Sigma tools release 0.9

* Converted (to generic sigma) rules
* Converter outputs by default with indentation 4

.travis.yml

@@ -1,7 +1,7 @@
 language: python
 dist: xenial
 python:
-  - 3.5
+  # - 3.5  # Deactivated because Travis CI tests failed randomly (Travis's problem)
   - 3.6
   - 3.7
 sudo: true
@@ -15,3 +15,10 @@ install:
 script:
   - make test
   - make test-backend-es-qs
+notifications:
+  email:
+    recipients:
+      - venom14@gmail.com
+      - thomas@patzke.org
+    on_success: change
+    on_failure: always

.yamllint

@@ -1,4 +1,12 @@
 ---
 # https://yamllint.readthedocs.io/en/latest/configuration.html
+extends: default
 rules:
+  comments: disable
+  comments-indentation: disable
   document-start: disable
+  empty-lines: {max: 2, max-start: 2, max-end: 2}
+  indentation: disable
+  line-length: disable
+  new-line-at-end-of-file: disable
+  trailing-spaces: disable

Makefile

@@ -1,7 +1,7 @@
-.PHONY: test test-yaml test-sigmac
+.PHONY: test test-rules test-sigmac
 TMPOUT = $(shell tempfile||mktemp)
 COVSCOPE = tools/sigma/*.py,tools/sigma/backends/*.py,tools/sigmac,tools/merge_sigma
-test: clearcov test-yaml test-sigmac test-merge build finish
+test: clearcov test-rules test-sigmac test-merge build finish
 
 clearcov:
 	rm -f .coverage
@@ -10,11 +10,15 @@ finish:
 	coverage report --fail-under=90
 	rm -f $(TMPOUT)
 
-test-yaml:
+test-rules:
 	yamllint rules
+	tests/test_rules.py
 
 test-sigmac:
+	coverage run -a --include=$(COVSCOPE) tools/sigmac
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -h
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -l
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvd -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -O rulecomment -rvdI -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana rules/ > /dev/null
@@ -39,6 +43,7 @@ test-sigmac:
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level=xcritical' rules/ > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'foo=bar' rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t es-qs rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/generic/sysmon.yml -c tools/config/elk-windows.yml -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t kibana rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -Ooutput=curl -t kibana rules/ > /dev/null
@@ -48,10 +53,13 @@ test-sigmac:
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t xpack-watcher rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-defaultindex.yml -t xpack-watcher rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/splunk-windows-all.yml -t splunk rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/splunk-windows-all-index.yml -t splunk rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/generic/sysmon.yml -c tools/config/splunk-windows-all.yml -t splunk rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logpoint-windows-all.yml -t logpoint rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t grep rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t fieldlist rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -O output=plain -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -t kibana -c tests/config-multiple_mapping.yml -c tests/config-multiple_mapping-2.yml tests/mapping-conditional-multi.yml > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -O output=json -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -o $(TMPOUT) - < tests/collection_repeat.yml > /dev/null
 	! coverage run -a --include=$(COVSCOPE)  tools/sigmac -t xpack-watcher -O output=foobar -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null

README.md

@@ -24,6 +24,12 @@ This repository contains:
 
 [![Sigma - Generic Signatures for Log Events](https://preview.ibb.co/cMCigR/Screen_Shot_2017_10_18_at_15_47_15.png)](https://www.youtube.com/watch?v=OheVuE9Ifhs "Sigma - Generic Signatures for Log Events")
 
+## SANS Webcast on MITRE ATT&CK and Sigma
+
+The SANS webcast on Sigma contains a very good 20 min introduction to the project by John Hubbart from minute 39 onward. (SANS account required; registration is free)
+
+[MITRE ATT&CK and Sigma Alerting Webcast Recording](https://www.sans.org/webcasts/mitre-att-ck-sigma-alerting-110010 "MITRE ATT&CK and Sigma Alerting")
+
 # Use Cases
 
 * Describe your detection method in Sigma to make it sharable
@@ -201,4 +207,6 @@ The content of this repository is released under the following licenses:
 
 This is a private project mainly developed by Florian Roth and Thomas Patzke with feedback from many fellow analysts and friends. Rules are our own or have been drived from blog posts, tweets or other public sources that are referenced in the rules.
 
-Copyright for Tree Image: [studiobarcelona / 123RF Stock Photo](http://www.123rf.com/profile_studiobarcelona)
+# Info Graphic
+
+![sigmac_info_graphic](./images/sigma_infographic_lq.png)

contrib/sigma2sumologic.py

@@ -0,0 +1,247 @@
+#!/usr/bin/python
+# Copyright 2018 juju4
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+"""
+Project: sigma2sumologic.py
+Date: 11 Jan 2019
+Author: juju4
+Version: 1.0
+Description: This script executes sumologic search queries from Sigma SIEM rules.
+Workflow:
+    1. Convert rules with sigmac
+    2. Enrich: add ignore+local custom rules, priority
+    3. Format
+    4. Get results and save to txt/xlsx files
+Requirements:
+    $ pip install sumologic-sdk pyyaml pandas
+"""
+
+import re
+import os, sys, stat
+import glob
+import subprocess
+import argparse
+import yaml
+import traceback
+import logging
+from sumologic import SumoLogic
+import time
+import datetime
+import json
+import pandas
+
+logging.basicConfig(level=logging.DEBUG)
+logger = logging.getLogger(__name__)
+formatter = logging.Formatter('%(asctime)s - %(name)s - p%(process)s {%(pathname)s:%(lineno)d} - %(levelname)s - %(message)s')
+handler = logging.FileHandler('sigma2sumo.log')
+handler.setFormatter(formatter)
+logger.addHandler(handler)
+
+parser = argparse.ArgumentParser(description='Execute sigma rules in sumologic')
+parser.add_argument("--conf", help="script yaml config file", type=str, required=True)
+parser.add_argument("--accessid", help="Sumologic Access ID", type=str, required=False)
+parser.add_argument("--accesskey", help="Sumologic Access Key", type=str, required=False)
+parser.add_argument("--endpoint", help="Sumologic url endpoint", type=str, required=False)
+parser.add_argument("--ruledir", help="sigma rule directory path to convert", type=str, required=False)
+parser.add_argument("--outdir", help="output directory to create rules", type=str, required=False)
+parser.add_argument("--sigmac", help="Sigmac location", default="../tools/sigmac", type=str)
+parser.add_argument("--realerttime", help="Realert time (optional value, default 5 minutes)", type=str, default=5)
+parser.add_argument("--debug", help="Show debug output", type=bool, default=False)
+args = parser.parse_args()
+
+LIMIT = 100
+delay = 5
+
+def rule_element(file_content, elements):
+    """
+    Function used to get specific element from yaml document and return content
+    :type file_content: str
+    :type elements: list
+    :param file_content:
+    :param elements: list of elements of the yaml document to get "title", "description"
+    :return: the value of the key in the yaml document
+    """
+    try:
+        logger.debug("file_content: %s" % file_content)
+        yaml.safe_load(file_content.replace("---",""))
+    except:
+        raise Exception('Unsupported')
+    element_output = ""
+    for e in elements:
+        try:
+            element_output = yaml.safe_load(file_content.replace("---",""))[e]
+        except:
+            pass
+    if element_output is None:
+        return ""
+    return element_output
+
+def get_rule_as_sumologic(file):
+    """
+    Function used to get sumologic query output from rule file
+    :type file: str
+    :param file: rule filename
+    :return: string query
+    """
+    if not os.path.exists(args.sigmac):
+        logger.error("Cannot find sigmac rule coverter at '%s', please set a correct location via '--sigmac'")
+    cmd = [args.sigmac, file, "--target", "sumologic"]
+    logger.info('get_rule_as_sumologic cmd: %s' % cmd)
+    process = subprocess.Popen(cmd,stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    output, err = process.communicate()
+
+    # output is byte-string...
+    output = output.decode("utf-8")
+    err = err.decode("utf-8")
+
+    logger.info('get_rule_as_sumologic output: %s' % output)
+    logger.info('get_rule_as_sumologic stderr: %s' % err)
+    if err or "unsupported" in err:
+        logger.error('Unsupported output at this time')
+        raise Exception('Unsupported output at this time')
+    output = output.split("\n")
+    # Remove empty string from \n
+    output = [a for a in output if a]
+    # Handle case of multiple queries returned
+    if len(output) > 1:
+        return " OR ".join(output)
+    return "".join(output)
+
+if args.help:
+    parser_print_help()
+
+if args.conf:
+    with open(args.conf, 'r') as ymlfile:
+        cfg = yaml.load(ymlfile)
+    args.accessid = cfg['accessid']
+    args.accesskey = cfg['accesskey']
+    args.endpoint = cfg['endpoint']
+    args.ruledir = cfg['ruledir']
+    args.outdir = cfg['outdir']
+    args.sigmac = cfg['sigmac']
+    try:
+        args.recursive = cfg['recursive']
+    except:
+        args.recursive = False
+    if args.recursive:
+        globpath = args.ruledir + "/**/*.yml"
+    else:
+        globpath = args.ruledir + "/*.yml"
+    logger.debug("args: %s" % args)
+    logger.debug("globpath: %s" % globpath)
+
+if args.outdir and not os.path.isdir(args.outdir):
+    os.mkdir(args.outdir, stat.S_IRWXU)
+
+# recursive
+for file in glob.iglob(globpath):
+# non-recursive (above, not working...)
+#for file in glob.iglob(args.ruledir + "/*.yml"):
+
+    file_basename = os.path.basename(os.path.splitext(file)[0])
+    file_basenamepath = os.path.splitext(file)[0]
+    file_ext = os.path.splitext(file)[1]
+    try:
+        if file_ext != '.yml':
+            continue
+
+        logger.info("Processing %s ..." % file_basename)
+        with open(file, "rb") as f:
+            file_content = f.read()
+
+        logger.info("Rule file: %s" % file)
+
+        sumo_query = get_rule_as_sumologic(file)
+
+        logger.info("  Checking if custom query file: %s" % file_basenamepath + '.custom')
+        if os.path.isfile(file_basenamepath + '.custom'):
+            # FIXME! want to add something in the middle for parsing for example...
+            logger.info("  Adding custom part to end query from: %s" % file_basenamepath + '.custom')
+            with open(file_basenamepath + '.custom', "rb") as f:
+                sumo_query += " " + f.read().decode('utf-8')
+        elif 'count ' not in sumo_query and ('EventID=' in sumo_query):
+                sumo_query += " | count _sourceCategory, hostname, EventID, msg_summary, _raw"
+        elif 'count ' not in sumo_query:
+                sumo_query += " | count _sourceCategory, hostname, _raw"
+
+        logger.info("Final sumo query: %s" % sumo_query)
+
+    except Exception as e:
+        if args.debug:
+            traceback.print_exc()
+        logger.exception("error generating sumo query " + str(file) + "----" + str(e))
+        pass
+
+    try:
+        # Run query
+        # https://github.com/SumoLogic/sumologic-python-sdk/blob/master/scripts/search-job.py
+        sumo = SumoLogic(args.accessid, args.accesskey, args.endpoint)
+        toTime = datetime.datetime.now().strftime("%Y-%m-%dT%H:%M:%S")
+        fromTime = datetime.datetime.strptime(toTime, "%Y-%m-%dT%H:%M:%S") - datetime.timedelta(hours = 24)
+        fromTime = fromTime.strftime("%Y-%m-%dT%H:%M:%S")
+        timeZone = 'UTC'
+        byReceiptTime = True
+
+        sj = sumo.search_job(sumo_query, fromTime, toTime, timeZone, byReceiptTime)
+
+        status = sumo.search_job_status(sj)
+        while status['state'] != 'DONE GATHERING RESULTS':
+            if status['state'] == 'CANCELLED':
+                break
+            time.sleep(delay)
+            status = sumo.search_job_status(sj)
+
+    except Exception as e:
+        if args.debug:
+            traceback.print_exc()
+        logger.exception("error seaching sumo  " + str(file) + "----" + str(e))
+        with open(os.path.join(args.outdir, "sigma-" + file_basename + '-error.txt'), "w") as f:
+            f.write(json.dumps(r, indent=4, sort_keys=True) + " ERROR: %s\n\nQUERY: %s" % (e, sumo_query))
+        pass
+
+    logger.info("Sumo search job status: %s" % status['state'])
+
+    try:
+        if status['state'] == 'DONE GATHERING RESULTS':
+            count = status['recordCount']
+            limit = count if count < LIMIT and count != 0 else LIMIT # compensate bad limit check
+            r = sumo.search_job_records(sj, limit=limit)
+            logger.info("Sumo search results: %s" % r)
+
+        logger.info("Saving final sumo query for %s to %s" % (file, os.path.join(args.outdir, "sigma-" + file_basename + '.sumo')))
+        with open(os.path.join(args.outdir, "sigma-" + file_basename + '.sumo'), "w") as f:
+            f.write(sumo_query)
+        if r and r['records'] != []:
+            logger.info("Saving results")
+            # as json text file
+            with open(os.path.join(args.outdir, "sigma-" + file_basename + '.txt'), "w") as f:
+                f.write(json.dumps(r, indent=4, sort_keys=True))
+            # as excel file
+            df = pandas.io.json.json_normalize(r['records'])
+            with pandas.ExcelWriter(os.path.join(args.outdir, "sigma-" + file_basename + ".xlsx")) as writer:
+                df.to_excel(writer, 'data')
+                pandas.DataFrame({'References': [
+                    "timeframe: from %s to %s" % (fromTime, toTime),
+                    "Sumo endpoint: %s" % args.endpoint,
+                    "Sumo query: %s" % sumo_query
+                    ]}).to_excel(writer, 'comments')
+
+        # and do whatever you want, email alert, report, ticket...
+
+    except Exception as e:
+        if args.debug:
+            traceback.print_exc()
+        logger.exception("error saving results " + str(file) + "----" + str(e))
+        pass

