Sigma tools release 0.10

Moved Sysmon schema XML from contrib directory into module
Added CAR tags
2019-03-16 01:02:48 +01:00 · 2019-03-16 00:59:29 +01:00 · 2019-03-16 00:37:09 +01:00 · 2019-03-16 00:03:27 +01:00 · 2019-03-15 23:47:24 +01:00 · 2019-03-15 23:46:38 +01:00
253 changed files with 4305 additions and 2570 deletions
@@ -1,7 +1,7 @@
 language: python
 dist: xenial
 python:
-  - 3.5
+  # - 3.5  # Deactivated because Travis CI tests failed randomly (Travis's problem)
  - 3.6
  - 3.7
 sudo: true
@@ -15,3 +15,10 @@ install:
 script:
  - make test
  - make test-backend-es-qs
+notifications:
+  email:
+    recipients:
+      - venom14@gmail.com
+      - thomas@patzke.org
+    on_success: change
+    on_failure: always
@@ -1,4 +1,12 @@
 ---
 # https://yamllint.readthedocs.io/en/latest/configuration.html
+extends: default
 rules:
+  comments: disable
+  comments-indentation: disable
  document-start: disable
+  empty-lines: {max: 2, max-start: 2, max-end: 2}
+  indentation: disable
+  line-length: disable
+  new-line-at-end-of-file: disable
+  trailing-spaces: disable
@@ -1,7 +1,7 @@
-.PHONY: test test-yaml test-sigmac
+.PHONY: test test-rules test-sigmac
 TMPOUT = $(shell tempfile||mktemp)
 COVSCOPE = tools/sigma/*.py,tools/sigma/backends/*.py,tools/sigmac,tools/merge_sigma
-test: clearcov test-yaml test-sigmac test-merge build finish
+test: clearcov test-rules test-sigmac test-merge build finish

 clearcov:
 	rm -f .coverage
@@ -10,21 +10,27 @@ finish:
 	coverage report --fail-under=90
 	rm -f $(TMPOUT)

-test-yaml:
+test-rules:
 	yamllint rules
+	tests/test_rules.py

 test-sigmac:
+	coverage run -a --include=$(COVSCOPE) tools/sigmac
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -h
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -l
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvd -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -O rulecomment -rvdI -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t graylog rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkxml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t wdatp rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala --backend-config tests/backend_config.yml rules/windows/process_creation/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-dsl rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t powershell -c tools/config/powershell-windows-all.yml -Ocsv rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight -c tools/config/arcsight.yml rules/ > /dev/null
@@ -39,6 +45,7 @@ test-sigmac:
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level=xcritical' rules/ > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'foo=bar' rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t es-qs rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/generic/sysmon.yml -c tools/config/elk-windows.yml -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t kibana rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -Ooutput=curl -t kibana rules/ > /dev/null
@@ -48,10 +55,13 @@ test-sigmac:
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t xpack-watcher rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-defaultindex.yml -t xpack-watcher rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/splunk-windows-all.yml -t splunk rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/splunk-windows-all-index.yml -t splunk rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/generic/sysmon.yml -c tools/config/splunk-windows-all.yml -t splunk rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logpoint-windows-all.yml -t logpoint rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t grep rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t fieldlist rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -O output=plain -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -t kibana -c tests/config-multiple_mapping.yml -c tests/config-multiple_mapping-2.yml tests/mapping-conditional-multi.yml > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -O output=json -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -o $(TMPOUT) - < tests/collection_repeat.yml > /dev/null
 	! coverage run -a --include=$(COVSCOPE)  tools/sigmac -t xpack-watcher -O output=foobar -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
@@ -24,6 +24,12 @@ This repository contains:

 [![Sigma - Generic Signatures for Log Events](https://preview.ibb.co/cMCigR/Screen_Shot_2017_10_18_at_15_47_15.png)](https://www.youtube.com/watch?v=OheVuE9Ifhs "Sigma - Generic Signatures for Log Events")

+## SANS Webcast on MITRE ATT&CK and Sigma
+
+The SANS webcast on Sigma contains a very good 20 min introduction to the project by John Hubbart from minute 39 onward. (SANS account required; registration is free)
+
+[MITRE ATT&CK and Sigma Alerting Webcast Recording](https://www.sans.org/webcasts/mitre-att-ck-sigma-alerting-110010 "MITRE ATT&CK and Sigma Alerting")
+
 # Use Cases

 * Describe your detection method in Sigma to make it sharable
@@ -61,7 +67,7 @@ Florian wrote a short [rule creation tutorial](https://www.nextron-systems.com/2
 1. Download or clone the respository
 2. Check the `./rules` sub directory for an overview on the rule base
 3. Run `python sigmac --help` in folder `./tools` to get a help on the rule converter
-4. Convert a rule of your choice with `sigmac` like `python sigmac -t splunk ../rules/windows/builtin/win_susp_process_creations.yml`
+4. Convert a rule of your choice with `sigmac` like `./sigmac -t splunk -c tools/config/generic/sysmon.yml ./rules/windows/process_creation/win_susp_whoami.yml`
 5. Convert a whole rule directory with `python sigmac -t splunk -r ../rules/proxy/`
 6. Check the `./tools/config` folder and the [wiki](https://github.com/Neo23x0/sigma/wiki/Converter-Tool-Sigmac) if you need custom field or log source mappings in your environment

@@ -90,7 +96,87 @@ Sigmac converts sigma rules into queries or inputs of the supported targets list
 Sigma library that may be used to integrate Sigma support in other projects. Further, there's `merge_sigma.py` which
 merges multiple YAML documents of a Sigma rule collection into simple Sigma rules.

-![sigmac_converter](./images/Sigmac-win_susp_rc4_kerberos.png)
+### Usage
+
+```
+usage: sigmac [-h] [--recurse] [--filter FILTER]
+              [--target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}]
+              [--target-list] [--config CONFIG] [--output OUTPUT]
+              [--backend-option BACKEND_OPTION] [--defer-abort]
+              [--ignore-backend-errors] [--verbose] [--debug]
+              [inputs [inputs ...]]
+
+Convert Sigma rules into SIEM signatures.
+
+positional arguments:
+  inputs                Sigma input files ('-' for stdin)
+
+optional arguments:
+  -h, --help            show this help message and exit
+  --recurse, -r         Use directory as input (recurse into subdirectories is
+                        not implemented yet)
+  --filter FILTER, -f FILTER
+                        Define comma-separated filters that must match (AND-
+                        linked) to rule to be processed. Valid filters:
+                        level<=x, level>=x, level=x, status=y, logsource=z,
+                        tag=t. x is one of: low, medium, high, critical. y is
+                        one of: experimental, testing, stable. z is a word
+                        appearing in an arbitrary log source attribute. t is a
+                        tag that must appear in the rules tag list, case-
+                        insensitive matching. Multiple log source
+                        specifications are AND linked.
+  --target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}, -t {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}
+                        Output target format
+  --target-list, -l     List available output target formats
+  --config CONFIG, -c CONFIG
+                        Configurations with field name and index mapping for
+                        target environment. Multiple configurations are merged
+                        into one. Last config is authorative in case of
+                        conflicts.
+  --output OUTPUT, -o OUTPUT
+                        Output file or filename prefix if multiple files are
+                        generated
+  --backend-option BACKEND_OPTION, -O BACKEND_OPTION
+                        Options and switches that are passed to the backend
+  --defer-abort, -d     Don't abort on parse or conversion errors, proceed
+                        with next rule. The exit code from the last error is
+                        returned
+  --ignore-backend-errors, -I
+                        Only return error codes for parse errors and ignore
+                        errors for rules that cause backend errors. Useful,
+                        when you want to get as much queries as possible.
+  --verbose, -v         Be verbose
+  --debug, -D           Debugging output
+```
+
+### Examples
+
+#### Single Rule Translation
+Translate a single rule
+```
+tools/sigmac -t splunk rules/windows/sysmon/sysmon_susp_image_load.yml
+```
+#### Rule Set Translation
+Translate a whole rule directory and ignore backend errors (`-I`) in rule conversion for the selected backend (`-t splunk`)
+```
+tools/sigmac -I -t splunk -r rules/windows/sysmon/
+```
+#### Rule Set Translation with Custom Config 
+Apply your own config file (`-c ~/my-elk-winlogbeat.yml`) during conversion, which can contain you custom field and source mappings
+```
+tools/sigmac -t es-qs -c ~/my-elk-winlogbeat.yml -r rules/windows/sysmon
+```
+#### Generic Rule Set Translation
+Use a config file for `process_creation` rules (`-r rules/windows/process_creation`) that instructs sigmac to create queries for a Sysmon log source (`-c tools/config/generic/sysmon.yml`) and the ElasticSearch target backend (`-t es-qs`) 
+```
+tools/sigmac -t es-qs -c tools/config/generic/sysmon.yml -r rules/windows/process_creation
+```
+#### Generic Rule Set Translation with Custom Config
+Use a config file for a single `process_creation` rule (`./rules/windows/process_creation/win_susp_outlook.yml`) that instructs sigmac to create queries for process creation events generated in the Windows Security Eventlog (`-c tools/config/generic/windows-audit.yml`) and a Splunk target backend (`-t splunk`)
+```
+tools/sigmac -t splunk -c ~/my-splunk-mapping.yml -c tools/config/generic/windows-audit.yml ./rules/windows/process_creation/win_susp_outlook.yml
+```
+(See @blubbfiction's [blog post](https://patzke.org/a-guide-to-generic-log-sources-in-sigma.html) for more information)

 ### Supported Targets

@@ -180,7 +266,7 @@ These tools are not part of the main toolchain and maintained separately by thei
 * Integration into Threat Intel Exchanges
 * Attempts to convince others to use the rule format in their reports, threat feeds, blog posts, threat sharing platforms

-# Projects that use Sigma
+# Projects or Products that use Sigma

 * [MISP](http://www.misp-project.org/2017/03/26/MISP.2.4.70.released.html) (since version 2.4.70, March 2017)
 * [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches) (Splunk App)
@@ -188,6 +274,7 @@ These tools are not part of the main toolchain and maintained separately by thei
 * [ypsilon](https://github.com/P4T12ICK/ypsilon) - Automated Use Case Testing 
 * [uncoder.io](https://uncoder.io/) - Online Translator for SIEM Searches
 * [SPARK](https://www.nextron-systems.com/2018/06/28/spark-applies-sigma-rules-in-eventlog-scan/) - Scan with Sigma rules on endpoints
+* [RANK VASA](https://globenewswire.com/news-release/2019/03/04/1745907/0/en/RANK-Software-to-Help-MSSPs-Scale-Cybersecurity-Offerings.html)

 # Licenses

@@ -201,4 +288,6 @@ The content of this repository is released under the following licenses:

 This is a private project mainly developed by Florian Roth and Thomas Patzke with feedback from many fellow analysts and friends. Rules are our own or have been drived from blog posts, tweets or other public sources that are referenced in the rules.

