5 +1,8 @@
 title: Security Eventlog Cleared
 description: Some threat groups tend to delete the local 'Security' Eventlog using certain utitlities
+tags:
+    - attack.defense_evasion
+    - attack.t1070
 author: Florian Roth
 logsource:
     product: windows