rules/apt/apt_babyshark.yml

@@ -0,0 +1,20 @@
+title: Baby Shark Activity
+status: experimental
+description: Detects activity that could be related to Baby Shark malware
+references:
+    - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
+logsource:
+    category: process_creation
+    product: windows
+author: Florian Roth
+date: 2019/02/24
+detection:
+    selection:
+        CommandLine:
+            - reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
+            - powershell.exe mshta.exe http*
+            - cmd.exe /c taskkill /im cmd.exe
+    condition: selection
+falsepositives:
+    - unknown
+level: high

rules/apt/apt_bear_activity_gtr19.yml

@@ -0,0 +1,23 @@
+title: Judgement Panda Exfil Activity
+description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
+references:
+    - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
+author: Florian Roth
+date: 2019/02/21
+tags:
+    - attack.credential_access
+    - attack.t1098
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        Image: '*\xcopy.exe'
+        CommandLine: '* /S /E /C /Q /H \\*'
+    selection2:
+        Image: '*\adexplorer.exe'
+        CommandLine: '* -snapshot "" c:\users\\*'
+    condition: selection1 or selection2
+falsepositives:
+    - unknown
+level: critical

rules/apt/apt_chafer_mar18.yml

@@ -5,8 +5,14 @@ description: Detects Chafer activity attributed to OilRig as reported in Nyotron
 references:
     - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
 tags:
+    - attack.persistence
     - attack.g0049
+    - attack.t1053
+    - attack.s0111
+    - attack.defense_evasion
+    - attack.t1112
 date: 2018/03/23
+modified: 2019/03/01
 author: Florian Roth, Markus Neis
 detection:
     condition: 1 of them
@@ -24,6 +30,16 @@ detection:
             - 'SC Scheduled Scan'
             - 'UpdatMachine'
 ---
+logsource:
+    product: windows
+    service: security
+detection:
+    selection_service:
+        EventID: 4698
+        TaskName:
+            - 'SC Scheduled Scan'
+            - 'UpdatMachine'
+---
 logsource:
    product: windows
    service: sysmon
@@ -48,8 +64,8 @@ detection:
             - 'C:\wsc.exe*'
     selection_process2:
         EventID: 1
-        Image: '*\Windows\Temp\DB\*.exe'
+        Image: '*\Windows\Temp\DB\\*.exe'
     selection_process3:
         EventID: 1
         CommandLine: '*\nslookup.exe -q=TXT*'
-        ParentImage: '*\Autoit*'
+        ParentImage: '*\Autoit*'

rules/apt/apt_equationgroup_lnx.yml

@@ -68,7 +68,6 @@ detection:
         - 'chmod 755 /usr/vmsys/bin/pipe'
         - 'chmod -R 755 /usr/vmsys'
         - 'chmod 755 $opbin/*tunnel'
-        - '< /dev/console | uudecode && uncompress'
         - 'chmod 700 sendmail'
         - 'chmod 0700 sendmail'
         - '/usr/bin/wget http*sendmail;chmod +x sendmail;'

rules/apt/apt_judgement_panda_gtr19.yml

@@ -0,0 +1,33 @@
+title: Judgement Panda Exfil Activity
+description: Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike
+references:
+    - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
+author: Florian Roth
+date: 2019/02/21
+tags:
+    - attack.lateral_movement
+    - attack.g0010
+    - attack.credential_access
+    - attack.t1098
+    - attack.exfiltration
+    - attack.t1002
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        CommandLine:
+            - '*\ldifde.exe -f -n *'
+            - '*\7za.exe a 1.7z *'
+            - '* eprod.ldf'
+            - '*\aaaa\procdump64.exe*'
+            - '*\aaaa\netsess.exe*'
+            - '*\aaaa\7za.exe*'
+            - '*copy .\1.7z \\*'
+            - '*copy \\client\c$\aaaa\*'
+    selection2:
+        Image: C:\Users\Public\7za.exe
+    condition: selection1 or selection2
+falsepositives:
+    - unknown
+level: critical

rules/apt/apt_sofacy.yml

@@ -25,8 +25,8 @@ detection:
     selection:
         EventID: 1
         CommandLine: 
-            - 'rundll32.exe %APPDATA%\*.dat",*'
-            - 'rundll32.exe %APPDATA%\*.dll",#1'
+            - 'rundll32.exe %APPDATA%\\*.dat",*'
+            - 'rundll32.exe %APPDATA%\\*.dll",#1'
 ---
 logsource:
     product: windows
@@ -36,5 +36,5 @@ detection:
     selection:
         EventID: 4688
         ProcessCommandLine: 
-            - 'rundll32.exe %APPDATA%\*.dat",*'
-            - 'rundll32.exe %APPDATA%\*.dll",#1'
+            - 'rundll32.exe %APPDATA%\\*.dat",*'
+            - 'rundll32.exe %APPDATA%\\*.dll",#1'

rules/apt/apt_turla_commands.yml

@@ -21,8 +21,8 @@ detection:
       EventID: 1
       CommandLine: 
          - 'net use \\%DomainController%\C$ "P@ssw0rd" *'
-         - 'dir c:\*.doc* /s'
-         - 'dir %TEMP%\*.exe'
+         - 'dir c:\\*.doc* /s'
+         - 'dir %TEMP%\\*.exe'
    condition: selection
 level: critical
 ---

rules/linux/lnx_shell_susp_commands.yml

@@ -6,6 +6,8 @@ references:
     - http://pastebin.com/FtygZ1cg
     - https://artkond.com/2017/03/23/pivoting-guide/
 author: Florian Roth
+date: 2017/08/21
+modified: 2019/02/05
 logsource:
     product: linux
 detection:
@@ -15,30 +17,37 @@ detection:
         - 'wget * - http* | sh'
         - 'wget * - http* | bash'
         - 'python -m SimpleHTTPServer'
-        - 'import pty; pty.spawn'
+        - '-m http.server'  # Python 3
+        - 'import pty; pty.spawn*'
+        - 'socat exec:*'
+        - 'socat -O /tmp/*'
+        - 'socat tcp-connect*'
+        - '*echo binary >>*'
         # Malware 
         - '*wget *; chmod +x*'
         - '*wget *; chmod 777 *'
         - '*cd /tmp || cd /var/run || cd /mnt*'
         # Apache Struts in-the-wild exploit codes  
-        - 'stop;service iptables stop;'
-        - 'stop;SuSEfirewall2 stop;'
-        - 'chmod 777 2020'
-        - '">>/etc/rc.local;'
-        - 'wget -c *;chmod 777'
+        - '*stop;service iptables stop;*'
+        - '*stop;SuSEfirewall2 stop;*'
+        - 'chmod 777 2020*'
+        - '*>>/etc/rc.local'
         # Metasploit framework exploit codes
-        - 'base64 -d /tmp/'
-        - ' | base64 -d'
-        - '/bin/chmod u+s'
-        - 'chmod +s /tmp/'
-        - 'chmod u+s /tmp/'
-        - '/tmp/haxhax'
-        - '/tmp/ns_sploit'
-        - 'nc -l -p '
-        - 'cp /bin/ksh '
-        - 'cp /bin/sh '
-        - ' /tmp/*.b64 '
-        - '/tmp/ysocereal.jar'
+        - '*base64 -d /tmp/*'
+        - '* | base64 -d *'
+        - '*/chmod u+s *'
+        - '*chmod +s /tmp/*'
+        - '*chmod u+s /tmp/*'
+        - '* /tmp/haxhax*'
+        - '* /tmp/ns_sploit*'
+        - 'nc -l -p *'
+        - 'cp /bin/ksh *'
+        - 'cp /bin/sh *'
+        - '* /tmp/*.b64 *'
+        - '*/tmp/ysocereal.jar*'
+        - '*/tmp/x *'
+        - '*; chmod +x /tmp/*'
+        - '*;chmod +x /tmp/*'
     condition: keywords
 falsepositives:
     - Unknown

rules/proxy/proxy_chafer_malware.yml

@@ -0,0 +1,20 @@
+title: Chafer Malware URL Pattern
+status: experimental
+description: Detects HTTP requests used by Chafer malware
+references:
+    - https://securelist.com/chafer-used-remexi-malware/89538/
+author: Florian Roth
+date: 2019/01/31
+logsource:
+    category: proxy
+detection:
+    selection:
+        c-uri-query: '*/asp.asp?ui=*'
+    condition: selection
+fields:
+    - ClientIP
+    - URL
+    - UserAgent
+falsepositives:
+    - Unknown
+level: critical

rules/proxy/proxy_cobalt_ocsp.yml

@@ -0,0 +1,19 @@
+title: CobaltStrike Malleable (OCSP) Profile
+status: experimental
+description: Detects Malleable (OCSP) Profile with Typo (OSCP) in URL
+references:
+    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/ocsp.profile
+author: Markus Neis
+tags:
+    - attack.t1102
+logsource:
+    category: proxy
+detection:
+    selection:
+      URL: '*/oscp/*'
+      Host: 'ocsp.verisign.com'
+     
+    condition: selection 
+falsepositives:
+    - Unknown
+level: high

rules/proxy/proxy_cobalt_onedrive.yml

@@ -0,0 +1,21 @@
+title: CobaltStrike Malleable OneDrive browsing traffic profile
+status: experimental
+description: Detects Malleable OneDrive Profile 
+references:
+    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile    
+author: Markus Neis
+tags:
+    - attack.t1102
+logsource:
+    category: proxy
+detection:
+    selection:
+      HttpMethod: 'GET'
+      URL: '*?manifest=wac'
+      Host: 'onedrive.live.com'
+    filter:
+      URL: 'http*://onedrive.live.com/*'     
+    condition: selection and not filter
+falsepositives:
+    - Unknown
+level: high

rules/proxy/proxy_download_susp_dyndns.yml

@@ -56,7 +56,6 @@ detection:
             - '*.mooo.com'
             - '*.dns-dns.com'
             - '*.strangled.net'
-            - '*.ddns.info'
             - '*.adultdns.net'
             - '*.craftx.biz'
             - '*.ddns01.com'

rules/proxy/proxy_download_susp_tlds_blacklist.yml

@@ -53,14 +53,12 @@ detection:
             - '*.vip'
             - '*.party'
             - '*.tech'
-            - '*.tech'
             - '*.xyz'
             - '*.date'
             - '*.faith'
             - '*.zip'
             - '*.cricket'
             - '*.space'
-            - '*.top'
             # McAfee report 
             - '*.info'
             - '*.vn'
@@ -94,7 +92,6 @@ detection:
             - '*.trade'
             - '*.accountant'
             # Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
-            - '*.click'
             - '*.cf'
             - '*.gq'
             - '*.ml'

rules/proxy/proxy_ua_apt.yml

@@ -39,6 +39,8 @@ detection:
         - 'Mozilla/4.0 (compatible; RMS)'  # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw
         - 'Mozilla/4.0 (compatible; MSIE 6.0; DynGate)'  # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw
         - 'O/9.27 (W; U; Z)' # Cmstar https://www.virustotal.com/#/file/e4328011bb2b04abc856ccd04404c9f95d67167f6c291d343e8ffa8aa2aa2099/details
+        - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0;  Trident/5.0*'  # KerrDown UA https://goo.gl/s2WU6o
+        - 'Mozilla/5.0 (Windows NT 9; *'  # Suspicious 'Windows NT 9' user agent - used by APT33 malware in 2018
     condition: selection
 fields:
     - ClientIP

rules/proxy/proxy_ua_frameworks.yml

@@ -33,6 +33,7 @@ detection:
         - 'X-FORWARDED-FOR'
         - 'DotDotPwn v2.1'
         - 'SIPDROID'
+        - 'Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)'  # CobaltStrike https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
 