-Copyright for Tree Image: [studiobarcelona / 123RF Stock Photo](http://www.123rf.com/profile_studiobarcelona)
+# Info Graphic
+
+![sigmac_info_graphic](./images/sigma_infographic_lq.png)
@@ -0,0 +1,247 @@
+#!/usr/bin/python
+# Copyright 2018 juju4
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+"""
+Project: sigma2sumologic.py
+Date: 11 Jan 2019
+Author: juju4
+Version: 1.0
+Description: This script executes sumologic search queries from Sigma SIEM rules.
+Workflow:
+    1. Convert rules with sigmac
+    2. Enrich: add ignore+local custom rules, priority
+    3. Format
+    4. Get results and save to txt/xlsx files
+Requirements:
+    $ pip install sumologic-sdk pyyaml pandas
+"""
+
+import re
+import os, sys, stat
+import glob
+import subprocess
+import argparse
+import yaml
+import traceback
+import logging
+from sumologic import SumoLogic
+import time
+import datetime
+import json
+import pandas
+
+logging.basicConfig(level=logging.DEBUG)
+logger = logging.getLogger(__name__)
+formatter = logging.Formatter('%(asctime)s - %(name)s - p%(process)s {%(pathname)s:%(lineno)d} - %(levelname)s - %(message)s')
+handler = logging.FileHandler('sigma2sumo.log')
+handler.setFormatter(formatter)
+logger.addHandler(handler)
+
+parser = argparse.ArgumentParser(description='Execute sigma rules in sumologic')
+parser.add_argument("--conf", help="script yaml config file", type=str, required=True)
+parser.add_argument("--accessid", help="Sumologic Access ID", type=str, required=False)
+parser.add_argument("--accesskey", help="Sumologic Access Key", type=str, required=False)
+parser.add_argument("--endpoint", help="Sumologic url endpoint", type=str, required=False)
+parser.add_argument("--ruledir", help="sigma rule directory path to convert", type=str, required=False)
+parser.add_argument("--outdir", help="output directory to create rules", type=str, required=False)
+parser.add_argument("--sigmac", help="Sigmac location", default="../tools/sigmac", type=str)
+parser.add_argument("--realerttime", help="Realert time (optional value, default 5 minutes)", type=str, default=5)
+parser.add_argument("--debug", help="Show debug output", type=bool, default=False)
+args = parser.parse_args()
+
+LIMIT = 100
+delay = 5
+
+def rule_element(file_content, elements):
+    """
+    Function used to get specific element from yaml document and return content
+    :type file_content: str
+    :type elements: list
+    :param file_content:
+    :param elements: list of elements of the yaml document to get "title", "description"
+    :return: the value of the key in the yaml document
+    """
+    try:
+        logger.debug("file_content: %s" % file_content)
+        yaml.safe_load(file_content.replace("---",""))
+    except:
+        raise Exception('Unsupported')
+    element_output = ""
+    for e in elements:
+        try:
+            element_output = yaml.safe_load(file_content.replace("---",""))[e]
+        except:
+            pass
+    if element_output is None:
+        return ""
+    return element_output
+
+def get_rule_as_sumologic(file):
+    """
+    Function used to get sumologic query output from rule file
+    :type file: str
+    :param file: rule filename
+    :return: string query
+    """
+    if not os.path.exists(args.sigmac):
+        logger.error("Cannot find sigmac rule coverter at '%s', please set a correct location via '--sigmac'")
+    cmd = [args.sigmac, file, "--target", "sumologic"]
+    logger.info('get_rule_as_sumologic cmd: %s' % cmd)
+    process = subprocess.Popen(cmd,stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    output, err = process.communicate()
+
+    # output is byte-string...
+    output = output.decode("utf-8")
+    err = err.decode("utf-8")
+
+    logger.info('get_rule_as_sumologic output: %s' % output)
+    logger.info('get_rule_as_sumologic stderr: %s' % err)
+    if err or "unsupported" in err:
+        logger.error('Unsupported output at this time')
+        raise Exception('Unsupported output at this time')
+    output = output.split("\n")
+    # Remove empty string from \n
+    output = [a for a in output if a]
+    # Handle case of multiple queries returned
+    if len(output) > 1:
+        return " OR ".join(output)
+    return "".join(output)
+
+if args.help:
+    parser_print_help()
+
+if args.conf:
+    with open(args.conf, 'r') as ymlfile:
+        cfg = yaml.load(ymlfile)
+    args.accessid = cfg['accessid']
+    args.accesskey = cfg['accesskey']
+    args.endpoint = cfg['endpoint']
+    args.ruledir = cfg['ruledir']
+    args.outdir = cfg['outdir']
+    args.sigmac = cfg['sigmac']
+    try:
+        args.recursive = cfg['recursive']
+    except:
+        args.recursive = False
+    if args.recursive:
+        globpath = args.ruledir + "/**/*.yml"
+    else:
+        globpath = args.ruledir + "/*.yml"
+    logger.debug("args: %s" % args)
+    logger.debug("globpath: %s" % globpath)
+
+if args.outdir and not os.path.isdir(args.outdir):
+    os.mkdir(args.outdir, stat.S_IRWXU)
+
+# recursive
+for file in glob.iglob(globpath):
+# non-recursive (above, not working...)
+#for file in glob.iglob(args.ruledir + "/*.yml"):
+
+    file_basename = os.path.basename(os.path.splitext(file)[0])
+    file_basenamepath = os.path.splitext(file)[0]
+    file_ext = os.path.splitext(file)[1]
+    try:
+        if file_ext != '.yml':
+            continue
+
+        logger.info("Processing %s ..." % file_basename)
+        with open(file, "rb") as f:
+            file_content = f.read()
+
+        logger.info("Rule file: %s" % file)
+
+        sumo_query = get_rule_as_sumologic(file)
+
+        logger.info("  Checking if custom query file: %s" % file_basenamepath + '.custom')
+        if os.path.isfile(file_basenamepath + '.custom'):
+            # FIXME! want to add something in the middle for parsing for example...
+            logger.info("  Adding custom part to end query from: %s" % file_basenamepath + '.custom')
+            with open(file_basenamepath + '.custom', "rb") as f:
+                sumo_query += " " + f.read().decode('utf-8')
+        elif 'count ' not in sumo_query and ('EventID=' in sumo_query):
+                sumo_query += " | count _sourceCategory, hostname, EventID, msg_summary, _raw"
+        elif 'count ' not in sumo_query:
+                sumo_query += " | count _sourceCategory, hostname, _raw"
+
+        logger.info("Final sumo query: %s" % sumo_query)
+
+    except Exception as e:
+        if args.debug:
+            traceback.print_exc()
+        logger.exception("error generating sumo query " + str(file) + "----" + str(e))
+        pass
+
+    try:
+        # Run query
+        # https://github.com/SumoLogic/sumologic-python-sdk/blob/master/scripts/search-job.py
+        sumo = SumoLogic(args.accessid, args.accesskey, args.endpoint)
+        toTime = datetime.datetime.now().strftime("%Y-%m-%dT%H:%M:%S")
+        fromTime = datetime.datetime.strptime(toTime, "%Y-%m-%dT%H:%M:%S") - datetime.timedelta(hours = 24)
+        fromTime = fromTime.strftime("%Y-%m-%dT%H:%M:%S")
+        timeZone = 'UTC'
+        byReceiptTime = True
+
+        sj = sumo.search_job(sumo_query, fromTime, toTime, timeZone, byReceiptTime)
+
+        status = sumo.search_job_status(sj)
+        while status['state'] != 'DONE GATHERING RESULTS':
+            if status['state'] == 'CANCELLED':
+                break
+            time.sleep(delay)
+            status = sumo.search_job_status(sj)
+
+    except Exception as e:
+        if args.debug:
+            traceback.print_exc()
+        logger.exception("error seaching sumo  " + str(file) + "----" + str(e))
+        with open(os.path.join(args.outdir, "sigma-" + file_basename + '-error.txt'), "w") as f:
+            f.write(json.dumps(r, indent=4, sort_keys=True) + " ERROR: %s\n\nQUERY: %s" % (e, sumo_query))
+        pass
+
+    logger.info("Sumo search job status: %s" % status['state'])
+
+    try:
+        if status['state'] == 'DONE GATHERING RESULTS':
+            count = status['recordCount']
+            limit = count if count < LIMIT and count != 0 else LIMIT # compensate bad limit check
+            r = sumo.search_job_records(sj, limit=limit)
+            logger.info("Sumo search results: %s" % r)
+
+        logger.info("Saving final sumo query for %s to %s" % (file, os.path.join(args.outdir, "sigma-" + file_basename + '.sumo')))
+        with open(os.path.join(args.outdir, "sigma-" + file_basename + '.sumo'), "w") as f:
+            f.write(sumo_query)
+        if r and r['records'] != []:
+            logger.info("Saving results")
+            # as json text file
+            with open(os.path.join(args.outdir, "sigma-" + file_basename + '.txt'), "w") as f:
+                f.write(json.dumps(r, indent=4, sort_keys=True))
+            # as excel file
+            df = pandas.io.json.json_normalize(r['records'])
+            with pandas.ExcelWriter(os.path.join(args.outdir, "sigma-" + file_basename + ".xlsx")) as writer:
+                df.to_excel(writer, 'data')
+                pandas.DataFrame({'References': [
+                    "timeframe: from %s to %s" % (fromTime, toTime),
+                    "Sumo endpoint: %s" % args.endpoint,
+                    "Sumo query: %s" % sumo_query
+                    ]}).to_excel(writer, 'comments')
+
+        # and do whatever you want, email alert, report, ticket...
+
+    except Exception as e:
+        if args.debug:
+            traceback.print_exc()
+        logger.exception("error saving results " + str(file) + "----" + str(e))
+        pass
@@ -1,32 +1,20 @@
---
-action: global
 title: APT29 
 description: 'This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks' 
 references:
    - https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
-logsource:
-    product: windows
+tags:
+    - attack.execution
+    - attack.g0016
+    - attack.t1086
 author: Florian Roth
 date: 2018/12/04 
+logsource:
+    category: process_creation
+    product: windows
 detection:
+    selection:
+        CommandLine: '*-noni -ep bypass $*'
    condition: selection
 falsepositives:
    - unknown
 level: critical
---
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: '*-noni -ep bypass $*'
---
-logsource:
-    product: windows
-    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: '*-noni -ep bypass $*'
@@ -5,33 +5,28 @@ description: 'This method detects malicious services mentioned in APT29 report b
 references:
    - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
 tags:
-    - attack.command_and_control
+    - attack.persistence
    - attack.g0016
-    - attack.t1172
+    - attack.t1050
 logsource:
    product: windows
+    service: system
 detection:
-    service:
+    service_install:
        EventID: 7045
        ServiceName: 'Google Update'
    timeframe: 5m
-    condition: service | near process
+    condition: service_install | near process
 falsepositives:
    - Unknown
 level: high
+
 ---
-# Windows Audit Log
+logsource:
+    category: process_creation
+    product: windows
 detection:
    process:
-        EventID: 4688 
-        NewProcessName: 
-            - 'C:\Program Files(x86)\Google\GoogleService.exe'
-            - 'C:\Program Files(x86)\Google\GoogleUpdate.exe'
---
-# Sysmon
-detection:
-    process:
-        EventID: 1 
        Image: 
            - 'C:\Program Files(x86)\Google\GoogleService.exe'
            - 'C:\Program Files(x86)\Google\GoogleUpdate.exe'
@@ -0,0 +1,28 @@
+title: Baby Shark Activity
+status: experimental
+description: Detects activity that could be related to Baby Shark malware
+references:
+    - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
+tags:
+    - attack.execution
+    - attack.t1059
+    - attack.t1086
+    - attack.discovery
+    - attack.t1012
+    - attack.defense_evasion
+    - attack.t1170
+logsource:
+    category: process_creation
+    product: windows
+author: Florian Roth
+date: 2019/02/24
+detection:
+    selection:
+        CommandLine:
+            - reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
+            - powershell.exe mshta.exe http*
+            - cmd.exe /c taskkill /im cmd.exe
+    condition: selection
+falsepositives:
+    - unknown
+level: high
@@ -0,0 +1,24 @@
+title: Judgement Panda Exfil Activity
+description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
+references:
+    - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
+author: Florian Roth
+date: 2019/02/21
+tags:
+    - attack.credential_access
+    - attack.t1081
+    - attack.t1003
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        Image: '*\xcopy.exe'
+        CommandLine: '* /S /E /C /Q /H \\*'
+    selection2:
+        Image: '*\adexplorer.exe'
+        CommandLine: '* -snapshot "" c:\users\\*'
+    condition: selection1 or selection2
+falsepositives:
+    - unknown
+level: critical
@@ -3,7 +3,7 @@ description: 'This method detects a service install of malicious services mentio
 references:
    - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
 tags:
-    - attack.command_and_control
+    - attack.persistence
    - attack.g0010
    - attack.t1050
 logsource:
@@ -5,8 +5,14 @@ description: Detects Chafer activity attributed to OilRig as reported in Nyotron
 references:
    - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
 tags:
+    - attack.persistence
    - attack.g0049
+    - attack.t1053
+    - attack.s0111
+    - attack.defense_evasion
+    - attack.t1112
 date: 2018/03/23
+modified: 2019/03/01
 author: Florian Roth, Markus Neis
 detection:
    condition: 1 of them
@@ -24,6 +30,16 @@ detection:
            - 'SC Scheduled Scan'
            - 'UpdatMachine'
 ---
+logsource:
+    product: windows
+    service: security
+detection:
+    selection_service:
+        EventID: 4698
+        TaskName:
+            - 'SC Scheduled Scan'
+            - 'UpdatMachine'
+---
 logsource:
   product: windows
   service: sysmon
@@ -39,17 +55,19 @@ detection:
        TargetObject: '*\Control\SecurityProviders\WDigest\UseLogonCredential'
        EventType: 'SetValue'
        Details: 'DWORD (0x00000001)'
+---
+logsource:
+    category: process_creation
+    product: windows
+detection:
    selection_process1:
-        EventID: 1 
        CommandLine: 
            - '*\Service.exe i'
            - '*\Service.exe u'
            - '*\microsoft\Taskbar\autoit3.exe'
            - 'C:\wsc.exe*'
    selection_process2:
-        EventID: 1
-        Image: '*\Windows\Temp\DB\*.exe'
+        Image: '*\Windows\Temp\DB\\*.exe'
    selection_process3:
-        EventID: 1
        CommandLine: '*\nslookup.exe -q=TXT*'
-        ParentImage: '*\Autoit*'
+        ParentImage: '*\Autoit*'
@@ -8,11 +8,10 @@ tags:
    - attack.g0045
    - attack.t1064
 logsource:
+    category: process_creation
    product: windows
-    service: sysmon
 detection:
    selection:
-        EventID: 1
        Image: '*\cscript.exe'
        CommandLine: '*.vbs /shell *'
    condition: selection
@@ -1,5 +1,3 @@
---
-action: global
 title: CrackMapExecWin 
 description: Detects CrackMapExecWin Activity as Described by NCSC
 status: experimental
@@ -8,31 +6,14 @@ references:
 tags:
    - attack.g0035
 author: Markus Neis
-detection:
-    condition: 1 of them
-falsepositives: 
-    - None 
-level: critical
---
-# Windows Audit Log
 logsource:
+    category: process_creation
    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
-    selection1:
-        # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
-        EventID: 4688
-        NewProcessName:
-            - '*\crackmapexec.exe'
---
-# Sysmon
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection1:
-        # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
-        EventID: 1
+    selection:
        Image:
            - '*\crackmapexec.exe'
+    condition: selection
+falsepositives: 
+    - None 
+level: critical
@@ -10,15 +10,13 @@ tags:
 author: Florian Roth
 date: 2018/01/31
 logsource:
+    category: process_creation
    product: windows
-    service: sysmon
 detection:
    selection1:
-        EventID: 1
        Image: 'C:\Windows\SysWOW64\cmd.exe'
        CommandLine: '*\Windows\Caches\NavShExt.dll *'
    selection2:
-        EventID: 1
        CommandLine: '*\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'
    condition: 1 of them
 falsepositives:
@@ -1,6 +1,5 @@
---
-action: global
 title: Equation Group DLL_U Load
+author: Florian Roth
 description: Detects a specific tool and export used by EquationGroup
 references:
    - https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
@@ -10,36 +9,18 @@ tags:
    - attack.execution
    - attack.g0020
    - attack.t1059
-author: Florian Roth
-date: 2018/03/10 
-modified: 2018/12/11
+    - attack.defense_evasion
+    - attack.t1085
+logsource:
+    category: process_creation
+    product: windows
 detection:
+    selection1:
+        Image: '*\rundll32.exe'
+        CommandLine: '*,dll_u'
+    selection2:
+        CommandLine: '* -export dll_u *'
    condition: 1 of them
 falsepositives:
    - Unknown
 level: critical
---
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection1:
-        EventID: 1
-        Image: '*\rundll32.exe'
-        CommandLine: '*,dll_u'
-    selection2:
-        EventID: 1
-        CommandLine: '* -export dll_u *'
---
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection1:
-        EventID: 4688
-        Image: '*\rundll32.exe'
-        ProcessCommandLine: '*,dll_u'
-    selection2:
-        EventID: 4688
-        ProcessCommandLine: '* -export dll_u *'
@@ -68,7 +68,6 @@ detection:
        - 'chmod 755 /usr/vmsys/bin/pipe'
        - 'chmod -R 755 /usr/vmsys'
        - 'chmod 755 $opbin/*tunnel'
-        - '< /dev/console | uudecode && uncompress'
        - 'chmod 700 sendmail'
        - 'chmod 0700 sendmail'
        - '/usr/bin/wget http*sendmail;chmod +x sendmail;'
@@ -1,6 +1,5 @@
---
-action: global
 title: Hurricane Panda Activity
+author: Florian Roth
 status: experimental
 description: Detects Hurricane Panda Activity 
 references: 
@@ -9,34 +8,16 @@ tags:
    - attack.privilege_escalation
    - attack.g0009
    - attack.t1068
-author: Florian Roth
-date: 2018/02/25
-modified: 2018/12/11
+logsource:
+    category: process_creation
+    product: windows
 detection:
+    selection:
+        CommandLine: 
+            - '* localgroup administrators admin /add'
+            - '*\Win64.exe*'
    condition: selection
 falsepositives:
    - Unknown
 level: high
---
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: 
-            - '* localgroup administrators admin /add'
-            - '*\Win64.exe*'
---
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: 
-            - '* localgroup administrators admin /add'
-            - '*\Win64.exe*'
-

