Sigma tools release 0.10

Added and fixed tags on APT rules

Makefile

@@ -15,17 +15,22 @@ test-rules:
 	tests/test_rules.py
 
 test-sigmac:
+	coverage run -a --include=$(COVSCOPE) tools/sigmac
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -h
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -l
+	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvd -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -O rulecomment -rvdI -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t graylog rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher rules/ > /dev/null
-	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkxml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t wdatp rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala --backend-config tests/backend_config.yml rules/windows/process_creation/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-dsl rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t powershell -c tools/config/powershell-windows-all.yml -Ocsv rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight -c tools/config/arcsight.yml rules/ > /dev/null
@@ -40,6 +45,7 @@ test-sigmac:
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level=xcritical' rules/ > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'foo=bar' rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t es-qs rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/generic/sysmon.yml -c tools/config/elk-windows.yml -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t es-qs rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t kibana rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -Ooutput=curl -t kibana rules/ > /dev/null
@@ -49,10 +55,13 @@ test-sigmac:
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t xpack-watcher rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-defaultindex.yml -t xpack-watcher rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/splunk-windows-all.yml -t splunk rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/splunk-windows-all-index.yml -t splunk rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/generic/sysmon.yml -c tools/config/splunk-windows-all.yml -t splunk rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logpoint-windows-all.yml -t logpoint rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t grep rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t fieldlist rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -O output=plain -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -t kibana -c tests/config-multiple_mapping.yml -c tests/config-multiple_mapping-2.yml tests/mapping-conditional-multi.yml > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -O output=json -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -o $(TMPOUT) - < tests/collection_repeat.yml > /dev/null
 	! coverage run -a --include=$(COVSCOPE)  tools/sigmac -t xpack-watcher -O output=foobar -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null

README.md

@@ -67,7 +67,7 @@ Florian wrote a short [rule creation tutorial](https://www.nextron-systems.com/2
 1. Download or clone the respository
 2. Check the `./rules` sub directory for an overview on the rule base
 3. Run `python sigmac --help` in folder `./tools` to get a help on the rule converter
-4. Convert a rule of your choice with `sigmac` like `python sigmac -t splunk ../rules/windows/builtin/win_susp_process_creations.yml`
+4. Convert a rule of your choice with `sigmac` like `./sigmac -t splunk -c tools/config/generic/sysmon.yml ./rules/windows/process_creation/win_susp_whoami.yml`
 5. Convert a whole rule directory with `python sigmac -t splunk -r ../rules/proxy/`
 6. Check the `./tools/config` folder and the [wiki](https://github.com/Neo23x0/sigma/wiki/Converter-Tool-Sigmac) if you need custom field or log source mappings in your environment
 
@@ -96,7 +96,87 @@ Sigmac converts sigma rules into queries or inputs of the supported targets list
 Sigma library that may be used to integrate Sigma support in other projects. Further, there's `merge_sigma.py` which
 merges multiple YAML documents of a Sigma rule collection into simple Sigma rules.
 
-![sigmac_converter](./images/Sigmac-win_susp_rc4_kerberos.png)
+### Usage
+
+```
+usage: sigmac [-h] [--recurse] [--filter FILTER]
+              [--target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}]
+              [--target-list] [--config CONFIG] [--output OUTPUT]
+              [--backend-option BACKEND_OPTION] [--defer-abort]
+              [--ignore-backend-errors] [--verbose] [--debug]
+              [inputs [inputs ...]]
+
+Convert Sigma rules into SIEM signatures.
+
+positional arguments:
+  inputs                Sigma input files ('-' for stdin)
+
+optional arguments:
+  -h, --help            show this help message and exit
+  --recurse, -r         Use directory as input (recurse into subdirectories is
+                        not implemented yet)
+  --filter FILTER, -f FILTER
+                        Define comma-separated filters that must match (AND-
+                        linked) to rule to be processed. Valid filters:
+                        level<=x, level>=x, level=x, status=y, logsource=z,
+                        tag=t. x is one of: low, medium, high, critical. y is
+                        one of: experimental, testing, stable. z is a word
+                        appearing in an arbitrary log source attribute. t is a
+                        tag that must appear in the rules tag list, case-
+                        insensitive matching. Multiple log source
+                        specifications are AND linked.
+  --target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}, -t {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,wdatp}
+                        Output target format
+  --target-list, -l     List available output target formats
+  --config CONFIG, -c CONFIG
+                        Configurations with field name and index mapping for
+                        target environment. Multiple configurations are merged
+                        into one. Last config is authorative in case of
+                        conflicts.
+  --output OUTPUT, -o OUTPUT
+                        Output file or filename prefix if multiple files are
+                        generated
+  --backend-option BACKEND_OPTION, -O BACKEND_OPTION
+                        Options and switches that are passed to the backend
+  --defer-abort, -d     Don't abort on parse or conversion errors, proceed
+                        with next rule. The exit code from the last error is
+                        returned
+  --ignore-backend-errors, -I
+                        Only return error codes for parse errors and ignore
+                        errors for rules that cause backend errors. Useful,
+                        when you want to get as much queries as possible.
+  --verbose, -v         Be verbose
+  --debug, -D           Debugging output
+```
+
+### Examples
+
+#### Single Rule Translation
+Translate a single rule
+```
+tools/sigmac -t splunk rules/windows/sysmon/sysmon_susp_image_load.yml
+```
+#### Rule Set Translation
+Translate a whole rule directory and ignore backend errors (`-I`) in rule conversion for the selected backend (`-t splunk`)
+```
+tools/sigmac -I -t splunk -r rules/windows/sysmon/
+```
+#### Rule Set Translation with Custom Config 
+Apply your own config file (`-c ~/my-elk-winlogbeat.yml`) during conversion, which can contain you custom field and source mappings
+```
+tools/sigmac -t es-qs -c ~/my-elk-winlogbeat.yml -r rules/windows/sysmon
+```
+#### Generic Rule Set Translation
+Use a config file for `process_creation` rules (`-r rules/windows/process_creation`) that instructs sigmac to create queries for a Sysmon log source (`-c tools/config/generic/sysmon.yml`) and the ElasticSearch target backend (`-t es-qs`) 
+```
+tools/sigmac -t es-qs -c tools/config/generic/sysmon.yml -r rules/windows/process_creation
+```
+#### Generic Rule Set Translation with Custom Config
+Use a config file for a single `process_creation` rule (`./rules/windows/process_creation/win_susp_outlook.yml`) that instructs sigmac to create queries for process creation events generated in the Windows Security Eventlog (`-c tools/config/generic/windows-audit.yml`) and a Splunk target backend (`-t splunk`)
+```
+tools/sigmac -t splunk -c ~/my-splunk-mapping.yml -c tools/config/generic/windows-audit.yml ./rules/windows/process_creation/win_susp_outlook.yml
+```
+(See @blubbfiction's [blog post](https://patzke.org/a-guide-to-generic-log-sources-in-sigma.html) for more information)
 
 ### Supported Targets
 
@@ -186,7 +266,7 @@ These tools are not part of the main toolchain and maintained separately by thei
 * Integration into Threat Intel Exchanges
 * Attempts to convince others to use the rule format in their reports, threat feeds, blog posts, threat sharing platforms
 
-# Projects that use Sigma
+# Projects or Products that use Sigma
 
 * [MISP](http://www.misp-project.org/2017/03/26/MISP.2.4.70.released.html) (since version 2.4.70, March 2017)
 * [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches) (Splunk App)
@@ -194,6 +274,7 @@ These tools are not part of the main toolchain and maintained separately by thei
 * [ypsilon](https://github.com/P4T12ICK/ypsilon) - Automated Use Case Testing 
 * [uncoder.io](https://uncoder.io/) - Online Translator for SIEM Searches
 * [SPARK](https://www.nextron-systems.com/2018/06/28/spark-applies-sigma-rules-in-eventlog-scan/) - Scan with Sigma rules on endpoints
+* [RANK VASA](https://globenewswire.com/news-release/2019/03/04/1745907/0/en/RANK-Software-to-Help-MSSPs-Scale-Cybersecurity-Offerings.html)
 
 # Licenses
 

rules/apt/apt_apt29_thinktanks.yml

@@ -1,32 +1,20 @@
----
-action: global
 title: APT29 
 description: 'This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks' 
 references:
     - https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
-logsource:
-    product: windows
+tags:
+    - attack.execution
+    - attack.g0016
+    - attack.t1086
 author: Florian Roth
 date: 2018/12/04 
+logsource:
+    category: process_creation
+    product: windows
 detection:
+    selection:
+        CommandLine: '*-noni -ep bypass $*'
     condition: selection
 falsepositives:
     - unknown
 level: critical
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: '*-noni -ep bypass $*'
----
-logsource:
-    product: windows
-    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: '*-noni -ep bypass $*'

rules/apt/apt_apt29_tor.yml

@@ -5,33 +5,28 @@ description: 'This method detects malicious services mentioned in APT29 report b
 references:
     - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
 tags:
-    - attack.command_and_control
+    - attack.persistence
     - attack.g0016
-    - attack.t1172
+    - attack.t1050
 logsource:
     product: windows
+    service: system
 detection:
-    service:
+    service_install:
         EventID: 7045
         ServiceName: 'Google Update'
     timeframe: 5m
-    condition: service | near process
+    condition: service_install | near process
 falsepositives:
     - Unknown
 level: high
+
 ---
-# Windows Audit Log
+logsource:
+    category: process_creation
+    product: windows
 detection:
     process:
-        EventID: 4688 
-        NewProcessName: 
-            - 'C:\Program Files(x86)\Google\GoogleService.exe'
-            - 'C:\Program Files(x86)\Google\GoogleUpdate.exe'
----
-# Sysmon
-detection:
-    process:
-        EventID: 1 
         Image: 
             - 'C:\Program Files(x86)\Google\GoogleService.exe'
             - 'C:\Program Files(x86)\Google\GoogleUpdate.exe'

rules/apt/apt_babyshark.yml

@@ -1,39 +1,28 @@
----
-action: global
-title: Baby Shark Activity 
+title: Baby Shark Activity
 status: experimental
-description: 'Detects activity that could be related to Baby Shark malware' 
+description: Detects activity that could be related to Baby Shark malware
 references:
     - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
+tags:
+    - attack.execution
+    - attack.t1059
+    - attack.t1086
+    - attack.discovery
+    - attack.t1012
+    - attack.defense_evasion
+    - attack.t1170
 logsource:
+    category: process_creation
     product: windows
 author: Florian Roth
-date: 2019/02/24 
+date: 2019/02/24
 detection:
+    selection:
+        CommandLine:
+            - reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
+            - powershell.exe mshta.exe http*
+            - cmd.exe /c taskkill /im cmd.exe
     condition: selection
 falsepositives:
     - unknown
 level: high
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: 
-            - 'reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"'
-            - 'powershell.exe mshta.exe http*'
-            - 'cmd.exe /c taskkill /im cmd.exe'
----
-logsource:
-    product: windows
-    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: 
-            - 'reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"'
-            - 'powershell.exe mshta.exe http*'
-            - 'cmd.exe /c taskkill /im cmd.exe'

rules/apt/apt_bear_activity_gtr19.yml

@@ -1,44 +1,24 @@
----
-action: global
-title: Judgement Panda Exfil Activity 
-description: 'Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike' 
+title: Judgement Panda Exfil Activity
+description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
 references:
     - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
-logsource:
-    product: windows
 author: Florian Roth
-date: 2019/02/21 
-tags: 
+date: 2019/02/21
+tags:
     - attack.credential_access
-    - attack.t1098
+    - attack.t1081
+    - attack.t1003
+logsource:
+    category: process_creation
+    product: windows
 detection:
+    selection1:
+        Image: '*\xcopy.exe'
+        CommandLine: '* /S /E /C /Q /H \\*'
+    selection2:
+        Image: '*\adexplorer.exe'
+        CommandLine: '* -snapshot "" c:\users\\*'
     condition: selection1 or selection2
 falsepositives:
     - unknown
 level: critical
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection1:
-        EventID: 1
-        Image: '*\xcopy.exe'
-        CommandLine: '* /S /E /C /Q /H \\*'
-    selection2:
-        EventID: 1
-        Image: '*\adexplorer.exe'
-        CommandLine: '* -snapshot "" c:\users\\*'
----
-logsource:
-    product: windows
-    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection1:
-        EventID: 4688
-        ProcessCommandLine: '*\xcopy.exe /S /E /C /Q /H \\*'
-    selection2:
-        EventID: 4688
-        NewProcessName: '*\adexplorer.exe'
-        ProcessCommandLine: '* -snapshot "" c:\users\\*'