         # Exploits
         - '*wordpress hash grabber*'

rules/proxy/proxy_ua_suspicious.yml

@@ -21,6 +21,7 @@ detection:
         - 'Mozila/*'  # single 'l'
         - '_'
         - 'CertUtil URL Agent'  # https://twitter.com/stvemillertime/status/985150675527974912
+        - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)'  # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
     falsepositives:
         UserAgent:
             - 'Mozilla/3.0 * Acrobat *'  # Acrobat with linked content

rules/web/web_apache_threading_error.yml

@@ -0,0 +1,16 @@
+title: Apache Threading Error
+status: experimental
+description: Detects an issue in apache logs that reports threading related errors
+author: Florian Roth
+date: 2019/01/22
+references:
+    - https://github.com/hannob/apache-uaf/blob/master/README.md
+logsource:
+    product: apache
+detection:
+    keywords:
+        - '__pthread_tpp_change_priority: Assertion `new_prio == -1 || (new_prio >= fifo_min_prio && new_prio <= fifo_max_prio)'
+    condition: keywords
+falsepositives:
+    - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185
+level: medium

rules/windows/builtin/win_eventlog_cleared.yml

@@ -1,21 +0,0 @@
-title: Eventlog Cleared Experimental
-status: experimental
-description: Detects a cleared Windows Eventlog as e.g. caused by "wevtutil cl" command execution  
-author: Florian Roth
-date: 2017/06/27
-references:
-    - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
-tags:
-    - attack.defense_evasion
-    - attack.t1070
-logsource:
-    product: windows
-    service: system
-detection:
-    selection:
-        EventID: 104
-        Source: Eventlog
-    condition: selection
-falsepositives:
-    - unknown
-level: high

rules/windows/builtin/win_hack_rubeus.yml

@@ -1,52 +0,0 @@
----
-action: global
-title: Rubeus Hack Tool
-description: Detects command line parameters used by Rubeus hack tool 
-author: Florian Roth
-references: 
-    - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
-date: 2018/12/19
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - attack.s0005
-detection:
-    condition: selection
-falsepositives:
-    - unlikely
-level: critical
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: 
-            - '* asreproast *'
-            - '* dump /service:krbtgt *'
-            - '* kerberoast *'
-            - '* createnetonly /program:*'
-            - '* ptt /ticket:*'
-            - '* /impersonateuser:*'
-            - '* renew /ticket:*'
-            - '* asktgt /user:*'
-            - '* harvest /interval:*'
----
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: 
-            - '* asreproast *'
-            - '* dump /service:krbtgt *'
-            - '* kerberoast *'
-            - '* createnetonly /program:*'
-            - '* ptt /ticket:*'
-            - '* /impersonateuser:*'
-            - '* renew /ticket:*'
-            - '* asktgt /user:*'
-            - '* harvest /interval:*'

rules/windows/builtin/win_net_ntlm_downgrade.yml

@@ -22,9 +22,9 @@ detection:
     selection1:
         EventID: 13
         TargetObject: 
-            - '*SYSTEM\*ControlSet*\Control\Lsa\lmcompatibilitylevel'
-            - '*SYSTEM\*ControlSet*\Control\Lsa\NtlmMinClientSec'
-            - '*SYSTEM\*ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic'
+            - '*SYSTEM\\*ControlSet*\Control\Lsa\lmcompatibilitylevel'
+            - '*SYSTEM\\*ControlSet*\Control\Lsa\NtlmMinClientSec'
+            - '*SYSTEM\\*ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic'
 ---
 # Windows Security Eventlog: Process Creation with Full Command Line
 logsource:
@@ -34,7 +34,7 @@ logsource:
 detection:
     selection2:
         EventID: 4657
-        ObjectName: '\REGISTRY\MACHINE\SYSTEM\*ControlSet*\Control\Lsa'
+        ObjectName: '\REGISTRY\MACHINE\SYSTEM\\*ControlSet*\Control\Lsa'
         ObjectValueName: 
             - 'LmCompatibilityLevel'
             - 'NtlmMinClientSec'

rules/windows/builtin/win_plugx_susp_exe_locations.yml

@@ -1,146 +0,0 @@
-title: Executable used by PlugX in Uncommon Location
-status: experimental
-description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
-references:
-    - 'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/'
-    - 'https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/'
-author: Florian Roth
-date: 2017/06/12
-tags:
-    - attack.s0013
-logsource:
-    product: windows
-    service: security
-detection:
-
-    # CamMute
-    selection_cammute:
-        EventID: 4688
-        CommandLine: '*\CamMute.exe'
-    filter_cammute:
-        EventID: 4688
-        CommandLine: '*\Lenovo\Communication Utility\*'
-
-    # Chrome Frame Helper
-    selection_chrome_frame:
-        EventID: 4688
-        CommandLine: '*\chrome_frame_helper.exe'
-    filter_chrome_frame:
-        EventID: 4688
-        CommandLine: '*\Google\Chrome\application\*'    
-
-    # Microsoft Device Emulator
-    selection_devemu:
-        EventID: 4688
-        CommandLine: '*\dvcemumanager.exe'
-    filter_devemu:
-        EventID: 4688
-        CommandLine: '*\Microsoft Device Emulator\*'   
-
-    # Windows Media Player Gadget
-    selection_gadget:
-        EventID: 4688
-        CommandLine: '*\Gadget.exe'
-    filter_gadget:
-        EventID: 4688
-        CommandLine: '*\Windows Media Player\*'
-
-    # HTML Help Workshop
-    selection_hcc:
-        EventID: 4688
-        CommandLine: '*\hcc.exe'
-    filter_hcc:
-        EventID: 4688
-        CommandLine: '*\HTML Help Workshop\*'
-
-    # Hotkey Command Module for Intel Graphics Contollers
-    selection_hkcmd:
-        EventID: 4688
-        CommandLine: '*\hkcmd.exe'
-    filter_hkcmd:
-        EventID: 4688
-        CommandLine: 
-            - '*\System32\*'
-            - '*\SysNative\*'
-            - '*\SysWowo64\*'
-
-    # McAfee component
-    selection_mc:
-        EventID: 4688
-        CommandLine: '*\Mc.exe'
-    filter_mc:
-        EventID: 4688
-        CommandLine: 
-            - '*\Microsoft Visual Studio*'
-            - '*\Microsoft SDK*'
-            - '*\Windows Kit*'
-
-    # MsMpEng - Microsoft Malware Protection Engine
-    selection_msmpeng:
-        EventID: 4688
-        CommandLine: '*\MsMpEng.exe'
-    filter_msmpeng:
-        EventID: 4688
-        CommandLine: 
-            - '*\Microsoft Security Client\*'
-            - '*\Windows Defender\*'
-            - '*\AntiMalware\*'
-
-    # Microsoft Security Center
-    selection_msseces:
-        EventID: 4688
-        CommandLine: '*\msseces.exe'
-    filter_msseces:
-        EventID: 4688
-        CommandLine: '*\Microsoft Security Center\*'
-
-    # Microsoft Office 2003 OInfo
-    selection_oinfo:
-        EventID: 4688
-        CommandLine: '*\OInfoP11.exe'
-    filter_oinfo:
-        EventID: 4688
-        CommandLine: '*\Common Files\Microsoft Shared\*'      
-
-    # OLE View
-    selection_oleview:
-        EventID: 4688
-        CommandLine: '*\OleView.exe'
-    filter_oleview:
-        EventID: 4688
-        CommandLine: 
-            - '*\Microsoft Visual Studio*'
-            - '*\Microsoft SDK*'
-            - '*\Windows Kit*'   
-            - '*\Windows Resource Kit\*'
-
-    # RC
-    selection_rc:
-        EventID: 4688
-        CommandLine: '*\rc.exe'
-    filter_rc:
-        EventID: 4688
-        CommandLine: 
-            - '*\Microsoft Visual Studio*'
-            - '*\Microsoft SDK*'
-            - '*\Windows Kit*'   
-            - '*\Windows Resource Kit\*'
-            - '*\Microsoft.NET\*'  
-
-    condition: ( selection_cammute and not filter_cammute ) or  
-                ( selection_chrome_frame and not filter_chrome_frame ) or
-                ( selection_devemu and not filter_devemu ) or
-                ( selection_gadget and not filter_gadget ) or 
-                ( selection_hcc and not filter_hcc ) or 
-                ( selection_hkcmd and not filter_hkcmd ) or 
-                ( selection_mc and not filter_mc ) or
-                ( selection_msmpeng and not filter_msmpeng ) or
-                ( selection_msseces and not filter_msseces ) or
-                ( selection_oinfo and not filter_oinfo ) or 
-                ( selection_oleview and not filter_oleview ) or 
-                ( selection_rc and not filter_rc ) 
-falsepositives:
-    - Unknown
-level: high
-
-

rules/windows/builtin/win_powershell_b64_shellcode.yml

@@ -1,44 +0,0 @@
-action: global
-title: PowerShell Base64 Encoded Shellcode
-description: Detects Base64 encoded Shellcode 
-status: experimental
-references:
-    - https://twitter.com/cyb3rops/status/1063072865992523776
-author: Florian Roth
-date: 2018/11/17
-tags:
-    - attack.defense_evasion
-    - attack.t1036
-detection:
-    condition: selection1 and selection2
-falsepositives: 
-    - Unknown
-level: critical
----
-# Windows Audit Log
-logsource:
-    product: windows
-    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection1:
-        EventID: 4688
-        ProcessCommandLine: '*AAAAYInlM*'
-    selection2:
-        ProcessCommandLine: 
-            - '*OiCAAAAYInlM*'
-            - '*OiJAAAAYInlM*'
----
-# Sysmon
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection1:
-        EventID: 1
-        CommandLine: '*AAAAYInlM*'
-    selection2:
-        CommandLine: 
-            - '*OiCAAAAYInlM*'
-            - '*OiJAAAAYInlM*'
-

rules/windows/builtin/win_rdp_localhost_login.yml

@@ -0,0 +1,24 @@
+title: RDP Login from localhost
+description: RDP login with localhost source address may be a tunnelled login
+references:
+    - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
+date: 2019/01/28
+modified: 2019/01/29
+tags:
+    - attack.lateral_movement
+status: experimental
+author: Thomas Patzke
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 4624
+        LogonType: 10
+        SourceNetworkAddress:
+            - "::1"
+            - "127.0.0.1"
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules/windows/builtin/win_rdp_reverse_tunnel.yml

@@ -0,0 +1,31 @@
+title: RDP over Reverse SSH Tunnel WFP
+status: experimental
+description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
+references:
+    - https://twitter.com/SBousseaden/status/1096148422984384514
+author: Samir Bousseaden
+date: 2019/02/16
+tags:
+    - attack.defense_evasion
+    - attack.command_and_control
+    - attack.t1076
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 5156
+    sourceRDP:
+        SourcePort: 3389
+        DestinationAddress:
+            - '127.*'
+            - '::1'
+    destinationRDP:
+        DestinationPort: 3389
+        SourceAddress:
+            - '127.*'
+            - '::1'
+    condition: selection and ( sourceRDP or destinationRDP )
+falsepositives:
+    - unknown
+level: high

rules/windows/builtin/win_susp_cli_escape.yml

@@ -1,57 +0,0 @@
-action: global
-title: Suspicious Commandline Escape
-description: Detects suspicious process that use escape characters
-status: experimental
-references:
-    - https://twitter.com/vysecurity/status/885545634958385153
-    - https://twitter.com/Hexacorn/status/885553465417756673
-    - https://twitter.com/Hexacorn/status/885570278637678592
-    - https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
-    - http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/
-author: juju4
-modified: 2018/12/11
-tags:
-    - attack.defense_evasion
-    - attack.t1140
-detection:
-    condition: selection
-falsepositives: 
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: low
----
-# Windows Audit Log
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: 
-            #- '^'
-            #- '@'
-# 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form?
-            # - '-'
-            # - '―'
-            #- 'c:/'
-            - '<TAB>'
-            - '^h^t^t^p'
-            - 'h"t"t"p'
----
-# Sysmon
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: 
-            #- '^'
-            #- '@'
-# 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form?
-            # - '-'
-            # - '―'
-            #- 'c:/'
-            - '<TAB>'
-            - '^h^t^t^p'
-            - 'h"t"t"p'