@@ -0,0 +1,33 @@
+title: Judgement Panda Exfil Activity
+description: Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike
+references:
+    - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
+author: Florian Roth
+date: 2019/02/21
+tags:
+    - attack.lateral_movement
+    - attack.g0010
+    - attack.credential_access
+    - attack.t1098
+    - attack.exfiltration
+    - attack.t1002
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        CommandLine:
+            - '*\ldifde.exe -f -n *'
+            - '*\7za.exe a 1.7z *'
+            - '* eprod.ldf'
+            - '*\aaaa\procdump64.exe*'
+            - '*\aaaa\netsess.exe*'
+            - '*\aaaa\7za.exe*'
+            - '*copy .\1.7z \\*'
+            - '*copy \\client\c$\aaaa\*'
+    selection2:
+        Image: C:\Users\Public\7za.exe
+    condition: selection1 or selection2
+falsepositives:
+    - unknown
+level: critical
@@ -1,3 +1,5 @@
+---
+action: global
 title: Pandemic Registry Key
 status: experimental
 description: Detects Pandemic Windows Implant
@@ -8,19 +10,7 @@ tags:
    - attack.lateral_movement
    - attack.t1105
 author: Florian Roth
-logsource:
-    product: windows
-    service: sysmon
 detection:
-    selection1:
-        EventID: 13
-        TargetObject: 
-            - '\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\null\Instance*'
-            - '\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\null\Instance*'
-            - '\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\null\Instance*'
-    selection2:
-        EventID: 1
-        Command: 'loaddll -a *'
    condition: 1 of them
 fields:
    - EventID
@@ -32,4 +22,22 @@ fields:
 falsepositives:
    - unknown
 level: critical
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        EventID: 13
+        TargetObject: 
+            - '\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\null\Instance*'
+            - '\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\null\Instance*'
+            - '\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\null\Instance*'
+---
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection2:
+        Command: 'loaddll -a *'