rules/apt/apt_carbonpaper_turla.yml

@@ -3,7 +3,7 @@ description: 'This method detects a service install of malicious services mentio
 references:
     - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
 tags:
-    - attack.command_and_control
+    - attack.persistence
     - attack.g0010
     - attack.t1050
 logsource:

rules/apt/apt_chafer_mar18.yml

@@ -5,8 +5,14 @@ description: Detects Chafer activity attributed to OilRig as reported in Nyotron
 references:
     - https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
 tags:
+    - attack.persistence
     - attack.g0049
+    - attack.t1053
+    - attack.s0111
+    - attack.defense_evasion
+    - attack.t1112
 date: 2018/03/23
+modified: 2019/03/01
 author: Florian Roth, Markus Neis
 detection:
     condition: 1 of them
@@ -24,6 +30,16 @@ detection:
             - 'SC Scheduled Scan'
             - 'UpdatMachine'
 ---
+logsource:
+    product: windows
+    service: security
+detection:
+    selection_service:
+        EventID: 4698
+        TaskName:
+            - 'SC Scheduled Scan'
+            - 'UpdatMachine'
+---
 logsource:
    product: windows
    service: sysmon
@@ -39,17 +55,19 @@ detection:
         TargetObject: '*\Control\SecurityProviders\WDigest\UseLogonCredential'
         EventType: 'SetValue'
         Details: 'DWORD (0x00000001)'
+---
+logsource:
+    category: process_creation
+    product: windows
+detection:
     selection_process1:
-        EventID: 1 
         CommandLine: 
             - '*\Service.exe i'
             - '*\Service.exe u'
             - '*\microsoft\Taskbar\autoit3.exe'
             - 'C:\wsc.exe*'
     selection_process2:
-        EventID: 1
         Image: '*\Windows\Temp\DB\\*.exe'
     selection_process3:
-        EventID: 1
         CommandLine: '*\nslookup.exe -q=TXT*'
         ParentImage: '*\Autoit*'

rules/apt/apt_cloudhopper.yml

@@ -8,11 +8,10 @@ tags:
     - attack.g0045
     - attack.t1064
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         Image: '*\cscript.exe'
         CommandLine: '*.vbs /shell *'
     condition: selection

rules/apt/apt_dragonfly.yml

@@ -1,5 +1,3 @@
----
-action: global
 title: CrackMapExecWin 
 description: Detects CrackMapExecWin Activity as Described by NCSC
 status: experimental
@@ -8,31 +6,14 @@ references:
 tags:
     - attack.g0035
 author: Markus Neis
-detection:
-    condition: 1 of them
-falsepositives: 
-    - None 
-level: critical
----
-# Windows Audit Log
 logsource:
+    category: process_creation
     product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
-    selection1:
-        # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
-        EventID: 4688
-        NewProcessName:
-            - '*\crackmapexec.exe'
----
-# Sysmon
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection1:
-        # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
-        EventID: 1
+    selection:
         Image:
             - '*\crackmapexec.exe'
+    condition: selection
+falsepositives: 
+    - None 
+level: critical

rules/apt/apt_elise.yml

@@ -10,15 +10,13 @@ tags:
 author: Florian Roth
 date: 2018/01/31
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection1:
-        EventID: 1
         Image: 'C:\Windows\SysWOW64\cmd.exe'
         CommandLine: '*\Windows\Caches\NavShExt.dll *'
     selection2:
-        EventID: 1
         CommandLine: '*\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'
     condition: 1 of them
 falsepositives:

rules/apt/apt_equationgroup_dll_u_load.yml

@@ -1,6 +1,5 @@
----
-action: global
 title: Equation Group DLL_U Load
+author: Florian Roth
 description: Detects a specific tool and export used by EquationGroup
 references:
     - https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
@@ -10,36 +9,18 @@ tags:
     - attack.execution
     - attack.g0020
     - attack.t1059
-author: Florian Roth
-date: 2018/03/10 
-modified: 2018/12/11
+    - attack.defense_evasion
+    - attack.t1085
+logsource:
+    category: process_creation
+    product: windows
 detection:
+    selection1:
+        Image: '*\rundll32.exe'
+        CommandLine: '*,dll_u'
+    selection2:
+        CommandLine: '* -export dll_u *'
     condition: 1 of them
 falsepositives:
     - Unknown
 level: critical
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection1:
-        EventID: 1
-        Image: '*\rundll32.exe'
-        CommandLine: '*,dll_u'
-    selection2:
-        EventID: 1
-        CommandLine: '* -export dll_u *'
----
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection1:
-        EventID: 4688
-        Image: '*\rundll32.exe'
-        ProcessCommandLine: '*,dll_u'
-    selection2:
-        EventID: 4688
-        ProcessCommandLine: '* -export dll_u *'

rules/apt/apt_hurricane_panda.yml

@@ -1,6 +1,5 @@
----
-action: global
 title: Hurricane Panda Activity
+author: Florian Roth
 status: experimental
 description: Detects Hurricane Panda Activity 
 references: 
@@ -9,34 +8,16 @@ tags:
     - attack.privilege_escalation
     - attack.g0009
     - attack.t1068
-author: Florian Roth
-date: 2018/02/25
-modified: 2018/12/11
+logsource:
+    category: process_creation
+    product: windows
 detection:
+    selection:
+        CommandLine: 
+            - '* localgroup administrators admin /add'
+            - '*\Win64.exe*'
     condition: selection
 falsepositives:
     - Unknown
 level: high
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: 
-            - '* localgroup administrators admin /add'
-            - '*\Win64.exe*'
----
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: 
-            - '* localgroup administrators admin /add'
-            - '*\Win64.exe*'
-
 

rules/apt/apt_judgement_panda_gtr19.yml

@@ -1,61 +1,33 @@
----
-action: global
-title: Judgement Panda Exfil Activity 
-description: 'Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike' 
+title: Judgement Panda Exfil Activity
+description: Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike
 references:
     - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
-logsource:
-    product: windows
 author: Florian Roth
-date: 2019/02/21 
-tags: 
+date: 2019/02/21
+tags:
     - attack.lateral_movement
     - attack.g0010
     - attack.credential_access
     - attack.t1098
     - attack.exfiltration
     - attack.t1002
+logsource:
+    category: process_creation
+    product: windows
 detection:
+    selection1:
+        CommandLine:
+            - '*\ldifde.exe -f -n *'
+            - '*\7za.exe a 1.7z *'
+            - '* eprod.ldf'
+            - '*\aaaa\procdump64.exe*'
+            - '*\aaaa\netsess.exe*'
+            - '*\aaaa\7za.exe*'
+            - '*copy .\1.7z \\*'
+            - '*copy \\client\c$\aaaa\*'
+    selection2:
+        Image: C:\Users\Public\7za.exe
     condition: selection1 or selection2
 falsepositives:
     - unknown
 level: critical
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection1:
-        EventID: 1
-        CommandLine: 
-            - '*\ldifde.exe -f -n *'
-            - '*\7za.exe a 1.7z *'
-            - '* eprod.ldf'
-            - '*\aaaa\procdump64.exe*'
-            - '*\aaaa\netsess.exe*'
-            - '*\aaaa\7za.exe*'
-            - '*copy .\1.7z \\*'
-            - '*copy \\client\c$\aaaa\*'
-    selection2:
-        EventID: 1
-        Image: 'C:\Users\Public\7za.exe'
----
-logsource:
-    product: windows
-    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection1:
-        EventID: 4688
-        ProcessCommandLine:
-            - '*\ldifde.exe -f -n *'
-            - '*\7za.exe a 1.7z *'
-            - '* eprod.ldf'
-            - '*\aaaa\procdump64.exe*'
-            - '*\aaaa\netsess.exe*'
-            - '*\aaaa\7za.exe*'
-            - '*copy .\1.7z \\*'
-            - '*copy \\client\c$\aaaa\*'
-    selection2:
-        EventID: 4688
-        NewProcessName: 'C:\Users\Public\7za.exe'

rules/apt/apt_pandemic.yml

@@ -1,3 +1,5 @@
+---
+action: global
 title: Pandemic Registry Key
 status: experimental
 description: Detects Pandemic Windows Implant
@@ -8,19 +10,7 @@ tags:
     - attack.lateral_movement
     - attack.t1105
 author: Florian Roth
-logsource:
-    product: windows
-    service: sysmon
 detection:
-    selection1:
-        EventID: 13
-        TargetObject: 
-            - '\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\null\Instance*'
-            - '\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\null\Instance*'
-            - '\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\null\Instance*'
-    selection2:
-        EventID: 1
-        Command: 'loaddll -a *'
     condition: 1 of them
 fields:
     - EventID
@@ -32,4 +22,22 @@ fields:
 falsepositives:
     - unknown
 level: critical
+---
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection1:
+        EventID: 13
+        TargetObject: 
+            - '\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\null\Instance*'
+            - '\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\null\Instance*'
+            - '\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\null\Instance*'
+---
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection2:
+        Command: 'loaddll -a *'
 

rules/apt/apt_slingshot.yml

@@ -1,29 +1,25 @@
 ---
 action: global
 title: Defrag Deactivation
+author: Florian Roth
 description: Detects the deactivation of the Scheduled defragmentation task as seen by Slingshot APT group
 references:
     - https://securelist.com/apt-slingshot/84312/
 tags:
     - attack.persistence
-author: Florian Roth
-date: 2018/03/10
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'       
+    - attack.t1053
+    - attack.s0111
 detection:
-    condition: selection
+    condition: 1 of them
 falsepositives:
     - Unknown
 level: medium
 ---
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
-    selection:
-        EventID: 1
+    selection1:
         CommandLine: 
             - '*schtasks* /delete *Defrag\ScheduledDefrag*'
 ---
@@ -32,6 +28,6 @@ logsource:
     service: security
     definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'       
 detection:
-    selection:
+    selection2:
         EventID: 4701
-        TaskName: '\Microsoft\Windows\Defrag\ScheduledDefrag'
+        TaskName: '\Microsoft\Windows\Defrag\ScheduledDefrag'

rules/apt/apt_sofacy.yml

@@ -1,6 +1,5 @@
----
-action: global
 title: Sofacy Trojan Loader Activity
+author: Florian Roth
 status: experimental
 description: Detects Trojan loader acitivty as used by APT28 
 references: 
@@ -9,32 +8,19 @@ references:
     - https://twitter.com/ClearskySec/status/960924755355369472
 tags:
     - attack.g0007
-author: Florian Roth
-date: 2018/03/01
-modified: 2018/12/11
+    - attack.execution
+    - attack.t1059
+    - attack.defense_evasion
+    - attack.t1085
+logsource:
+    category: process_creation
+    product: windows
 detection:
+    selection:
+        CommandLine: 
+            - 'rundll32.exe %APPDATA%\\*.dat",*'
+            - 'rundll32.exe %APPDATA%\\*.dll",#1'
     condition: selection
 falsepositives:
     - Unknown
 level: critical
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: 
-            - 'rundll32.exe %APPDATA%\\*.dat",*'
-            - 'rundll32.exe %APPDATA%\\*.dll",#1'
----
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: 
-            - 'rundll32.exe %APPDATA%\\*.dat",*'
-            - 'rundll32.exe %APPDATA%\\*.dll",#1'

rules/apt/apt_sofacy_zebrocy.yml

@@ -1,6 +1,5 @@
----
-action: global
 title: Sofacy Zebrocy
+author: Florian Roth
 description: Detects Sofacy's Zebrocy malware execution
 references:
     - https://app.any.run/tasks/54acca9a-394e-4384-a0c8-91a96d36c81d
@@ -8,27 +7,13 @@ tags:
     - attack.execution
     - attack.g0020
     - attack.t1059
-author: Florian Roth
-date: 2018/03/10
+logsource:
+    category: process_creation
+    product: windows
 detection:
+    selection:
+        CommandLine: '*cmd.exe /c SYSTEMINFO & TASKLIST'
     condition: selection
 falsepositives:
     - Unknown
 level: critical
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: '*cmd.exe /c SYSTEMINFO & TASKLIST'
----
-logsource:
-    product: windows
-    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: '*cmd.exe /c SYSTEMINFO & TASKLIST'