rules/windows/builtin/win_susp_commands_recon_activity.yml

@@ -1,73 +0,0 @@
----
-action: global
-title: Reconnaissance Activity with Net Command
-status: experimental
-description: 'Detects a set of commands often used in recon stages by different attack groups' 
-references:
-    - https://twitter.com/haroonmeer/status/939099379834658817
-    - https://twitter.com/c_APT_ure/status/939475433711722497
-    - https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
-author:  Florian Roth, Markus Neis
-date: 2018/08/22
-modified: 2018/12/11
-tags:
-    - attack.discovery
-    - attack.t1073
-    - attack.t1012 
-detection:
-    timeframe: 15s 
-    condition: selection | count() by CommandLine > 4
-falsepositives: 
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: 
-            - 'tasklist'
-            - 'net time'
-            - 'systeminfo'
-            - 'whoami'
-            - 'nbtstat'
-            - 'net start'
-            - '*\net1 start'
-            - 'qprocess'
-            - 'nslookup'
-            - 'hostname.exe'
-            - '*\net1 user /domain'
-            - '*\net1 group /domain'
-            - '*\net1 group "domain admins" /domain'
-            - '*\net1 group "Exchange Trusted Subsystem" /domain'
-            - '*\net1 accounts /domain' 
-            - '*\net1 user net localgroup administrators' 
-            - 'netstat -an'
----
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: 
-            - 'tasklist'
-            - 'net time'
-            - 'systeminfo'
-            - 'whoami'
-            - 'nbtstat'
-            - 'net start'
-            - '*\net1 start'
-            - 'qprocess'
-            - 'nslookup'
-            - 'hostname.exe'
-            - '*\net1 user /domain'
-            - '*\net1 group /domain'
-            - '*\net1 group "domain admins" /domain'
-            - '*\net1 group "Exchange Trusted Subsystem" /domain'
-            - '*\net1 accounts /domain' 
-            - '*\net1 user net localgroup administrators' 
-            - 'netstat -an'

rules/windows/builtin/win_susp_dhcp_config_failed.yml

@@ -9,10 +9,10 @@ date: 2017/05/15
 author: Dimitrios Slamaris
 logsource:
     product: windows
-    service: system
+    service: dhcp
 detection:
     selection:
-          EventID: 
+        EventID: 
             - 1031
             - 1032
             - 1034

rules/windows/builtin/win_susp_eventlog_cleared.yml

@@ -1,7 +1,8 @@
 title: Eventlog Cleared
-description: One of the Windows Eventlogs has been cleared
+description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
 references:
     - https://twitter.com/deviouspolack/status/832535435960209408
+    - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
 author: Florian Roth
 tags:
     - attack.defense_evasion

rules/windows/builtin/win_susp_failed_logon_reasons.yml

@@ -1,6 +1,9 @@
 title: Account Tampering - Suspicious Failed Logon Reasons
 description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
 author: Florian Roth
+modified: 2019/03/01
+references:
+    - https://twitter.com/SBousseaden/status/1101431884540710913
 tags:
     - attack.persistence
     - attack.privilege_escalation
@@ -19,6 +22,7 @@ detection:
             - '0xC0000070'
             - '0xC0000413'
             - '0xC000018C'
+            - '0xC000015B'  # The user has not been granted the requested logon type (aka logon right) at this machine
     condition: selection
 falsepositives:
     - User using a disabled account

rules/windows/builtin/win_susp_procdump.yml

@@ -1,49 +0,0 @@
-action: global
-title: Suspicious Use of Procdump
-description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable. 
-status: experimental
-references:
-    - Internal Research
-author: Florian Roth
-date: 2018/10/30
-tags:
-    - attack.defense_evasion
-    - attack.t1036
-    - attack.credential_access
-    - attack.t1003
-detection:
-    condition: selection and selection1 and selection2
-falsepositives: 
-    - Unlikely, because no one should dump an lsass process memory
-    - Another tool that uses the command line switches of Procdump
-level: medium
----
-# Windows Audit Log
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-    selection1:
-        ProcessCommandLine:
-            - "* -ma *"
-    selection2: 
-        ProcessCommandLine:
-            - '* lsass.exe*'
----
-# Sysmon
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-    selection1:
-        CommandLine:
-            - "* -ma *"
-    selection2: 
-        CommandLine:
-            - '* lsass.exe*'
-

rules/windows/builtin/win_susp_process_creations.yml

@@ -1,136 +0,0 @@
----
-action: global
-title: Suspicious Process Creation
-description: Detects suspicious process starts on Windows systems based on keywords
-status: experimental
-references:
-    - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
-    - https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s
-    - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
-    - https://twitter.com/subTee/status/872244674609676288
-    - https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples
-    - https://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html
-    - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
-    - https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html
-    - https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat
-    - https://twitter.com/vector_sec/status/896049052642533376
-author: Florian Roth
-modified: 2012/12/11
-detection:
-    condition: selection
-falsepositives: 
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: 
-            # Hacking activity
-            - 'vssadmin.exe delete shadows*'
-            - 'vssadmin delete shadows*'
-            - 'vssadmin create shadow /for=C:*'
-            - 'copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit*'
-            - 'copy \\?\GLOBALROOT\Device\*\config\SAM*'
-            - 'reg SAVE HKLM\SYSTEM *'
-            - '* sekurlsa:*'
-            - 'net localgroup adminstrators * /add'
-            - 'net group "Domain Admins" * /ADD /DOMAIN'
-            - 'certutil.exe *-urlcache* http*'
-            - 'certutil.exe *-urlcache* ftp*'
-            # Malware
-            - 'netsh advfirewall firewall *\AppData\*'
-            - 'attrib +S +H +R *\AppData\*'
-            - 'schtasks* /create *\AppData\*'
-            - 'schtasks* /sc minute*'
-            - '*\Regasm.exe *\AppData\*'
-            - '*\Regasm *\AppData\*'
-            - '*\bitsadmin* /transfer*'
-            - '*\certutil.exe * -decode *'
-            - '*\certutil.exe * -decodehex *'
-            - '*\certutil.exe -ping *'
-            - 'icacls * /grant Everyone:F /T /C /Q'
-            - '* wmic shadowcopy delete *'
-            - '* wbadmin.exe delete catalog -quiet*'  # http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
-            # Scripts
-            - '*\wscript.exe *.jse'
-            - '*\wscript.exe *.js'
-            - '*\wscript.exe *.vba'
-            - '*\wscript.exe *.vbe'
-            - '*\cscript.exe *.jse'
-            - '*\cscript.exe *.js'
-            - '*\cscript.exe *.vba'
-            - '*\cscript.exe *.vbe'
-            # UAC bypass
-            - '*\fodhelper.exe'
-            # persistence
-            - '*waitfor*/s*'
-            - '*waitfor*/si persist*'
-            # remote
-            - '*remote*/s*'
-            - '*remote*/c*'
-            - '*remote*/q*'
-            # AddInProcess
-            - '*AddInProcess*'
-            # NotPowershell (nps) attack
-            # - '*msbuild*'  # too many false positives
----
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: 
-            # Hacking activity
-            - 'vssadmin.exe delete shadows*'
-            - 'vssadmin delete shadows*'
-            - 'vssadmin create shadow /for=C:*'
-            - 'copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit*'
-            - 'copy \\?\GLOBALROOT\Device\*\config\SAM*'
-            - 'reg SAVE HKLM\SYSTEM *'
-            - '* sekurlsa:*'
-            - 'net localgroup adminstrators * /add'
-            - 'net group "Domain Admins" * /ADD /DOMAIN'
-            - 'certutil.exe *-urlcache* http*'
-            - 'certutil.exe *-urlcache* ftp*'
-            # Malware
-            - 'netsh advfirewall firewall *\AppData\*'
-            - 'attrib +S +H +R *\AppData\*'
-            - 'schtasks* /create *\AppData\*'
-            - 'schtasks* /sc minute*'
-            - '*\Regasm.exe *\AppData\*'
-            - '*\Regasm *\AppData\*'
-            - '*\bitsadmin* /transfer*'
-            - '*\certutil.exe * -decode *'
-            - '*\certutil.exe * -decodehex *'
-            - '*\certutil.exe -ping *'
-            - 'icacls * /grant Everyone:F /T /C /Q'
-            - '* wmic shadowcopy delete *'
-            - '* wbadmin.exe delete catalog -quiet*'  # http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
-            # Scripts
-            - '*\wscript.exe *.jse'
-            - '*\wscript.exe *.js'
-            - '*\wscript.exe *.vba'
-            - '*\wscript.exe *.vbe'
-            - '*\cscript.exe *.jse'
-            - '*\cscript.exe *.js'
-            - '*\cscript.exe *.vba'
-            - '*\cscript.exe *.vbe'
-            # UAC bypass
-            - '*\fodhelper.exe'
-            # persistence
-            - '*waitfor*/s*'
-            - '*waitfor*/si persist*'
-            # remote
-            - '*remote*/s*'
-            - '*remote*/c*'
-            - '*remote*/q*'
-            # AddInProcess
-            - '*AddInProcess*'
-            # NotPowershell (nps) attack
-            # - '*msbuild*'  # too many false positives

rules/windows/builtin/win_susp_ps_appdata.yml

@@ -1,39 +0,0 @@
----
-action: global
-title: PowerShell Script Run in AppData
-status: experimental
-description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder 
-references:
-    - https://twitter.com/JohnLaTwC/status/1082851155481288706
-    - https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
-author: Florian Roth
-date: 2019/01/09
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    condition: selection
-falsepositives:
-    - Administrative scripts
-level: medium
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: 
-            - '* /c powershell*\AppData\Local\*'
-            - '* /c powershell*\AppData\Roaming\*'
----
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: 
-            - '* /c powershell*\AppData\Local\*'
-            - '* /c powershell*\AppData\Roaming\*'

rules/windows/builtin/win_susp_rasdial_activity.yml

@@ -1,32 +0,0 @@
-action: global
-title: Suspicious RASdial Activity
-description: Detects suspicious process related to rasdial.exe
-status: experimental
-references:
-    - https://twitter.com/subTee/status/891298217907830785
-author: juju4
-detection:
-    selection:
-        CommandLine: 
-            - 'rasdial'
-    condition: selection
-falsepositives: 
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
----
-# Windows Audit Log
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
----
-# Sysmon
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1

rules/windows/builtin/win_susp_run_locations.yml

@@ -1,38 +0,0 @@
-action: global
-title: Suspicious Process Start Locations
-description: Detects suspicious process run from unusual locations
-status: experimental
-references:
-    - https://car.mitre.org/wiki/CAR-2013-05-002
-author: juju4
-tags:
-    - attack.defense_evasion
-    - attack.t1036
-detection:
-    selection:
-        CommandLine:
-            - "*:\\RECYCLER\\*"
-            - "*:\\SystemVolumeInformation\\*"
-            - "%windir%\\Tasks\\*"
-            - "%systemroot%\\debug\\*"
-    condition: selection
-falsepositives: 
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
----
-# Windows Audit Log
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
----
-# Sysmon
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1

rules/windows/builtin/win_susp_svchost.yml

@@ -1,49 +0,0 @@
----
-action: global
-title: Suspicious Svchost Processes
-description: Detects suspicious svchost processes with parent process that is not services.exe, command line missing -k parameter or running outside Windows folder
-author: Florian Roth, @c_APT_ure
-date: 2018/10/26
-status: experimental
-references:
-    - https://twitter.com/Moti_B/status/1002280132143394816
-    - https://twitter.com/Moti_B/status/1002280287840153601
-falsepositives: 
-    - Renamed %SystemRoot%s 
-level: high
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        Image: '*\svchost.exe'
-    filter1:
-        ParentImage: 
-            - '*\services.exe'
-            - '*\MsMpEng.exe'
-    filter2:
-        CommandLine: '* -k *'
-    filter3:
-        Image: 'C:\Windows\S*'  # \* is a reserved expression
-    condition: selection and not ( filter1 or filter2 or filter3 )
----
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        NewProcessName: '*\svchost.exe'
-    # Deactivated as long as some backends do not fully support the 'null' expression
-    # filter2:
-    #    ProcessCommandLine:
-    #        - null  # Missing KB3004375 and Group Policy setting
-    #        - '* -k *'
-    filter3:
-        NewProcessName: 'C:\Windows\S*'  # \* is a reserved expression
-    condition: selection and not filter3
-
-        

rules/windows/builtin/win_susp_time_modification.yml

@@ -0,0 +1,28 @@
+title: Unauthorized System Time Modification
+status: experimental
+description: Detect scenarios where a potentially unauthorized application or user is modifying the system time.
+author: '@neu5ron'
+references:
+    - Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)
+    - Live environment caused by malware
+date: 2019/02/05
+tags:
+    - attack.t1099
+logsource:
+    product: windows
+    service: security
+    definition: 'Requirements: Audit Policy : System > Audit Security State Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit Security State Change'
+detection:
+    selection:
+        EventID: 4616
+    filter1:
+        ProcessName: 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
+    filter2:
+        ProcessName: 'C:\Windows\System32\VBoxService.exe'
+    filter3:
+        ProcessName: 'C:\Windows\System32\svchost.exe'
+        SubjectUserSid: 'S-1-5-19'
+    condition: selection and not ( filter1 or filter2 or filter3 )
+falsepositives:
+    - HyperV or other virtualization technologies with binary not listed in filter portion of detection
+level: high