@@ -1,29 +1,25 @@
 ---
 action: global
 title: Defrag Deactivation
+author: Florian Roth
 description: Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group
 references:
    - https://securelist.com/apt-slingshot/84312/
 tags:
    - attack.persistence
-author: Florian Roth
-date: 2018/03/10
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'       
+    - attack.t1053
+    - attack.s0111
 detection:
-    condition: selection
+    condition: 1 of them
 falsepositives:
    - Unknown
 level: medium
 ---
 logsource:
+    category: process_creation
    product: windows
-    service: sysmon
 detection:
-    selection:
-        EventID: 1
+    selection1:
        CommandLine: 
            - '*schtasks* /delete *Defrag\ScheduledDefrag*'
 ---
@@ -32,6 +28,6 @@ logsource:
    service: security
    definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'       
 detection:
-    selection:
+    selection2:
        EventID: 4701
-        TaskName: '\Microsoft\Windows\Defrag\ScheduledDefrag'
+        TaskName: '\Microsoft\Windows\Defrag\ScheduledDefrag'
@@ -1,6 +1,5 @@
---
-action: global
 title: Sofacy Trojan Loader Activity
+author: Florian Roth
 status: experimental
 description: Detects Trojan loader acitivty as used by APT28 
 references: 
@@ -9,32 +8,19 @@ references:
    - https://twitter.com/ClearskySec/status/960924755355369472
 tags:
    - attack.g0007
-author: Florian Roth
-date: 2018/03/01
-modified: 2018/12/11
+    - attack.execution
+    - attack.t1059
+    - attack.defense_evasion
+    - attack.t1085
+logsource:
+    category: process_creation
+    product: windows
 detection:
+    selection:
+        CommandLine: 
+            - 'rundll32.exe %APPDATA%\\*.dat",*'
+            - 'rundll32.exe %APPDATA%\\*.dll",#1'
    condition: selection
 falsepositives:
    - Unknown
 level: critical
---
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: 
-            - 'rundll32.exe %APPDATA%\*.dat",*'
-            - 'rundll32.exe %APPDATA%\*.dll",#1'
---
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: 
-            - 'rundll32.exe %APPDATA%\*.dat",*'
-            - 'rundll32.exe %APPDATA%\*.dll",#1'
@@ -1,6 +1,5 @@
---
-action: global
 title: Sofacy Zebrocy
+author: Florian Roth
 description: Detects Sofacy's Zebrocy malware execution
 references:
    - https://app.any.run/tasks/54acca9a-394e-4384-a0c8-91a96d36c81d
@@ -8,27 +7,13 @@ tags:
    - attack.execution
    - attack.g0020
    - attack.t1059
-author: Florian Roth
-date: 2018/03/10
+logsource:
+    category: process_creation
+    product: windows
 detection:
+    selection:
+        CommandLine: '*cmd.exe /c SYSTEMINFO & TASKLIST'
    condition: selection
 falsepositives:
    - Unknown
 level: critical
---
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: '*cmd.exe /c SYSTEMINFO & TASKLIST'
---
-logsource:
-    product: windows
-    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: '*cmd.exe /c SYSTEMINFO & TASKLIST'
@@ -9,11 +9,10 @@ tags:
 author: Florian Roth
 date: 2017/10/22
 logsource:
+    category: process_creation
    product: windows
-    service: sysmon
 detection:
    selection:
-        EventID: 1
        CommandLine: 'ps.exe -accepteula'
    condition: selection
 falsepositives:
@@ -1,34 +1,17 @@
-action: global
 title: TropicTrooper Campaign November 2018
+author: "@41thexplorer, Windows Defender ATP"
 status: stable
 description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
 references:
    - https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
-author: "@41thexplorer, Windows Defender ATP"
-date: 2018/11/30
-modified: 2018/12/11
 tags:
    - attack.execution
    - attack.t1085
+logsource:
+    category: process_creation
+    product: windows
 detection:
+    selection:
+        CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
    condition: selection
-level: high
---
-# Windows Security Eventlog: Process Creation with Full Command Line
-logsource:
-    product: windows
-    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
---
-# Sysmon: Process Creation (ID 1)
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
+level: high
@@ -6,35 +6,37 @@ description: Detects automated lateral movement by Turla group
 references:
    - https://securelist.com/the-epic-turla-operation/65545/
 tags:
-    - attack.lateral_movement
    - attack.g0010
+    - attack.execution
+    - attack.t1059
+    - attack.lateral_movement
+    - attack.t1077
+    - attack.discovery
+    - attack.t1083
+    - attack.t1135
 author: Markus Neis
 date: 2017/11/07
 logsource:
-   product: windows
-   service: sysmon
+    category: process_creation
+    product: windows
 falsepositives:
   - Unknown
 ---
 detection:
   selection:
-      EventID: 1
      CommandLine: 
         - 'net use \\%DomainController%\C$ "P@ssw0rd" *'
-         - 'dir c:\*.doc* /s'
-         - 'dir %TEMP%\*.exe'
+         - 'dir c:\\*.doc* /s'
+         - 'dir %TEMP%\\*.exe'
   condition: selection
 level: critical
 ---
 detection:
   netCommand1:
-      EventID: 1
      CommandLine: 'net view /DOMAIN'
   netCommand2:
-      EventID: 1
      CommandLine: 'net session'
   netCommand3:
-      EventID: 1
      CommandLine: 'net share'
   timeframe: 1m
   condition: netCommand1 | near netCommand2 and netCommand3 
@@ -5,9 +5,9 @@ references:
 author: Florian Roth
 date: 2018/11/23
 tags:
-    - attack.command_and_control
-    - attack.g0016
-    - attack.t1172
+    - attack.persistence
+    - attack.g0010
+    - attack.t1050
 logsource:
    product: windows
    service: system
@@ -1,3 +1,4 @@
+---
 action: global
 title: Unidentified Attacker November 2018
 status: stable
@@ -11,26 +12,14 @@ tags:
    - attack.execution
    - attack.t1085
 detection:
-    condition: selection
+    condition: 1 of them
 level: high
 ---
-# Windows Security Eventlog: Process Creation with Full Command Line
 logsource:
+    category: process_creation
    product: windows
-    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: '*cyzfc.dat, PointFunctionCall'
---
-# Sysmon: Process Creation (ID 1)
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
+    selection1:
        CommandLine: '*cyzfc.dat, PointFunctionCall'
 ---
 # Sysmon: File Creation (ID 11)
@@ -38,7 +27,7 @@ logsource:
    product: windows
    service: sysmon
 detection:
-    selection:
+    selection2:
        EventID: 11
        TargetFilename: 
            - '*ds7002.lnk*' 
@@ -5,12 +5,15 @@ references:
    - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
 tags:
    - attack.g0001
+    - attack.execution
+    - attack.t1059
+    - attack.defense_evasion
+    - attack.t1085
 logsource:
+    category: process_creation
    product: windows
-    service: sysmon
 detection:
    selection:
-        EventID: 1
        Command: 
            - 'rundll32.exe *,zxFunction*'
            - 'rundll32.exe *,RemoteDiskXXXXX'
@@ -6,12 +6,16 @@ date: 2017/06/03
 references:
    - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
    - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
+tags:
+    - attack.execution
+    - attack.t1059
+    - attack.defense_evasion
+    - attack.t1085
 logsource:
+    category: process_creation
    product: windows
-    service: sysmon
 detection:
    selection:
-        EventID: 1
        CommandLine: '*\rundll32.exe *,InstallArcherSvc'
    condition: selection
 fields:
@@ -6,6 +6,8 @@ references:
    - http://pastebin.com/FtygZ1cg
    - https://artkond.com/2017/03/23/pivoting-guide/
 author: Florian Roth
+date: 2017/08/21
+modified: 2019/02/05
 logsource:
    product: linux
 detection:
@@ -15,30 +17,37 @@ detection:
        - 'wget * - http* | sh'
        - 'wget * - http* | bash'
        - 'python -m SimpleHTTPServer'
-        - 'import pty; pty.spawn'
+        - '-m http.server'  # Python 3
+        - 'import pty; pty.spawn*'
+        - 'socat exec:*'
+        - 'socat -O /tmp/*'
+        - 'socat tcp-connect*'
+        - '*echo binary >>*'
        # Malware 
        - '*wget *; chmod +x*'
        - '*wget *; chmod 777 *'
        - '*cd /tmp || cd /var/run || cd /mnt*'
        # Apache Struts in-the-wild exploit codes  
-        - 'stop;service iptables stop;'
-        - 'stop;SuSEfirewall2 stop;'
-        - 'chmod 777 2020'
-        - '">>/etc/rc.local;'
-        - 'wget -c *;chmod 777'
+        - '*stop;service iptables stop;*'
+        - '*stop;SuSEfirewall2 stop;*'
+        - 'chmod 777 2020*'
+        - '*>>/etc/rc.local'
        # Metasploit framework exploit codes
-        - 'base64 -d /tmp/'
-        - ' | base64 -d'
-        - '/bin/chmod u+s'
-        - 'chmod +s /tmp/'
-        - 'chmod u+s /tmp/'
-        - '/tmp/haxhax'
-        - '/tmp/ns_sploit'
-        - 'nc -l -p '
-        - 'cp /bin/ksh '
-        - 'cp /bin/sh '
-        - ' /tmp/*.b64 '
-        - '/tmp/ysocereal.jar'
+        - '*base64 -d /tmp/*'
+        - '* | base64 -d *'
+        - '*/chmod u+s *'
+        - '*chmod +s /tmp/*'
+        - '*chmod u+s /tmp/*'
+        - '* /tmp/haxhax*'
+        - '* /tmp/ns_sploit*'
+        - 'nc -l -p *'
+        - 'cp /bin/ksh *'
+        - 'cp /bin/sh *'
+        - '* /tmp/*.b64 *'
+        - '*/tmp/ysocereal.jar*'
+        - '*/tmp/x *'
+        - '*; chmod +x /tmp/*'
+        - '*;chmod +x /tmp/*'
    condition: keywords
 falsepositives:
    - Unknown
@@ -0,0 +1,20 @@
+title: Chafer Malware URL Pattern
+status: experimental
+description: Detects HTTP requests used by Chafer malware
+references:
+    - https://securelist.com/chafer-used-remexi-malware/89538/
+author: Florian Roth
+date: 2019/01/31
+logsource:
+    category: proxy
+detection:
+    selection:
+        c-uri-query: '*/asp.asp?ui=*'
+    condition: selection
+fields:
+    - ClientIP
+    - URL
+    - UserAgent
+falsepositives:
+    - Unknown
+level: critical
@@ -0,0 +1,19 @@
+title: CobaltStrike Malleable (OCSP) Profile
+status: experimental
+description: Detects Malleable (OCSP) Profile with Typo (OSCP) in URL
+references:
+    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/ocsp.profile
+author: Markus Neis
+tags:
+    - attack.t1102
+logsource:
+    category: proxy
+detection:
+    selection:
+      URL: '*/oscp/*'
+      Host: 'ocsp.verisign.com'
+     
+    condition: selection 
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,21 @@
+title: CobaltStrike Malleable OneDrive browsing traffic profile
+status: experimental
+description: Detects Malleable OneDrive Profile 
+references:
+    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile    
+author: Markus Neis
+tags:
+    - attack.t1102
+logsource:
+    category: proxy
+detection:
+    selection:
+      HttpMethod: 'GET'
+      URL: '*?manifest=wac'
+      Host: 'onedrive.live.com'
+    filter:
+      URL: 'http*://onedrive.live.com/*'     
+    condition: selection and not filter
+falsepositives:
+    - Unknown
+level: high
@@ -56,7 +56,6 @@ detection:
            - '*.mooo.com'
            - '*.dns-dns.com'
            - '*.strangled.net'
-            - '*.ddns.info'
            - '*.adultdns.net'
            - '*.craftx.biz'
            - '*.ddns01.com'
@@ -53,14 +53,12 @@ detection:
            - '*.vip'
            - '*.party'
            - '*.tech'
-            - '*.tech'
            - '*.xyz'
            - '*.date'
            - '*.faith'
            - '*.zip'
            - '*.cricket'
            - '*.space'
-            - '*.top'
            # McAfee report 
            - '*.info'
            - '*.vn'
@@ -94,11 +92,12 @@ detection:
            - '*.trade'
            - '*.accountant'
            # Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
-            - '*.click'
            - '*.cf'
            - '*.gq'
            - '*.ml'
            - '*.ga'
+            # Custom 
+            - '*.pw'
    condition: selection
 fields:
    - ClientIP
@@ -39,6 +39,8 @@ detection:
        - 'Mozilla/4.0 (compatible; RMS)'  # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw
        - 'Mozilla/4.0 (compatible; MSIE 6.0; DynGate)'  # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw
        - 'O/9.27 (W; U; Z)' # Cmstar https://www.virustotal.com/#/file/e4328011bb2b04abc856ccd04404c9f95d67167f6c291d343e8ffa8aa2aa2099/details
+        - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0;  Trident/5.0*'  # KerrDown UA https://goo.gl/s2WU6o
+        - 'Mozilla/5.0 (Windows NT 9; *'  # Suspicious 'Windows NT 9' user agent - used by APT33 malware in 2018
    condition: selection
 fields:
    - ClientIP
@@ -0,0 +1,26 @@
+title: Bitsadmin to Uncommon TLD
+status: experimental
+description: Detects Bitsadmin connections to domains with uncommon TLDs 
+    - https://twitter.com/jhencinski/status/1102695118455349248
+    - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
+author: Florian Roth
+date: 2019/03/07
+logsource:
+    category: proxy
+detection:
+    selection:
+        UserAgent:
+            - 'Microsoft BITS/*'
+    falsepositives:
+        r-dns:
+            - '*.com' 
+            - '*.net' 
+            - '*.org' 
+    condition: selection and not falsepositives
+fields:
+    - ClientIP
+    - URL
+    - UserAgent
+falsepositives:
+    - Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca
+level: high
@@ -33,6 +33,7 @@ detection:
        - 'X-FORWARDED-FOR'
        - 'DotDotPwn v2.1'
        - 'SIPDROID'
+        - 'Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)'  # CobaltStrike https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/