rules/apt/apt_ta17_293a_ps.yml

@@ -9,11 +9,10 @@ tags:
 author: Florian Roth
 date: 2017/10/22
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         CommandLine: 'ps.exe -accepteula'
     condition: selection
 falsepositives:

rules/apt/apt_tropictrooper.yml

@@ -1,34 +1,17 @@
-action: global
 title: TropicTrooper Campaign November 2018
+author: "@41thexplorer, Windows Defender ATP"
 status: stable
 description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
 references:
     - https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
-author: "@41thexplorer, Windows Defender ATP"
-date: 2018/11/30
-modified: 2018/12/11
 tags:
     - attack.execution
     - attack.t1085
+logsource:
+    category: process_creation
+    product: windows
 detection:
+    selection:
+        CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
     condition: selection
-level: high
----
-# Windows Security Eventlog: Process Creation with Full Command Line
-logsource:
-    product: windows
-    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
----
-# Sysmon: Process Creation (ID 1)
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
+level: high

rules/apt/apt_turla_commands.yml

@@ -6,19 +6,24 @@ description: Detects automated lateral movement by Turla group
 references:
     - https://securelist.com/the-epic-turla-operation/65545/
 tags:
-    - attack.lateral_movement
     - attack.g0010
+    - attack.execution
+    - attack.t1059
+    - attack.lateral_movement
+    - attack.t1077
+    - attack.discovery
+    - attack.t1083
+    - attack.t1135
 author: Markus Neis
 date: 2017/11/07
 logsource:
-   product: windows
-   service: sysmon
+    category: process_creation
+    product: windows
 falsepositives:
    - Unknown
 ---
 detection:
    selection:
-      EventID: 1
       CommandLine: 
          - 'net use \\%DomainController%\C$ "P@ssw0rd" *'
          - 'dir c:\\*.doc* /s'
@@ -28,13 +33,10 @@ level: critical
 ---
 detection:
    netCommand1:
-      EventID: 1
       CommandLine: 'net view /DOMAIN'
    netCommand2:
-      EventID: 1
       CommandLine: 'net session'
    netCommand3:
-      EventID: 1
       CommandLine: 'net share'
    timeframe: 1m
    condition: netCommand1 | near netCommand2 and netCommand3 

rules/apt/apt_turla_service_png.yml

@@ -5,9 +5,9 @@ references:
 author: Florian Roth
 date: 2018/11/23
 tags:
-    - attack.command_and_control
-    - attack.g0016
-    - attack.t1172
+    - attack.persistence
+    - attack.g0010
+    - attack.t1050
 logsource:
     product: windows
     service: system

rules/apt/apt_unidentified_nov_18.yml

@@ -1,3 +1,4 @@
+---
 action: global
 title: Unidentified Attacker November 2018
 status: stable
@@ -11,26 +12,14 @@ tags:
     - attack.execution
     - attack.t1085
 detection:
-    condition: selection
+    condition: 1 of them
 level: high
 ---
-# Windows Security Eventlog: Process Creation with Full Command Line
 logsource:
+    category: process_creation
     product: windows
-    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: '*cyzfc.dat, PointFunctionCall'
----
-# Sysmon: Process Creation (ID 1)
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
+    selection1:
         CommandLine: '*cyzfc.dat, PointFunctionCall'
 ---
 # Sysmon: File Creation (ID 11)
@@ -38,7 +27,7 @@ logsource:
     product: windows
     service: sysmon
 detection:
-    selection:
+    selection2:
         EventID: 11
         TargetFilename: 
             - '*ds7002.lnk*' 

rules/apt/apt_zxshell.yml

@@ -5,12 +5,15 @@ references:
     - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
 tags:
     - attack.g0001
+    - attack.execution
+    - attack.t1059
+    - attack.defense_evasion
+    - attack.t1085
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         Command: 
             - 'rundll32.exe *,zxFunction*'
             - 'rundll32.exe *,RemoteDiskXXXXX'

rules/apt/crime_fireball.yml

@@ -6,12 +6,16 @@ date: 2017/06/03
 references:
     - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
     - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
+tags:
+    - attack.execution
+    - attack.t1059
+    - attack.defense_evasion
+    - attack.t1085
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         CommandLine: '*\rundll32.exe *,InstallArcherSvc'
     condition: selection
 fields:

rules/proxy/proxy_download_susp_tlds_blacklist.yml

@@ -96,6 +96,8 @@ detection:
             - '*.gq'
             - '*.ml'
             - '*.ga'
+            # Custom 
+            - '*.pw'
     condition: selection
 fields:
     - ClientIP

rules/proxy/proxy_ua_bitsadmin_susp_tld.yml

@@ -0,0 +1,26 @@
+title: Bitsadmin to Uncommon TLD
+status: experimental
+description: Detects Bitsadmin connections to domains with uncommon TLDs 
+    - https://twitter.com/jhencinski/status/1102695118455349248
+    - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
+author: Florian Roth
+date: 2019/03/07
+logsource:
+    category: proxy
+detection:
+    selection:
+        UserAgent:
+            - 'Microsoft BITS/*'
+    falsepositives:
+        r-dns:
+            - '*.com' 
+            - '*.net' 
+            - '*.org' 
+    condition: selection and not falsepositives
+fields:
+    - ClientIP
+    - URL
+    - UserAgent
+falsepositives:
+    - Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca
+level: high

rules/windows/builtin/win_admin_rdp_login.yml

@@ -5,6 +5,7 @@ references:
 tags:
     - attack.lateral_movement
     - attack.t1078
+    - car.2016-04-005
 status: experimental
 author: juju4
 logsource:
@@ -18,6 +19,6 @@ detection:
         AuthenticationPackageName: Negotiate
         AccountName: 'Admin-*'
     condition: selection
-falsepositives: 
+falsepositives:
     - Legitimate administrative activity
 level: low

rules/windows/builtin/win_alert_ad_user_backdoors.yml

@@ -8,6 +8,7 @@ author: '@neu5ron'
 tags:
     - attack.t1098
     - attack.credential_access
+    - attack.persistence
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_alert_enable_weak_encryption.yml

@@ -4,6 +4,9 @@ references:
     - https://adsecurity.org/?p=2053
     - https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
 author: '@neu5ron'
+tags:
+    - attack.defense_evasion
+    - attack.t1089
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_hack_rubeus.yml

@@ -1,52 +0,0 @@
----
-action: global
-title: Rubeus Hack Tool
-description: Detects command line parameters used by Rubeus hack tool 
-author: Florian Roth
-references: 
-    - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
-date: 2018/12/19
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - attack.s0005
-detection:
-    condition: selection
-falsepositives:
-    - unlikely
-level: critical
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: 
-            - '* asreproast *'
-            - '* dump /service:krbtgt *'
-            - '* kerberoast *'
-            - '* createnetonly /program:*'
-            - '* ptt /ticket:*'
-            - '* /impersonateuser:*'
-            - '* renew /ticket:*'
-            - '* asktgt /user:*'
-            - '* harvest /interval:*'
----
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: 
-            - '* asreproast *'
-            - '* dump /service:krbtgt *'
-            - '* kerberoast *'
-            - '* createnetonly /program:*'
-            - '* ptt /ticket:*'
-            - '* /impersonateuser:*'
-            - '* renew /ticket:*'
-            - '* asktgt /user:*'
-            - '* harvest /interval:*'

rules/windows/builtin/win_hack_smbexec.yml

@@ -11,6 +11,7 @@ tags:
     - attack.t1035
 logsource:
     product: windows
+    service: system
 detection:
     service_installation:
         EventID: 7045

rules/windows/builtin/win_mal_creddumper.yml

@@ -1,3 +1,5 @@
+---
+action: global
 title: Malicious Service Install
 description: This method detects well-known keywords of malicious services in the Windows System Eventlog 
 author: Florian Roth
@@ -9,10 +11,9 @@ logsource:
     product: windows
     service: system
 detection:
-    selection:
+    selection1:
         EventID: 
           - 7045
-          - 4697
     keywords:
       - 'WCE SERVICE'
       - 'WCESERVICE'
@@ -20,7 +21,14 @@ detection:
     quarkspwdump:
         EventID: 16
         HiveName: '*\AppData\Local\Temp\SAM*.dmp'
-    condition: ( selection and keywords ) or quarkspwdump
+    condition: ( selection1 and keywords ) or ( selection2 and keywords ) or quarkspwdump
 falsepositives:
     - Unlikely
 level: high
+---
+logsource:
+    product: windows
+    service: security
+detection:
+    selection2:
+        EventID: 4697

rules/windows/builtin/win_multiple_suspicious_cli.yml

@@ -1,112 +0,0 @@
-action: global
-title: Quick Execution of a Series of Suspicious Commands
-description: Detects multiple suspicious process in a limited timeframe
-status: experimental
-references:
-    - https://car.mitre.org/wiki/CAR-2013-04-002
-author: juju4
-modified: 2012/12/11
-falsepositives:
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: low
----
-# Windows Audit Log
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: 
-            - arp.exe
-            - at.exe
-            - attrib.exe
-            - cscript.exe
-            - dsquery.exe
-            - hostname.exe
-            - ipconfig.exe
-            - mimikatz.exe
-            - nbstat.exe
-            - net.exe
-            - netsh.exe
-            - nslookup.exe
-            - ping.exe
-            - quser.exe
-            - qwinsta.exe
-            - reg.exe
-            - runas.exe
-            - sc.exe
-            - schtasks.exe
-            - ssh.exe
-            - systeminfo.exe
-            - taskkill.exe
-            - telnet.exe
-            - tracert.exe
-            - wscript.exe
-            - xcopy.exe
-# others
-            - pscp.exe
-            - copy.exe
-            - robocopy.exe
-            - certutil.exe
-            - vssadmin.exe
-            - powershell.exe
-            - wevtutil.exe
-            - psexec.exe
-            - bcedit.exe
-            - wbadmin.exe
-            - icacls.exe
-            - diskpart.exe
-    timeframe: 5m
-    condition: selection | count() by MachineName > 5
----
-# Sysmon
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: 
-            - arp.exe
-            - at.exe
-            - attrib.exe
-            - cscript.exe
-            - dsquery.exe
-            - hostname.exe
-            - ipconfig.exe
-            - mimikatz.exe
-            - nbstat.exe
-            - net.exe
-            - netsh.exe
-            - nslookup.exe
-            - ping.exe
-            - quser.exe
-            - qwinsta.exe
-            - reg.exe
-            - runas.exe
-            - sc.exe
-            - schtasks.exe
-            - ssh.exe
-            - systeminfo.exe
-            - taskkill.exe
-            - telnet.exe
-            - tracert.exe
-            - wscript.exe
-            - xcopy.exe
-# others
-            - pscp.exe
-            - copy.exe
-            - robocopy.exe
-            - certutil.exe
-            - vssadmin.exe
-            - powershell.exe
-            - wevtutil.exe
-            - psexec.exe
-            - bcedit.exe
-            - wbadmin.exe
-            - icacls.exe
-            - diskpart.exe
-    timeframe: 5m
-    condition: selection | count() by MachineName > 5

rules/windows/builtin/win_netsh_port_fwd.yml

@@ -1,35 +0,0 @@
----
-action: global
-title: Netsh Port Forwarding
-description: Detects netsh commands that configure a port forwarding
-references:
-    - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
-date: 2019/01/29
-tags:
-    - attack.lateral_movement
-status: experimental
-author: Florian Roth
-detection:
-    condition: selection
-falsepositives:
-    - Legitimate administration
-level: medium
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: 
-            - 'netsh interface portproxy add v4tov4 *'
----
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: 
-            - 'netsh interface portproxy add v4tov4 *'