rules/windows/builtin/win_susp_whoami.yml

@@ -1,36 +0,0 @@
----
-action: global
-title: Whoami Execution
-status: experimental
-description: 'Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators' 
-references:
-    - https://twitter.com/haroonmeer/status/939099379834658817
-    - https://twitter.com/c_APT_ure/status/939475433711722497
-author: Florian Roth
-date: 2018/05/22
-tags:
-    - attack.discovery
-    - attack.t1033
-detection:
-    condition: selection
-falsepositives: 
-    - Admin activity
-    - Scripts and administrative tools used in the monitored environment
-level: high
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: 'whoami'
----
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        NewProcessName: '*\whoami.exe'

rules/windows/builtin/win_wmi_persistence_script_event_consumer.yml

@@ -1,36 +0,0 @@
----
-action: global
-title: WMI Persistence - Script Event Consumer
-status: experimental
-description: Detects WMI script event consumers
-references:
-    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
-author: Thomas Patzke
-date: 2018/03/07
-tags:
-    - attack.execution
-    - attack.persistence
-    - attack.t1047
-detection:
-    selection:
-        Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
-        ParentImage: 'C:\Windows\System32\svchost.exe'
-    condition: selection
-falsepositives: 
-    - Legitimate event consumers
-level: high
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
----
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688

rules/windows/malware/av_exploiting.yml

@@ -1,6 +1,7 @@
 title: Antivirus Exploitation Framework Detection
 description: Detects a highly relevant Antivirus alert that reports an exploitation framework
 date: 2018/09/09
+modified: 2019/01/16
 author: Florian Roth
 references:
     - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
@@ -15,10 +16,12 @@ detection:
     selection:
         Signature: 
             - "*MeteTool*"
+            - "*MPreter*"
             - "*Meterpreter*"
             - "*Metasploit*"
             - "*PowerSploit*"
             - "*CobaltSrike*"
+            - "*Swrort*"
     condition: selection
 fields:
     - FileName

rules/windows/malware/av_relevant_files.yml

@@ -9,12 +9,12 @@ logsource:
 detection:
     selection:
         FileName:
-            - 'C:\Windows\Temp\*'
-            - 'C:\Temp\*'
-            - '*\\Client\*'
-            - 'C:\PerfLogs\*'
-            - 'C:\Users\Public\*'
-            - 'C:\Users\Default\*'
+            - 'C:\Windows\Temp\\*'
+            - 'C:\Temp\\*'
+            - '*\\Client\\*'
+            - 'C:\PerfLogs\\*'
+            - 'C:\Users\Public\\*'
+            - 'C:\Users\Default\\*'
             - '*.ps1'
             - '*.vbs'
             - '*.bat'

rules/windows/malware/sysmon_malware_dridex.yml

@@ -1,40 +0,0 @@
----
-action: global
-title: Dridex Process Pattern
-status: experimental
-description: Detects typical Dridex process patterns
-references:
-    - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3
-author: Florian Roth
-date: 2019/01/10
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    condition: 1 of them
-falsepositives:
-    - Unlikely
-level: critical
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection1:
-        EventID: 1
-        CommandLine: '*\svchost.exe C:\Users\*\Desktop\*'
-    selection2:
-        EventID: 1
-        ParentImage: '*\svchost.exe*'
-        CommandLine: 
-            - '*whoami.exe /all'
-            - '*net.exe view'
----
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: '*\svchost.exe C:\Users\*\Desktop\*'

rules/windows/malware/win_mal_ursnif.yml

@@ -0,0 +1,22 @@
+title: Ursnif
+status: experimental
+description: Detects new registry key created by Ursnif malware. 
+references:
+    - https://blog.yoroi.company/research/ursnif-long-live-the-steganography/
+    - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
+tags:
+    - attack.execution
+    - attack.t1112
+author: megan201296
+date: 2019/02/13
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 13
+        TargetObject: 'HKU\Software\AppDataLow\Software\Microsoft\\*'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical

rules/windows/malware/win_mal_wannacry.yml

@@ -1,67 +0,0 @@
-action: global
-title: WannaCry Ransomware 
-description: Detects WannaCry Ransomware Activity
-status: experimental
-references:
-    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
-author: Florian Roth
-detection:
-    selection1:
-        CommandLine:
-            - '*vssadmin delete shadows*'
-            - '*icacls * /grant Everyone:F /T /C /Q*'
-            - '*bcdedit /set {default} recoveryenabled no*'
-            - '*wbadmin delete catalog -quiet*'
-    condition: 1 of them
-falsepositives: 
-    - Unknown
-level: critical
----
-# Windows Audit Log
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection1:
-        # Requires group policy 'Audit Process Creation' > Include command line in process creation events
-        EventID: 4688
-    selection2:
-        # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
-        EventID: 4688
-        NewProcessName:
-            - '*\tasksche.exe'
-            - '*\mssecsvc.exe'
-            - '*\taskdl.exe'
-            - '*\WanaDecryptor*'
-            - '*\taskhsvc.exe'
-            - '*\taskse.exe'
-            - '*\111.exe'
-            - '*\lhdfrgui.exe'
-            - '*\diskpart.exe'  # Rare, but can be false positive
-            - '*\linuxnew.exe'
-            - '*\wannacry.exe'
----
-# Sysmon
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection1:
-        # Requires group policy 'Audit Process Creation' > Include command line in process creation events
-        EventID: 1
-    selection2:
-        # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
-        EventID: 1
-        Image:
-            - '*\tasksche.exe'
-            - '*\mssecsvc.exe'
-            - '*\taskdl.exe'
-            - '*\WanaDecryptor*'
-            - '*\taskhsvc.exe'
-            - '*\taskse.exe'
-            - '*\111.exe'
-            - '*\lhdfrgui.exe'
-            - '*\diskpart.exe'  # Rare, but can be false positive
-            - '*\linuxnew.exe'
-            - '*\wannacry.exe'

rules/windows/other/win_wmi_persistence.yml

@@ -19,7 +19,7 @@ detection:
         - 'ActiveScriptEventConsumer'
         - 'CommandLineEventConsumer'
         - 'CommandLineTemplate'
-        - 'Binding EventFilter'
+        # - 'Binding EventFilter'  # too many false positive with HP Health Driver
     selection2:
         EventID: 5859
     condition: selection and 1 of keywords or selection2

rules/windows/powershell/powershell_malicious_commandlets.yml

@@ -1,6 +1,7 @@
 title: Malicious PowerShell Commandlets
 status: experimental
 description: Detects Commandlet names from well-known PowerShell exploitation frameworks
+modified: 2019/01/22
 references:
     - https://adsecurity.org/?p=2921
 tags:
@@ -40,7 +41,6 @@ detection:
         - Get-VulnAutoRun
         - Get-VulnSchTask
         - Get-UnattendedInstallFile
-        - Get-WebConfig
         - Get-ApplicationHost
         - Get-RegAlwaysInstallElevated
         - Get-Unconstrained
@@ -54,7 +54,6 @@ detection:
         - Check-VM
         - Get-LSASecret
         - Get-PassHashes
-        - Invoke-Mimikatz
         - Show-TargetScreen
         - Port-Scan
         - Invoke-PoshRatHttp
@@ -64,19 +63,13 @@ detection:
         - Add-Persistence
         - Do-Exfiltration
         - Start-CaptureServer
-        - Invoke-DllInjection
-        - Invoke-ReflectivePEInjection
-        - Invoke-ShellCode
         - Get-ChromeDump
         - Get-ClipboardContents
         - Get-FoxDump
         - Get-IndexedItem
-        - Get-Keystrokes
         - Get-Screenshot
         - Invoke-Inveigh
         - Invoke-NetRipper
-        - Invoke-NinjaCopy
-        - Out-Minidump
         - Invoke-EgressCheck
         - Invoke-PostExfil
         - Invoke-PSInject
@@ -84,11 +77,8 @@ detection:
         - MailRaider
         - New-HoneyHash
         - Set-MacAttribute
-        - Get-VaultCredential
         - Invoke-DCSync
-        - Invoke-Mimikatz
         - Invoke-PowerDump
-        - Invoke-TokenManipulation
         - Exploit-Jboss
         - Invoke-ThunderStruck
         - Invoke-VoiceTroll
@@ -100,7 +90,6 @@ detection:
         - Install-SSP
         - Invoke-BackdoorLNK
         - PowerBreach
-        - Get-GPPPassword
         - Get-SiteListPassword
         - Get-System
         - Invoke-BypassUAC

rules/windows/powershell/powershell_malicious_keywords.yml

@@ -1,6 +1,7 @@
 title: Malicious PowerShell Keywords
 status: experimental
 description: Detects keywords from well-known PowerShell exploitation frameworks
+modified: 2019/01/22
 references:
     - https://adsecurity.org/?p=2921
 tags:
@@ -15,18 +16,12 @@ detection:
     keywords:
         - AdjustTokenPrivileges
         - IMAGE_NT_OPTIONAL_HDR64_MAGIC
-        - Management.Automation.RuntimeException
         - Microsoft.Win32.UnsafeNativeMethods
         - ReadProcessMemory.Invoke
-        - Runtime.InteropServices
         - SE_PRIVILEGE_ENABLED
-        - System.Security.Cryptography
-        - System.Runtime.InteropServices
         - LSA_UNICODE_STRING
         - MiniDumpWriteDump
         - PAGE_EXECUTE_READ
-        - Net.Sockets.SocketFlags
-        - Reflection.Assembly
         - SECURITY_DELEGATION
         - TOKEN_ADJUST_PRIVILEGES
         - TOKEN_ALL_ACCESS

rules/windows/powershell/powershell_suspicious_keywords.yml

@@ -0,0 +1,21 @@
+title: Suspicious PowerShell Keywords
+status: experimental
+description: Detects keywords that could indicate the use of some PowerShell exploitation framework
+date: 2019/02/11
+author: Florian Roth
+references:
+    - https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
+tags:
+    - attack.execution
+    - attack.t1086
+logsource:
+    product: windows
+    service: powershell
+    definition: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
+detection:
+    keywords:
+        - System.Reflection.Assembly.Load
+    condition: keywords
+falsepositives:
+    - Penetration tests
+level: high

rules/windows/process_creation/powershell_xor_commandline.yml

@@ -1,4 +1,3 @@
-action: global
 title: Suspicious XOR Encoded PowerShell Command Line
 description: Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands.
 status: experimental
@@ -9,21 +8,9 @@ detection:
         CommandLine:
             - '* -bxor*'
     condition: selection
-falsepositives: 
+falsepositives:
     - unknown
 level: medium
----
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
----
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688

rules/windows/process_creation/win_attrib_hiding_files.yml

@@ -3,19 +3,18 @@ status: experimental
 description: Detects usage of attrib.exe to hide files from users.
 author: Sami Ruohonen
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         Image: '*\attrib.exe'
         CommandLine: '* +h *'
     ini:
         CommandLine: '*\desktop.ini *'
     intel:
         ParentImage: '*\cmd.exe'
-        CommandLine: '+R +H +S +A \*.cui'
-        ParentCommandLine: 'C:\WINDOWS\system32\\*.bat'
+        CommandLine: +R +H +S +A \\*.cui
+        ParentCommandLine: C:\WINDOWS\system32\\*.bat
     condition: selection and not (ini or intel)
 fields:
     - CommandLine

rules/windows/process_creation/win_bypass_squiblytwo.yml

@@ -12,25 +12,23 @@ falsepositives:
     - Unknown
 level: medium
 logsource:
-   product: windows
-   service: sysmon
+    category: process_creation
+    product: windows
 detection:
     selection1:
-        EventID: 1
         Image:
             - '*\wmic.exe'
         CommandLine:
-            - 'wmic * *format:\"http*'
-            - "wmic * /format:'http"
-            - 'wmic * /format:http*'
+            - wmic * *format:\"http*
+            - wmic * /format:'http
+            - wmic * /format:http*
     selection2:
-        EventID: 1
         Imphash:
-             - '1B1A3F43BF37B5BFE60751F2EE2F326E'
-             - '37777A96245A3C74EB217308F3546F4C'
-             - '9D87C9D67CE724033C0B40CC4CA1B206'
+            - 1B1A3F43BF37B5BFE60751F2EE2F326E
+            - 37777A96245A3C74EB217308F3546F4C
+            - 9D87C9D67CE724033C0B40CC4CA1B206
         CommandLine:
             - '* *format:\"http*'
-            - "* /format:'http"
+            - '* /format:''http'
             - '* /format:http*'
     condition: 1 of them