        # Exploits
        - '*wordpress hash grabber*'
@@ -21,6 +21,7 @@ detection:
        - 'Mozila/*'  # single 'l'
        - '_'
        - 'CertUtil URL Agent'  # https://twitter.com/stvemillertime/status/985150675527974912
+        - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)'  # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
    falsepositives:
        UserAgent:
            - 'Mozilla/3.0 * Acrobat *'  # Acrobat with linked content
@@ -0,0 +1,16 @@
+title: Apache Threading Error
+status: experimental
+description: Detects an issue in apache logs that reports threading related errors
+author: Florian Roth
+date: 2019/01/22
+references:
+    - https://github.com/hannob/apache-uaf/blob/master/README.md
+logsource:
+    product: apache
+detection:
+    keywords:
+        - '__pthread_tpp_change_priority: Assertion `new_prio == -1 || (new_prio >= fifo_min_prio && new_prio <= fifo_max_prio)'
+    condition: keywords
+falsepositives:
+    - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185
+level: medium
@@ -5,6 +5,7 @@ references:
 tags:
    - attack.lateral_movement
    - attack.t1078
+    - car.2016-04-005
 status: experimental
 author: juju4
 logsource:
@@ -18,6 +19,6 @@ detection:
        AuthenticationPackageName: Negotiate
        AccountName: 'Admin-*'
    condition: selection
-falsepositives: 
+falsepositives:
    - Legitimate administrative activity
 level: low
@@ -8,6 +8,7 @@ author: '@neu5ron'
 tags:
    - attack.t1098
    - attack.credential_access
+    - attack.persistence
 logsource:
    product: windows
    service: security
@@ -4,6 +4,9 @@ references:
    - https://adsecurity.org/?p=2053
    - https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
 author: '@neu5ron'
+tags:
+    - attack.defense_evasion
+    - attack.t1089
 logsource:
    product: windows
    service: security
@@ -1,21 +0,0 @@
-title: Eventlog Cleared Experimental
-status: experimental
-description: Detects a cleared Windows Eventlog as e.g. caused by "wevtutil cl" command execution  
-author: Florian Roth
-date: 2017/06/27
-references:
-    - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
-tags:
-    - attack.defense_evasion
-    - attack.t1070
-logsource:
-    product: windows
-    service: system
-detection:
-    selection:
-        EventID: 104
-        Source: Eventlog
-    condition: selection
-falsepositives:
-    - unknown
-level: high
@@ -1,52 +0,0 @@
---
-action: global
-title: Rubeus Hack Tool
-description: Detects command line parameters used by Rubeus hack tool 
-author: Florian Roth
-references: 
-    - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
-date: 2018/12/19
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - attack.s0005
-detection:
-    condition: selection
-falsepositives:
-    - unlikely
-level: critical
---
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: 
-            - '* asreproast *'
-            - '* dump /service:krbtgt *'
-            - '* kerberoast *'
-            - '* createnetonly /program:*'
-            - '* ptt /ticket:*'
-            - '* /impersonateuser:*'
-            - '* renew /ticket:*'
-            - '* asktgt /user:*'
-            - '* harvest /interval:*'
---
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: 
-            - '* asreproast *'
-            - '* dump /service:krbtgt *'
-            - '* kerberoast *'
-            - '* createnetonly /program:*'
-            - '* ptt /ticket:*'
-            - '* /impersonateuser:*'
-            - '* renew /ticket:*'
-            - '* asktgt /user:*'
-            - '* harvest /interval:*'
@@ -11,6 +11,7 @@ tags:
    - attack.t1035
 logsource:
    product: windows
+    service: system
 detection:
    service_installation:
        EventID: 7045
@@ -1,3 +1,5 @@
+---
+action: global
 title: Malicious Service Install
 description: This method detects well-known keywords of malicious services in the Windows System Eventlog 
 author: Florian Roth
@@ -9,10 +11,9 @@ logsource:
    product: windows
    service: system
 detection:
-    selection:
+    selection1:
        EventID: 
          - 7045
-          - 4697
    keywords:
      - 'WCE SERVICE'
      - 'WCESERVICE'
@@ -20,7 +21,14 @@ detection:
    quarkspwdump:
        EventID: 16
        HiveName: '*\AppData\Local\Temp\SAM*.dmp'
-    condition: ( selection and keywords ) or quarkspwdump
+    condition: ( selection1 and keywords ) or ( selection2 and keywords ) or quarkspwdump
 falsepositives:
    - Unlikely
 level: high
+---
+logsource:
+    product: windows
+    service: security
+detection:
+    selection2:
+        EventID: 4697
@@ -1,112 +0,0 @@
-action: global
-title: Quick Execution of a Series of Suspicious Commands
-description: Detects multiple suspicious process in a limited timeframe
-status: experimental
-references:
-    - https://car.mitre.org/wiki/CAR-2013-04-002
-author: juju4
-modified: 2012/12/11
-falsepositives:
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: low
---
-# Windows Audit Log
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: 
-            - arp.exe
-            - at.exe
-            - attrib.exe
-            - cscript.exe
-            - dsquery.exe
-            - hostname.exe
-            - ipconfig.exe
-            - mimikatz.exe
-            - nbstat.exe
-            - net.exe
-            - netsh.exe
-            - nslookup.exe
-            - ping.exe
-            - quser.exe
-            - qwinsta.exe
-            - reg.exe
-            - runas.exe
-            - sc.exe
-            - schtasks.exe
-            - ssh.exe
-            - systeminfo.exe
-            - taskkill.exe
-            - telnet.exe
-            - tracert.exe
-            - wscript.exe
-            - xcopy.exe
-# others
-            - pscp.exe
-            - copy.exe
-            - robocopy.exe
-            - certutil.exe
-            - vssadmin.exe
-            - powershell.exe
-            - wevtutil.exe
-            - psexec.exe
-            - bcedit.exe
-            - wbadmin.exe
-            - icacls.exe
-            - diskpart.exe
-    timeframe: 5m
-    condition: selection | count() by MachineName > 5
---
-# Sysmon
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: 
-            - arp.exe
-            - at.exe
-            - attrib.exe
-            - cscript.exe
-            - dsquery.exe
-            - hostname.exe
-            - ipconfig.exe
-            - mimikatz.exe
-            - nbstat.exe
-            - net.exe
-            - netsh.exe
-            - nslookup.exe
-            - ping.exe
-            - quser.exe
-            - qwinsta.exe
-            - reg.exe
-            - runas.exe
-            - sc.exe
-            - schtasks.exe
-            - ssh.exe
-            - systeminfo.exe
-            - taskkill.exe
-            - telnet.exe
-            - tracert.exe
-            - wscript.exe
-            - xcopy.exe
-# others
-            - pscp.exe
-            - copy.exe
-            - robocopy.exe
-            - certutil.exe
-            - vssadmin.exe
-            - powershell.exe
-            - wevtutil.exe
-            - psexec.exe
-            - bcedit.exe
-            - wbadmin.exe
-            - icacls.exe
-            - diskpart.exe
-    timeframe: 5m
-    condition: selection | count() by MachineName > 5
@@ -22,9 +22,9 @@ detection:
    selection1:
        EventID: 13
        TargetObject: 
-            - '*SYSTEM\*ControlSet*\Control\Lsa\lmcompatibilitylevel'
-            - '*SYSTEM\*ControlSet*\Control\Lsa\NtlmMinClientSec'
-            - '*SYSTEM\*ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic'
+            - '*SYSTEM\\*ControlSet*\Control\Lsa\lmcompatibilitylevel'
+            - '*SYSTEM\\*ControlSet*\Control\Lsa\NtlmMinClientSec'
+            - '*SYSTEM\\*ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic'
 ---
 # Windows Security Eventlog: Process Creation with Full Command Line
 logsource:
@@ -34,7 +34,7 @@ logsource:
 detection:
    selection2:
        EventID: 4657
-        ObjectName: '\REGISTRY\MACHINE\SYSTEM\*ControlSet*\Control\Lsa'
+        ObjectName: '\REGISTRY\MACHINE\SYSTEM\\*ControlSet*\Control\Lsa'
        ObjectValueName: 
            - 'LmCompatibilityLevel'
            - 'NtlmMinClientSec'
@@ -1,146 +0,0 @@
-title: Executable used by PlugX in Uncommon Location
-status: experimental
-description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
-references:
-    - 'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/'
-    - 'https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/'
-author: Florian Roth
-date: 2017/06/12
-tags:
-    - attack.s0013
-logsource:
-    product: windows
-    service: security
-detection:
-
-    # CamMute
-    selection_cammute:
-        EventID: 4688
-        CommandLine: '*\CamMute.exe'
-    filter_cammute:
-        EventID: 4688
-        CommandLine: '*\Lenovo\Communication Utility\*'
-
-    # Chrome Frame Helper
-    selection_chrome_frame:
-        EventID: 4688
-        CommandLine: '*\chrome_frame_helper.exe'
-    filter_chrome_frame:
-        EventID: 4688
-        CommandLine: '*\Google\Chrome\application\*'    
-
-    # Microsoft Device Emulator
-    selection_devemu:
-        EventID: 4688
-        CommandLine: '*\dvcemumanager.exe'
-    filter_devemu:
-        EventID: 4688
-        CommandLine: '*\Microsoft Device Emulator\*'   
-
-    # Windows Media Player Gadget
-    selection_gadget:
-        EventID: 4688
-        CommandLine: '*\Gadget.exe'
-    filter_gadget:
-        EventID: 4688
-        CommandLine: '*\Windows Media Player\*'
-
-    # HTML Help Workshop
-    selection_hcc:
-        EventID: 4688
-        CommandLine: '*\hcc.exe'
-    filter_hcc:
-        EventID: 4688
-        CommandLine: '*\HTML Help Workshop\*'
-
-    # Hotkey Command Module for Intel Graphics Contollers
-    selection_hkcmd:
-        EventID: 4688
-        CommandLine: '*\hkcmd.exe'
-    filter_hkcmd:
-        EventID: 4688
-        CommandLine: 
-            - '*\System32\*'
-            - '*\SysNative\*'
-            - '*\SysWowo64\*'
-
-    # McAfee component
-    selection_mc:
-        EventID: 4688
-        CommandLine: '*\Mc.exe'
-    filter_mc:
-        EventID: 4688
-        CommandLine: 
-            - '*\Microsoft Visual Studio*'
-            - '*\Microsoft SDK*'
-            - '*\Windows Kit*'
-
-    # MsMpEng - Microsoft Malware Protection Engine
-    selection_msmpeng:
-        EventID: 4688
-        CommandLine: '*\MsMpEng.exe'
-    filter_msmpeng:
-        EventID: 4688
-        CommandLine: 
-            - '*\Microsoft Security Client\*'
-            - '*\Windows Defender\*'
-            - '*\AntiMalware\*'
-
-    # Microsoft Security Center
-    selection_msseces:
-        EventID: 4688
-        CommandLine: '*\msseces.exe'
-    filter_msseces:
-        EventID: 4688
-        CommandLine: '*\Microsoft Security Center\*'
-
-    # Microsoft Office 2003 OInfo
-    selection_oinfo:
-        EventID: 4688
-        CommandLine: '*\OInfoP11.exe'
-    filter_oinfo:
-        EventID: 4688
-        CommandLine: '*\Common Files\Microsoft Shared\*'      
-
-    # OLE View
-    selection_oleview:
-        EventID: 4688
-        CommandLine: '*\OleView.exe'
-    filter_oleview:
-        EventID: 4688
-        CommandLine: 
-            - '*\Microsoft Visual Studio*'
-            - '*\Microsoft SDK*'
-            - '*\Windows Kit*'   
-            - '*\Windows Resource Kit\*'
-
-    # RC
-    selection_rc:
-        EventID: 4688
-        CommandLine: '*\rc.exe'
-    filter_rc:
-        EventID: 4688
-        CommandLine: 
-            - '*\Microsoft Visual Studio*'
-            - '*\Microsoft SDK*'
-            - '*\Windows Kit*'   
-            - '*\Windows Resource Kit\*'
-            - '*\Microsoft.NET\*'  
-
-    condition: ( selection_cammute and not filter_cammute ) or  
-                ( selection_chrome_frame and not filter_chrome_frame ) or
-                ( selection_devemu and not filter_devemu ) or
-                ( selection_gadget and not filter_gadget ) or 
-                ( selection_hcc and not filter_hcc ) or 
-                ( selection_hkcmd and not filter_hkcmd ) or 
-                ( selection_mc and not filter_mc ) or
-                ( selection_msmpeng and not filter_msmpeng ) or
-                ( selection_msseces and not filter_msseces ) or
-                ( selection_oinfo and not filter_oinfo ) or 
-                ( selection_oleview and not filter_oleview ) or 
-                ( selection_rc and not filter_rc ) 
-falsepositives:
-    - Unknown
-level: high
-
-
@@ -1,44 +0,0 @@
-action: global
-title: PowerShell Base64 Encoded Shellcode
-description: Detects Base64 encoded Shellcode 
-status: experimental
-references:
-    - https://twitter.com/cyb3rops/status/1063072865992523776
-author: Florian Roth
-date: 2018/11/17
-tags:
-    - attack.defense_evasion
-    - attack.t1036
-detection:
-    condition: selection1 and selection2
-falsepositives: 
-    - Unknown
-level: critical
---
-# Windows Audit Log
-logsource:
-    product: windows
-    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection1:
-        EventID: 4688
-        ProcessCommandLine: '*AAAAYInlM*'
-    selection2:
-        ProcessCommandLine: 
-            - '*OiCAAAAYInlM*'
-            - '*OiJAAAAYInlM*'
---
-# Sysmon
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection1:
-        EventID: 1
-        CommandLine: '*AAAAYInlM*'
-    selection2:
-        CommandLine: 
-            - '*OiCAAAAYInlM*'
-            - '*OiJAAAAYInlM*'
-
@@ -0,0 +1,25 @@
+title: RDP Login from localhost
+description: RDP login with localhost source address may be a tunnelled login
+references:
+    - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
+date: 2019/01/28
+modified: 2019/01/29
+tags:
+    - attack.lateral_movement
+    - attack.t1076
+status: experimental
+author: Thomas Patzke
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 4624
+        LogonType: 10
+        SourceNetworkAddress:
+            - "::1"
+            - "127.0.0.1"
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,31 @@
+title: RDP over Reverse SSH Tunnel WFP
+status: experimental
+description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
+references:
+    - https://twitter.com/SBousseaden/status/1096148422984384514
+author: Samir Bousseaden
+date: 2019/02/16
+tags:
+    - attack.defense_evasion
+    - attack.command_and_control
+    - attack.t1076
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 5156
+    sourceRDP:
+        SourcePort: 3389
+        DestinationAddress:
+            - '127.*'
+            - '::1'
+    destinationRDP:
+        DestinationPort: 3389
+        SourceAddress:
+            - '127.*'
+            - '::1'
+    condition: selection and ( sourceRDP or destinationRDP )
+falsepositives:
+    - unknown
+level: high
@@ -1,57 +0,0 @@
-action: global
-title: Suspicious Commandline Escape
-description: Detects suspicious process that use escape characters
-status: experimental
-references:
-    - https://twitter.com/vysecurity/status/885545634958385153
-    - https://twitter.com/Hexacorn/status/885553465417756673
-    - https://twitter.com/Hexacorn/status/885570278637678592
-    - https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
-    - http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/
-author: juju4
-modified: 2018/12/11
-tags:
-    - attack.defense_evasion
-    - attack.t1140
-detection:
-    condition: selection
-falsepositives: 
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: low
---
-# Windows Audit Log
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: 
-            #- '^'
-            #- '@'
-# 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form?
-            # - '-'
-            # - '―'
-            #- 'c:/'
-            - '<TAB>'
-            - '^h^t^t^p'
-            - 'h"t"t"p'
---
-# Sysmon
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: 
-            #- '^'
-            #- '@'
-# 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form?
-            # - '-'
-            # - '―'
-            #- 'c:/'
-            - '<TAB>'
-            - '^h^t^t^p'
-            - 'h"t"t"p'
@@ -1,73 +0,0 @@
---
-action: global
-title: Reconnaissance Activity with Net Command
-status: experimental
-description: 'Detects a set of commands often used in recon stages by different attack groups' 
-references:
-    - https://twitter.com/haroonmeer/status/939099379834658817
-    - https://twitter.com/c_APT_ure/status/939475433711722497
-    - https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
-author:  Florian Roth, Markus Neis
-date: 2018/08/22
-modified: 2018/12/11
-tags:
-    - attack.discovery
-    - attack.t1073
-    - attack.t1012 
-detection:
-    timeframe: 15s 
-    condition: selection | count() by CommandLine > 4
-falsepositives: 
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
---
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: 
-            - 'tasklist'
-            - 'net time'
-            - 'systeminfo'
-            - 'whoami'
-            - 'nbtstat'
-            - 'net start'
-            - '*\net1 start'
-            - 'qprocess'
-            - 'nslookup'
-            - 'hostname.exe'
-            - '*\net1 user /domain'
-            - '*\net1 group /domain'
-            - '*\net1 group "domain admins" /domain'
-            - '*\net1 group "Exchange Trusted Subsystem" /domain'
-            - '*\net1 accounts /domain' 
-            - '*\net1 user net localgroup administrators' 
-            - 'netstat -an'
---
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: 
-            - 'tasklist'
-            - 'net time'
-            - 'systeminfo'
-            - 'whoami'
-            - 'nbtstat'
-            - 'net start'
-            - '*\net1 start'
-            - 'qprocess'
-            - 'nslookup'
-            - 'hostname.exe'
-            - '*\net1 user /domain'
-            - '*\net1 group /domain'
-            - '*\net1 group "domain admins" /domain'
-            - '*\net1 group "Exchange Trusted Subsystem" /domain'
-            - '*\net1 accounts /domain' 
-            - '*\net1 user net localgroup administrators' 
-            - 'netstat -an'
@@ -9,6 +9,7 @@ date: 2017/05/15
 author: Dimitrios Slamaris
 tags:
    - attack.defense_evasion
+    - attack.t1073
 logsource:
    product: windows
    service: system
@@ -6,13 +6,16 @@ references:
    - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
    - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
 date: 2017/05/15
+tags:
+    - attack.defense_evasion
+    - attack.t1073
 author: Dimitrios Slamaris
 logsource:
    product: windows
-    service: system
+    service: dhcp
 detection:
    selection:
-          EventID: 
+        EventID: 
            - 1031
            - 1032
            - 1034
@@ -6,6 +6,9 @@ references:
    - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
    - https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx
    - https://twitter.com/gentilkiwi/status/861641945944391680
+tags:
+    - attack.defense_evasion
+    - attack.t1073
 author: Florian Roth
 logsource:
    product: windows
@@ -7,6 +7,7 @@ author: Thomas Patzke
 tags:
    - attack.persistence
    - attack.privilege_escalation
+    - attack.t1098
 logsource:
    product: windows
    service: security
@@ -1,7 +1,8 @@
 title: Eventlog Cleared
-description: One of the Windows Eventlogs has been cleared
+description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
 references:
    - https://twitter.com/deviouspolack/status/832535435960209408
+    - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
 author: Florian Roth
 tags:
    - attack.defense_evasion
@@ -1,6 +1,9 @@
 title: Account Tampering - Suspicious Failed Logon Reasons
 description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
 author: Florian Roth
+modified: 2019/03/01
+references:
+    - https://twitter.com/SBousseaden/status/1101431884540710913
 tags:
    - attack.persistence
    - attack.privilege_escalation
@@ -14,11 +17,12 @@ detection:
            - 4625
            - 4776
        Status:
-            - '0xC0000072'
-            - '0xC000006F'
-            - '0xC0000070'
-            - '0xC0000413'
-            - '0xC000018C'
+            - '0xC0000072'  # User logon to account disabled by administrator
+            - '0xC000006F'  # User logon outside authorized hours
+            - '0xC0000070'  # User logon from unauthorized workstation
+            - '0xC0000413'  # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
+            - '0xC000018C'  # The logon request failed because the trust relationship between the primary domain and the trusted domain failed
+            - '0xC000015B'  # The user has not been granted the requested logon type (aka logon right) at this machine
    condition: selection
 falsepositives:
    - User using a disabled account
@@ -0,0 +1,39 @@
+title: MSHTA Suspicious Execution 01
+status: experimental
+description: Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism
+date: 22/02/2019
+modified: 22/02/2019
+author: Diego Perez (@darkquassar)
+references:
+    - http://blog.sevagas.com/?Hacking-around-HTA-files
+    - https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356
+    - https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
+    - https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997
+tags:
+    - attack.defense_evasion
+    - attack.t1140
+logsource:
+    category: process_creation
+    product: windows
+falsepositives: 
+    - False positives depend on scripts and administrative tools used in the monitored environment
+level: high
+detection:
+    selection1:
+        CommandLine: 
+            - '*mshta vbscript:CreateObject("Wscript.Shell")*'
+            - '*mshta vbscript:Execute("Execute*'
+            - '*mshta vbscript:CreateObject("Wscript.Shell").Run("mshta.exe*'
+    selection2:
+        Image:
+            - 'C:\Windows\system32\mshta.exe'
+        CommandLine: 
+            - '*.jpg*'
+            - '*.png*'
+            - '*.lnk*'
+            # - '*.chm*'  # could be prone to false positives
+            - '*.xls*'
+            - '*.doc*'
+            - '*.zip*'
+    condition:
+        selection1 or selection2
@@ -1,34 +0,0 @@
---
-action: global
-title: MsiExec Web Install
-status: experimental
-description: Detects suspicious msiexec proess starts with web addreses as parameter
-references:
-    - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
-author: Florian Roth
-date: 2018/02/09
-modified: 2012/12/11
-detection:
-    condition: selection
-falsepositives: 
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
---
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: 
-            - '* msiexec*:\/\/*'
---
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: 
-            - '* msiexec*:\/\/*'
@@ -7,8 +7,8 @@ references:
 author: Florian Roth
 date: 2018/06/08
 tags:
-    - attack.credential_access
-    - attack.t1208
+    - attack.lateral_movement
+    - attack.t1075
 logsource:
    product: windows
    service: ntlm
@@ -1,49 +0,0 @@
-action: global
-title: Suspicious Use of Procdump
-description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable. 
-status: experimental
-references:
-    - Internal Research
-author: Florian Roth
-date: 2018/10/30
-tags:
-    - attack.defense_evasion
-    - attack.t1036
-    - attack.credential_access
-    - attack.t1003
-detection:
-    condition: selection and selection1 and selection2
-falsepositives: 
-    - Unlikely, because no one should dump an lsass process memory
-    - Another tool that uses the command line switches of Procdump
-level: medium
---
-# Windows Audit Log
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-    selection1:
-        ProcessCommandLine:
-            - "* -ma *"
-    selection2: 
-        ProcessCommandLine:
-            - '* lsass.exe*'
---
-# Sysmon
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-    selection1:
-        CommandLine:
-            - "* -ma *"
-    selection2: 
-        CommandLine:
-            - '* lsass.exe*'
-
@@ -1,136 +0,0 @@
---
-action: global
-title: Suspicious Process Creation
-description: Detects suspicious process starts on Windows systems based on keywords
-status: experimental
-references:
-    - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
-    - https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s
-    - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
-    - https://twitter.com/subTee/status/872244674609676288
-    - https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples
-    - https://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html
-    - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
-    - https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html
-    - https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat
-    - https://twitter.com/vector_sec/status/896049052642533376
-author: Florian Roth
-modified: 2012/12/11
-detection:
-    condition: selection
-falsepositives: 
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
---
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: 
-            # Hacking activity
-            - 'vssadmin.exe delete shadows*'
-            - 'vssadmin delete shadows*'
-            - 'vssadmin create shadow /for=C:*'
-            - 'copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit*'
-            - 'copy \\?\GLOBALROOT\Device\*\config\SAM*'
-            - 'reg SAVE HKLM\SYSTEM *'
-            - '* sekurlsa:*'
-            - 'net localgroup adminstrators * /add'
-            - 'net group "Domain Admins" * /ADD /DOMAIN'
-            - 'certutil.exe *-urlcache* http*'
-            - 'certutil.exe *-urlcache* ftp*'
-            # Malware
-            - 'netsh advfirewall firewall *\AppData\*'
-            - 'attrib +S +H +R *\AppData\*'
-            - 'schtasks* /create *\AppData\*'
-            - 'schtasks* /sc minute*'
-            - '*\Regasm.exe *\AppData\*'
-            - '*\Regasm *\AppData\*'
-            - '*\bitsadmin* /transfer*'
-            - '*\certutil.exe * -decode *'
-            - '*\certutil.exe * -decodehex *'
-            - '*\certutil.exe -ping *'
-            - 'icacls * /grant Everyone:F /T /C /Q'
-            - '* wmic shadowcopy delete *'
-            - '* wbadmin.exe delete catalog -quiet*'  # http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
-            # Scripts
-            - '*\wscript.exe *.jse'
-            - '*\wscript.exe *.js'
-            - '*\wscript.exe *.vba'
-            - '*\wscript.exe *.vbe'
-            - '*\cscript.exe *.jse'
-            - '*\cscript.exe *.js'
-            - '*\cscript.exe *.vba'
-            - '*\cscript.exe *.vbe'
-            # UAC bypass
-            - '*\fodhelper.exe'
-            # persistence
-            - '*waitfor*/s*'
-            - '*waitfor*/si persist*'
-            # remote
-            - '*remote*/s*'
-            - '*remote*/c*'
-            - '*remote*/q*'
-            # AddInProcess
-            - '*AddInProcess*'
-            # NotPowershell (nps) attack
-            # - '*msbuild*'  # too many false positives
---
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: 
-            # Hacking activity
-            - 'vssadmin.exe delete shadows*'
-            - 'vssadmin delete shadows*'