rules/windows/builtin/win_plugx_susp_exe_locations.yml

@@ -1,146 +0,0 @@
-title: Executable used by PlugX in Uncommon Location
-status: experimental
-description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
-references:
-    - 'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/'
-    - 'https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/'
-author: Florian Roth
-date: 2017/06/12
-tags:
-    - attack.s0013
-logsource:
-    product: windows
-    service: security
-detection:
-
-    # CamMute
-    selection_cammute:
-        EventID: 4688
-        CommandLine: '*\CamMute.exe'
-    filter_cammute:
-        EventID: 4688
-        CommandLine: '*\Lenovo\Communication Utility\\*'
-
-    # Chrome Frame Helper
-    selection_chrome_frame:
-        EventID: 4688
-        CommandLine: '*\chrome_frame_helper.exe'
-    filter_chrome_frame:
-        EventID: 4688
-        CommandLine: '*\Google\Chrome\application\\*'    
-
-    # Microsoft Device Emulator
-    selection_devemu:
-        EventID: 4688
-        CommandLine: '*\dvcemumanager.exe'
-    filter_devemu:
-        EventID: 4688
-        CommandLine: '*\Microsoft Device Emulator\\*'   
-
-    # Windows Media Player Gadget
-    selection_gadget:
-        EventID: 4688
-        CommandLine: '*\Gadget.exe'
-    filter_gadget:
-        EventID: 4688
-        CommandLine: '*\Windows Media Player\\*'
-
-    # HTML Help Workshop
-    selection_hcc:
-        EventID: 4688
-        CommandLine: '*\hcc.exe'
-    filter_hcc:
-        EventID: 4688
-        CommandLine: '*\HTML Help Workshop\\*'
-
-    # Hotkey Command Module for Intel Graphics Contollers
-    selection_hkcmd:
-        EventID: 4688
-        CommandLine: '*\hkcmd.exe'
-    filter_hkcmd:
-        EventID: 4688
-        CommandLine: 
-            - '*\System32\\*'
-            - '*\SysNative\\*'
-            - '*\SysWowo64\\*'
-
-    # McAfee component
-    selection_mc:
-        EventID: 4688
-        CommandLine: '*\Mc.exe'
-    filter_mc:
-        EventID: 4688
-        CommandLine: 
-            - '*\Microsoft Visual Studio*'
-            - '*\Microsoft SDK*'
-            - '*\Windows Kit*'
-
-    # MsMpEng - Microsoft Malware Protection Engine
-    selection_msmpeng:
-        EventID: 4688
-        CommandLine: '*\MsMpEng.exe'
-    filter_msmpeng:
-        EventID: 4688
-        CommandLine: 
-            - '*\Microsoft Security Client\\*'
-            - '*\Windows Defender\\*'
-            - '*\AntiMalware\\*'
-
-    # Microsoft Security Center
-    selection_msseces:
-        EventID: 4688
-        CommandLine: '*\msseces.exe'
-    filter_msseces:
-        EventID: 4688
-        CommandLine: '*\Microsoft Security Center\\*'
-
-    # Microsoft Office 2003 OInfo
-    selection_oinfo:
-        EventID: 4688
-        CommandLine: '*\OInfoP11.exe'
-    filter_oinfo:
-        EventID: 4688
-        CommandLine: '*\Common Files\Microsoft Shared\\*'      
-
-    # OLE View
-    selection_oleview:
-        EventID: 4688
-        CommandLine: '*\OleView.exe'
-    filter_oleview:
-        EventID: 4688
-        CommandLine: 
-            - '*\Microsoft Visual Studio*'
-            - '*\Microsoft SDK*'
-            - '*\Windows Kit*'   
-            - '*\Windows Resource Kit\\*'
-
-    # RC
-    selection_rc:
-        EventID: 4688
-        CommandLine: '*\rc.exe'
-    filter_rc:
-        EventID: 4688
-        CommandLine: 
-            - '*\Microsoft Visual Studio*'
-            - '*\Microsoft SDK*'
-            - '*\Windows Kit*'   
-            - '*\Windows Resource Kit\\*'
-            - '*\Microsoft.NET\\*'  
-
-    condition: ( selection_cammute and not filter_cammute ) or  
-                ( selection_chrome_frame and not filter_chrome_frame ) or
-                ( selection_devemu and not filter_devemu ) or
-                ( selection_gadget and not filter_gadget ) or 
-                ( selection_hcc and not filter_hcc ) or 
-                ( selection_hkcmd and not filter_hkcmd ) or 
-                ( selection_mc and not filter_mc ) or
-                ( selection_msmpeng and not filter_msmpeng ) or
-                ( selection_msseces and not filter_msseces ) or
-                ( selection_oinfo and not filter_oinfo ) or 
-                ( selection_oleview and not filter_oleview ) or 
-                ( selection_rc and not filter_rc ) 
-falsepositives:
-    - Unknown
-level: high
-
-

rules/windows/builtin/win_powershell_b64_shellcode.yml

@@ -1,44 +0,0 @@
-action: global
-title: PowerShell Base64 Encoded Shellcode
-description: Detects Base64 encoded Shellcode 
-status: experimental
-references:
-    - https://twitter.com/cyb3rops/status/1063072865992523776
-author: Florian Roth
-date: 2018/11/17
-tags:
-    - attack.defense_evasion
-    - attack.t1036
-detection:
-    condition: selection1 and selection2
-falsepositives: 
-    - Unknown
-level: critical
----
-# Windows Audit Log
-logsource:
-    product: windows
-    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection1:
-        EventID: 4688
-        ProcessCommandLine: '*AAAAYInlM*'
-    selection2:
-        ProcessCommandLine: 
-            - '*OiCAAAAYInlM*'
-            - '*OiJAAAAYInlM*'
----
-# Sysmon
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection1:
-        EventID: 1
-        CommandLine: '*AAAAYInlM*'
-    selection2:
-        CommandLine: 
-            - '*OiCAAAAYInlM*'
-            - '*OiJAAAAYInlM*'
-

rules/windows/builtin/win_rdp_localhost_login.yml

@@ -6,6 +6,7 @@ date: 2019/01/28
 modified: 2019/01/29
 tags:
     - attack.lateral_movement
+    - attack.t1076
 status: experimental
 author: Thomas Patzke
 logsource:

rules/windows/builtin/win_spn_enum.yml

@@ -1,39 +0,0 @@
----
-action: global
-title: Possible SPN Enumeration 
-description: Detects Service Principal Name Enumeration used for Kerberoasting
-status: experimental
-references:
-    - https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation
-author: Markus Neis, keepwatch
-date: 2018/11/14
-tags:
-    - attack.credential_access
-    - attack.t1208
-detection:
-    selection_image:
-         Image: '*\setspn.exe'
-    selection_desc:
-        Description: '*Query or reset the computer* SPN attribute*'
-    cmd:
-        CommandLine: '*-q*'
-    condition: selection and (selection_image or selection_desc) and cmd
-falsepositives: 
-    - Administrator Activity 
-level: medium
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
----
-logsource:
-    product: windows
-    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-

rules/windows/builtin/win_susp_bcdedit.yml

@@ -1,39 +0,0 @@
----
-action: global
-title: Possible Ransomware or unauthorized MBR modifications
-status: experimental
-description: Detects, possibly, malicious unauthorized usage of bcdedit.exe
-references:
-    - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
-author: "@neu5ron"
-date: 2019/02/07
-detection:
-    condition: selection
-level: medium
----
-# Windows Security Eventlog: Process Creation with Full Command Line
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        NewProcessName: '*\fsutil.exe'
-        ProcessCommandLine: 
-            - '*delete*'
-            - '*deletevalue*'
-            - '*import*'
----
-# Sysmon: Process Creation (ID 1)
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        Image: '*\fsutil.exe'
-        ProcessCommandLine: 
-            - '*delete*'
-            - '*deletevalue*'
-            - '*import*'

rules/windows/builtin/win_susp_calc.yml

@@ -1,41 +0,0 @@
----
-action: global
-title: Suspicious Calculator Usage
-description: Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion
-status: experimental
-references:
-    - https://twitter.com/ItsReallyNick/status/1094080242686312448
-author: Florian Roth
-date: 2019/02/09
-detection:
-    condition: selection1 or ( selection2 and not filter2 )
-falsepositives: 
-    - Unknown
-level: high
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection1:
-        EventID: 1
-        CommandLine: '*\calc.exe *'
-    selection2:
-        EventID: 1
-        Image: '*\calc.exe'
-    filter2:
-        Image: '*\Windows\Sys*'
----
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection1:
-        EventID: 4688
-        ProcessCommandLine: '*\calc.exe *'
-    selection2:
-        EventID: 1
-        Image: '*\calc.exe'
-    filter2:
-        Image: '*\Windows\Sys*'

rules/windows/builtin/win_susp_certutil_encode.yml

@@ -1,43 +0,0 @@
----
-action: global
-title: Certutil Encode
-status: experimental
-description: 'Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration' 
-references:
-    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
-    - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
-logsource:
-    product: windows
-author: Florian Roth
-date: 2019/02/24 
-detection:
-    condition: selection
-falsepositives:
-    - unknown
-level: medium
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: 
-            - 'certutil -f -encode *'
-            - 'certutil.exe -f -encode *'
-            - 'certutil -encode -f *'
-            - 'certutil.exe -encode -f *'
----
-logsource:
-    product: windows
-    service: security
-    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: 
-            - 'certutil -f -encode *'
-            - 'certutil.exe -f -encode *'
-            - 'certutil -encode -f *'
-            - 'certutil.exe -encode -f *'
-

rules/windows/builtin/win_susp_cli_escape.yml

@@ -1,57 +0,0 @@
-action: global
-title: Suspicious Commandline Escape
-description: Detects suspicious process that use escape characters
-status: experimental
-references:
-    - https://twitter.com/vysecurity/status/885545634958385153
-    - https://twitter.com/Hexacorn/status/885553465417756673
-    - https://twitter.com/Hexacorn/status/885570278637678592
-    - https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
-    - http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/
-author: juju4
-modified: 2018/12/11
-tags:
-    - attack.defense_evasion
-    - attack.t1140
-detection:
-    condition: selection
-falsepositives: 
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: low
----
-# Windows Audit Log
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: 
-            #- '^'
-            #- '@'
-# 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form?
-            # - '-'
-            # - '―'
-            #- 'c:/'
-            - '<TAB>'
-            - '^h^t^t^p'
-            - 'h"t"t"p'
----
-# Sysmon
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: 
-            #- '^'
-            #- '@'
-# 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form?
-            # - '-'
-            # - '―'
-            #- 'c:/'
-            - '<TAB>'
-            - '^h^t^t^p'
-            - 'h"t"t"p'

rules/windows/builtin/win_susp_commands_recon_activity.yml

@@ -1,73 +0,0 @@
----
-action: global
-title: Reconnaissance Activity with Net Command
-status: experimental
-description: 'Detects a set of commands often used in recon stages by different attack groups' 
-references:
-    - https://twitter.com/haroonmeer/status/939099379834658817
-    - https://twitter.com/c_APT_ure/status/939475433711722497
-    - https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
-author: Florian Roth, Markus Neis
-date: 2018/08/22
-modified: 2018/12/11
-tags:
-    - attack.discovery
-    - attack.t1073
-    - attack.t1012 
-detection:
-    timeframe: 15s 
-    condition: selection | count() by CommandLine > 4
-falsepositives: 
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: 
-            - 'tasklist'
-            - 'net time'
-            - 'systeminfo'
-            - 'whoami'
-            - 'nbtstat'
-            - 'net start'
-            - '*\net1 start'
-            - 'qprocess'
-            - 'nslookup'
-            - 'hostname.exe'
-            - '*\net1 user /domain'
-            - '*\net1 group /domain'
-            - '*\net1 group "domain admins" /domain'
-            - '*\net1 group "Exchange Trusted Subsystem" /domain'
-            - '*\net1 accounts /domain' 
-            - '*\net1 user net localgroup administrators' 
-            - 'netstat -an'
----
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: 
-            - 'tasklist'
-            - 'net time'
-            - 'systeminfo'
-            - 'whoami'
-            - 'nbtstat'
-            - 'net start'
-            - '*\net1 start'
-            - 'qprocess'
-            - 'nslookup'
-            - 'hostname.exe'
-            - '*\net1 user /domain'
-            - '*\net1 group /domain'
-            - '*\net1 group "domain admins" /domain'
-            - '*\net1 group "Exchange Trusted Subsystem" /domain'
-            - '*\net1 accounts /domain' 
-            - '*\net1 user net localgroup administrators' 
-            - 'netstat -an'

rules/windows/builtin/win_susp_dhcp_config.yml

@@ -9,6 +9,7 @@ date: 2017/05/15
 author: Dimitrios Slamaris
 tags:
     - attack.defense_evasion
+    - attack.t1073
 logsource:
     product: windows
     service: system

rules/windows/builtin/win_susp_dhcp_config_failed.yml

@@ -6,6 +6,9 @@ references:
     - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
     - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
 date: 2017/05/15
+tags:
+    - attack.defense_evasion
+    - attack.t1073
 author: Dimitrios Slamaris
 logsource:
     product: windows

rules/windows/builtin/win_susp_dns_config.yml

@@ -6,6 +6,9 @@ references:
     - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
     - https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx
     - https://twitter.com/gentilkiwi/status/861641945944391680
+tags:
+    - attack.defense_evasion
+    - attack.t1073
 author: Florian Roth
 logsource:
     product: windows

rules/windows/builtin/win_susp_dsrm_password_change.yml

@@ -7,6 +7,7 @@ author: Thomas Patzke
 tags:
     - attack.persistence
     - attack.privilege_escalation
+    - attack.t1098
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_susp_failed_logon_reasons.yml