rules/windows/process_creation/win_cmdkey_recon.yml

@@ -1,16 +1,15 @@
 title: Cmdkey Cached Credentials Recon
 status: experimental
 description: Detects usage of cmdkey to look for cached credentials
-references: 
+references:
     - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
     - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx
 author: jmallette
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         Image: '*\cmdkey.exe'
         CommandLine: '* /list *'
     condition: selection

rules/windows/process_creation/win_cmstp_com_object_access.yml

@@ -13,17 +13,15 @@ references:
     - http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
     - https://twitter.com/hFireF0X/status/897640081053364225
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
-    # CMSTP Spawning Child Process
     selection1:
-        EventID: 1
         ParentCommandLine: '*\DllHost.exe'
     selection2:
         ParentCommandLine:
-            - '*\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' #CMSTPLUA
-            - '*\{3E000D72-A845-4CD9-BD83-80C07C3B881F}' #CMLUAUTIL, see https://twitter.com/hFireF0X/status/897640081053364225
+            - '*\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
+            - '*\{3E000D72-A845-4CD9-BD83-80C07C3B881F}'
     condition: selection1 and selection2
 fields:
     - CommandLine

rules/windows/process_creation/win_exploit_cve_2015_1641.yml

@@ -2,16 +2,15 @@ title: Exploit for CVE-2015-1641
 status: experimental
 description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
 references:
-  - https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/
-  - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100
+    - https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/
+    - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100
 author: Florian Roth
 date: 2018/02/22
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         ParentImage: '*\WINWORD.EXE'
         Image: '*\MicroScMgmt.exe '
     condition: selection

rules/windows/process_creation/win_exploit_cve_2017_0261.yml

@@ -1,16 +1,15 @@
 title: Exploit for CVE-2017-0261
 status: experimental
-description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262 
+description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
 references:
-  - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
+    - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
 author: Florian Roth
 date: 2018/02/22
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         ParentImage: '*\WINWORD.EXE'
         Image: '*\FLTLDR.exe*'
     condition: selection

rules/windows/process_creation/win_exploit_cve_2017_11882.yml

@@ -7,11 +7,10 @@ references:
 author: Florian Roth
 date: 2017/11/23
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         ParentImage: '*\EQNEDT32.EXE'
     condition: selection
 fields:

rules/windows/process_creation/win_exploit_cve_2017_8759.yml

@@ -1,16 +1,15 @@
-title: Exploit for CVE-2017-8759 
+title: Exploit for CVE-2017-8759
 description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
 references:
-  - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
-  - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
+    - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
+    - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
 author: Florian Roth
 date: 15.09.2017
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         ParentImage: '*\WINWORD.EXE'
         Image: '*\csc.exe'
     condition: selection

rules/windows/process_creation/win_hack_rubeus.yml

@@ -0,0 +1,29 @@
+title: Rubeus Hack Tool
+description: Detects command line parameters used by Rubeus hack tool
+author: Florian Roth
+references:
+    - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
+date: 2018/12/19
+tags:
+    - attack.credential_access
+    - attack.t1003
+    - attack.s0005
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine:
+            - '* asreproast *'
+            - '* dump /service:krbtgt *'
+            - '* kerberoast *'
+            - '* createnetonly /program:*'
+            - '* ptt /ticket:*'
+            - '* /impersonateuser:*'
+            - '* renew /ticket:*'
+            - '* asktgt /user:*'
+            - '* harvest /interval:*'
+    condition: selection
+falsepositives:
+    - unlikely
+level: critical

rules/windows/process_creation/win_lethalhta.yml

@@ -1,4 +1,4 @@
-title: MSHTA spwaned by SVCHOST as seen in LethalHTA 
+title: MSHTA spwaned by SVCHOST as seen in LethalHTA
 status: experimental
 description: Detects MSHTA.EXE spwaned by SVCHOST described in report
 references:
@@ -6,11 +6,10 @@ references:
 author: Markus Neis
 date: 2018/06/07
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         ParentImage: '*\svchost.exe'
         Image: '*\mshta.exe'
     condition: selection

rules/windows/process_creation/win_mal_adwind.yml

@@ -1,4 +1,3 @@
----
 action: global
 title: Adwind RAT / JRAT
 status: experimental
@@ -13,44 +12,30 @@ detection:
     condition: selection
 level: high
 ---
-# Windows Security Eventlog: Process Creation with Full Command Line
 logsource:
+    category: process_creation
     product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
     selection:
-        EventID: 4688
-        ProcessCommandLine: 
+        ProcessCommandLine:
             - '*\AppData\Roaming\Oracle*\java*.exe *'
             - '*cscript.exe *Retrive*.vbs *'
 ---
-# Sysmon: Process Creation (ID 1)
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        Image: '*\AppData\Roaming\Oracle\bin\java*.exe'
----
-# Sysmon: File Creation (ID 11)
 logsource:
     product: windows
     service: sysmon
 detection:
     selection:
         EventID: 11
-        TargetFilename: 
+        TargetFilename:
             - '*\AppData\Roaming\Oracle\bin\java*.exe'
             - '*\Retrive*.vbs'
 ---
-# Sysmon: Registry Value Set (ID 13)
 logsource:
     product: windows
     service: sysmon
 detection:
     selection:
         EventID: 13
-        TargetObject: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*'
-        Details: '%AppData%\Roaming\Oracle\bin\*'
+        TargetObject: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*
+        Details: '%AppData%\Roaming\Oracle\bin\\*'

rules/windows/process_creation/win_mal_wannacry.yml

@@ -0,0 +1,33 @@
+title: WannaCry Ransomware
+description: Detects WannaCry Ransomware Activity
+status: experimental
+references:
+    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
+author: Florian Roth
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        CommandLine:
+            - '*vssadmin delete shadows*'
+            - '*icacls * /grant Everyone:F /T /C /Q*'
+            - '*bcdedit /set {default} recoveryenabled no*'
+            - '*wbadmin delete catalog -quiet*'
+    selection2:
+        Image:
+            - '*\tasksche.exe'
+            - '*\mssecsvc.exe'
+            - '*\taskdl.exe'
+            - '*\WanaDecryptor*'
+            - '*\taskhsvc.exe'
+            - '*\taskse.exe'
+            - '*\111.exe'
+            - '*\lhdfrgui.exe'
+            - '*\diskpart.exe'
+            - '*\linuxnew.exe'
+            - '*\wannacry.exe'
+    condition: 1 of them
+falsepositives:
+    - Unknown
+level: critical

rules/windows/process_creation/win_malware_dridex.yml

@@ -0,0 +1,22 @@
+title: Dridex Process Pattern
+status: experimental
+description: Detects typical Dridex process patterns
+references:
+    - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3
+author: Florian Roth
+date: 2019/01/10
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        CommandLine: '*\svchost.exe C:\Users\\*\Desktop\\*'
+    selection2:
+        ParentImage: '*\svchost.exe*'
+        CommandLine:
+            - '*whoami.exe /all'
+            - '*net.exe view'
+    condition: 1 of them
+falsepositives:
+    - Unlikely
+level: critical

rules/windows/process_creation/win_malware_notpetya.yml

@@ -1,6 +1,7 @@
 title: NotPetya Ransomware Activity
 status: experimental
-description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil
+description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive
+    C is deleted and windows eventlogs are cleared using wevtutil
 author: Florian Roth, Tom Ueltschi
 references:
     - https://securelist.com/schroedingers-petya/78870/
@@ -13,24 +14,20 @@ tags:
     - attack.t1070
     - attack.t1003
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     fsutil_clean_journal:
-        EventID: 1
         Image: '*\fsutil.exe'
-        CommandLine: '* deletejournal *'        
+        CommandLine: '* deletejournal *'
     pipe_com:
-        EventID: 1
-        CommandLine: '*\AppData\Local\Temp\* \\.\pipe\*'
+        CommandLine: '*\AppData\Local\Temp\* \\.\pipe\\*'
     event_clean:
-        EventID: 1
         Image: '*\wevtutil.exe'
         CommandLine: '* cl *'
     rundll32_dash1:
-        EventID: 1
         Image: '*\rundll32.exe'
-        CommandLine: '*.dat,#1'       
+        CommandLine: '*.dat,#1'
     perfc_keyword:
         - '*\perfc.dat*'
     condition: 1 of them
@@ -40,4 +37,3 @@ fields:
 falsepositives:
     - Admin activity
 level: critical
-

rules/windows/process_creation/win_malware_script_dropper.yml

@@ -3,28 +3,27 @@ status: experimental
 description: Detects wscript/cscript executions of scripts located in user directories
 author: Margaritis Dimitrios (idea), Florian Roth (rule)
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         Image:
             - '*\wscript.exe'
             - '*\cscript.exe'
         CommandLine:
-            - '* C:\Users\*.jse *'
-            - '* C:\Users\*.vbe *'
-            - '* C:\Users\*.js *'
-            - '* C:\Users\*.vba *'
-            - '* C:\Users\*.vbs *'
-            - '* C:\ProgramData\*.jse *'
-            - '* C:\ProgramData\*.vbe *'
-            - '* C:\ProgramData\*.js *'
-            - '* C:\ProgramData\*.vba *'
-            - '* C:\ProgramData\*.vbs *'
+            - '* C:\Users\\*.jse *'
+            - '* C:\Users\\*.vbe *'
+            - '* C:\Users\\*.js *'
+            - '* C:\Users\\*.vba *'
+            - '* C:\Users\\*.vbs *'
+            - '* C:\ProgramData\\*.jse *'
+            - '* C:\ProgramData\\*.vbe *'
+            - '* C:\ProgramData\\*.js *'
+            - '* C:\ProgramData\\*.vba *'
+            - '* C:\ProgramData\\*.vbs *'
     falsepositive:
         ParentImage: '*\winzip*'
-    condition: selection
+    condition: selection and not falsepositive
 fields:
     - CommandLine
     - ParentCommandLine

rules/windows/process_creation/win_malware_wannacry.yml

@@ -3,13 +3,12 @@ status: experimental
 description: Detects WannaCry ransomware activity via Sysmon
 references:
     - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
-author: Florian Roth (rule), Tom U. @c_APT_ure (collection) 
+author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection1:
-        EventID: 1
         Image:
             - '*\tasksche.exe'
             - '*\mssecsvc.exe'
@@ -19,11 +18,10 @@ detection:
             - '*\taskse.exe'
             - '*\111.exe'
             - '*\lhdfrgui.exe'
-            - '*\diskpart.exe'  # Rare, but can be false positive
+            - '*\diskpart.exe'
             - '*\linuxnew.exe'
             - '*\wannacry.exe'
     selection2:
-        EventID: 1
         CommandLine:
             - '*vssadmin delete shadows*'
             - '*icacls * /grant Everyone:F /T /C /Q*'
@@ -37,5 +35,3 @@ fields:
 falsepositives:
     - Diskpart.exe usage to manage partitions on the local hard drive
 level: critical
-
-

rules/windows/process_creation/win_mavinject_proc_inj.yml

@@ -1,38 +1,24 @@
----
-action: global
-title: MavInject Process Injection
-status: experimental
-description: Detects process injection using the signed Windows tool Mavinject32.exe
-references:
-    - https://twitter.com/gN3mes1s/status/941315826107510784
-    - https://reaqta.com/2017/12/mavinject-microsoft-injector/
-    - https://twitter.com/Hexacorn/status/776122138063409152
-author: Florian Roth
-date: 2018/12/12
-tags:
-    - attack.process_injection
-    - attack.t1055
-    - attack.signed_binary_proxy_execution
-    - attack.t1218
-detection:
-    condition: selection
-falsepositives: 
-    - unknown
-level: critical
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: '* /INJECTRUNNING *'
----
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: '* /INJECTRUNNING *'
+title: MavInject Process Injection
+status: experimental
+description: Detects process injection using the signed Windows tool Mavinject32.exe
+references:
+    - https://twitter.com/gN3mes1s/status/941315826107510784
+    - https://reaqta.com/2017/12/mavinject-microsoft-injector/
+    - https://twitter.com/Hexacorn/status/776122138063409152
+author: Florian Roth
+date: 2018/12/12
+tags:
+    - attack.process_injection
+    - attack.t1055
+    - attack.signed_binary_proxy_execution
+    - attack.t1218
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine: '* /INJECTRUNNING *'
+    condition: selection
+falsepositives:
+    - unknown
+level: critical