-            - 'vssadmin create shadow /for=C:*'
-            - 'copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit*'
-            - 'copy \\?\GLOBALROOT\Device\*\config\SAM*'
-            - 'reg SAVE HKLM\SYSTEM *'
-            - '* sekurlsa:*'
-            - 'net localgroup adminstrators * /add'
-            - 'net group "Domain Admins" * /ADD /DOMAIN'
-            - 'certutil.exe *-urlcache* http*'
-            - 'certutil.exe *-urlcache* ftp*'
-            # Malware
-            - 'netsh advfirewall firewall *\AppData\*'
-            - 'attrib +S +H +R *\AppData\*'
-            - 'schtasks* /create *\AppData\*'
-            - 'schtasks* /sc minute*'
-            - '*\Regasm.exe *\AppData\*'
-            - '*\Regasm *\AppData\*'
-            - '*\bitsadmin* /transfer*'
-            - '*\certutil.exe * -decode *'
-            - '*\certutil.exe * -decodehex *'
-            - '*\certutil.exe -ping *'
-            - 'icacls * /grant Everyone:F /T /C /Q'
-            - '* wmic shadowcopy delete *'
-            - '* wbadmin.exe delete catalog -quiet*'  # http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
-            # Scripts
-            - '*\wscript.exe *.jse'
-            - '*\wscript.exe *.js'
-            - '*\wscript.exe *.vba'
-            - '*\wscript.exe *.vbe'
-            - '*\cscript.exe *.jse'
-            - '*\cscript.exe *.js'
-            - '*\cscript.exe *.vba'
-            - '*\cscript.exe *.vbe'
-            # UAC bypass
-            - '*\fodhelper.exe'
-            # persistence
-            - '*waitfor*/s*'
-            - '*waitfor*/si persist*'
-            # remote
-            - '*remote*/s*'
-            - '*remote*/c*'
-            - '*remote*/q*'
-            # AddInProcess
-            - '*AddInProcess*'
-            # NotPowershell (nps) attack
-            # - '*msbuild*'  # too many false positives
@@ -1,39 +0,0 @@
---
-action: global
-title: PowerShell Script Run in AppData
-status: experimental
-description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder 
-references:
-    - https://twitter.com/JohnLaTwC/status/1082851155481288706
-    - https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
-author: Florian Roth
-date: 2019/01/09
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    condition: selection
-falsepositives:
-    - Administrative scripts
-level: medium
---
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: 
-            - '* /c powershell*\AppData\Local\*'
-            - '* /c powershell*\AppData\Roaming\*'
---
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: 
-            - '* /c powershell*\AppData\Local\*'
-            - '* /c powershell*\AppData\Roaming\*'
@@ -1,32 +0,0 @@
-action: global
-title: Suspicious RASdial Activity
-description: Detects suspicious process related to rasdial.exe
-status: experimental
-references:
-    - https://twitter.com/subTee/status/891298217907830785
-author: juju4
-detection:
-    selection:
-        CommandLine: 
-            - 'rasdial'
-    condition: selection
-falsepositives: 
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
---
-# Windows Audit Log
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
---
-# Sysmon
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
@@ -1,38 +0,0 @@
-action: global
-title: Suspicious Process Start Locations
-description: Detects suspicious process run from unusual locations
-status: experimental
-references:
-    - https://car.mitre.org/wiki/CAR-2013-05-002
-author: juju4
-tags:
-    - attack.defense_evasion
-    - attack.t1036
-detection:
-    selection:
-        CommandLine:
-            - "*:\\RECYCLER\\*"
-            - "*:\\SystemVolumeInformation\\*"
-            - "%windir%\\Tasks\\*"
-            - "%systemroot%\\debug\\*"
-    condition: selection
-falsepositives: 
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
---
-# Windows Audit Log
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
---
-# Sysmon
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
@@ -9,7 +9,7 @@ references:
 tags:
    - attack.defense_evasion
    - attack.t1107
-    - attack.t1116
+    - attack.t1066
    - attack.s0195
 logsource:
    product: windows
@@ -1,49 +0,0 @@
---
-action: global
-title: Suspicious Svchost Processes
-description: Detects suspicious svchost processes with parent process that is not services.exe, command line missing -k parameter or running outside Windows folder
-author: Florian Roth, @c_APT_ure
-date: 2018/10/26
-status: experimental
-references:
-    - https://twitter.com/Moti_B/status/1002280132143394816
-    - https://twitter.com/Moti_B/status/1002280287840153601
-falsepositives: 
-    - Renamed %SystemRoot%s 
-level: high
---
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        Image: '*\svchost.exe'
-    filter1:
-        ParentImage: 
-            - '*\services.exe'
-            - '*\MsMpEng.exe'
-    filter2:
-        CommandLine: '* -k *'
-    filter3:
-        Image: 'C:\Windows\S*'  # \* is a reserved expression
-    condition: selection and not ( filter1 or filter2 or filter3 )
---
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        NewProcessName: '*\svchost.exe'
-    # Deactivated as long as some backends do not fully support the 'null' expression
-    # filter2:
-    #    ProcessCommandLine:
-    #        - null  # Missing KB3004375 and Group Policy setting
-    #        - '* -k *'
-    filter3:
-        NewProcessName: 'C:\Windows\S*'  # \* is a reserved expression
-    condition: selection and not filter3
-
-        
@@ -0,0 +1,29 @@
+title: Unauthorized System Time Modification
+status: experimental
+description: Detect scenarios where a potentially unauthorized application or user is modifying the system time.
+author: '@neu5ron'
+references:
+    - Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)
+    - Live environment caused by malware
+date: 2019/02/05
+tags:
+    - attack.defense_evasion
+    - attack.t1099
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: Audit Policy : System > Audit Security State Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit Security State Change'
+detection:
+    selection:
+        EventID: 4616
+    filter1:
+        ProcessName: 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
+    filter2:
+        ProcessName: 'C:\Windows\System32\VBoxService.exe'
+    filter3:
+        ProcessName: 'C:\Windows\System32\svchost.exe'
+        SubjectUserSid: 'S-1-5-19'
+    condition: selection and not ( filter1 or filter2 or filter3 )
+falsepositives:
+    - HyperV or other virtualization technologies with binary not listed in filter portion of detection
+level: high
@@ -1,36 +0,0 @@
---
-action: global
-title: Whoami Execution
-status: experimental
-description: 'Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators' 
-references:
-    - https://twitter.com/haroonmeer/status/939099379834658817
-    - https://twitter.com/c_APT_ure/status/939475433711722497
-author: Florian Roth
-date: 2018/05/22
-tags:
-    - attack.discovery
-    - attack.t1033
-detection:
-    condition: selection
-falsepositives: 
-    - Admin activity
-    - Scripts and administrative tools used in the monitored environment
-level: high
---
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: 'whoami'
---
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        NewProcessName: '*\whoami.exe'
@@ -5,6 +5,9 @@ references:
    - https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/
 status: experimental
 author: Florian Roth
+tags:
+    - attack.initial_access
+    - attack.t1200
 logsource:
    product: windows
    service: driver-framework
@@ -4,6 +4,7 @@ status: stable
 author: Florian Roth
 tags:
    - attack.privilege_escalation
+    - attack.t1078
 logsource:
    product: windows
    service: security
@@ -1,36 +0,0 @@
---
-action: global
-title: WMI Persistence - Script Event Consumer
-status: experimental
-description: Detects WMI script event consumers
-references:
-    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
-author: Thomas Patzke
-date: 2018/03/07
-tags:
-    - attack.execution
-    - attack.persistence
-    - attack.t1047
-detection:
-    selection:
-        Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
-        ParentImage: 'C:\Windows\System32\svchost.exe'
-    condition: selection
-falsepositives: 
-    - Legitimate event consumers
-level: high
---
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
---
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
@@ -1,6 +1,7 @@
 title: Antivirus Exploitation Framework Detection
 description: Detects a highly relevant Antivirus alert that reports an exploitation framework
 date: 2018/09/09
+modified: 2019/01/16
 author: Florian Roth
 references:
    - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
@@ -15,10 +16,12 @@ detection:
    selection:
        Signature: 
            - "*MeteTool*"
+            - "*MPreter*"
            - "*Meterpreter*"
            - "*Metasploit*"
            - "*PowerSploit*"
            - "*CobaltSrike*"
+            - "*Swrort*"
    condition: selection
 fields:
    - FileName
@@ -9,12 +9,12 @@ logsource:
 detection:
    selection:
        FileName:
-            - 'C:\Windows\Temp\*'
-            - 'C:\Temp\*'
-            - '*\\Client\*'
-            - 'C:\PerfLogs\*'
-            - 'C:\Users\Public\*'
-            - 'C:\Users\Default\*'
+            - 'C:\Windows\Temp\\*'
+            - 'C:\Temp\\*'
+            - '*\\Client\\*'
+            - 'C:\PerfLogs\\*'
+            - 'C:\Users\Public\\*'
+            - 'C:\Users\Default\\*'
            - '*.ps1'
            - '*.vbs'
            - '*.bat'
@@ -1,40 +0,0 @@
---
-action: global
-title: Dridex Process Pattern
-status: experimental
-description: Detects typical Dridex process patterns
-references:
-    - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3
-author: Florian Roth
-date: 2019/01/10
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    condition: 1 of them
-falsepositives:
-    - Unlikely
-level: critical
---
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection1:
-        EventID: 1
-        CommandLine: '*\svchost.exe C:\Users\*\Desktop\*'
-    selection2:
-        EventID: 1
-        ParentImage: '*\svchost.exe*'
-        CommandLine: 
-            - '*whoami.exe /all'
-            - '*net.exe view'
---
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: '*\svchost.exe C:\Users\*\Desktop\*'
@@ -0,0 +1,22 @@
+title: Ursnif
+status: experimental
+description: Detects new registry key created by Ursnif malware. 
+references:
+    - https://blog.yoroi.company/research/ursnif-long-live-the-steganography/
+    - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
+tags:
+    - attack.execution
+    - attack.t1112
+author: megan201296
+date: 2019/02/13
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 13
+        TargetObject: 'HKU\Software\AppDataLow\Software\Microsoft\\*'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical
@@ -1,67 +0,0 @@
-action: global
-title: WannaCry Ransomware 
-description: Detects WannaCry Ransomware Activity
-status: experimental
-references:
-    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
-author: Florian Roth
-detection:
-    selection1:
-        CommandLine:
-            - '*vssadmin delete shadows*'
-            - '*icacls * /grant Everyone:F /T /C /Q*'
-            - '*bcdedit /set {default} recoveryenabled no*'
-            - '*wbadmin delete catalog -quiet*'
-    condition: 1 of them
-falsepositives: 
-    - Unknown
-level: critical
---
-# Windows Audit Log
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection1:
-        # Requires group policy 'Audit Process Creation' > Include command line in process creation events
-        EventID: 4688
-    selection2:
-        # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
-        EventID: 4688
-        NewProcessName:
-            - '*\tasksche.exe'
-            - '*\mssecsvc.exe'
-            - '*\taskdl.exe'
-            - '*\WanaDecryptor*'
-            - '*\taskhsvc.exe'
-            - '*\taskse.exe'
-            - '*\111.exe'
-            - '*\lhdfrgui.exe'
-            - '*\diskpart.exe'  # Rare, but can be false positive
-            - '*\linuxnew.exe'
-            - '*\wannacry.exe'
---
-# Sysmon
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection1:
-        # Requires group policy 'Audit Process Creation' > Include command line in process creation events
-        EventID: 1
-    selection2:
-        # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
-        EventID: 1
-        Image:
-            - '*\tasksche.exe'
-            - '*\mssecsvc.exe'
-            - '*\taskdl.exe'
-            - '*\WanaDecryptor*'
-            - '*\taskhsvc.exe'
-            - '*\taskse.exe'
-            - '*\111.exe'
-            - '*\lhdfrgui.exe'
-            - '*\diskpart.exe'  # Rare, but can be false positive
-            - '*\linuxnew.exe'
-            - '*\wannacry.exe'
@@ -2,6 +2,7 @@ title: Rare Scheduled Task Creations
 status: experimental
 description: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names. 
 tags:
+    - attack.persistence
    - attack.t1053
    - attack.s0111
 author: Florian Roth
@@ -1,3 +1,5 @@
+---
+action: global
 title: PsExec Tool Execution
 status: experimental
 description: Detects PsExec service installation and execution events (service and Sysmon)
@@ -9,20 +11,7 @@ tags:
    - attack.execution
    - attack.t1035
    - attack.s0029
-logsource:
-    product: windows
 detection:
-    service_installation:
-        EventID: 7045
-        ServiceName: 'PSEXESVC'
-        ServiceFileName: '*\PSEXESVC.exe'
-    service_execution:
-        EventID: 7036
-        ServiceName: 'PSEXESVC'
-    sysmon_processcreation:
-        EventID: 1
-        Image: '*\PSEXESVC.exe'
-        User: 'NT AUTHORITY\SYSTEM'
    condition: 1 of them
 fields:
    - EventID
@@ -33,3 +22,24 @@ fields:
 falsepositives:
    - unknown
 level: low
+---
+logsource:
+    product: windows
+    service: system
+detection:
+    service_installation:
+        EventID: 7045
+        ServiceName: 'PSEXESVC'
+        ServiceFileName: '*\PSEXESVC.exe'
+    service_execution:
+        EventID: 7036
+        ServiceName: 'PSEXESVC'
+---
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    sysmon_processcreation:
+        Image: '*\PSEXESVC.exe'
+        User: 'NT AUTHORITY\SYSTEM'
+
@@ -19,7 +19,7 @@ detection:
        - 'ActiveScriptEventConsumer'
        - 'CommandLineEventConsumer'
        - 'CommandLineTemplate'
-        - 'Binding EventFilter'
+        # - 'Binding EventFilter'  # too many false positive with HP Health Driver
    selection2:
        EventID: 5859
    condition: selection and 1 of keywords or selection2
@@ -1,6 +1,7 @@
 title: Malicious PowerShell Commandlets
 status: experimental
 description: Detects Commandlet names from well-known PowerShell exploitation frameworks
+modified: 2019/01/22
 references:
    - https://adsecurity.org/?p=2921
 tags:
@@ -40,7 +41,6 @@ detection:
        - Get-VulnAutoRun
        - Get-VulnSchTask
        - Get-UnattendedInstallFile
-        - Get-WebConfig
        - Get-ApplicationHost
        - Get-RegAlwaysInstallElevated
        - Get-Unconstrained
@@ -54,7 +54,6 @@ detection:
        - Check-VM
        - Get-LSASecret
        - Get-PassHashes
-        - Invoke-Mimikatz
        - Show-TargetScreen
        - Port-Scan
        - Invoke-PoshRatHttp
@@ -64,19 +63,13 @@ detection:
        - Add-Persistence
        - Do-Exfiltration
        - Start-CaptureServer
-        - Invoke-DllInjection
-        - Invoke-ReflectivePEInjection
-        - Invoke-ShellCode
        - Get-ChromeDump
        - Get-ClipboardContents
        - Get-FoxDump
        - Get-IndexedItem
-        - Get-Keystrokes
        - Get-Screenshot
        - Invoke-Inveigh
        - Invoke-NetRipper
-        - Invoke-NinjaCopy
-        - Out-Minidump
        - Invoke-EgressCheck
        - Invoke-PostExfil
        - Invoke-PSInject
@@ -84,11 +77,8 @@ detection:
        - MailRaider
        - New-HoneyHash
        - Set-MacAttribute
-        - Get-VaultCredential
        - Invoke-DCSync
-        - Invoke-Mimikatz
        - Invoke-PowerDump
-        - Invoke-TokenManipulation
        - Exploit-Jboss
        - Invoke-ThunderStruck
        - Invoke-VoiceTroll
@@ -100,7 +90,6 @@ detection:
        - Install-SSP
        - Invoke-BackdoorLNK
        - PowerBreach
-        - Get-GPPPassword
        - Get-SiteListPassword
        - Get-System
        - Invoke-BypassUAC
@@ -1,6 +1,7 @@
 title: Malicious PowerShell Keywords
 status: experimental
 description: Detects keywords from well-known PowerShell exploitation frameworks
+modified: 2019/01/22
 references:
    - https://adsecurity.org/?p=2921
 tags:
@@ -15,18 +16,12 @@ detection:
    keywords:
        - AdjustTokenPrivileges
        - IMAGE_NT_OPTIONAL_HDR64_MAGIC
-        - Management.Automation.RuntimeException
        - Microsoft.Win32.UnsafeNativeMethods
        - ReadProcessMemory.Invoke
-        - Runtime.InteropServices
        - SE_PRIVILEGE_ENABLED
-        - System.Security.Cryptography
-        - System.Runtime.InteropServices
        - LSA_UNICODE_STRING
        - MiniDumpWriteDump
        - PAGE_EXECUTE_READ
-        - Net.Sockets.SocketFlags
-        - Reflection.Assembly
        - SECURITY_DELEGATION
        - TOKEN_ADJUST_PRIVILEGES
        - TOKEN_ALL_ACCESS
@@ -4,7 +4,10 @@ description: Detects Base64 encoded Shellcode
 references:
    - https://twitter.com/cyb3rops/status/1063072865992523776
 tags:
+    - attack.privilege_escalation
    - attack.execution
+    - attack.t1055
+    - attack.t1086
 author: David Ledbetter (shellcode), Florian Roth (rule)
 date: 2018/11/17
 logsource:
@@ -0,0 +1,21 @@
+title: Suspicious PowerShell Keywords
+status: experimental
+description: Detects keywords that could indicate the use of some PowerShell exploitation framework
+date: 2019/02/11
+author: Florian Roth
+references:
+    - https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
+tags:
+    - attack.execution
+    - attack.t1086
+logsource:
+    product: windows
+    service: powershell
+    definition: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
+detection:
+    keywords:
+        - System.Reflection.Assembly.Load
+    condition: keywords
+falsepositives:
+    - Penetration tests
+level: high
@@ -1,29 +1,19 @@
-action: global
 title: Suspicious XOR Encoded PowerShell Command Line
 description: Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands.
 status: experimental
 author: Sami Ruohonen
 date: 2018/09/05
+tags:
+    - attack.execution
+    - attack.t1086
 detection:
    selection:
        CommandLine:
            - '* -bxor*'
    condition: selection
-falsepositives: 
+falsepositives:
    - unknown
 level: medium
---
 logsource:
+    category: process_creation
    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
---
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
@@ -3,19 +3,18 @@ status: experimental
 description: Detects usage of attrib.exe to hide files from users.
 author: Sami Ruohonen
 logsource:
+    category: process_creation
    product: windows
-    service: sysmon
 detection:
    selection:
-        EventID: 1
        Image: '*\attrib.exe'
        CommandLine: '* +h *'
    ini:
        CommandLine: '*\desktop.ini *'
    intel:
        ParentImage: '*\cmd.exe'
-        CommandLine: '+R +H +S +A \*.cui'
-        ParentCommandLine: 'C:\WINDOWS\system32\\*.bat'
+        CommandLine: +R +H +S +A \\*.cui
+        ParentCommandLine: C:\WINDOWS\system32\\*.bat
    condition: selection and not (ini or intel)
 fields:
    - CommandLine
@@ -12,25 +12,23 @@ falsepositives:
    - Unknown
 level: medium
 logsource:
-   product: windows
-   service: sysmon
+    category: process_creation
+    product: windows
 detection:
    selection1:
-        EventID: 1
        Image:
            - '*\wmic.exe'
        CommandLine:
-            - 'wmic * *format:\"http*'
-            - "wmic * /format:'http"
-            - 'wmic * /format:http*'
+            - wmic * *format:\"http*
+            - wmic * /format:'http
+            - wmic * /format:http*
    selection2:
-        EventID: 1
        Imphash:
-             - '1B1A3F43BF37B5BFE60751F2EE2F326E'
-             - '37777A96245A3C74EB217308F3546F4C'
-             - '9D87C9D67CE724033C0B40CC4CA1B206'
+            - 1B1A3F43BF37B5BFE60751F2EE2F326E
+            - 37777A96245A3C74EB217308F3546F4C
+            - 9D87C9D67CE724033C0B40CC4CA1B206
        CommandLine:
            - '* *format:\"http*'
-            - "* /format:'http"
+            - '* /format:''http'
            - '* /format:http*'
    condition: 1 of them
@@ -1,16 +1,18 @@
 title: Cmdkey Cached Credentials Recon
 status: experimental
 description: Detects usage of cmdkey to look for cached credentials
-references: 
+references:
    - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
    - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx
 author: jmallette
+tags:
+    - attack.credential_access
+    - attack.t1003
 logsource:
+    category: process_creation
    product: windows
-    service: sysmon
 detection:
    selection:
-        EventID: 1
        Image: '*\cmdkey.exe'
        CommandLine: '* /list *'
    condition: selection
@@ -13,17 +13,15 @@ references:
    - http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
    - https://twitter.com/hFireF0X/status/897640081053364225
 logsource:
+    category: process_creation
    product: windows
-    service: sysmon
 detection:
-    # CMSTP Spawning Child Process
    selection1:
-        EventID: 1
        ParentCommandLine: '*\DllHost.exe'
    selection2:
        ParentCommandLine:
-            - '*\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' #CMSTPLUA
-            - '*\{3E000D72-A845-4CD9-BD83-80C07C3B881F}' #CMLUAUTIL, see https://twitter.com/hFireF0X/status/897640081053364225
+            - '*\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
+            - '*\{3E000D72-A845-4CD9-BD83-80C07C3B881F}'
    condition: selection1 and selection2
 fields:
    - CommandLine
@@ -2,16 +2,18 @@ title: Exploit for CVE-2015-1641
 status: experimental
 description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
 references:
-  - https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/
-  - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100
+    - https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/
+    - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100
 author: Florian Roth
 date: 2018/02/22
+tags:
+    - attack.defense_evasion
+    - attack.t1036
 logsource:
+    category: process_creation
    product: windows
-    service: sysmon
 detection:
    selection:
-        EventID: 1
        ParentImage: '*\WINWORD.EXE'
        Image: '*\MicroScMgmt.exe '
    condition: selection
@@ -1,16 +1,19 @@
 title: Exploit for CVE-2017-0261
 status: experimental
-description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262 
+description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
 references:
-  - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
+    - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
 author: Florian Roth
 date: 2018/02/22
+tags:
+  - attack.defense_evasion
+  - attack.privilege_escalation
+  - attack.t1055
 logsource:
+    category: process_creation
    product: windows
-    service: sysmon
 detection:
    selection:
-        EventID: 1
        ParentImage: '*\WINWORD.EXE'
        Image: '*\FLTLDR.exe*'
    condition: selection
@@ -6,12 +6,14 @@ references:
    - https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw
 author: Florian Roth
 date: 2017/11/23
+tags:
+    - attack.defense_evasion
+    - attack.t1211
 logsource:
+    category: process_creation
    product: windows
-    service: sysmon
 detection:
    selection:
-        EventID: 1
        ParentImage: '*\EQNEDT32.EXE'
    condition: selection
 fields:
@@ -0,0 +1,21 @@
+title: Exploit for CVE-2017-8759
+description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
+references:
+    - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
+    - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
+tags:
+    - attack.execution
+    - attack.t1203
+author: Florian Roth
+date: 2017/09/15
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage: '*\WINWORD.EXE'
+        Image: '*\csc.exe'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical
@@ -0,0 +1,29 @@
+title: Rubeus Hack Tool
+description: Detects command line parameters used by Rubeus hack tool
+author: Florian Roth
+references:
+    - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
+date: 2018/12/19
+tags:
+    - attack.credential_access
+    - attack.t1003
+    - attack.s0005
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine:
+            - '* asreproast *'
+            - '* dump /service:krbtgt *'
+            - '* kerberoast *'
+            - '* createnetonly /program:*'
+            - '* ptt /ticket:*'
+            - '* /impersonateuser:*'
+            - '* renew /ticket:*'
+            - '* asktgt /user:*'
+            - '* harvest /interval:*'
+    condition: selection
+falsepositives:
+    - unlikely
+level: critical
@@ -1,16 +1,19 @@
-title: MSHTA spwaned by SVCHOST as seen in LethalHTA 
+title: MSHTA spwaned by SVCHOST as seen in LethalHTA
 status: experimental
 description: Detects MSHTA.EXE spwaned by SVCHOST described in report
 references:
    - https://codewhitesec.blogspot.com/2018/07/lethalhta.html
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1170
 author: Markus Neis
 date: 2018/06/07
 logsource:
+    category: process_creation
    product: windows
-    service: sysmon
 detection:
    selection:
-        EventID: 1
        ParentImage: '*\svchost.exe'
        Image: '*\mshta.exe'
    condition: selection
@@ -1,4 +1,3 @@
---
 action: global
 title: Adwind RAT / JRAT
 status: experimental
@@ -9,48 +8,37 @@ references:
 author: Florian Roth, Tom Ueltschi
 date: 2017/11/10
 modified: 2018/12/11
+tags:
+    - attack.execution
+    - attack.t1064
 detection:
    condition: selection
 level: high
 ---
-# Windows Security Eventlog: Process Creation with Full Command Line
 logsource:
+    category: process_creation
    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
    selection:
-        EventID: 4688
-        ProcessCommandLine: 
+        ProcessCommandLine:
            - '*\AppData\Roaming\Oracle*\java*.exe *'
            - '*cscript.exe *Retrive*.vbs *'
 ---
-# Sysmon: Process Creation (ID 1)
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        Image: '*\AppData\Roaming\Oracle\bin\java*.exe'
---
-# Sysmon: File Creation (ID 11)
 logsource:
    product: windows
    service: sysmon
 detection:
    selection:
        EventID: 11
-        TargetFilename: 
+        TargetFilename:
            - '*\AppData\Roaming\Oracle\bin\java*.exe'
            - '*\Retrive*.vbs'
 ---
-# Sysmon: Registry Value Set (ID 13)
 logsource:
    product: windows
    service: sysmon
 detection:
    selection:
        EventID: 13
-        TargetObject: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*'
-        Details: '%AppData%\Roaming\Oracle\bin\*'
+        TargetObject: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*
+        Details: '%AppData%\Roaming\Oracle\bin\\*'
--- a/Show More
+++ b/Show More