@@ -1,6 +1,9 @@
 title: Account Tampering - Suspicious Failed Logon Reasons
 description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
 author: Florian Roth
+modified: 2019/03/01
+references:
+    - https://twitter.com/SBousseaden/status/1101431884540710913
 tags:
     - attack.persistence
     - attack.privilege_escalation
@@ -14,11 +17,12 @@ detection:
             - 4625
             - 4776
         Status:
-            - '0xC0000072'
-            - '0xC000006F'
-            - '0xC0000070'
-            - '0xC0000413'
-            - '0xC000018C'
+            - '0xC0000072'  # User logon to account disabled by administrator
+            - '0xC000006F'  # User logon outside authorized hours
+            - '0xC0000070'  # User logon from unauthorized workstation
+            - '0xC0000413'  # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
+            - '0xC000018C'  # The logon request failed because the trust relationship between the primary domain and the trusted domain failed
+            - '0xC000015B'  # The user has not been granted the requested logon type (aka logon right) at this machine
     condition: selection
 falsepositives:
     - User using a disabled account

rules/windows/builtin/win_susp_gup.yml

@@ -1,35 +0,0 @@
----
-action: global
-title: Suspicious GUP Usage
-description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
-status: experimental
-references:
-    - https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
-author: Florian Roth
-date: 2019/02/06
-detection:
-    condition: selection and not filter
-falsepositives: 
-    - 'Execution of tools named GUP.exe and located in folders different than Notepad++\updater'
-level: high
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        Image: '*\GUP.exe'
-    filter:
-        Image: '*\updater\*'
----
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        NewProcessName: '*\GUP.exe'
-    filter:
-        NewProcessName: '*\updater\*'

rules/windows/builtin/win_susp_mshta_execution.yml

@@ -0,0 +1,39 @@
+title: MSHTA Suspicious Execution 01
+status: experimental
+description: Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism
+date: 22/02/2019
+modified: 22/02/2019
+author: Diego Perez (@darkquassar)
+references:
+    - http://blog.sevagas.com/?Hacking-around-HTA-files
+    - https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356
+    - https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
+    - https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997
+tags:
+    - attack.defense_evasion
+    - attack.t1140
+logsource:
+    category: process_creation
+    product: windows
+falsepositives: 
+    - False positives depend on scripts and administrative tools used in the monitored environment
+level: high
+detection:
+    selection1:
+        CommandLine: 
+            - '*mshta vbscript:CreateObject("Wscript.Shell")*'
+            - '*mshta vbscript:Execute("Execute*'
+            - '*mshta vbscript:CreateObject("Wscript.Shell").Run("mshta.exe*'
+    selection2:
+        Image:
+            - 'C:\Windows\system32\mshta.exe'
+        CommandLine: 
+            - '*.jpg*'
+            - '*.png*'
+            - '*.lnk*'
+            # - '*.chm*'  # could be prone to false positives
+            - '*.xls*'
+            - '*.doc*'
+            - '*.zip*'
+    condition:
+        selection1 or selection2

rules/windows/builtin/win_susp_msiexec_web_install.yml

@@ -1,34 +0,0 @@
----
-action: global
-title: MsiExec Web Install
-status: experimental
-description: Detects suspicious msiexec proess starts with web addreses as parameter
-references:
-    - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
-author: Florian Roth
-date: 2018/02/09
-modified: 2012/12/11
-detection:
-    condition: selection
-falsepositives: 
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: 
-            - '* msiexec*:\/\/*'
----
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: 
-            - '* msiexec*:\/\/*'

rules/windows/builtin/win_susp_ntlm_auth.yml

@@ -7,8 +7,8 @@ references:
 author: Florian Roth
 date: 2018/06/08
 tags:
-    - attack.credential_access
-    - attack.t1208
+    - attack.lateral_movement
+    - attack.t1075
 logsource:
     product: windows
     service: ntlm

rules/windows/builtin/win_susp_procdump.yml

@@ -1,49 +0,0 @@
-action: global
-title: Suspicious Use of Procdump
-description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable. 
-status: experimental
-references:
-    - Internal Research
-author: Florian Roth
-date: 2018/10/30
-tags:
-    - attack.defense_evasion
-    - attack.t1036
-    - attack.credential_access
-    - attack.t1003
-detection:
-    condition: selection and selection1 and selection2
-falsepositives: 
-    - Unlikely, because no one should dump an lsass process memory
-    - Another tool that uses the command line switches of Procdump
-level: medium
----
-# Windows Audit Log
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-    selection1:
-        ProcessCommandLine:
-            - "* -ma *"
-    selection2: 
-        ProcessCommandLine:
-            - '* lsass.exe*'
----
-# Sysmon
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-    selection1:
-        CommandLine:
-            - "* -ma *"
-    selection2: 
-        CommandLine:
-            - '* lsass.exe*'
-

rules/windows/builtin/win_susp_process_creations.yml

@@ -1,147 +0,0 @@
----
-action: global
-title: Suspicious Process Creation
-description: Detects suspicious process starts on Windows systems based on keywords
-status: experimental
-references:
-    - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
-    - https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s
-    - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
-    - https://twitter.com/subTee/status/872244674609676288
-    - https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples
-    - https://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html
-    - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
-    - https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html
-    - https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat
-    - https://twitter.com/vector_sec/status/896049052642533376
-    - http://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf
-author: Florian Roth
-modified: 2018/12/11
-detection:
-    condition: selection
-falsepositives: 
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: 
-            # Hacking activity
-            - 'vssadmin.exe delete shadows*'
-            - 'vssadmin delete shadows*'
-            - 'vssadmin create shadow /for=C:*'
-            - 'copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit*'
-            - 'copy \\?\GLOBALROOT\Device\\*\config\SAM*'
-            - 'reg SAVE HKLM\SYSTEM *'
-            - 'reg SAVE HKLM\SAM *'
-            - '* sekurlsa:*'
-            - 'net localgroup adminstrators * /add'
-            - 'net group "Domain Admins" * /ADD /DOMAIN'
-            - 'certutil.exe *-urlcache* http*'
-            - 'certutil.exe *-urlcache* ftp*'
-            # Malware
-            - 'netsh advfirewall firewall *\AppData\\*'
-            - 'attrib +S +H +R *\AppData\\*'
-            - 'schtasks* /create *\AppData\\*'
-            - 'schtasks* /sc minute*'
-            - '*\Regasm.exe *\AppData\\*'
-            - '*\Regasm *\AppData\\*'
-            - '*\bitsadmin* /transfer*'
-            - '*\certutil.exe * -decode *'
-            - '*\certutil.exe * -decodehex *'
-            - '*\certutil.exe -ping *'
-            - 'icacls * /grant Everyone:F /T /C /Q'
-            - '* wmic shadowcopy delete *'
-            - '* wbadmin.exe delete catalog -quiet*'  # http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
-            # Scripts
-            - '*\wscript.exe *.jse'
-            - '*\wscript.exe *.js'
-            - '*\wscript.exe *.vba'
-            - '*\wscript.exe *.vbe'
-            - '*\cscript.exe *.jse'
-            - '*\cscript.exe *.js'
-            - '*\cscript.exe *.vba'
-            - '*\cscript.exe *.vbe'
-            # UAC bypass
-            - '*\fodhelper.exe'
-            # persistence
-            - '*waitfor*/s*'
-            - '*waitfor*/si persist*'
-            # remote
-            - '*remote*/s*'
-            - '*remote*/c*'
-            - '*remote*/q*'
-            # AddInProcess
-            - '*AddInProcess*'
-            # NotPowershell (nps) attack
-            # - '*msbuild*'  # too many false positives
----
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: 
-            # Hacking activity
-            - 'vssadmin.exe delete shadows*'
-            - 'vssadmin delete shadows*'
-            - 'vssadmin create shadow /for=C:*'
-            - 'copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit*'
-            - 'copy \\?\GLOBALROOT\Device\\*\config\SAM*'
-            - 'reg SAVE HKLM\SYSTEM *'
-            - 'reg SAVE HKLM\SAM *'
-            - '* sekurlsa:*'
-            - 'net localgroup adminstrators * /add'
-            - 'net group "Domain Admins" * /ADD /DOMAIN'
-            - 'certutil.exe *-urlcache* http*'
-            - 'certutil.exe *-urlcache* ftp*'
-            # Malware
-            - 'netsh advfirewall firewall *\AppData\\*'
-            - 'attrib +S +H +R *\AppData\\*'
-            - 'schtasks* /create *\AppData\\*'
-            - 'schtasks* /sc minute*'
-            - '*\Regasm.exe *\AppData\\*'
-            - '*\Regasm *\AppData\\*'
-            - '*\bitsadmin* /transfer*'
-            - '*\certutil.exe * -decode *'
-            - '*\certutil.exe * -decodehex *'
-            - '*\certutil.exe -ping *'
-            - 'icacls * /grant Everyone:F /T /C /Q'
-            - '* wmic shadowcopy delete *'
-            - '* wbadmin.exe delete catalog -quiet*'  # http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
-            # Scripts
-            - '*\wscript.exe *.jse'
-            - '*\wscript.exe *.js'
-            - '*\wscript.exe *.vba'
-            - '*\wscript.exe *.vbe'
-            - '*\cscript.exe *.jse'
-            - '*\cscript.exe *.js'
-            - '*\cscript.exe *.vba'
-            - '*\cscript.exe *.vbe'
-            # UAC bypass
-            - '*\fodhelper.exe'
-            # persistence
-            - '*waitfor*/s*'
-            - '*waitfor*/si persist*'
-            # remote
-            - '*remote*/s*'
-            - '*remote*/c*'
-            - '*remote*/q*'
-            # AddInProcess
-            - '*AddInProcess*'
-            # NotPowershell (nps) attack
-            # - '*msbuild*'  # too many false positives
-            # Keyloggers and Password-Stealers abusing NirSoft tools(Limitless Logger, Predator Pain, HawkEye Keylogger, iSpy Keylogger, KeyBase Keylogger)
-            - '* /stext *'
-            - '* /scomma *'
-            - '* /stab *'
-            - '* /stabular *'
-            - '* /shtml *'
-            - '* /sverhtml *'
-            - '* /sxml *'

rules/windows/builtin/win_susp_ps_appdata.yml

@@ -1,39 +0,0 @@
----
-action: global
-title: PowerShell Script Run in AppData
-status: experimental
-description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder 
-references:
-    - https://twitter.com/JohnLaTwC/status/1082851155481288706
-    - https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
-author: Florian Roth
-date: 2019/01/09
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    condition: selection
-falsepositives:
-    - Administrative scripts
-level: medium
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: 
-            - '* /c powershell*\AppData\Local\\*'
-            - '* /c powershell*\AppData\Roaming\\*'
----
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: 
-            - '* /c powershell*\AppData\Local\\*'
-            - '* /c powershell*\AppData\Roaming\\*'