rules/windows/process_creation/win_mshta_spawn_shell.yml

@@ -5,11 +5,10 @@ references:
     - https://www.trustedsec.com/july-2015/malicious-htas/
 author: Michael Haag
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         ParentImage: '*\mshta.exe'
         Image:
             - '*\cmd.exe'
@@ -36,4 +35,3 @@ tags:
 falsepositives:
     - Printer software / driver installations
 level: high
-

rules/windows/process_creation/win_multiple_suspicious_cli.yml

@@ -1,4 +1,3 @@
-action: global
 title: Quick Execution of a Series of Suspicious Commands
 description: Detects multiple suspicious process in a limited timeframe
 status: experimental
@@ -6,19 +5,12 @@ references:
     - https://car.mitre.org/wiki/CAR-2013-04-002
 author: juju4
 modified: 2012/12/11
-falsepositives:
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: low
----
-# Windows Audit Log
 logsource:
+    category: process_creation
     product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
     selection:
-        EventID: 4688
-        ProcessCommandLine: 
+        CommandLine:
             - arp.exe
             - at.exe
             - attrib.exe
@@ -45,7 +37,6 @@ detection:
             - tracert.exe
             - wscript.exe
             - xcopy.exe
-# others
             - pscp.exe
             - copy.exe
             - robocopy.exe
@@ -60,53 +51,6 @@ detection:
             - diskpart.exe
     timeframe: 5m
     condition: selection | count() by MachineName > 5
----
-# Sysmon
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: 
-            - arp.exe
-            - at.exe
-            - attrib.exe
-            - cscript.exe
-            - dsquery.exe
-            - hostname.exe
-            - ipconfig.exe
-            - mimikatz.exe
-            - nbstat.exe
-            - net.exe
-            - netsh.exe
-            - nslookup.exe
-            - ping.exe
-            - quser.exe
-            - qwinsta.exe
-            - reg.exe
-            - runas.exe
-            - sc.exe
-            - schtasks.exe
-            - ssh.exe
-            - systeminfo.exe
-            - taskkill.exe
-            - telnet.exe
-            - tracert.exe
-            - wscript.exe
-            - xcopy.exe
-# others
-            - pscp.exe
-            - copy.exe
-            - robocopy.exe
-            - certutil.exe
-            - vssadmin.exe
-            - powershell.exe
-            - wevtutil.exe
-            - psexec.exe
-            - bcedit.exe
-            - wbadmin.exe
-            - icacls.exe
-            - diskpart.exe
-    timeframe: 5m
-    condition: selection | count() by MachineName > 5
+falsepositives:
+    - False positives depend on scripts and administrative tools used in the monitored environment
+level: low

rules/windows/process_creation/win_netsh_port_fwd.yml

@@ -0,0 +1,20 @@
+title: Netsh Port Forwarding
+description: Detects netsh commands that configure a port forwarding
+references:
+    - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
+date: 2019/01/29
+tags:
+    - attack.lateral_movement
+status: experimental
+author: Florian Roth
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine:
+            - netsh interface portproxy add v4tov4 *
+    condition: selection
+falsepositives:
+    - Legitimate administration
+level: medium

rules/windows/process_creation/win_netsh_port_fwd_3389.yml

@@ -0,0 +1,20 @@
+title: Netsh RDP Port Forwarding
+description: Detects netsh commands that configure a port forwarding of port 3389 used for RDP
+references:
+    - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
+date: 2019/01/29
+tags:
+    - attack.lateral_movement
+status: experimental
+author: Florian Roth
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine:
+            - netsh i* p*=3389 c*
+    condition: selection
+falsepositives:
+    - Legitimate administration
+level: high

rules/windows/process_creation/win_office_shell.yml

@@ -0,0 +1,52 @@
+title: Microsoft Office Product Spawning Windows Shell
+status: experimental
+description: Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.
+references:
+    - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
+    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
+    - https://www2.cybereason.com/asset/60:research-cobalt-kitty-attack-lifecycle
+tags:
+    - attack.execution
+    - attack.defense_evasion
+    - attack.t1059
+    - attack.t1202
+author: Michael Haag, Florian Roth, Markus Neis
+date: 2018/04/06
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage:
+            - '*\WINWORD.EXE'
+            - '*\EXCEL.EXE'
+            - '*\POWERPNT.exe'
+            - '*\MSPUB.exe'
+            - '*\VISIO.exe'
+            - '*\OUTLOOK.EXE'
+        Image:
+            - '*\cmd.exe'
+            - '*\powershell.exe'
+            - '*\wscript.exe'
+            - '*\cscript.exe'
+            - '*\sh.exe'
+            - '*\bash.exe'
+            - '*\scrcons.exe'
+            - '*\schtasks.exe'
+            - '*\regsvr32.exe'
+            - '*\hh.exe'
+            - '*\wmic.exe'
+            - '*\mshta.exe'
+            - '*\rundll32.exe'
+            - '*\msiexec.exe'
+            - '*\forfiles.exe'
+            - '*\scriptrunner.exe'
+            - '*\mftrace.exe'
+            - '*\AppVLP.exe'
+    condition: selection
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - unknown
+level: high

rules/windows/process_creation/win_plugx_susp_exe_locations.yml

@@ -0,0 +1,88 @@
+title: Executable used by PlugX in Uncommon Location - Sysmon Version
+status: experimental
+description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
+references:
+    - http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
+    - https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/
+author: Florian Roth
+date: 2017/06/12
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_cammute:
+        Image: '*\CamMute.exe'
+    filter_cammute:
+        Image: '*\Lenovo\Communication Utility\\*'
+    selection_chrome_frame:
+        Image: '*\chrome_frame_helper.exe'
+    filter_chrome_frame:
+        Image: '*\Google\Chrome\application\\*'
+    selection_devemu:
+        Image: '*\dvcemumanager.exe'
+    filter_devemu:
+        Image: '*\Microsoft Device Emulator\\*'
+    selection_gadget:
+        Image: '*\Gadget.exe'
+    filter_gadget:
+        Image: '*\Windows Media Player\\*'
+    selection_hcc:
+        Image: '*\hcc.exe'
+    filter_hcc:
+        Image: '*\HTML Help Workshop\\*'
+    selection_hkcmd:
+        Image: '*\hkcmd.exe'
+    filter_hkcmd:
+        Image:
+            - '*\System32\\*'
+            - '*\SysNative\\*'
+            - '*\SysWowo64\\*'
+    selection_mc:
+        Image: '*\Mc.exe'
+    filter_mc:
+        Image:
+            - '*\Microsoft Visual Studio*'
+            - '*\Microsoft SDK*'
+            - '*\Windows Kit*'
+    selection_msmpeng:
+        Image: '*\MsMpEng.exe'
+    filter_msmpeng:
+        Image:
+            - '*\Microsoft Security Client\\*'
+            - '*\Windows Defender\\*'
+            - '*\AntiMalware\\*'
+    selection_msseces:
+        Image: '*\msseces.exe'
+    filter_msseces:
+        Image: '*\Microsoft Security Center\\*'
+    selection_oinfo:
+        Image: '*\OInfoP11.exe'
+    filter_oinfo:
+        Image: '*\Common Files\Microsoft Shared\\*'
+    selection_oleview:
+        Image: '*\OleView.exe'
+    filter_oleview:
+        Image:
+            - '*\Microsoft Visual Studio*'
+            - '*\Microsoft SDK*'
+            - '*\Windows Kit*'
+            - '*\Windows Resource Kit\\*'
+    selection_rc:
+        Image: '*\rc.exe'
+    filter_rc:
+        Image:
+            - '*\Microsoft Visual Studio*'
+            - '*\Microsoft SDK*'
+            - '*\Windows Kit*'
+            - '*\Windows Resource Kit\\*'
+            - '*\Microsoft.NET\\*'
+    condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu )
+        or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc
+        ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview
+        and not filter_oleview ) or ( selection_rc and not filter_rc )
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/win_possible_applocker_bypass.yml

@@ -1,4 +1,3 @@
-action: global
 title: Possible Applocker Bypass
 description: Detects execution of executables that can be used to bypass Applocker whitelisting
 status: experimental
@@ -8,9 +7,12 @@ references:
 author: juju4
 tags:
     - attack.defense_evasion
+logsource:
+    category: process_creation
+    product: windows
 detection:
     selection:
-        CommandLine: 
+        CommandLine:
             - '*\msdt.exe*'
             - '*\installutil.exe*'
             - '*\regsvcs.exe*'
@@ -19,26 +21,8 @@ detection:
             - '*\msbuild.exe*'
             - '*\ieexec.exe*'
             - '*\mshta.exe*'
-            # higher risk of false positives
-#            - '*\cscript.EXE*'
     condition: selection
-falsepositives: 
+falsepositives:
     - False positives depend on scripts and administrative tools used in the monitored environment
+    - Using installutil to add features for .NET applications (primarly would occur in developer environments)
 level: low
----
-# Windows Audit Log
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
----
-# Sysmon
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1

rules/windows/process_creation/win_powershell_amsi_bypass.yml

@@ -1,4 +1,4 @@
-title: Powershell AMSI Bypass via .NET Reflection  
+title: Powershell AMSI Bypass via .NET Reflection
 status: experimental
 description: Detects Request to amsiInitFailed that can be used to disable AMSI Scanning
 references:
@@ -10,18 +10,16 @@ tags:
 author: Markus Neis
 date: 2018/08/17
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection1:
-        EventID: 1
         CommandLine:
             - '*System.Management.Automation.AmsiUtils*'
     selection2:
         CommandLine:
-            - '*amsiInitFailed*'            
+            - '*amsiInitFailed*'
     condition: selection1 and selection2
     falsepositives:
-    - Potential Admin Activity 
+        - Potential Admin Activity
 level: high
-

rules/windows/process_creation/win_powershell_b64_shellcode.yml

@@ -0,0 +1,24 @@
+title: PowerShell Base64 Encoded Shellcode
+description: Detects Base64 encoded Shellcode
+status: experimental
+references:
+    - https://twitter.com/cyb3rops/status/1063072865992523776
+author: Florian Roth
+date: 2018/11/17
+tags:
+    - attack.defense_evasion
+    - attack.t1036
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        CommandLine: '*AAAAYInlM*'
+    selection2:
+        CommandLine:
+            - '*OiCAAAAYInlM*'
+            - '*OiJAAAAYInlM*'
+    condition: selection1 and selection2
+falsepositives:
+    - Unknown
+level: critical

rules/windows/process_creation/win_powershell_dll_execution.yml

@@ -9,19 +9,16 @@ tags:
 author: Markus Neis
 date: 2018/08/25
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection1:
-        EventID: 1
         Image:
             - '*\rundll32.exe'
     selection2:
-        EventID: 1
         Description:
             - '*Windows-Hostprozess (Rundll32)*'
     selection3:
-        EventID: 1
         CommandLine:
             - '*Default.GetString*'
             - '*FromBase64String*'

rules/windows/process_creation/win_powershell_download.yml

@@ -6,15 +6,16 @@ tags:
     - attack.t1086
     - attack.execution
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         Image: '*\powershell.exe'
-        CommandLine: 
+        CommandLine:
             - '*new-object system.net.webclient).downloadstring(*'
             - '*new-object system.net.webclient).downloadfile(*'
+            - '*new-object net.webclient).downloadstring(*'
+            - '*new-object net.webclient).downloadfile(*'
     condition: selection
 fields:
     - CommandLine
@@ -22,4 +23,3 @@ fields:
 falsepositives:
     - unknown
 level: medium
-

rules/windows/process_creation/win_powershell_renamed_ps.yml

@@ -9,16 +9,15 @@ tags:
     - attack.execution
 author: Tom Ueltschi (@c_APT_ure)
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         Description: Windows PowerShell
     exclusion_1:
         Image:
-            - powershell.exe
-            - powershell_ise.exe
+            - '*\powershell.exe'
+            - '*\powershell_ise.exe'
     exclusion_2:
         Description: Windows PowerShell ISE
     condition: all of selection and not (1 of exclusion_*)

rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml

@@ -8,13 +8,12 @@ tags:
     - attack.t1086
 author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
         Image:
             - '*\Powershell.exe'
-        EventID: 1
         CommandLine:
             - ' -windowstyle h '
             - ' -windowstyl h'
@@ -34,7 +33,7 @@ detection:
             - ' -NoPro '
             - ' -NoProf '
             - ' -NoProfi '
-            - ' -NoProfil ' 
+            - ' -NoProfil '
             - ' -nonin '
             - ' -nonint '
             - ' -noninte '