rules/windows/builtin/win_susp_rasdial_activity.yml

@@ -1,32 +0,0 @@
-action: global
-title: Suspicious RASdial Activity
-description: Detects suspicious process related to rasdial.exe
-status: experimental
-references:
-    - https://twitter.com/subTee/status/891298217907830785
-author: juju4
-detection:
-    selection:
-        CommandLine: 
-            - 'rasdial'
-    condition: selection
-falsepositives: 
-    - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
----
-# Windows Audit Log
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
----
-# Sysmon
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1

rules/windows/builtin/win_susp_sdelete.yml

@@ -9,7 +9,7 @@ references:
 tags:
     - attack.defense_evasion
     - attack.t1107
-    - attack.t1116
+    - attack.t1066
     - attack.s0195
 logsource:
     product: windows

rules/windows/builtin/win_susp_svchost.yml

@@ -1,49 +0,0 @@
----
-action: global
-title: Suspicious Svchost Processes
-description: Detects suspicious svchost processes with parent process that is not services.exe, command line missing -k parameter or running outside Windows folder
-author: Florian Roth, @c_APT_ure
-date: 2018/10/26
-status: experimental
-references:
-    - https://twitter.com/Moti_B/status/1002280132143394816
-    - https://twitter.com/Moti_B/status/1002280287840153601
-falsepositives: 
-    - Renamed %SystemRoot%s 
-level: high
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        Image: '*\svchost.exe'
-    filter1:
-        ParentImage: 
-            - '*\services.exe'
-            - '*\MsMpEng.exe'
-    filter2:
-        CommandLine: '* -k *'
-    filter3:
-        Image: 'C:\Windows\S*'  # \* is a reserved expression
-    condition: selection and not ( filter1 or filter2 or filter3 )
----
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        NewProcessName: '*\svchost.exe'
-    # Deactivated as long as some backends do not fully support the 'null' expression
-    # filter2:
-    #    ProcessCommandLine:
-    #        - null  # Missing KB3004375 and Group Policy setting
-    #        - '* -k *'
-    filter3:
-        NewProcessName: 'C:\Windows\S*'  # \* is a reserved expression
-    condition: selection and not filter3
-
-        

rules/windows/builtin/win_susp_time_modification.yml

@@ -7,6 +7,7 @@ references:
     - Live environment caused by malware
 date: 2019/02/05
 tags:
+    - attack.defense_evasion
     - attack.t1099
 logsource:
     product: windows

rules/windows/builtin/win_susp_whoami.yml

@@ -1,36 +0,0 @@
----
-action: global
-title: Whoami Execution
-status: experimental
-description: 'Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators' 
-references:
-    - https://twitter.com/haroonmeer/status/939099379834658817
-    - https://twitter.com/c_APT_ure/status/939475433711722497
-author: Florian Roth
-date: 2018/05/22
-tags:
-    - attack.discovery
-    - attack.t1033
-detection:
-    condition: selection
-falsepositives: 
-    - Admin activity
-    - Scripts and administrative tools used in the monitored environment
-level: high
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: 'whoami'
----
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        NewProcessName: '*\whoami.exe'

rules/windows/builtin/win_usb_device_plugged.yml

@@ -5,6 +5,9 @@ references:
     - https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/
 status: experimental
 author: Florian Roth
+tags:
+    - attack.initial_access
+    - attack.t1200
 logsource:
     product: windows
     service: driver-framework

rules/windows/builtin/win_user_added_to_local_administrators.yml

@@ -4,6 +4,7 @@ status: stable
 author: Florian Roth
 tags:
     - attack.privilege_escalation
+    - attack.t1078
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_wmi_persistence_script_event_consumer.yml

@@ -1,36 +0,0 @@
----
-action: global
-title: WMI Persistence - Script Event Consumer
-status: experimental
-description: Detects WMI script event consumers
-references:
-    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
-author: Thomas Patzke
-date: 2018/03/07
-tags:
-    - attack.execution
-    - attack.persistence
-    - attack.t1047
-detection:
-    selection:
-        Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
-        ParentImage: 'C:\Windows\System32\svchost.exe'
-    condition: selection
-falsepositives: 
-    - Legitimate event consumers
-level: high
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
----
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688

rules/windows/malware/win_mal_wannacry.yml

@@ -1,67 +0,0 @@
-action: global
-title: WannaCry Ransomware 
-description: Detects WannaCry Ransomware Activity
-status: experimental
-references:
-    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
-author: Florian Roth
-detection:
-    selection1:
-        CommandLine:
-            - '*vssadmin delete shadows*'
-            - '*icacls * /grant Everyone:F /T /C /Q*'
-            - '*bcdedit /set {default} recoveryenabled no*'
-            - '*wbadmin delete catalog -quiet*'
-    condition: 1 of them
-falsepositives: 
-    - Unknown
-level: critical
----
-# Windows Audit Log
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection1:
-        # Requires group policy 'Audit Process Creation' > Include command line in process creation events
-        EventID: 4688
-    selection2:
-        # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
-        EventID: 4688
-        NewProcessName:
-            - '*\tasksche.exe'
-            - '*\mssecsvc.exe'
-            - '*\taskdl.exe'
-            - '*\WanaDecryptor*'
-            - '*\taskhsvc.exe'
-            - '*\taskse.exe'
-            - '*\111.exe'
-            - '*\lhdfrgui.exe'
-            - '*\diskpart.exe'  # Rare, but can be false positive
-            - '*\linuxnew.exe'
-            - '*\wannacry.exe'
----
-# Sysmon
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection1:
-        # Requires group policy 'Audit Process Creation' > Include command line in process creation events
-        EventID: 1
-    selection2:
-        # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
-        EventID: 1
-        Image:
-            - '*\tasksche.exe'
-            - '*\mssecsvc.exe'
-            - '*\taskdl.exe'
-            - '*\WanaDecryptor*'
-            - '*\taskhsvc.exe'
-            - '*\taskse.exe'
-            - '*\111.exe'
-            - '*\lhdfrgui.exe'
-            - '*\diskpart.exe'  # Rare, but can be false positive
-            - '*\linuxnew.exe'
-            - '*\wannacry.exe'

rules/windows/other/win_rare_schtask_creation.yml

@@ -2,6 +2,7 @@ title: Rare Scheduled Task Creations
 status: experimental
 description: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names. 
 tags:
+    - attack.persistence
     - attack.t1053
     - attack.s0111
 author: Florian Roth

rules/windows/other/win_tool_psexec.yml

@@ -1,3 +1,5 @@
+---
+action: global
 title: PsExec Tool Execution
 status: experimental
 description: Detects PsExec service installation and execution events (service and Sysmon)
@@ -9,20 +11,7 @@ tags:
     - attack.execution
     - attack.t1035
     - attack.s0029
-logsource:
-    product: windows
 detection:
-    service_installation:
-        EventID: 7045
-        ServiceName: 'PSEXESVC'
-        ServiceFileName: '*\PSEXESVC.exe'
-    service_execution:
-        EventID: 7036
-        ServiceName: 'PSEXESVC'
-    sysmon_processcreation:
-        EventID: 1
-        Image: '*\PSEXESVC.exe'
-        User: 'NT AUTHORITY\SYSTEM'
     condition: 1 of them
 fields:
     - EventID
@@ -33,3 +22,24 @@ fields:
 falsepositives:
     - unknown
 level: low
+---
+logsource:
+    product: windows
+    service: system
+detection:
+    service_installation:
+        EventID: 7045
+        ServiceName: 'PSEXESVC'
+        ServiceFileName: '*\PSEXESVC.exe'
+    service_execution:
+        EventID: 7036
+        ServiceName: 'PSEXESVC'
+---
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    sysmon_processcreation:
+        Image: '*\PSEXESVC.exe'
+        User: 'NT AUTHORITY\SYSTEM'
+

rules/windows/powershell/powershell_shellcode_b64.yml

@@ -4,7 +4,10 @@ description: Detects Base64 encoded Shellcode
 references:
     - https://twitter.com/cyb3rops/status/1063072865992523776
 tags:
+    - attack.privilege_escalation
     - attack.execution
+    - attack.t1055
+    - attack.t1086
 author: David Ledbetter (shellcode), Florian Roth (rule)
 date: 2018/11/17
 logsource:

rules/windows/process_creation/powershell_xor_commandline.yml

@@ -1,29 +1,19 @@
-action: global
 title: Suspicious XOR Encoded PowerShell Command Line
 description: Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands.
 status: experimental
 author: Sami Ruohonen
 date: 2018/09/05
+tags:
+    - attack.execution
+    - attack.t1086
 detection:
     selection:
         CommandLine:
             - '* -bxor*'
     condition: selection
-falsepositives: 
+falsepositives:
     - unknown
 level: medium
----
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
----
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688

rules/windows/process_creation/win_attrib_hiding_files.yml

@@ -3,19 +3,18 @@ status: experimental
 description: Detects usage of attrib.exe to hide files from users.
 author: Sami Ruohonen
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         Image: '*\attrib.exe'
         CommandLine: '* +h *'
     ini:
         CommandLine: '*\desktop.ini *'
     intel:
         ParentImage: '*\cmd.exe'
-        CommandLine: '+R +H +S +A \\*.cui'
-        ParentCommandLine: 'C:\WINDOWS\system32\\*.bat'
+        CommandLine: +R +H +S +A \\*.cui
+        ParentCommandLine: C:\WINDOWS\system32\\*.bat
     condition: selection and not (ini or intel)
 fields:
     - CommandLine

rules/windows/process_creation/win_bypass_squiblytwo.yml

@@ -12,25 +12,23 @@ falsepositives:
     - Unknown
 level: medium
 logsource:
-   product: windows
-   service: sysmon
+    category: process_creation
+    product: windows
 detection:
     selection1:
-        EventID: 1
         Image:
             - '*\wmic.exe'
         CommandLine:
-            - 'wmic * *format:\"http*'
-            - "wmic * /format:'http"
-            - 'wmic * /format:http*'
+            - wmic * *format:\"http*
+            - wmic * /format:'http
+            - wmic * /format:http*
     selection2:
-        EventID: 1
         Imphash:
-             - '1B1A3F43BF37B5BFE60751F2EE2F326E'
-             - '37777A96245A3C74EB217308F3546F4C'
-             - '9D87C9D67CE724033C0B40CC4CA1B206'
+            - 1B1A3F43BF37B5BFE60751F2EE2F326E
+            - 37777A96245A3C74EB217308F3546F4C
+            - 9D87C9D67CE724033C0B40CC4CA1B206
         CommandLine:
             - '* *format:\"http*'
-            - "* /format:'http"
+            - '* /format:''http'
             - '* /format:http*'
     condition: 1 of them

rules/windows/process_creation/win_cmdkey_recon.yml

@@ -1,16 +1,18 @@
 title: Cmdkey Cached Credentials Recon
 status: experimental
 description: Detects usage of cmdkey to look for cached credentials
-references: 
+references:
     - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
     - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx
 author: jmallette
+tags:
+    - attack.credential_access
+    - attack.t1003
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         Image: '*\cmdkey.exe'
         CommandLine: '* /list *'
     condition: selection

rules/windows/process_creation/win_cmstp_com_object_access.yml

@@ -13,17 +13,15 @@ references:
     - http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
     - https://twitter.com/hFireF0X/status/897640081053364225
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
-    # CMSTP Spawning Child Process
     selection1:
-        EventID: 1
         ParentCommandLine: '*\DllHost.exe'
     selection2:
         ParentCommandLine:
-            - '*\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' #CMSTPLUA
-            - '*\{3E000D72-A845-4CD9-BD83-80C07C3B881F}' #CMLUAUTIL, see https://twitter.com/hFireF0X/status/897640081053364225
+            - '*\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
+            - '*\{3E000D72-A845-4CD9-BD83-80C07C3B881F}'
     condition: selection1 and selection2
 fields:
     - CommandLine

rules/windows/process_creation/win_exploit_cve_2015_1641.yml

@@ -2,16 +2,18 @@ title: Exploit for CVE-2015-1641
 status: experimental
 description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
 references:
-  - https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/
-  - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100
+    - https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/
+    - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100
 author: Florian Roth
 date: 2018/02/22
+tags:
+    - attack.defense_evasion
+    - attack.t1036
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         ParentImage: '*\WINWORD.EXE'
         Image: '*\MicroScMgmt.exe '
     condition: selection

rules/windows/process_creation/win_exploit_cve_2017_0261.yml

@@ -1,16 +1,19 @@
 title: Exploit for CVE-2017-0261
 status: experimental
-description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262 
+description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
 references:
-  - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
+    - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
 author: Florian Roth
 date: 2018/02/22
+tags:
+  - attack.defense_evasion
+  - attack.privilege_escalation
+  - attack.t1055
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         ParentImage: '*\WINWORD.EXE'
         Image: '*\FLTLDR.exe*'
     condition: selection

rules/windows/process_creation/win_exploit_cve_2017_11882.yml

@@ -6,12 +6,14 @@ references:
     - https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw
 author: Florian Roth
 date: 2017/11/23
+tags:
+    - attack.defense_evasion
+    - attack.t1211
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         ParentImage: '*\EQNEDT32.EXE'
     condition: selection
 fields:

rules/windows/process_creation/win_exploit_cve_2017_8759.yml

@@ -0,0 +1,21 @@
+title: Exploit for CVE-2017-8759
+description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
+references:
+    - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
+    - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
+tags:
+    - attack.execution
+    - attack.t1203
+author: Florian Roth
+date: 2017/09/15
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage: '*\WINWORD.EXE'
+        Image: '*\csc.exe'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical

rules/windows/process_creation/win_hack_rubeus.yml

@@ -0,0 +1,29 @@
+title: Rubeus Hack Tool
+description: Detects command line parameters used by Rubeus hack tool
+author: Florian Roth
+references:
+    - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
+date: 2018/12/19
+tags:
+    - attack.credential_access
+    - attack.t1003
+    - attack.s0005
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine:
+            - '* asreproast *'
+            - '* dump /service:krbtgt *'
+            - '* kerberoast *'
+            - '* createnetonly /program:*'
+            - '* ptt /ticket:*'
+            - '* /impersonateuser:*'
+            - '* renew /ticket:*'
+            - '* asktgt /user:*'
+            - '* harvest /interval:*'
+    condition: selection
+falsepositives:
+    - unlikely
+level: critical

rules/windows/process_creation/win_lethalhta.yml

@@ -1,16 +1,19 @@
-title: MSHTA spwaned by SVCHOST as seen in LethalHTA 
+title: MSHTA spwaned by SVCHOST as seen in LethalHTA
 status: experimental
 description: Detects MSHTA.EXE spwaned by SVCHOST described in report
 references:
     - https://codewhitesec.blogspot.com/2018/07/lethalhta.html
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1170
 author: Markus Neis
 date: 2018/06/07
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         ParentImage: '*\svchost.exe'
         Image: '*\mshta.exe'
     condition: selection

rules/windows/process_creation/win_mal_adwind.yml

@@ -1,4 +1,3 @@
----
 action: global
 title: Adwind RAT / JRAT
 status: experimental
@@ -9,48 +8,37 @@ references:
 author: Florian Roth, Tom Ueltschi
 date: 2017/11/10
 modified: 2018/12/11
+tags:
+    - attack.execution
+    - attack.t1064
 detection:
     condition: selection
 level: high
 ---
-# Windows Security Eventlog: Process Creation with Full Command Line
 logsource:
+    category: process_creation
     product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
 detection:
     selection:
-        EventID: 4688
-        ProcessCommandLine: 
+        ProcessCommandLine:
             - '*\AppData\Roaming\Oracle*\java*.exe *'
             - '*cscript.exe *Retrive*.vbs *'
 ---
-# Sysmon: Process Creation (ID 1)
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        Image: '*\AppData\Roaming\Oracle\bin\java*.exe'
----
-# Sysmon: File Creation (ID 11)
 logsource:
     product: windows
     service: sysmon
 detection:
     selection:
         EventID: 11
-        TargetFilename: 
+        TargetFilename:
             - '*\AppData\Roaming\Oracle\bin\java*.exe'
             - '*\Retrive*.vbs'
 ---
-# Sysmon: Registry Value Set (ID 13)
 logsource:
     product: windows
     service: sysmon
 detection:
     selection:
         EventID: 13
-        TargetObject: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*'
+        TargetObject: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*
         Details: '%AppData%\Roaming\Oracle\bin\\*'

rules/windows/process_creation/win_mal_wannacry.yml

@@ -0,0 +1,33 @@
+title: WannaCry Ransomware
+description: Detects WannaCry Ransomware Activity
+status: experimental
+references:
+    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
+author: Florian Roth
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        CommandLine:
+            - '*vssadmin delete shadows*'
+            - '*icacls * /grant Everyone:F /T /C /Q*'
+            - '*bcdedit /set {default} recoveryenabled no*'
+            - '*wbadmin delete catalog -quiet*'
+    selection2:
+        Image:
+            - '*\tasksche.exe'
+            - '*\mssecsvc.exe'
+            - '*\taskdl.exe'
+            - '*\WanaDecryptor*'
+            - '*\taskhsvc.exe'
+            - '*\taskse.exe'
+            - '*\111.exe'
+            - '*\lhdfrgui.exe'
+            - '*\diskpart.exe'
+            - '*\linuxnew.exe'
+            - '*\wannacry.exe'
+    condition: 1 of them
+falsepositives:
+    - Unknown
+level: critical

rules/windows/process_creation/win_malware_dridex.yml

@@ -1,5 +1,3 @@
----
-action: global
 title: Dridex Process Pattern
 status: experimental
 description: Detects typical Dridex process patterns
@@ -7,34 +5,22 @@ references:
     - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3
 author: Florian Roth
 date: 2019/01/10
+tags:
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1055
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
+    selection1:
+        CommandLine: '*\svchost.exe C:\Users\\*\Desktop\\*'
+    selection2:
+        ParentImage: '*\svchost.exe*'
+        CommandLine:
+            - '*whoami.exe /all'
+            - '*net.exe view'
     condition: 1 of them
 falsepositives:
     - Unlikely
 level: critical
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection1:
-        EventID: 1
-        CommandLine: '*\svchost.exe C:\Users\\*\Desktop\\*'
-    selection2:
-        EventID: 1
-        ParentImage: '*\svchost.exe*'
-        CommandLine: 
-            - '*whoami.exe /all'
-            - '*net.exe view'
----
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: '*\svchost.exe C:\Users\\*\Desktop\\*'

rules/windows/process_creation/win_malware_notpetya.yml

@@ -1,6 +1,7 @@
 title: NotPetya Ransomware Activity
 status: experimental
-description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil
+description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive
+    C is deleted and windows eventlogs are cleared using wevtutil
 author: Florian Roth, Tom Ueltschi
 references:
     - https://securelist.com/schroedingers-petya/78870/
@@ -13,24 +14,20 @@ tags:
     - attack.t1070
     - attack.t1003
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     fsutil_clean_journal:
-        EventID: 1
         Image: '*\fsutil.exe'
-        CommandLine: '* deletejournal *'        
+        CommandLine: '* deletejournal *'
     pipe_com:
-        EventID: 1
         CommandLine: '*\AppData\Local\Temp\* \\.\pipe\\*'
     event_clean:
-        EventID: 1
         Image: '*\wevtutil.exe'
         CommandLine: '* cl *'
     rundll32_dash1:
-        EventID: 1
         Image: '*\rundll32.exe'
-        CommandLine: '*.dat,#1'       
+        CommandLine: '*.dat,#1'
     perfc_keyword:
         - '*\perfc.dat*'
     condition: 1 of them
@@ -40,4 +37,3 @@ fields:
 falsepositives:
     - Admin activity
 level: critical
-

rules/windows/process_creation/win_malware_script_dropper.yml

@@ -2,12 +2,15 @@ title: WScript or CScript Dropper
 status: experimental
 description: Detects wscript/cscript executions of scripts located in user directories
 author: Margaritis Dimitrios (idea), Florian Roth (rule)
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1064
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         Image:
             - '*\wscript.exe'
             - '*\cscript.exe'
@@ -24,7 +27,7 @@ detection:
             - '* C:\ProgramData\\*.vbs *'
     falsepositive:
         ParentImage: '*\winzip*'
-    condition: selection
+    condition: selection and not falsepositive
 fields:
     - CommandLine
     - ParentCommandLine

rules/windows/process_creation/win_malware_wannacry.yml

@@ -3,13 +3,12 @@ status: experimental
 description: Detects WannaCry ransomware activity via Sysmon
 references:
     - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
-author: Florian Roth (rule), Tom U. @c_APT_ure (collection) 
+author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection1:
-        EventID: 1
         Image:
             - '*\tasksche.exe'
             - '*\mssecsvc.exe'
@@ -19,11 +18,10 @@ detection:
             - '*\taskse.exe'
             - '*\111.exe'
             - '*\lhdfrgui.exe'
-            - '*\diskpart.exe'  # Rare, but can be false positive
+            - '*\diskpart.exe'
             - '*\linuxnew.exe'
             - '*\wannacry.exe'
     selection2:
-        EventID: 1
         CommandLine:
             - '*vssadmin delete shadows*'
             - '*icacls * /grant Everyone:F /T /C /Q*'
@@ -37,5 +35,3 @@ fields:
 falsepositives:
     - Diskpart.exe usage to manage partitions on the local hard drive
 level: critical
-
-

rules/windows/process_creation/win_mavinject_proc_inj.yml

@@ -1,38 +1,24 @@
----
-action: global
-title: MavInject Process Injection
-status: experimental
-description: Detects process injection using the signed Windows tool Mavinject32.exe
-references:
-    - https://twitter.com/gN3mes1s/status/941315826107510784
-    - https://reaqta.com/2017/12/mavinject-microsoft-injector/
-    - https://twitter.com/Hexacorn/status/776122138063409152
-author: Florian Roth
-date: 2018/12/12
-tags:
-    - attack.process_injection
-    - attack.t1055
-    - attack.signed_binary_proxy_execution
-    - attack.t1218
-detection:
-    condition: selection
-falsepositives: 
-    - unknown
-level: critical
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: '* /INJECTRUNNING *'
----
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: '* /INJECTRUNNING *'
+title: MavInject Process Injection
+status: experimental
+description: Detects process injection using the signed Windows tool Mavinject32.exe
+references:
+    - https://twitter.com/gN3mes1s/status/941315826107510784
+    - https://reaqta.com/2017/12/mavinject-microsoft-injector/
+    - https://twitter.com/Hexacorn/status/776122138063409152
+author: Florian Roth
+date: 2018/12/12
+tags:
+    - attack.process_injection
+    - attack.t1055
+    - attack.signed_binary_proxy_execution
+    - attack.t1218
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine: '* /INJECTRUNNING *'
+    condition: selection
+falsepositives:
+    - unknown
+level: critical

rules/windows/process_creation/win_mshta_spawn_shell.yml

@@ -5,11 +5,10 @@ references:
     - https://www.trustedsec.com/july-2015/malicious-htas/
 author: Michael Haag
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         ParentImage: '*\mshta.exe'
         Image:
             - '*\cmd.exe'
@@ -36,4 +35,3 @@ tags:
 falsepositives:
     - Printer software / driver installations
 level: high
-

rules/windows/process_creation/win_multiple_suspicious_cli.yml

@@ -0,0 +1,58 @@
+title: Quick Execution of a Series of Suspicious Commands
+description: Detects multiple suspicious process in a limited timeframe
+status: experimental
+references:
+    - https://car.mitre.org/wiki/CAR-2013-04-002
+author: juju4
+modified: 2012/12/11
+tags:
+    - car.2013-04-002
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine:
+            - arp.exe
+            - at.exe
+            - attrib.exe
+            - cscript.exe
+            - dsquery.exe
+            - hostname.exe
+            - ipconfig.exe
+            - mimikatz.exe
+            - nbtstat.exe
+            - net.exe
+            - netsh.exe
+            - nslookup.exe
+            - ping.exe
+            - quser.exe
+            - qwinsta.exe
+            - reg.exe
+            - runas.exe
+            - sc.exe
+            - schtasks.exe
+            - ssh.exe
+            - systeminfo.exe
+            - taskkill.exe
+            - telnet.exe
+            - tracert.exe
+            - wscript.exe
+            - xcopy.exe
+            - pscp.exe
+            - copy.exe
+            - robocopy.exe
+            - certutil.exe
+            - vssadmin.exe
+            - powershell.exe
+            - wevtutil.exe
+            - psexec.exe
+            - bcedit.exe
+            - wbadmin.exe
+            - icacls.exe
+            - diskpart.exe
+    timeframe: 5m
+    condition: selection | count() by MachineName > 5
+falsepositives:
+    - False positives depend on scripts and administrative tools used in the monitored environment
+level: low