rules/windows/process_creation/win_process_creation_bitsadmin_download.yml

@@ -0,0 +1,28 @@
+title: Bitsadmin Download
+status: experimental
+description: Detects usage of bitsadmin downloading a file
+references:
+        - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
+        - https://isc.sans.edu/diary/22264
+tags:
+        - attack.defense_evasion
+        - attack.persistence
+        - attack.t1197
+        - attack.s0190
+author: Michael Haag
+logsource:
+        category: process_creation
+        product: windows
+detection:
+        selection:
+                Image:
+                        - '*\bitsadmin.exe'
+                CommandLine:
+                        - '/transfer'
+        condition: selection
+fields:
+        - CommandLine
+        - ParentCommandLine
+falsepositives:
+        - Some legitimate apps use this, but limited.
+level: medium

rules/windows/process_creation/win_psexesvc_start.yml

@@ -8,14 +8,12 @@ tags:
     - attack.t1035
     - attack.s0029
 logsource:
+    category: process_creation
     product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
     selection:
-        EventID: 4688
-        ProcessCommandLine: 'C:\Windows\PSEXESVC.exe'
-    condition: 1 of them
+        ProcessCommandLine: C:\Windows\PSEXESVC.exe
+    condition: selection
 falsepositives:
     - Administrative activity
-level: low
+level: low

rules/windows/process_creation/win_sdbinst_shim_persistence.yml

@@ -1,4 +1,4 @@
-title: Possible Shim Database Persistence via sdbinst.exe 
+title: Possible Shim Database Persistence via sdbinst.exe
 status: experimental
 description: Detects execution of sdbinst writing to default shim database path C:\Windows\AppPatch\*
 references:
@@ -9,16 +9,15 @@ tags:
 author: Markus Neis
 date: 2018-08-03
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-      EventID: 1
-      Image:
-      - '*\sdbinst.exe'
-      CommandLine: 
-        - '*\AppPatch\*}.sdb*'            
+        Image:
+            - '*\sdbinst.exe'
+        CommandLine:
+            - '*\AppPatch\\*}.sdb*'
     condition: selection
 falsepositives:
-    - Unknown 
+    - Unknown
 level: high

rules/windows/process_creation/win_shell_spawn_susp_program.yml

@@ -5,12 +5,12 @@ references:
     - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
 author: Florian Roth
 date: 2018/04/06
+modified: 2019/02/05
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         ParentImage:
             - '*\mshta.exe'
             - '*\powershell.exe'
@@ -25,11 +25,13 @@ detection:
             - '*\certutil.exe'
             - '*\bitsadmin.exe'
             - '*\mshta.exe'
-    condition: selection
+    falsepositives:
+        CurrentDirectory: '*\ccmcache\*'
+    condition: selection and not falsepositives
 fields:
     - CommandLine
     - ParentCommandLine
 falsepositives:
     - Administrative scripts
+    - Microsoft SCCM
 level: high
-

rules/windows/process_creation/win_spn_enum.yml

@@ -0,0 +1,24 @@
+title: Possible SPN Enumeration
+description: Detects Service Principal Name Enumeration used for Kerberoasting
+status: experimental
+references:
+    - https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation
+author: Markus Neis, keepwatch
+date: 2018/11/14
+tags:
+    - attack.credential_access
+    - attack.t1208
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_image:
+        Image: '*\setspn.exe'
+    selection_desc:
+        Description: '*Query or reset the computer* SPN attribute*'
+    cmd:
+        CommandLine: '*-q*'
+    condition: (selection_image or selection_desc) and cmd
+falsepositives:
+    - Administrator Activity
+level: medium

rules/windows/process_creation/win_susp_bcdedit.yml

@@ -0,0 +1,19 @@
+title: Possible Ransomware or unauthorized MBR modifications
+status: experimental
+description: Detects, possibly, malicious unauthorized usage of bcdedit.exe
+references:
+    - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
+author: '@neu5ron'
+date: 2019/02/07
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        NewProcessName: '*\fsutil.exe'
+        ProcessCommandLine:
+            - '*delete*'
+            - '*deletevalue*'
+            - '*import*'
+    condition: selection
+level: medium

rules/windows/process_creation/win_susp_calc.yml

@@ -0,0 +1,23 @@
+title: Suspicious Calculator Usage
+description: Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion
+status: experimental
+references:
+        - https://twitter.com/ItsReallyNick/status/1094080242686312448
+author: Florian Roth
+date: 2019/02/09
+logsource:
+        product: windows
+        service: sysmon
+detection:
+        selection1:
+                EventID: 1
+                CommandLine: '*\calc.exe *'
+        selection2:
+                EventID: 1
+                Image: '*\calc.exe'
+        filter2:
+                Image: '*\Windows\Sys*'
+        condition: selection1 or ( selection2 and not filter2 )
+falsepositives: 
+        - Unknown
+level: high

rules/windows/process_creation/win_susp_certutil_command.yml

@@ -0,0 +1,47 @@
+title: Suspicious Certutil Command
+status: experimental
+description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with
+    the built-in certutil utility
+author: Florian Roth, juju4, keepwatch
+modified: 2019/01/22
+references:
+    - https://twitter.com/JohnLaTwC/status/835149808817991680
+    - https://twitter.com/subTee/status/888102593838362624
+    - https://twitter.com/subTee/status/888071631528235010
+    - https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/
+    - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
+    - https://twitter.com/egre55/status/1087685529016193025
+    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine:
+            - '* -decode *'
+            - '* /decode *'
+            - '* -decodehex *'
+            - '* /decodehex *'
+            - '* -urlcache *'
+            - '* /urlcache *'
+            - '* -verifyctl *'
+            - '* /verifyctl *'
+            - '* -encode *'
+            - '* /encode *'
+            - '*certutil* -URL*'
+            - '*certutil* /URL*'
+            - '*certutil* -ping*'
+            - '*certutil* /ping*'
+    condition: selection
+fields:
+    - CommandLine
+    - ParentCommandLine
+tags:
+    - attack.defense_evasion
+    - attack.t1140
+    - attack.t1105
+    - attack.s0189
+    - attack.g0007
+falsepositives:
+    - False positives depend on scripts and administrative tools used in the monitored environment
+level: high

rules/windows/process_creation/win_susp_certutil_encode.yml

@@ -0,0 +1,22 @@
+title: Certutil Encode
+status: experimental
+description: Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration
+references:
+    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
+    - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
+author: Florian Roth
+date: 2019/02/24
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine:
+            - certutil -f -encode *
+            - certutil.exe -f -encode *
+            - certutil -encode -f *
+            - certutil.exe -encode -f *
+    condition: selection
+falsepositives:
+    - unknown
+level: medium

rules/windows/process_creation/win_susp_cli_escape.yml

@@ -0,0 +1,27 @@
+title: Suspicious Commandline Escape
+description: Detects suspicious process that use escape characters
+status: experimental
+references:
+    - https://twitter.com/vysecurity/status/885545634958385153
+    - https://twitter.com/Hexacorn/status/885553465417756673
+    - https://twitter.com/Hexacorn/status/885570278637678592
+    - https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
+    - http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/
+author: juju4
+modified: 2018/12/11
+tags:
+    - attack.defense_evasion
+    - attack.t1140
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine:
+            - <TAB>
+            - ^h^t^t^p
+            - h"t"t"p
+    condition: selection
+falsepositives:
+    - False positives depend on scripts and administrative tools used in the monitored environment
+level: low

rules/windows/process_creation/win_susp_cmd_http_appdata.yml

@@ -0,0 +1,23 @@
+title: Command Line Execution with suspicious URL and AppData Strings
+status: experimental
+description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs
+    > powershell)
+references:
+    - https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100
+    - https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100
+author: Florian Roth
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine:
+            - cmd.exe /c *http://*%AppData%
+            - cmd.exe /c *https://*%AppData%
+    condition: selection
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - High
+level: medium

rules/windows/process_creation/win_susp_commands_recon_activity.yml

@@ -0,0 +1,42 @@
+title: Reconnaissance Activity with Net Command
+status: experimental
+description: Detects a set of commands often used in recon stages by different attack groups
+references:
+    - https://twitter.com/haroonmeer/status/939099379834658817
+    - https://twitter.com/c_APT_ure/status/939475433711722497
+    - https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
+author: Florian Roth, Markus Neis
+date: 2018/08/22
+modified: 2018/12/11
+tags:
+    - attack.discovery
+    - attack.t1073
+    - attack.t1012
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine:
+            - tasklist
+            - net time
+            - systeminfo
+            - whoami
+            - nbtstat
+            - net start
+            - '*\net1 start'
+            - qprocess
+            - nslookup
+            - hostname.exe
+            - '*\net1 user /domain'
+            - '*\net1 group /domain'
+            - '*\net1 group "domain admins" /domain'
+            - '*\net1 group "Exchange Trusted Subsystem" /domain'
+            - '*\net1 accounts /domain'
+            - '*\net1 user net localgroup administrators'
+            - netstat -an
+    timeframe: 15s
+    condition: selection | count() by CommandLine > 4
+falsepositives:
+    - False positives depend on scripts and administrative tools used in the monitored environment
+level: medium

rules/windows/process_creation/win_susp_control_dll_load.yml

@@ -6,11 +6,10 @@ date: 2017/04/15
 references:
     - https://twitter.com/rikvduijn/status/853251879320662017
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         ParentImage: '*\System32\control.exe'
         CommandLine: '*\rundll32.exe *'
     filter:

rules/windows/process_creation/win_susp_csc.yml

@@ -0,0 +1,24 @@
+title: Suspicious Parent of Csc.exe
+description: Detects a suspicious parent of csc.exe, which could by a sign of payload delivery
+status: experimental
+references:
+    - https://twitter.com/SBousseaden/status/1094924091256176641
+author: Florian Roth
+date: 2019/02/11
+tags:
+    - attack.defense_evasion
+    - attack.t1036
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image: '*\csc.exe*'
+        ParentImage:
+            - '*\wscript.exe'
+            - '*\cscript.exe'
+            - '*\mshta.exe'
+    condition: selection
+falsepositives:
+    - Unkown
+level: high

rules/windows/process_creation/win_susp_exec_folder.yml

@@ -0,0 +1,35 @@
+title: Executables Started in Suspicious Folder
+status: experimental
+description: Detects process starts of binaries from a suspicious folder
+author: Florian Roth
+date: 2017/10/14
+modfied: 2019/02/21
+references:
+    - https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt
+    - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
+    - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image:
+            - C:\PerfLogs\\*
+            - C:\$Recycle.bin\\*
+            - C:\Intel\Logs\\*
+            - C:\Users\Default\\*
+            - C:\Users\Public\\*
+            - C:\Users\NetworkService\\*
+            - C:\Windows\Fonts\\*
+            - C:\Windows\Debug\\*
+            - C:\Windows\Media\\*
+            - C:\Windows\Help\\*
+            - C:\Windows\addins\\*
+            - C:\Windows\repair\\*
+            - C:\Windows\security\\*
+            - '*\RSA\MachineKeys\\*'
+            - C:\Windows\system32\config\systemprofile\\*
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/win_susp_execution_path.yml

@@ -3,21 +3,20 @@ status: experimental
 description: Detects a suspicious exection from an uncommon folder
 author: Florian Roth
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
-        Image: 
+        Image:
             - '*\$Recycle.bin'
-            - '*\Users\All Users\*'
-            - '*\Users\Default\*'
-            - '*\Users\Public\*'
-            - 'C:\Perflogs\*'
-            - '*\config\systemprofile\*'
-            - '*\Windows\Fonts\*'
-            - '*\Windows\IME\*'
-            - '*\Windows\addins\*'       
+            - '*\Users\All Users\\*'
+            - '*\Users\Default\\*'
+            - '*\Users\Public\\*'
+            - 'C:\Perflogs\\*'
+            - '*\config\systemprofile\\*'
+            - '*\Windows\Fonts\\*'
+            - '*\Windows\IME\\*'
+            - '*\Windows\addins\\*'
     condition: selection
 fields:
     - CommandLine

rules/windows/process_creation/win_susp_execution_path_webserver.yml

@@ -3,20 +3,19 @@ status: experimental
 description: Detects a suspicious program execution in a web service root folder (filter out false positives)
 author: Florian Roth
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
-        Image: 
-            - '*\wwwroot\*'
-            - '*\wmpub\*'
-            - '*\htdocs\*'          
+        Image:
+            - '*\wwwroot\\*'
+            - '*\wmpub\\*'
+            - '*\htdocs\\*'
     filter:
-        Image: 
-            - '*bin\*'
-            - '*\Tools\*'
-            - '*\SMSComponent\*'
+        Image:
+            - '*bin\\*'
+            - '*\Tools\\*'
+            - '*\SMSComponent\\*'
         ParentImage:
             - '*\services.exe'
     condition: selection and not filter