rules/windows/process_creation/win_netsh_port_fwd.yml

@@ -0,0 +1,22 @@
+title: Netsh Port Forwarding
+description: Detects netsh commands that configure a port forwarding
+references:
+    - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
+date: 2019/01/29
+tags:
+    - attack.lateral_movement
+    - attack.command_and_control
+    - attack.t1090
+status: experimental
+author: Florian Roth
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine:
+            - netsh interface portproxy add v4tov4 *
+    condition: selection
+falsepositives:
+    - Legitimate administration
+level: medium

rules/windows/process_creation/win_netsh_port_fwd_3389.yml

@@ -1,5 +1,3 @@
----
-action: global
 title: Netsh RDP Port Forwarding
 description: Detects netsh commands that configure a port forwarding of port 3389 used for RDP
 references:
@@ -7,29 +5,17 @@ references:
 date: 2019/01/29
 tags:
     - attack.lateral_movement
+    - attack.t1021
 status: experimental
 author: Florian Roth
+logsource:
+    category: process_creation
+    product: windows
 detection:
+    selection:
+        CommandLine:
+            - netsh i* p*=3389 c*
     condition: selection
 falsepositives:
     - Legitimate administration
 level: high
----
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1
-        CommandLine: 
-            - 'netsh i* p*=3389 c*'
----
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
-        ProcessCommandLine: 
-            - 'netsh i* p*=3389 c*'

rules/windows/process_creation/win_office_shell.yml

@@ -0,0 +1,51 @@
+title: Microsoft Office Product Spawning Windows Shell
+status: experimental
+description: Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.
+references:
+    - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
+    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
+tags:
+    - attack.execution
+    - attack.defense_evasion
+    - attack.t1059
+    - attack.t1202
+author: Michael Haag, Florian Roth, Markus Neis
+date: 2018/04/06
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage:
+            - '*\WINWORD.EXE'
+            - '*\EXCEL.EXE'
+            - '*\POWERPNT.exe'
+            - '*\MSPUB.exe'
+            - '*\VISIO.exe'
+            - '*\OUTLOOK.EXE'
+        Image:
+            - '*\cmd.exe'
+            - '*\powershell.exe'
+            - '*\wscript.exe'
+            - '*\cscript.exe'
+            - '*\sh.exe'
+            - '*\bash.exe'
+            - '*\scrcons.exe'
+            - '*\schtasks.exe'
+            - '*\regsvr32.exe'
+            - '*\hh.exe'
+            - '*\wmic.exe'
+            - '*\mshta.exe'
+            - '*\rundll32.exe'
+            - '*\msiexec.exe'
+            - '*\forfiles.exe'
+            - '*\scriptrunner.exe'
+            - '*\mftrace.exe'
+            - '*\AppVLP.exe'
+    condition: selection
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - unknown
+level: high

rules/windows/process_creation/win_plugx_susp_exe_locations.yml

@@ -0,0 +1,95 @@
+title: Executable used by PlugX in Uncommon Location - Sysmon Version
+status: experimental
+description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
+references:
+    - http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
+    - https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/
+author: Florian Roth
+date: 2017/06/12
+tags:
+    - attack.s0013
+    - attack.defense_evasion
+    - attack.t1073
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_cammute:
+        Image: '*\CamMute.exe'
+    filter_cammute:
+        Image: '*\Lenovo\Communication Utility\\*'
+    selection_chrome_frame:
+        Image: '*\chrome_frame_helper.exe'
+    filter_chrome_frame:
+        Image: '*\Google\Chrome\application\\*'
+    selection_devemu:
+        Image: '*\dvcemumanager.exe'
+    filter_devemu:
+        Image: '*\Microsoft Device Emulator\\*'
+    selection_gadget:
+        Image: '*\Gadget.exe'
+    filter_gadget:
+        Image: '*\Windows Media Player\\*'
+    selection_hcc:
+        Image: '*\hcc.exe'
+    filter_hcc:
+        Image: '*\HTML Help Workshop\\*'
+    selection_hkcmd:
+        Image: '*\hkcmd.exe'
+    filter_hkcmd:
+        Image:
+            - '*\System32\\*'
+            - '*\SysNative\\*'
+            - '*\SysWowo64\\*'
+    selection_mc:
+        Image: '*\Mc.exe'
+    filter_mc:
+        Image:
+            - '*\Microsoft Visual Studio*'
+            - '*\Microsoft SDK*'
+            - '*\Windows Kit*'
+    selection_msmpeng:
+        Image: '*\MsMpEng.exe'
+    filter_msmpeng:
+        Image:
+            - '*\Microsoft Security Client\\*'
+            - '*\Windows Defender\\*'
+            - '*\AntiMalware\\*'
+    selection_msseces:
+        Image: '*\msseces.exe'
+    filter_msseces:
+        Image: 
+            - '*\Microsoft Security Center\\*'
+            - '*\Microsoft Security Client\\*'
+            - '*\Microsoft Security Essentials\\*'
+    selection_oinfo:
+        Image: '*\OInfoP11.exe'
+    filter_oinfo:
+        Image: '*\Common Files\Microsoft Shared\\*'
+    selection_oleview:
+        Image: '*\OleView.exe'
+    filter_oleview:
+        Image:
+            - '*\Microsoft Visual Studio*'
+            - '*\Microsoft SDK*'
+            - '*\Windows Kit*'
+            - '*\Windows Resource Kit\\*'
+    selection_rc:
+        Image: '*\rc.exe'
+    filter_rc:
+        Image:
+            - '*\Microsoft Visual Studio*'
+            - '*\Microsoft SDK*'
+            - '*\Windows Kit*'
+            - '*\Windows Resource Kit\\*'
+            - '*\Microsoft.NET\\*'
+    condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu )
+        or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc
+        ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview
+        and not filter_oleview ) or ( selection_rc and not filter_rc )
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/win_possible_applocker_bypass.yml

@@ -1,4 +1,3 @@
-action: global
 title: Possible Applocker Bypass
 description: Detects execution of executables that can be used to bypass Applocker whitelisting
 status: experimental
@@ -8,6 +7,13 @@ references:
 author: juju4
 tags:
     - attack.defense_evasion
+    - attack.t1118
+    - attack.t1121
+    - attack.t1127
+    - attack.t1170
+logsource:
+    category: process_creation
+    product: windows
 detection:
     selection:
         CommandLine:
@@ -19,27 +25,8 @@ detection:
             - '*\msbuild.exe*'
             - '*\ieexec.exe*'
             - '*\mshta.exe*'
-            # higher risk of false positives
-#            - '*\cscript.EXE*'
     condition: selection
 falsepositives:
     - False positives depend on scripts and administrative tools used in the monitored environment
     - Using installutil to add features for .NET applications (primarly would occur in developer environments)
 level: low
----
-# Windows Audit Log
-logsource:
-    product: windows
-    service: security
-    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
-    selection:
-        EventID: 4688
----
-# Sysmon
-logsource:
-    product: windows
-    service: sysmon
-detection:
-    selection:
-        EventID: 1

rules/windows/process_creation/win_powershell_amsi_bypass.yml

@@ -1,4 +1,4 @@
-title: Powershell AMSI Bypass via .NET Reflection  
+title: Powershell AMSI Bypass via .NET Reflection
 status: experimental
 description: Detects Request to amsiInitFailed that can be used to disable AMSI Scanning
 references:
@@ -6,22 +6,21 @@ references:
     - https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120
 tags:
     - attack.execution
+    - attack.defense_evasion
     - attack.t1086
 author: Markus Neis
 date: 2018/08/17
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection1:
-        EventID: 1
         CommandLine:
             - '*System.Management.Automation.AmsiUtils*'
     selection2:
         CommandLine:
-            - '*amsiInitFailed*'            
+            - '*amsiInitFailed*'
     condition: selection1 and selection2
     falsepositives:
-    - Potential Admin Activity 
+        - Potential Admin Activity
 level: high
-

rules/windows/process_creation/win_powershell_b64_shellcode.yml

@@ -0,0 +1,24 @@
+title: PowerShell Base64 Encoded Shellcode
+description: Detects Base64 encoded Shellcode
+status: experimental
+references:
+    - https://twitter.com/cyb3rops/status/1063072865992523776
+author: Florian Roth
+date: 2018/11/17
+tags:
+    - attack.defense_evasion
+    - attack.t1036
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        CommandLine: '*AAAAYInlM*'
+    selection2:
+        CommandLine:
+            - '*OiCAAAAYInlM*'
+            - '*OiJAAAAYInlM*'
+    condition: selection1 and selection2
+falsepositives:
+    - Unknown
+level: critical

rules/windows/process_creation/win_powershell_dll_execution.yml

@@ -9,19 +9,16 @@ tags:
 author: Markus Neis
 date: 2018/08/25
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection1:
-        EventID: 1
         Image:
             - '*\rundll32.exe'
     selection2:
-        EventID: 1
         Description:
             - '*Windows-Hostprozess (Rundll32)*'
     selection3:
-        EventID: 1
         CommandLine:
             - '*Default.GetString*'
             - '*FromBase64String*'

rules/windows/process_creation/win_powershell_download.yml

@@ -6,18 +6,16 @@ tags:
     - attack.t1086
     - attack.execution
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         Image: '*\powershell.exe'
-        CommandLine: 
+        CommandLine:
             - '*new-object system.net.webclient).downloadstring(*'
             - '*new-object system.net.webclient).downloadfile(*'
-            - '*new-object net.webclient).downloadstring(*' # Ex. https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1086/T1086.md#atomic-test-2---bloodhound
-            - '*new-object net.webclient).downloadfile(*' # Ex. https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1086/T1086.md#atomic-test-3---obfuscation-tests
-
+            - '*new-object net.webclient).downloadstring(*'
+            - '*new-object net.webclient).downloadfile(*'
     condition: selection
 fields:
     - CommandLine
@@ -25,4 +23,3 @@ fields:
 falsepositives:
     - unknown
 level: medium
-

rules/windows/process_creation/win_powershell_renamed_ps.yml

@@ -9,11 +9,10 @@ tags:
     - attack.execution
 author: Tom Ueltschi (@c_APT_ure)
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
-        EventID: 1
         Description: Windows PowerShell
     exclusion_1:
         Image:

rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml

@@ -8,13 +8,12 @@ tags:
     - attack.t1086
 author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
 logsource:
+    category: process_creation
     product: windows
-    service: sysmon
 detection:
     selection:
         Image:
             - '*\Powershell.exe'
-        EventID: 1
         CommandLine:
             - ' -windowstyle h '
             - ' -windowstyl h'
@@ -34,7 +33,7 @@ detection:
             - ' -NoPro '
             - ' -NoProf '
             - ' -NoProfi '
-            - ' -NoProfil ' 
+            - ' -NoProfil '
             - ' -nonin '
             - ' -nonint '
             - ' -noninte '

rules/windows/process_creation/win_process_creation_bitsadmin_download.yml

@@ -0,0 +1,28 @@
+title: Bitsadmin Download
+status: experimental
+description: Detects usage of bitsadmin downloading a file
+references:
+        - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
+        - https://isc.sans.edu/diary/22264
+tags:
+        - attack.defense_evasion
+        - attack.persistence
+        - attack.t1197
+        - attack.s0190
+author: Michael Haag
+logsource:
+        category: process_creation
+        product: windows
+detection:
+        selection:
+                Image:
+                        - '*\bitsadmin.exe'
+                CommandLine:
+                        - '/transfer'
+        condition: selection
+fields:
+        - CommandLine
+        - ParentCommandLine
+falsepositives:
+        - Some legitimate apps use this, but limited.
+level: medium